NIS2 in Germany

EU NIS2 will be transposed in Germany into national law by the NIS2UmsuCG, the NIS2 implementation law. As in other EU member states, it is expected to come into force in late 2024. It transposes EU minimum requirements for cybersecurity of the EU NIS2 directive into German regulations and laws and extends them.

  1. Operators
  2. Cybersecurity
  3. Information
  4. Roadmap
  5. in German

The draft law has passed the consultation and awaits the federal legislative process by October 2024. The NIS2UmsuCG is an amendment act that changes existing German CIP laws. In addition to NIS2, there will be another law, KRITIS-DachG, that will regulate operators. NIS2 will affect at least 30 thousand companies in Germany, according to official estimates.

This is the English version of an article on German NIS2 implementation law, based on draft law from December 2023. Articles § cited refer to this draft law. Many links to further information point to German articles with more details.

EU NIS2 Summer School

Workshop: German Critical Infrastructures in English

An introduction to German KRITIS and NIS2 regulation. (S24.2)
Summer School ∙ Module S24.2 ∙ English ∙ 11 June 2024 online

Implementation in Germany

Current status

As of Spring 2024, there have been (at least) four draft laws in various states of finalization for the German NIS2 implementation NIS2UmsuCG.

The current roadmap for new drafts of the law as well as the formal dates of publication and commencement are currently unclear. If the deadline of October will be kept is not sure.

up

Regulated operators

Companies in Germany

Affected companies in Germany are split into three groups: critical infrastructure operators (former KRITIS operators, in the following referred to as operators), essential entities (besonders wichtige Einrichtungen), and important entities (wichtige Einrichtungen).

The German regulation will classify essential and important entities based on their number of employees, yearly turnover and balance. Companies are affected if they operate in one of the sectors specified in the annex of their group.

  1. Very important (essential) entities based on company size in NIS sectors 1
       companies with ≥ 250 staff or
       companies with ≥ 50m EUR revenue und assets ≥ 43m EUR
       special cases: qTSP, TLD, DNS, telco, critical facilities, central government
  2. Important entities based on company size in NIS sectors 1 2
       companies with ≥ 50 staff or
       companies with ≥ 10m EUR revenue und assets ≥ 10m EUR
       trust services
  3. Operators of critical facilities (KRITIS) are still regulated based on KRITIS methods with individual infrastructure assets
       Critical facilities above threshold (usually ≥ 500k supplied persons)
  4. Some federal entities are also regulated with separate requirements

up

Entities and operators

Essential and important entities

Essential entities §28 (1) are large enterprises operating in certain sectors, some companies independet of their size and operators of critical infrastructures. Important entities §28 (2) are large and medium enterprises in a broad spectrum of sectors.

Based on own analysis of German law, December 2023
Entity Size Sectors
Essential
§28 (1)
Large enterprises
in annex 1
Energy, Transport, Finances/Insurances, Health, Water/Waste Water, IT and Telecommunications, Space
size-independent Qualified trust services, TLD registries, DNS services
Medium enterprises Providers of public telecommunication networks and services
size-independent Operators of critical infrastructure (KRITIS operators)
Important
§28 (2)
Medium enterprises
in annex 1
Energy, Transport, Finances/Insurances, Health, Water/Waster Water, IT and Telecommunications, Space
Large enterprises
Medium enterprises
in annex 2
Postal/Courier, Municipal Waste, Chemistry, Food, Manufacturing, Digital Services, Research
size-independent Trust Services

up

Company sizes

Companies regulated as entities are differentiated by their size: employees, annual revenue (turnover) and annual balance. NIS2 very important (essential) entities are defined in §28 (1) and important entities in §28 (2).

Entity Sectors Size Employees Revenue and balance
Very important 1   Large enterprises
  Large enterprises
≥ 250

≥ 50m + ≥ 43m EUR
Important 1 2   Medium enterprises and up
  Medium enterprises and up
≥ 50
≥ 10m + ≥ 10m EUR

German NIS2 rules will include more companies than original EU NIS2 rules: Companies will be identified by either employees or financial data, not and like in EU NIS2.

up

Infrastructure operators

Existing German critical infrastructures (KRITIS), will be called operators of critical facilities in NIS2. §28 (5) German KRITIS methodology with KRITIS sectors, critical services and facilities with thresholds is retained. Operators will also become essential entities. §28 (1) No. 4

Based on own analysis of German law, December 2023
Operator Size Sectors
Critical Facility
§28 (5)
Facility above
threshold
§28 (6)
Energy, Transport, Finance/Insurance, Health, Water, Food, IT and Telco, Space, Municipal waste

up

NIS2 Sectors

German NIS2 defines two groups of sectors: Sectors for entities are defined in Annex 1 and 2 and KRITIS sectors for critical facilities in §28 (6). Sectors for entities are split into sectors of high criticality, annex 1, and other critical sectors, annex 2.

