NIS2 in Germany

EU NIS2 will be transposed into German national law by the NIS2UmsuCG, the NIS2 implementation law. As in other EU member states, it is expected to come into force in late 2024. It transposes the EU minimum requirements for cybersecurity from the NIS2 directive into German regulations and laws and extends them with German regulatory peculiarities.

The draft law has passed the consultation and awaits the federal legislative process by October 2024. The NIS2UmsuCG is an amendment that changes existing German CIP laws. In addition to NIS2, there will be another law, KRITIS-DachG, regulating operators. NIS2 will affect at least 30,000 companies in Germany, according to official estimates.

This is the English version of an article on the German NIS2 implementation law, based on the draft law from July 2024. Sections (§) cited refer to this draft law.

Implementation in Germany

Current status

There have been multiple draft laws in various states of finalization for the German NIS2 implementation NIS2UmsuCG. The law is developed by the Federal Interior Ministry, BMI.

Versions of NIS2UmsuCG, July 2024 (number, version, date, comment):
  1. Draft, April 2023
  2. Draft, July 2023
  3. Discussion paper, September 2023 (incomplete)
  3a. Machine room chat, October 2023 (at BMI)
  4. Draft, December 2023
  5. Formal draft, May 2024
  6. Formal draft, June 2024
  6. Formal draft, July 2024 (government version)

Entities will be regulated by the BSI, the Federal Agency for Cybersecurity. The roadmap for new drafts, the formal dates of publication and the commencement deadline are currently unclear.

National differences

There are several changes and peculiarities in the German implementation of NIS2:

Regulated operators

Companies in Germany

Affected companies in Germany are split into three groups: critical infrastructure operators (KRITIS operators), essential entities (besonders wichtige Einrichtungen), and important entities (wichtige Einrichtungen).

The German regulation classifies essential and important entities based on staff (FTE), yearly turnover and balance. Companies are affected if they operate in one of the NIS2 sectors.

  1. Essential entities, based on company size in NIS2 sectors of annex 1:
       companies with ≥ 250 FTE, or
       companies with > 50m EUR yearly revenue and balance > 43m EUR;
       special cases: qTSP, TLD, DNS, telco, critical facilities, central government
  2. Important entities, based on company size in NIS2 sectors of annex 1 and 2:
       companies with ≥ 50 FTE, or
       companies with > 10m EUR yearly revenue and balance > 10m EUR;
       trust services
  3. Operators of critical facilities (KRITIS) are still regulated based on the KRITIS methodology, with individual infrastructure assets:
       critical facilities above threshold (usually ≥ 500k supplied persons)
  4. Some federal entities are also regulated, with separate requirements

Entities and operators

Essential and important entities

Essential entities §28 (1) are large enterprises operating in certain sectors, some companies independent of their size, and operators of critical infrastructures. Important entities §28 (2) are large and medium enterprises in a broad spectrum of sectors.

Based on own analysis of German law, July 2024 (entity, size, sectors):
  Essential entities, §28 (1):
       large enterprises in annex 1: Energy, Transport, Finance, Health, Water/Waste Water, Digital Infrastructure, Space
       size-independent: qualified trust services, TLD registries, DNS services
       medium enterprises: providers of public telecommunication networks and services
       size-independent: operators of critical infrastructure (KRITIS operators)
  Important entities, §28 (2):
       medium enterprises in annex 1: Energy, Transport, Finance, Health, Water/Waste Water, Digital Infrastructure, Space
       large and medium enterprises in annex 2: Postal/Courier, Municipal Waste, Chemicals, Food, Manufacturing, Digital Services, Research
       size-independent: trust services

Company sizes

Companies regulated as entities are differentiated by their size: employees, annual revenue (turnover) and annual balance. NIS2 essential entities are defined in §28 (1) and important entities in §28 (2).

Entity, sectors, size, employees, revenue and balance:
  Essential entities: annex 1 sectors; large enterprises; ≥ 250 employees; > 50m + > 43m EUR
  Important entities: annex 1 and 2 sectors; medium enterprises and up; ≥ 50 employees; > 10m + > 10m EUR

Infrastructure operators

Existing German critical infrastructures (KRITIS) will be called operators of critical facilities under NIS2. §28 (6) The German KRITIS methodology, with KRITIS sectors, critical services and facilities with thresholds, is retained. Operators will also become essential entities. §28 (1) No. 1

Based on own analysis of German law, July 2024 (operator, size, sectors):
  Critical facility, §28 (6): facility above threshold, §28 (7); sectors: Energy, Transport, Finance/Insurance, Health, Water, Food, IT and Telco, Space, Municipal waste

NIS2 Sectors

German NIS2 defines two groups of sectors: sectors for entities are defined in annex 1 and 2, while KRITIS sectors for critical facilities are no longer defined in the law itself. Sectors for entities are split into sectors of high criticality, annex 1, and other critical sectors, annex 2.

