NIS2 Directive: Current developments and delays

Originally, the NIS2 Directive was due to come into force on 17 October. However, as is so often the case with the implementation of extensive regulations, there appears to be a delay. There are draft regulations and the implementation process is taking longer than originally anticipated. Here is an updated overview of current developments and the reasons for the delay.

The objectives of the NIS2 Directive

The NIS2 Directive is an EU directive that must be transposed into national, i.e. German, law. The aim of the directive is to establish a holistic approach to IT security. Particularly important organisations in Germany are to be encouraged to actively work on their cyber security. Previously, only KRITIS companies were regulated; with NIS2, the focus will be placed on significantly more institutions.

Delays in implementation

The implementation of the NIS2 directive is currently being delayed for various reasons. One of the main reasons is the numerous draft bills for national legislation, which differ in detail. Draft bills are an important step in the legislative process, especially in Germany and other European countries. They represent the first formal draft of a law or directive prepared by a ministry or authority. These drafts form the basis for further discussion and processing within the government and often also with affected interest groups and experts. The discussions within the framework of the NIS2 Directive relate, among other things, to the sectors to be regulated and the responsibility of management. In addition, the various industry associations must coordinate to find practicable solutions. Another factor is the parallel development of other laws, such as the Critical Umbrella Act and the DORA Act, which also have an impact on the regulation of cyber security. The aim is to design these sets of regulations in such a way that they interlock and do not create a patchwork quilt.

The current situation and future developments

The third draft of the NIS2 Implementation and Cybersecurity Strengthening Act is currently being coordinated with the associations. This draft contains some important changes that affect the sectors concerned. One of the most important changes is the renaming of the categories: The sectors previously labelled "essential and important facilities" will now be referred to as "particularly important and important facilities". This new classification is intended to emphasise the prioritisation and protection of particularly sensitive areas even more clearly.

In addition, operators of critical facilities and federal authorities are now also included in the new draft. This means that these organisations are subject to strict security requirements and reporting obligations in order to ensure their cyber security. Traditional local authorities, on the other hand, remain exempt from these regulations for the time being. The aim of this distinction is to focus the measures on the areas with the highest risk and the greatest significance for national security and public order.

Another important aspect of the new draft bill is the introduction of registration obligations with the Federal Office for Information Security (BSI). Within three months of the law coming into force, affected companies must register with the BSI. The responsibility for determining whether a company is affected lies with the company itself. This means that each company must independently check whether it falls under the provisions of the Act, as there is no direct notification by the legislator. This personal responsibility requires companies to pay a high level of attention and have a thorough understanding of the legal requirements in order to fulfil their obligations and avoid possible sanctions.

The role of the BSI

The NIS2 Directive gives the BSI extended powers and responsibilities. As a control and implementation body, the BSI will play a central role in the monitoring and enforcement of IT security measures in future. Operators of critical infrastructures in particular will be obliged to provide the BSI with regular proof of compliance with security requirements. This evidence is intended to ensure that the highest standards of IT security are maintained.

The BSI reserves the right to carry out random checks on other infrastructures that are not classified as critical. These checks are intended to ensure that the necessary security measures are also implemented in less sensitive areas. This combination of full monitoring of critical operators and random checks of other facilities is intended to achieve a high level of security across the entire area of networks and information systems.

Differences in national implementation

Although the EU directive provides for uniform regulations for all member states, there is still some scope for national adjustments. However, these deviations from the EU requirements are only permitted in special circumstances to ensure that the fundamental objectives of the directive are not undermined.

The national implementation law integrates existing laws such as the BSI Act and the Energy Industry Act and adapts them accordingly. This integration is intended to ensure that the new requirements of the NIS2 Directive fit seamlessly into the existing legal framework. These adjustments are necessary to ensure the efficiency and coherence of security measures, taking into account existing legal structures and responsibilities.

Challenges and personal responsibility

Companies should address the requirements of the new regulations at an early stage, as no long transition periods are envisaged once the law comes into force. Although the BSI will grant companies a certain grace period, it is still advisable not to wait until the last minute to implement the new regulations. A proactive approach to cyber security is essential.

Cyber security should be understood as an ongoing process, similar to a model railway that is never really finished. Constant adjustments and improvements are required to counter the ever-changing threats. Organisations must therefore always be vigilant and regularly review and adapt their security measures in order to meet the high standards of the NIS2 directive and effectively protect their systems.

We also have several podcast episodes on NIS2 that provide comprehensive support and in-depth insights.