NIS2 Directive: New draft implementing regulations published
The Network and Information Security Directive 2.0 (“NIS2 Directive”), which was adopted at the end of 2022, is still the subject of extensive discussions on legal policy. It requires companies in certain sectors and industries above a certain company or group size to implement cybersecurity risk management measures. As a European directive, the NIS2 Directive is not directly applicable to companies, but must first be implemented by the EU Member States in their national jurisdictions. National legislators have until 17 October 2024 to do so.
German Implementation Act
Since the adoption of the NIS2 Directive, the Federal Ministry of the Interior and Community (“Ministry”) has been working on the German implementation act (NIS-2 Implementation and Cyber Security Reinforcement Act – NIS2UmsuCG), which provides for a comprehensive revision of the German Act on the Federal Office for Information Security. Several ministerial drafts have been published since mid-2023; Noerr was also involved in the third draft of 7 May 2024 via the Bundesverband IT-Sicherheit e. V. (German Federal IT Security Association) by contributing to the association’s written opinion submitted as part of the association hearing.
On 26 June 2024, the Ministry published what is now the fourth ministerial draft as of 24 June 2024 (full text available here, comparison with the third ministerial draft available here).
Interesting changes have been made with regard to the liability of the management of NIS2-regulated entities. The third ministerial draft still stipulated that any waiver by an entity of claims for damages against the management would be invalid. Settlement of such claims should only be permitted to a limited extent. These provisions have now been removed again in the fourth ministerial draft. Nevertheless, the new draft continues to emphasise the legal risks for the management. According to the new wording in the law, managing directors would have to “implement” risk management measures. Whether such a broad obligation can and should be maintained seems unclear in terms of legal policy.
In addition, the latest ministerial draft contains welcome clarifications for entities that are also regulated by other legislation due to the industry they are in, such as the energy or telecommunications sectors.
While experts and the Federal Office for Information Security had previously assumed that the German legislator would exceed the implementation deadline of 17 October 2024 by several months, the Ministry is now applying pressure and has placed the cabinet consultation regarding the NIS2 Implementation Act on the agenda for the cabinet meeting on 24 July 2024. However, it remains to be seen whether the Act will actually come into force on time, and that will depend in particular on how comprehensively the ministerial draft to be adopted is debated in the Bundestag and Bundesrat.
Commission implementing regulation for entities in digital sectors
In addition, on 27 June 2024 the European Commission issued its draft implementing regulation specifying the obligations for entities that fall within the NIS2 sectors of digital infrastructure, managed service providers (B2B) and digital service providers. First, the draft specifies the technical and methodological requirements for the risk management measures to be implemented by these entities. Second, it specifies the cases in which a security incident is considered to be “significant” and must therefore be reported to the competent authority.
Although the implementing regulation only applies to entities in the above digital sectors (including providers of cloud computing services, data centre services, online marketplaces and managed service providers), it indicates to all NIS2-regulated entities how at least the European Commission interprets individual risk management measures. It is also quite likely that the supervisory authorities will at least be guided by this.
When the draft was published, the Commission launched a public consultation on the implementing regulation; this consultation phase will run until 25 July 2024. While the implementing regulation will in principle be directly applicable in all EU Member States from 18 October 2024, German companies will only have to implement risk management measures once the German NIS2 Implementation Act comes into force.
Entities can use our NIS2 Checker to check free of charge and without obligation whether they are likely to fall within the scope of the NIS2 Directive.