NIS2UmsuCG - "turning point" in the IT industry?

In view of the growing threat situation identified in the Cybersecurity Report 2022, the German Federal Office for Information Security (BSI) - echoing Chancellor Scholz - speaks of a "turning point in time" for cybersecurity. The legal basis for meeting this challenge will probably be the NIS-2 directive, which provides for extensive changes in Europe - and in Germany. In Germany, the first draft law to implement the EU directive, with the unpronounceable name "NIS2UmsuCG," was published on April 2, 2023. We provide an insight into what could change and what steps companies will have to take in the future.

What does NIS even mean and for whom does this directive become relevant?

NIS stands for "Network and Information Security"; the full name of the directive is the "EU Network and Information Security Directive". While NIS-1 dates back to 2016, NIS-2 did not come into force until January 16, 2023. As an EU directive, NIS-2 still requires implementing laws in the individual EU member states in order to take effect there. The national laws may even be stricter than the European template. The deadline for implementation is already ticking and must be met in Germany by Oct. 17, 2024. Based on the implementation period of NIS-1 (≈11 months), implementation by December 2023 is considered likely. With the publication of the German draft bill on NIS2UmsuCG, similarities and differences can now be provisionally assessed for the first time. As a so-called shell law, NIS2UmsuCG combines amendments to several laws under the "shell" of a specific topic. Most of the changes are planned in the BSIG (the new version is referred to here as BSIG2).

NIS-2 provides for one of the largest - if not the largest - expansions of the scope of (minimum) cybersecurity requirements, because smaller companies and additional industries are now also covered. Currently, up to 30,000 newly affected companies are assumed. It should be emphasized that "medium-sized enterprises" are now included, for example. These are companies with 50 or more employees and/or annual sales of over €10 million. However, they must then also belong to certain sectors*. In addition, NIS2UmsuCG will also be of interest to operators of KRITIS and larger companies.

*(Among others: Energy, Transport & Traffic, Banking, Financial Market Infrastructures, Healthcare, Drinking Water, Wastewater, Digital Infrastructure, Telecommunications, Administration, B2B ICT Services, Space Infrastructure; (NIS-2, Annex II:) Logistics, Municipal Waste, Production, Chemicals, Food, Manufacturing, Digital Service Providers, Research).

Three versus two facility types - Is Germany doing everything differently?

One of the questions that many companies must now clarify is whether or not they fall under the new regulation. The EU Directive provides for a distinction to be made between only two types of facilities: essential facilities and important facilities. The German draft is different. Here, a distinction is made between critical facilities (KRITIS/KRITAN), particularly important facilities (BWE) and important facilities (WE), in a graded order. This distinction is important because obligations and threatened fines are based on these categories: the more important a facility, the more obligations its operators have and the higher the penalties they face for violations.

Up to now, a distinction has been made in Germany between critical infrastructures (KRITIS) and companies in the special public interest (UBI). With the new regulation, KRITIS operators can initially rely on their classification remaining in place, because an almost congruent category (KRITAN) is envisaged. In the future, KRITIS will strictly be managed as a subcategory of the particularly important facilities, which is why the term "facilities" is now used, Section 28 III No. 4 BSIG2. Because of their high systemic relevance, however, they will probably continue to be a special target group for statutory regulations. The category of UBIs has not been given a direct equivalent, so operators will have to carry out a complete re-evaluation of their classification here.

What are the new obligations?

The catalog of obligations in NIS2UmsuCG is very extensive. Consequently, we can only explain the most essential obligations here and must otherwise refer to individual case-related legal advice.

The greatest practical relevance will probably be the obligation to register with the BSI, § 32 I BSIG2. Anyone who now falls into one of the three categories must register with the BSI within 3 months at the latest. In the case of new KRITIS/KRITAN, registration must even take place within a single working day.

Unfortunately, the rough benchmarks (employees, revenue) are not decisive on their own. Some companies fall under the regulations regardless of size solely because of the type of business model (e.g., DNS service providers). In the case of public telecommunications providers, there are special rules according to which even medium-sized companies are considered BWEs. There are also variable classifications. Thus, smaller companies can also fall under NIS2UmsuCG if, for example, they are the sole provider of a service in an EU country (cf. Art. 3 I lit. e) NIS-2).

