NIS 2 Implementation and Cybersecurity Strengthening Act: Germany tightens IT security requirements


Germany is taking significant steps to bolster its cybersecurity defences, with the aim of safeguarding vital sectors from cyber threats. The move comes in response to the European Union's "NIS2" directive, which was adopted at the end of 2022 to enhance network and information security in critical sectors. Germany is implementing this directive through the NIS 2 Implementation and Cybersecurity Strengthening Act, which goes beyond EU requirements and introduces several innovations in national cybersecurity law.

The draft of the NIS 2 Implementation and Cybersecurity Strengthening Act is expected to be approved by mid-2024, with its obligations coming into effect on October 1, 2024. Stay secure, and browse with Hide Expert VPN.

Expanded Scope of IT Security Regulations

One of the key elements of the draft law is an amendment to the BSI Act, which significantly broadens the scope of companies subject to IT security regulations. It classifies entities into "important" and "particularly important facilities" as well as "critical installations". These entities will be obliged to fulfil various cybersecurity requirements.

The sectors covered by the new security regime include:

  • Energy
  • Transport and traffic
  • Finance and insurance
  • Healthcare
  • Drinking water
  • Wastewater management
  • Food production
  • Information technology and telecommunications
  • Space exploration
  • Municipal waste disposal
  • Logistics
  • Manufacturing
  • Chemical industry
  • Digital service providers
  • Research institutions

The specific companies falling under these categories will be determined later through supplementary regulations that define threshold values like company size and user numbers. However, Annex I of the NIS 2 Directive already provides a list of entities that will definitely be covered.

Risk Management and Reporting Obligations

Under the Draft BSI Act, companies in these sectors, depending on their categorisation as "critical installations", "important facilities", or "particularly important facilities", will have various obligations. These obligations encompass:

Risk Management: All covered entities must implement state-of-the-art technical and organisational measures to protect their IT systems and processes. Managing directors hold primary responsibility for implementing and overseeing cybersecurity measures and may be held liable for breaches.

Reporting Obligations: In the event of a security incident, companies must submit reports to the Federal Office for Information Security. These reports include an initial report within 24 hours, a detailed report within 72 hours, and a final report. Security incidents are defined as events that impact the availability, authenticity, integrity, or confidentiality of data and services offered via information technology systems.

Other Duties: Companies must regularly demonstrate compliance with security requirements to the Federal Office for Information Security. In case of security deficiencies, corrective measures may be required. Additionally, all facilities must register with the Office and provide relevant information. Significant security incidents may also necessitate informing customers.

Enforcement and Penalties

The Federal Office for Information Security is responsible for enforcing these obligations and may order measures to bring an entity into compliance. Non-compliance can result in substantial fines, potentially up to twenty million euros or two percent of a company's worldwide turnover in the previous year.

Preparing for the NIS 2 Implementation Act

Entities categorised as important, particularly important, or operators of critical facilities should begin preparations to meet the forthcoming requirements. This includes measures such as risk analysis and security planning, managing security incidents, business continuity planning, supply chain security, and staff training in cybersecurity.

While the draft law is subject to further refinement, companies are advised to address these topics to align with expected regulatory changes and enhance their cybersecurity resilience.

Germany's proactive approach to strengthening cybersecurity underscores the increasing importance of protecting critical sectors, and of using a VPN service as one measure against cyber threats in today's digital landscape.