Based on own analysis of German law, December 2023
KRITIS Sectors of High Criticality 1 Other Critical Sectors 2
Energy Energy
Power supply, district heating/cooling, fuel/heating oil, gas
Transport Transport
Air, rail, shipping, road
Transport
Postal and courier
Finance/Insurance Finance/Insurance
Banks, financial market infrastructure
Chemistry
Trade, Production
Health Health
Services, reference laboratories, R&D, pharma (NACE C 21), Medical devices
Research
Research institutions
Water Water/Waste water
Drinking water, waste water
Manufacturing
Medical/diagnostics; IT, electronics, electrics, optical (NACE C 26 and 27); Mechanical engineering (NACE C 28), vehicles/parts (NACE C 29), vehicle construction (NACE C 30)
IT and Telco IT and Telecommunications
IXPs, DNS, TLD, cloud providers, data center services, CDNs, TSP, electronic communication/services, managed services and security services
Digital Services
Marketplaces, search engines, social networks
Space Space
Ground infrastructures
Food Food
Wholesale, production, processing
Municipal waste Municipal waste
Waste management

up

Cybersecurity

Obligations

The requirements for critical infrastructures and entities will change significantly with NIS2 in Germany. The existing KRITIS obligations under the BSI law (BSIG from 2021) will be retained in their basic form but will be extended and restructured significantly.

Based on own analysis of German law, December 2023
*   implicit, as operators of critical facilities are also essential entities
Requirement Operator of
Critical Facilities
Essential Entity Important Entity
Scope Facility Company Company
Risk management measures §30 *
Higher standards for KRITIS §31 (1)
Attack detection (SzA) §31 (2)
Reporting §32 *
Registration §33 §34
Information (customers) §35 *
Governance §38 *
Audits §39 partly (§64) partly (§65)

Exclusions

There are several exceptions and special rules for companies regarding NIS2 requirements.

Based on own analysis of German law, December 2023
Additional individual exclusions are possible, *   the DORA exclusions are somewhat complex
Exclusion from Entity Section
Security measures §30 (2) DNS, TLD, Cloud Computing, Data Centers, CDNs, Managed Services and Security Services, Online Marketplaces and Search Engines, Social Networks, Trust Services
needs to be handled with an EU implementing act
§30 (3)
KRITIS requirements
reporting obligations
information obligations
evidence/audit
§§31, 32, 35, 39
Public telecommunications networks and services §28 (4)
Energy supply networks and energy facilities §28 (4)
Companies under DORA (EU) 2022/2554* §28 (4)
Obligations and measures Companies under DORA (EU) 2022/2554*
gematik (German healthcare telematics)
§28 (1)
Risk management and reporting obligations §§30,32
+ registration §§33-34
National security, public security, defense, law enforcement
+ when exclusively operating in the above-mentioned sectors
§37

up

Security and risk management

Very important (essential) and important entities must take appropriate, proportionate and effective technical and organizational measures to protect the IT and processes of their services to avoid incidents, disruptions and to minimize the impact of disruptions. §30 (1)

Entities should take into account their risk exposure, size, implementation costs, probability of occurence and severity of security incidents and social and economic impact. §30 (1)

Measures

The measures to be implemented by operators and entities must be based on an all-hazards approach and should take European and international standards into account. The measures should comply with the state of the art and must cover at least the following topics: §30 (2)

Documentation

Entities must document the implementation of their security measures. §30 (1)

Sector regulation

Some sectors are partially excluded from the risk management requirements in §30 and §31. For these sectors, corresponding measures will be specified in equivalent sector regulation.

Official guidance

Detailed guidance for implementing measures by the EU, BSI, or public associations is not yet known, but there will certainly be developments throughout 2024. Similarly, there are still no official adaptions of existing Cybersecurity Standards such as ISO 27001 or C5 to NIS2 available.

Existing ISMS certifications will generally not be sufficient for NIS2 requirements – the scope of NIS2 could go beyond existing certificates, and the mentioned measures are sometimes deeper and broader than typical frameworks.

