The European Parliament approved the Network and Information Security 2 Directive (“NIS 2”) last year, expanding the scope of the Network and Information Security Directive (“NIS”). Now Germany has introduced the draft of the “NIS 2 Implementation and Cyber Security Strengthening Act,” which previews the approach the German government may take – an approach that other Member States may follow. EU Member States have until 17 October 2024 to enact NIS 2 into national legislation.

Here is a look at several ways the German NIS 2 legislation may impact businesses.  

1. Who is NIS 2 likely to impact in Germany?

NIS 2 sought to expand the scope of NIS to cover all sectors deemed “critical for the economy and society,” including digital service providers, communications providers, healthcare services, pharmaceutical and medical device manufacturers. Those entities were to be defined as either “essential” or “important.” The proposed draft in Germany identifies three categories:

• Operators of Critical Systems (“OCS”).
• Operators of Essential Services (“OES”).
• Operators of Important Services (“OIS”).

Additional proposals have suggested encompassing digital service providers and companies of “special public interest,” and the definitions are likely to evolve. Businesses directly subject to the German NIS 2 legislation need to prepare – and vendors servicing these companies should assess to what extent they should adapt their services so customers subject to the NIS 2 legislation can continue using their services.

In addition to substantive amendments to the BSIG (Law on the Federal Office for Information Security), the proposed draft introduces reforms to the Federal Office for Information Security.

2. What measures will German organisations impacted by NIS 2 need to take?

The proposed draft contains a list of requirements. The level of sophistication of the measures varies based on whether an organisation is deemed to be an OES or OIS, with the more stringent requirements being imposed on an OES. Requirements include:

• Incident handling protocols.
• Vulnerability identification, management, patching and disclosure.
• Cybersecurity risk management procedures.
• Cryptography and encryption.
• Access control management.
• Multi-factor authentication and secured communications systems.
• Clear contractual agreements to ensure supply chain security.

3. What are the proposed incident reporting requirements in Germany?

NIS 2 will also require “essential” and “important” operators to notify a competent authority without undue delay of any cybersecurity incident that has a “significant” impact on the provision of their services. Notably, the focus is not on personal data but on service delivery.

The proposed draft outlines a four-stage reporting process:

1. Initial report – within 24 hours.
2. Updated report – within 72 hours.
3. Final report – within one month.
4. Additional responses to competent authorities.

4. What are the consequences for non-compliance in Germany under the proposed draft?

The potential maximum fines for non-compliance could reach either (i) €10 million or 2% of global annual turnover for “critical” and “essential” operators or (ii) €7 million or 1.4% of global annual turnover for “important” operators.

Additional violations of enforcement actions may trigger fines of up to €20 million.

Notably, where non-compliance with NIS 2 may also involve a personal data breach, authorities will not impose fines under both the NIS2 and EU GDPR regimes if the breach arises from the same security event and a data protection supervisory authority has already imposed a fine.

5. How does the proposed draft develop the position on management responsibility proposed by NIS 2?

The draft brings responsibility for cybersecurity to management, which can be held liable for damages arising from a failure to comply with reasonable duties for cybersecurity. Additional commentary indicates that such “damage” will include fines and claims.

Further, the proposed draft states that management bodies may not delegate cybersecurity obligations to third parties and that the organisation may not waive such claims to protect management. The proposal also suggests that the German cyber security authority, BSI, may limit management from performing tasks until certain violations are remedied.

The draft act in Germany represents the first indication of how a Member State perceives NIS2 should be transposed into local law, with a heavy focus on management responsibility. The draft will serve as guidance for organisations in Germany – and could signal the approach other Member States may take.

The proposed draft outlines minimum cybersecurity requirements. Organisations should assess their practices against the proposed requirements and take the opportunity to bolster cybersecurity preparedness.