Three- to five-stage reporting system

Another new feature is a three- to five-stage reporting system for significant security incidents pursuant to Section 2 I No. 10, No. 37 in conjunction with Section 31 I No. 1-4 BSIG2, according to the following scheme:

  1. Initial report: No later than 24 hours after becoming aware of a significant security incident, including an indication of whether the incident is suspected to result from illegal and/or malicious acts or has cross-border effects, § 31 I No. 1 BSIG2.
  2. Second report: No later than 72 hours after becoming aware of the security incident. Confirmation/update of the information from the initial report and an initial assessment (severity, impact, indicators of compromise).
  3. Interim report, if necessary: A status update may be required at the request of the BSI.
  4. Progress report, if applicable: A progress report must be submitted no later than 1 month after the second report (transmission) if the security incident is still ongoing.
  5. Final report: No later than 1 month after the second report (transmission) OR after completion of security incident handling (following a progress report). Detailed description of the incident, severity, impact, threat type, cause, remedial actions, and cross-border impact.

Catalog of measures

A central element is the catalog of measures in § 30 IV BSIG2, which clarifies which requirements are specifically placed on companies. The measures must include:

  1. Concepts related to risk analysis and security for information systems,
  2. [Concrete plans for] managing security incidents,
  3. Business continuity, such as backup management and disaster recovery, and crisis management,
  4. Supply chain security, including security-related aspects of the relationships between individual facilities and their direct vendors or service providers,
  5. Security measures in the acquisition, development, and maintenance of information technology systems, components, and processes, including vulnerability management and disclosure,
  6. Concepts and procedures for evaluating the effectiveness of cybersecurity risk management measures,
  7. Basic cyber hygiene procedures and cybersecurity training,
  8. Concepts and methods for the use of cryptography and encryption,
  9. Personnel security, access control concepts, and asset management,
  10. Use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communications systems within the facility, if applicable.

Documentation obligations / Obligation to provide evidence

From 2025/26 onwards, BWE will also be obliged to document all these measures and to provide evidence to the BSI every 2 years, § 34 I BSIG2.

Section 38 of the BSIG2 should be of particular interest, as it contains specific obligations for the management of companies (Section 2 I No. 11 of the BSIG2). In the future, management will no longer be allowed to delegate the approval and monitoring of the new security measures prescribed in Section 30 BSIG2 to third parties. They must themselves acquire the skills and knowledge required to achieve the digital protection level (from a management perspective) - e.g., through training. In the event of non-compliance and resulting damage, management will be personally liable in the future. Settlements and waivers of these claims by the institution are declared invalid by law, § 38 III BSIG2. For BWE, violations may even result in the suspension of security certifications, § 64 VI No. 1 BSIG2, or a temporary prohibition on management performing their duties, § 64 VI No. 2 BSIG2.

The latter regulations should set alarm bells ringing for companies. After all, if companies are now required to ensure the security of their supply chains under Section 30 BSIG2, they will be forced to switch to another provider if that provider loses its security certification. In some cases, this will even be required by law, § 30 IX BSIG2. In practice, this could mean the complete loss of one or even all customers for a company that loses its certification due to a breach.

Furthermore, BWE will be obliged to participate in the exchange of information on vulnerabilities as early as 1 year after the entry into force of NIS2UmsuCG, §§ 6, 30 X BSIG2, which is a tightening compared to Art. 29 NIS-2.

What are the penalties for violations?

In the case of fines, a distinction is made between BWE and WE. KRITAN are counted as BWE in this context. BWE face a maximum fine of €10 million or of at least 2% of the total worldwide turnover (previous fiscal year) of the company to which the facility belongs, whichever is higher. WE face a maximum fine of €7 million or of at least 1.4% of total worldwide turnover.

The explanatory memorandum to the draft NIS2UmsuCG even mentions penalties of up to €20 million. This idea is not (yet) reflected in the legal text, but it does raise the possibility of higher fines in Germany.

What is to be done with a view to the future?

It is advisable for companies to take initial steps now and keep an eye on further legal developments - not only because this fulfills legal requirements, but also because it can avert existential threats. The BSI already registered 20,174 software vulnerabilities last year, of which a full 13% were critical in nature. In addition, a disaster situation was declared for 207 days because state institutions were unable to provide many social services due to a ransomware attack. In 2022 alone, the number of malware variants increased by 116 million.

It could be very helpful to have answered in advance all questions regarding the classification of one's own company as well as the required systems and personnel. After all, the demand for these resources is likely to increase by leaps and bounds once NIS2UmsuCG is adopted. A late response is likely to become significantly more expensive due to the increased competition that will exist by then. The availability of consulting resources is also likely to follow this pattern.

Also on the horizon is the implementation of the CER Directive, which is intended to supplement the digital protection standard of NIS-2 with an increased standard for the physical resilience of KRITIS. A corresponding implementation will take place with the KRITIS umbrella law.

In the end, legal advice will become urgent in most cases. Should you choose our law firm for this, we will be happy to accompany you through this time with our specialist legal advice and help you to pursue an optimal strategy for mastering the upcoming legal challenges.

We already give lectures on this topic on request and continue to offer them for individual companies and associations.

Benno Gerwinn

Research assistant