The sharp rise in cybercrime, against which the authorities in particular are largely powerless, is one of the greatest challenges of our time. Vital facilities are also severely affected due to a lack of preparation and comparatively low resilience. This leads to considerable operational restrictions, production stoppages and – in the case of the insidious ransomware attacks – high ransom payments.

Against this background, the European legislator has issued the NIS2 Directive, which regulates the cyber and information security of certain companies and institutions. In Germany there is already a complex draft bill for its implementation; it is expected to be adopted sooner rather than later and will then become binding for companies. Companies are therefore well advised to deal with this new IT security law in good time, because the obligations arising from the NIS2 Directive and the German implementation law will affect significantly more companies than before. You should first check whether your company will be affected by the German NIS2 implementation. If it is, the question arises as to how your company can prepare accordingly. These questions are answered in the following blog post.

A. Who falls under the German NIS2 implementation?

The answer to this question already shows the complexity of the new regulations, which are based on multiple levels of cross-reference and also overlap with each other. In future there will be the following classification:

1. Operator of “critical systems” = highest qualification level

Facilities in the energy, traffic and transportation, banking, financial market infrastructure, healthcare, drinking water, wastewater, food, digital infrastructure and municipal waste disposal sectors. The facilities must be of great importance for the functioning of the community, for which qualitative and quantitative criteria are introduced.

2. Particularly important facilities

Large companies that belong to the energy, traffic and transportation, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, management of ICT services (B2B) or space sectors.

Medium-sized companies as providers of telecommunications (TC) services or publicly accessible TC networks.

Qualified trust service providers, top-level domain name registries or DNS service providers regardless of their company size.

3. “only” important facilities = lowest qualification level

This category is defined very broadly and considerably increases the number of companies affected.

Medium-sized and large companies in the energy, transport and traffic, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, management of ICT services (B2B), space, logistics, municipal waste, production, chemicals, food, manufacturing, digital service providers and research sectors.

Trust service providers are also included.

B. What obligations do companies have?

The obligations are defined according to the respective classification in the above categorization. Crucially, however, even the lowest classification has to fulfill almost all of the obligations; for critical facilities, essentially only the standards are set higher.

In detail, these are:

1. A registration obligation subject to fines.

2. The introduction of comprehensive IT risk management to ensure IT security. The following minimum requirements must be met:

  • Concepts relating to risk analysis and security for information systems and for dealing with security incidents,
  • Business continuity, such as back-up management and disaster recovery, and crisis management,
  • Security of the supply chain, including security-related aspects of the relationships between individual entities and their direct suppliers or service providers,
  • Security measures in the acquisition, development and maintenance of information technology systems, components and processes, including management and disclosure of vulnerabilities,
  • Concepts and procedures for assessing the effectiveness of risk management measures in the area of cyber security,
  • Basic cyber hygiene procedures and cyber security training,
  • Concepts and procedures for the use of cryptography and encryption,
  • Personnel security, access control concepts and system management,
  • Use of solutions for multi-factor authentication or continuous authentication, secure voice, video and text communication and, if necessary, secure emergency communication systems within the facility.

3. Extensive reporting obligations, including informing the public.

4. Compliance and liability of managing directors, which means that ensuring corporate IT security finally becomes a management issue.

C. Sensible approach

I. Step 1: Classification into the new categorizations

The first step is to classify your company according to the new categorizations (see in detail under A.) in order to determine which specific obligations your company will have to comply with.

II. Step 2: Review of your existing technical and organizational measures and examination of further obligations arising from the German NIS2 implementation

Appropriate measures are expected in areas such as cyber security, risk management, incident management, supply chain security, network security and cryptography as well as access control. Consequently, you must critically review your company’s existing technical and organizational measures (TOMs) to determine whether they meet the new requirements mentioned above and, if necessary, adapt them and the IT security organization to the increased requirements. Certifications such as ISO 27001 or BSI IT-Grundschutz can provide a good basis for this.

Specifically, companies will have to deal with the following topics:

  • The new obligation to register, which is subject to fines.
  • TOMs must ensure the availability, integrity, authenticity and confidentiality of information technology systems, components and processes.
  • Companies must ensure business continuity even in the event of major cyber or information security incidents. This includes practised emergency procedures and resilient organizational structures.
  • The establishment of processes for the immediate reporting of security incidents to the responsible authority (usually the BSI).
  • Training and informing the management so that it can approve the risk management measures in the area of IT security and monitor their implementation.

As some of the measures have not yet been specified in detail, companies should keep a close eye on the legislative process and seek advice if necessary. An exchange with other comparable companies can be helpful.

D. Outlook and advice

The national implementation of NIS2 must be completed by 17.10.2024, but the parliamentary process should be completed by 30.11.2023. A further timetable or any deadlines for the companies concerned are not yet known, but it can be assumed that the obligations will be implemented in the near future.

It is crucial that your company is able to tackle the implementation in a targeted manner right from the start.

I will be happy to work with you in workshops to establish the status quo, define the specific steps with you and support their practical, legally compliant implementation. You can benefit from my many years of practical experience as a lawyer and IT specialist: after more than 25 years as a software developer and IT consultant with advanced training in cyber security and a teaching position at the Baden-Württemberg Police University on the subject of cybercrime, I am very familiar with both IT security and the language of technicians, so that I can get involved with you immediately and support you without time-consuming “translation processes”.

I look forward to meeting you!

planit legal falk müller

Falk W. Müller

Lawyer

Email: falkw.mueller@planit.legal
Phone: +49 (0) 40 609 44 190