News

NIS2 Directive: New draft implementing regulations published

28.06.2024

The Network and Information Security Directive 2.0 (“NIS2 Directive”), which was adopted at the end of 2022, is still the subject of extensive discussions on legal policy. It requires companies in certain sectors and industries above a certain company or group size to implement cybersecurity risk management measures. As a European directive, the NIS2 Directive is not directly applicable to companies, but must first be implemented by the EU Member States in their national jurisdictions. National legislators have until 17 October 2024 to do so.

German Implementation Act

Since the adoption of the NIS2 Directive, the Federal Ministry of the Interior and Community (“Ministry”) has been working on the German implementation act (NIS-2 Implementation and Cyber Security Reinforcement Act – NIS2UmsuCG), which provides for a comprehensive revision of the German Act on the Federal Office for Information Security. Several ministerial drafts have been published since mid-2023; Noerr was also involved in the third draft of 7 May 2024 via the Bundesverband IT-Sicherheit e. V. (German Federal IT Security Association) by participating in an opinion as part of the association hearing.

On 26 June 2024, the Ministry published what is now the fourth ministerial draft as of 24 June 2024 (full text available here, comparison with the third ministerial draft available here).

Interesting changes have been made with regard to the liability of the management of NIS2-regulated entities. The third ministerial draft still stipulated that any waiver by an entity of claims for damages against the management would be invalid. Settlement of such claims should only be permitted to a limited extent. These provisions have now been removed again in the fourth ministerial draft. Nevertheless, the new draft continues to emphasise the legal risks for the management. According to the new wording in the law, managing directors would have to “implement” risk management measures. Whether such a broad obligation can and should be maintained seems unclear in terms of legal policy.

In addition, the latest ministerial draft contains welcome clarifications for entities that are also regulated by other legislation due to the industry they are in, such as the energy or telecommunications sectors.

While experts and the Federal Office for Information Security had previously assumed that the German legislator would exceed the implementation deadline of 17 October 2024 by several months, the Ministry is now applying pressure and has placed the cabinet consultation regarding the NIS2 Implementation Act on the agenda for the cabinet meeting on 24 July 2024. However, it remains to be seen whether the Act will actually come into force on time, and that will depend in particular on how comprehensively the ministerial draft to be adopted is debated in the Bundestag and Bundesrat.

Commission implementing regulation for entities in digital sectors

In addition, on 27 June 2024 the European Commission issued its draft implementing regulation specifying the obligations for entities that fall within the NIS2 sectors of digital infrastructure, managed service providers (B2B) and digital service providers. For one thing, the draft specifies the technical and methodological requirements for risk management measures to be implemented by these entities. Secondly, it specifies the cases in which a security incident is considered to be “significant” and must therefore be reported to the competent authority.

Although the implementing regulation only applies to entities in the above digital sectors (including providers of cloud computing services, data centre services, online marketplaces and managed service providers), it provides a trend for all NIS2-regulated entities as to how at least the European Commission interprets individual risk management measures. It is also quite likely that the supervisory authorities will at least be guided by this.

When the draft was published, the Commission launched a public consultation on the implementing regulation; this consultation phase will run until 25 July 2024. While the implementing regulation will basically be directly applicable in all EU Member States from 18 October 2024, German companies will only have to implement risk management measures once the German NIS2 Implementation Act comes into force.

Entities can use our NIS2 Checker to check free of charge and without obligation whether they are likely to fall within the scope of the NIS2 Directive.

Contact

Julian Monschke
Julian Monschke+49 69 971477179
Paul Vogel
Paul Vogel+49 89 28628542
Andreas Daum
Andreas Daum+49 89 28628466

Commerce & Trade
Data Tech and Telecoms
Digital Business
Cyber Risks

Share

Show all

Insights

modern glass building with pulse
News

NIS2 Directive: New draft implementing regulations published

28.06.2024
Processor Data Competence Center
News

Digital Markets Act: European Commission designates further gatekeeper and core platform services

31.05.2024
data center in server room
News

Data centres are the basis of all (further) developments of our time

28.05.2024
lights tunnel
News

Relevance of the DMA for online inter­mediation services

24.05.2024
hands bridge with pulse
News

EU merger control: European Commission takes stricter action against submission of incorrect, incomplete and misleading information

02.05.2024
focus with pulse
News

Role of the DMA for app developers

30.04.2024
glowing light spiral
News

Supply chain compliance: CSDDD and EU Forced Labour Regulation coming soon

26.04.2024
hand touching led wall screen
News

Data Compliance Governance

16.04.2024
compass with pulse
News

Data Act – Scope, Impact, Implementation

16.04.2024