Previous German KRITIS practice encouraged ISO 27001 in critical infrastructures, but usually demanded more from operators than vanilla ISO or limited scopes.

EU Implementing acts

According to Article 21 (5) of NIS2, the Commission can issue specific technical and method requirements in Implementing Acts, which then become directly binding and take precedence over the requirements in §30 (2) from German law. §30 (4) If the legal acts are not exhaustive, the German Federal Ministry of the Interior can issue its own specifications. §30 (5)

For operators of DNS, TLD, Cloud Computing, Data Centers, CDNs, Managed Services and Managed Security Services, Online Marketplaces, Search Engines, Social Networks, and Trust Services, the EU Commission will establish binding measures in a separate Implementing Act by October 2024, §30 (2) only applies to them secondarily. §30 (3)

Critical facilities

For operators of critical facilities (KRITIS), higher standards and additional requirements apply when selecting measures and assessing adequacy:

up

Reporting

Registration and contact

Entities and operators must self-identify and register with the regulation authority BSI. There are more specific registration rules for certain companies. §33 §34

Essential and important entities as well as DNS registries must register with the BSI within three months, including: Name, legal form, contact details, email/telephone, IP address ranges, sector and sub-sector, EU countries with business activities. §33 (1)

Operators of critical facilities must provide additional information during registration. §33 (2) Registration with another government authority, the BBK, via the KRITIS-DachG is not entirely clear.

Changes to the data as specified in (1) and (2) must be reported annually to the BSI, all other information immediately, within two weeks. §33 (5)

The BSI can register essential and important entities as well as DNS registries on its own powers. For this, the BSI may request documents and details. §33 (2) (6)

Some operators defined in §63 must register with the BSI by January 17, 2025, §34, this includes DNS and TLD, Cloud Computing, Data Centers, CDNs, Managed Service Providers and Managed Security Service Providers, Online Marketplaces, Search Engines, Social Networks, when the main establishment in the EU is in Germany.

up

Notifications

With NIS2, affected entities have many information and reporting obligations that go beyond the existing §8b BSIG reporting obligations (KRITIS).

Security incidents

Essential entities (including operators of critical facilities) and important entities must report security incidents to the BSI   within very short deadlines (24 hours) and with incremental follow-up reports: §32

The BSI establishes the reporting option in agreement with the BBK, for NIS2 and the KRITIS-DachG. The BSI may issue further provisions on the reporting procedure. §32 (4)

Customers and public

In the event of significant security incidents, the BSI may instruct essential and important entities to inform their customers (recipients of their services). §35 (1)

Entities in the financial and insurance sectors, information technology and telecommunications, ICT services, and digital services must immediately inform potentially affected customers of a significant cyber threat, including possible countermeasures that customers may need to take. §35 (2)

The BSI will respond, if possible, within 24 hours of receiving a notification from companies, possibly with queries, offers of support, and information. §36 (1) If raising public awareness is necessary or in the public interest, the BSI may inform the public or ask the company to do so. §36 (2). This also applies if the company is a federal entity. §4 (3)

Information exchange

Essential entities must participate in information exchange through the central exchange platform of the BSI within one year of the entry into force of German NIS2 law. §30 (7)

up

Evidence and audits

Operators of critical facilities must demonstrate the implementation of NIS2 measures to the BSI every three years. Depending on their own registration, audits must then be conducted every three years, similar to existing KRITIS compliance audits.

Based on own analysis of German law, December 2023
Operators of Critical Facilities Entities
Essential Important
Law NIS2UmsuCG DachG NIS2UmsuCG NIS2UmsuCG
Timeframe from 2024 from 2026 from 2024 from 2024
Requirement §39 (1) §11 §64 §65
Form Audits Audits Sampled by BSI
Content IT Security
Reporting Obligations
IDS
Resilience IT Security
Reporting Obligations
IT Security
Reporting Obligations
Scope Critical Facility Critical Facility Company Company
Frequency every three years Sample Sample as needed
Recipient BSI BBK BSI BSI

Operators of critical facilities

Operators of critical facilities must provide evidence for the measures according to §30(1), §31, and §31(2) Attack Detection (Angriffserkennung) through Audits, Inspections, or Certifications every three years to the BSI, as previously done in KRITIS audits. §39(1)

For operators already being audited as KRITIS operators, the BSI will set the deadline for providing evidence to at least three years after the provision of the last evidence according to §8a(3) BSIG – so the next submission might be postponed by a year.

