On September 27, 2023, the German Federal Ministry of the Interior and Home Affairs (BMI) published a new discussion paper on the draft German law implementing the European NIS-2 Directive. Central points seem to be a harmonization with the other legal situation and an approach to the economy.
What is the significance of the discussion paper?
The discussion paper is primarily an update to the draft bill for the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) that was first published in July 2023, following internal discussions - we reported. In particular, the economic aspects of the draft were highlighted and the associations concerned were asked to comment by October 20, 2023.
Nevertheless, there still seems to be a need for discussion between the individual ministries, as can be seen from isolated sources. As a result, it is now questionable whether the law can still be passed in 2023. If this were not the case, the implementation of NIS-2 would in any case proceed more slowly than with NIS-1. Whether a slower pace is welcome in view of the current cyber threat situation may be questionable. On the other hand, the prior involvement of industry, which is groaning under German bureaucracy, before the law is passed is certainly welcome. However, there is still time until October 17, 2024 to implement the directive.
What changes does the discussion paper envisage?
Compared to the draft of April 3, 2023, the following key changes are envisaged:
Enter into force
It is provided in Art. 29 that the Act shall enter into force on October 1, 2024.
Critical equipment testing
Audits of critical facilities(KRITAN, new for: KRITIS) for the risk management measures provided for in the draft (§§ 30, 31 BSIG2) are now to take place only every 3 years, instead of every 2 years, § 39 BSIG2.
The first review will take place at a variable date, but no earlier than 3 years after the effective date of the NIS2UmsuCG, i.e., October 1, 2027.
The other particularly important facilities (BWE) were exempted from these regular audits. However, the BWE and the important facilities (WE) can still be required by the BSI to perform audits or self-audits, §§ 64, 65 BSIG2 - if the BSI does not even perform the audit itself.
Information on sectors
The information on the WE and BEW sectors has been partially revised. In Annexes 1 and 2 to the Act, specific facility types are now named for each sector. This means that certain companies can now be assigned to a sector more quickly (§ 28 BSIG2), which is essential, among other things, for the registration obligations (§ 33 BSIG2).
On the other hand, apparently no changes were made to the sectors for CRITAN/KRITIS pursuant to Section 28 (6) BSIG2.
According to Art. 2 No. 2 of the draft, however, paragraphs 5 to 8 of Section 28 BSIG2 are to be deleted. Instead, according to Art. 2 No. 1, reference is now to be made to Art. 2 No. 3 of the Implementation Act for the CER Directive for the CRITAN definition. However, this point is still contradictory so far, as the paragraphs are still listed in Art. 1 so far.
Categorization of the companies
With the new version of Section 28 (3) BSIG2 , only those employees and sales figures that actually work in the areas named in Annexes 1 and 2 of the Act are relevant for the categorization of a company as WE or BWE. In some cases, however, the proportion of work performed by individual employees must be taken into account in the case of "cross-sectional tasks".
Since the employee and sales figures are decisive for the distinction between WE and BWE (so-called size-cap rule), this change is particularly important. In fact, if a certain sales or employee number limit is exceeded, a particularly important facility is assumed in principle, so that stricter mandatory and penalty rules must be applied.
The amendment accommodates companies, as business units are now recorded according to their actual size.
Central exchange platform
In Section 30 (7) BSIG2, BWE is now already required to participate in the BSI's central exchange platform (BISP) within one year of the NIS2UmsuCG coming into force, which goes beyond the requirements of NIS-2.
Reporting and registration requirements
The notification and registration requirements have now moved one paragraph back, so they can now be found in § 32 and § 33 BSIG2.
The paragraph that provided for particularly short registration periods for CRITIS (Section 33 (3)) has been replaced by a reference to the forthcoming CRITIS umbrella law. Section 8 of this law could provide for a similar deadline.
§ Section 38 (1) sentence 2 BSIG2, which provided that management boards may not delegate cybersecurity risk management measures to third parties, appears to have been deleted without replacement. However, the discussion paper makes clear that even if an auxiliary is involved, the "management body remains ultimately responsible." Managing directors must therefore continue to acquire sufficient skills themselves through regular training, Section 38 (3) BSIG2.
At the same time, however, the possibility of waiving claims for compensation against the managing director was further prohibited. Corresponding agreements shall continue to be ineffective according to Sec. 38 (2) BSIG2.
On the other hand, it is a relief that employees are no longer obliged to participate in the same training courses as management. In the comments to the discussion sheet, however, it was stated that the facilities are nevertheless required to offer such training.
Use of products
The obligation for BWE operators to exclusively use products certified for cybersecurity has been moved from § 30 (9) to § 30 (6) BSIG2, but will be retained. Developers whose products are thus deprived of a security certification - even temporarily - because of a breach of regulations continue to face the threat of a total loss of BWE customers (see our last report).
What follows from the discussion paper? What is to be done?
It should be noted that the published content of the discussion paper does not yet contain the entire text of the law. Of a total of probably 29 articles, only 3 can be viewed so far. It should also be noted that the feedback from the industry associations is still being incorporated. The draft law is therefore still subject to change.
At any rate, it should be noted at the moment that the current draft improves comprehensibility and somewhat softens the originally very strict requirements. However, the NIS-2 directive sets limits to this: The essential requirements must be implemented.
Therefore, further developments should be kept in mind. It is advisable to coordinate with industry associations as early as possible, seek legal advice and take the necessary measures, as the cost of resources, personnel and services (especially audits) is likely to become much stretched, expensive and scarce in the near future when the NIS2UmsuCG takes a solid shape. The organization of training should also be prudently undertaken early to be able to work through the extensive material.
We will be happy to assist you with our specialist legal expertise in order to achieve the best possible result.