Implementation of NIS2 Directive on the horizon
In response to the growing threat posed by cyber attacks, the EU has enacted the NIS2 Directive, which Member States have to transpose into national law. The implementation of the NIS2 Directive is now getting closer in Germany (information in German on the government draft can be found here). The upper house of the German parliament (Bundesrat) will now be looking at the government draft for the first time, meaning that in a best-case scenario the lower house (Bundestag (German document)) will be able to take up its work before the end of September 2024.
The scope of application of the current German Act on the Federal Office for Information Security (BSI Act (BSI-Gesetz)) will be greatly expanded by the NIS2 Directive, leading to a multitude of additional companies being covered. Companies affected by these changes are advised to start familiarising themselves with the new rules, which will come into force in the near future, and to take appropriate measures.
Companies, and especially their legal departments, should start considering the following tasks right now (for more detailed information also see our past article):
- Define responsibilities: Who will coordinate things? Is it ensured that the management will take on the responsibility? What (new) roles need to be filled?
- Review the scope of application: Will my company fall under the scope of application of the relevant implementing statutes?
- Review your information security (detailed information in German can be found on the website of the Federal Office for Information Security): How secure is my business?
- Conduct reviews of contracts concerning the supply chain: Have all service providers been carefully selected? Are they monitored on a regular basis? Are the contracts with the service providers appropriate and balanced?
- Set up emergency plans: Do all the relevant people in the company know what measures to take in an emergency?
- Prepare training for the management and employees: Does the upper management possess the necessary knowledge?
European and German legislators have been extremely active in the field of digital regulation. This means that it is in the interests of companies to closely evaluate which existing or new laws apply to them.
If you would like to keep track of these laws, we recommend consulting our map of European digital law here. Information on cyber risks can be found here.