The BSI has the authority to independently audit operators of critical facilities as essential entities §64 and can establish requirements for audits. §39(2)

Entities

Entities must document the implementation of the measures. §30 (1) They are not required to regularly provide audits to the BSI for the implementation of §30 measures and §32 reporting obligations after registration. The BSI can, however, compel entities to undertake audits, request evidence, and conduct their own audits. §64 (1) (3) (5)

The BSI has enforcement rights for evidence from essential and important entities. §64 §65

When selecting entities, the BSI should proceed in a risk-oriented manner, taking into account the extent of risk exposure, the size of the entity, the likelihood and severity of potential security incidents, as well as their possible societal and economic impact. §64 (4)

The BSI can establish requirements for these audits. §64 (2)

up

Roadmap

Legislation

The German NIS2 Implementation law was planned to come into force in October 2024 to supersede the existing KRITIS regulation (BSIG 2021). Drafts of the law have been public since Summer 2023. It is not yet clear if the October 2024 deadline will be kept.

German NIS2 progress, March 2024
Version Status Date Responsible
NIS Deadline implementation May 2018 EU member states
IT security act 2.0 In force May 2021 Federal council
NIS2 EU 2022/2555 Final Dec 2022 EU
NIS2 Implementation Law Draft Apr 2023 Interior ministry
NIS2 Implementation Law Draft Jul 2023 Interior ministry
NIS2 Implementation Law Discussion paper Sep 2023 Interior ministry
NIS2 Implementation Law Draft Dec 2023 Interior ministry
NIS2 Implementation Law Announcement not clear Parliament
Ordinances missing not clear Interior ministry
NIS2 Implementation Law In force planned Oct 2024 Parliament
NIS2 Implementation Law In force not clear Federal gazette
NIS2 Deadline implementation Oct 2024 EU member states

up

Deadlines

Various deadlines for the implementation of the obligations are specified in the law. The NIS2 Implementation law NIS2UmsuCG is set to come into effect in October 2024 – still TBC.

Essential entities

Important entities

Operators of critical facilities

up

Additional legislation

Various requirements of the NIS2UmsuCG are intended to be specified or defined by one or more legal ordinances (KRITIS-Verordnungen): §57

The regulation is intended to be defined in accordance with the KRITIS-DachG and consolidate operators and entities in one regulation so that affected companies can find relevant categories and thresholds in a single table.

A draft of the regulation(s) is not yet available.

EU Requirements and Implementing Acts

The EU Commission may issue its own requirements through Implementing Acts to define the measures in §30(2), which would take precedence over national law, generally in §30(4) and specifically for certain IT operators in §30(3).

If this does not occur, the German Federal Ministry of the Interior will issue technical, methodological, and sectoral definitions for clarification purposes. §30(5)

Industry Standards

Essential entities, including operators of critical facilities, can continue to propose sector-specific security standards (B3S) for implementing the measures in §30(1). The BSI determines the suitability of the B3S. §30(9)

up

Further Information

Most of these links and documents are in German (DE).

Literature

  1. Statement BSI   Cybersecurity   Responsibilities and Tools in the Federal Republic of Germany, Bundestag, public hearing Committee on Digital Affairs, January 25, 2023
  2. Update for European Cyber Security, Mit Sicherheit   BSI Magazin 2022/02, December 14, 2022
  3. Draft by the BMI: NIS2UmsuCG, various versions, AG KRITIS 2023

Sources

  1. Workshop Discussion Paper, by the BMI for economic-related regulations for the implementation of the NIS-2 Directive, German Federal Ministry of the Interior, Intrapol, October 26, 2023
  2. Discussion Paper by the Federal Ministry of the Interior and for Homeland   NIS2UmsuCG, third draft, AG KRITIS, September 27, 2023
  3. Draft by the BMI: NIS-2 Implementation and Cybersecurity Strengthening Act   NIS2UmsuCG, draft law for the implementation of the NIS-2 Directive and the regulation of essential aspects of information security management in federal administration, AG KRITIS, July 3, 2023
  4. Draft by the BMI: NIS-2 Implementation and Cybersecurity Strengthening Act   NIS2UmsuCG, draft law for the implementation of the NIS-2 Directive and the regulation of essential aspects of information security management in federal administration, Intrapol, April 3, 2023
  5. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), December 27, 2022
  6. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), December 27, 2022