NIS-2

The NIS2 Directive, the successor to the first EU Directive on Network and Information Security (NIS), is intended to meet the high demands placed on the security of critical infrastructures in Europe by increasing digitalization and the growing threat of cyberattacks. Read all about the key aspects of NIS2, its requirements and implementation in Germany from the Table.Briefings editorial team.

What is the NIS2 directive?

The NIS2 Directive is a European Union legal framework designed to improve the cybersecurity of companies and organizations in the Member States. It came into force on Dec. 27, 2022 and had to be transposed into national law by Oct. 18, 2024. The aim of the directive is to strengthen the resilience of critical infrastructures and create uniform security standards across Europe. Compared to the previous regulation, the NIS2 directive significantly expands the scope of application. More companies and sectors are now covered by the regulations and the requirements for cyber security measures have been tightened.

NIS2 Directive: Who is affected?

One of the key issues in connection with the NIS2 Directive is determining which entities are affected. The directive differentiates between essential and important facilities. A crucial point is that the size of a company can be decisive. Companies with more than 50 employees or an annual turnover of more than EUR 10 million must implement NIS2 and its requirements. Smaller companies are only affected if they operate in a critical industry.

In addition, supply chains and third-party providers are also coming into focus. Companies must ensure that their service providers have also implemented appropriate security measures. This underlines the importance of an end-to-end security strategy along the entire value chain.

What are the requirements of the NIS2 directive?

The requirements of the NIS2 directive are comprehensive and cover various areas of cyber security.
The central requirements include:

What is the NIS2 Implementation Act?

The NIS2 Implementation Act is the national transposition of the EU Directive into German law, and a corresponding draft bill has already been submitted. The aim is to integrate the requirements of NIS2 into the German IT Security Act, taking into account the special features of the German market.

The draft provides for the Federal Network Agency and the Federal Office for Information Security (BSI) to act as central supervisory authorities. They will be responsible for monitoring compliance with the regulations and supporting companies in implementing them. In addition, the implementation law should define clear guidelines for responsibilities within companies. For example, it is expected that a Chief Information Security Officer (CISO) will be appointed who reports directly to the management.

When will NIS2 come into force in Germany?

The EU member states were obliged to transpose the NIS2 directive into national law by Oct. 18, 2024. The NIS2 Implementation Act was expected to come into force in Germany in the same period. Against this backdrop, companies should prepare for the expected changes and make any necessary adjustments promptly.

An early start to preparations offers advantages: Companies can identify gaps in their security architecture at an early stage and close them in a targeted manner. This not only minimizes compliance risks, but also increases resilience to cyber threats.

Challenges in implementing the NIS2 directive

Implementing the NIS2 requirements poses considerable challenges for many companies. These include:

The NIS2 Directive is crucial to strengthening cyber security in Europe. It expands the scope of application, tightens the requirements and places great emphasis on cooperation between companies and authorities. It also calls for increased measures for risk assessment and incident detection in order to detect and ward off attacks at an early stage.
It is crucial for companies in Germany to take a close look at the NIS2 Implementation Act. This will enable them to reduce regulatory risks and strengthen their resilience to cyber threats in the long term. A forward-looking approach to the implementation of security measures can have a positive long-term impact on competition and strengthen the trust of customers and partners.