Based on own analysis of German law, July 2024 (corresponding KRITIS sector in brackets where one exists):
  Sectors of high criticality, annex 1:
       Energy (KRITIS: Energy): power supply, district heating/cooling, fuel/heating oil, gas
       Transport (KRITIS: Transport): air, rail, shipping, road
       Finance (KRITIS: Finance/Insurance): banks, financial market infrastructure
       Health (KRITIS: Health): services, reference laboratories, R&D, pharma (NACE C 21), medical devices
       Water/Waste water (KRITIS: Water): drinking water, waste water
       Digital Infrastructure (KRITIS: IT and Telco): IXPs, DNS, TLD, cloud providers, data center services, CDNs, TSP, electronic communication/services, managed services and security services
       Space (KRITIS: Space): ground infrastructures
  Other critical sectors, annex 2:
       Postal and courier (KRITIS: Transport)
       Chemicals: trade, import (NACE 20)
       Research: research institutions
       Manufacturing: medical/diagnostics; IT, electronics, electrics, optical (NACE C 26 and 27); mechanical engineering (NACE C 28), vehicles/parts (NACE C 29), vehicle construction (NACE C 30)
       Digital Services: marketplaces, search engines, social networks
       Food (KRITIS: Food): wholesale, production, processing
       Municipal waste (KRITIS: Municipal waste): waste management

Cybersecurity

Obligations

The requirements for critical infrastructures and entities will change significantly with NIS2 in Germany. The existing KRITIS obligations under the BSI law (BSIG from 2021) will be retained in their basic form but will be extended and restructured significantly.

Own analysis of German NIS2UmsuCG, July 2024 (requirement: critical facilities / essential entity / important entity; * implicit, as operators of critical facilities are also essential entities):
  Scope: facility / company / company
  Risk management measures: §30 *
  Higher standards for KRITIS: §31 (1)
  Attack detection (SzA): §31 (2)
  Reporting: §32 *
  Registration: §33, §34
  Information (customers): §35 *
  Governance: §38 *
  Audits: §39 / partly (§61) / partly (§62)

Exclusions

There are several exceptions and special rules for companies regarding NIS2 requirements.

Own analysis of German NIS2UmsuCG, July 2024 (entity, section, exclusion):
  DNS, TLD, cloud computing, data centers, CDNs, managed services and security services, online marketplaces and search engines, social networks, trust services (sector IT), §30 (3): NIS2 measures §30 (2) (Implementing Act)
  Public telecommunications networks and services, and energy networks and energy facilities, §28 (4): KRITIS requirements, reporting, evidence, audit, §§30, 31, 32, 35, 36, 38, 39, 61, 62
  Companies under DORA (EU) 2022/2554, and German healthcare telematics, §28 (5): NIS2 and KRITIS reporting, customers, evidence, management, §§30, 31, 32, 35, 36, 38, 39
  National security, public security, defense, law enforcement, §37: risk management and reporting §§30, 32, plus registration §§33-34
  Federal administration (§29), §28 (1) and §28 (2): important and essential entities
  Public bodies, §28 (8)

Security and risk management

Essential and important entities must take appropriate, proportionate and effective technical and organizational measures to protect the IT and processes of their services, to avoid incidents and disruptions, and to minimize the impact of disruptions. §30 (1)

Entities should take into account their risk exposure, size, implementation costs, the probability of occurrence and severity of security incidents, and the social and economic impact. §30 (1)

Measures

The measures to be implemented by operators and entities must be based on an all-hazards approach and should take European and international standards into account. The measures should comply with the state of the art and must cover at least the following topics: §30 (2)

Entities must document the implementation of their security measures. §30 (1)

Sector regulation

Some sectors are partially excluded from the risk management requirements in §30 and §31. For these sectors, corresponding measures will be specified in equivalent sector regulation.

Official guidance

Detailed guidance for implementing measures by the German BSI or public associations is not yet known, but there will certainly be developments throughout 2024. Similarly, there are still no official adaptations of existing cybersecurity standards such as ISO 27001 or C5 to NIS2 available.

Existing ISMS certifications will generally not be sufficient for NIS2 – the scope of NIS2 may exceed existing certificates, and some measures go deeper.

There is an OpenKRITIS NIS2 mapping to ISO 27001:2022 controls as well as a mapping of the EU NIS2 Implementing Act.

EU Implementing acts

According to Article 21 (5) of NIS2, the Commission can issue specific technical and method requirements in Implementing Acts, which then become directly binding and take precedence over the requirements in §30 (2) from German law. §30 (4) If the legal acts are not exhaustive, the German Federal Ministry of the Interior can issue its own specifications. §30 (5)

For operators of DNS, TLD, Cloud Computing, Data Centers, CDNs, Managed Services and Managed Security Services, Online Marketplaces, Search Engines, Social Networks, and Trust Services, the EU Commission will establish binding measures in a separate Implementing Act by October 2024; §30 (2) only applies to them secondarily. §30 (3)

Critical facilities

For operators of critical facilities (KRITIS), higher standards and additional requirements apply when selecting measures and assessing adequacy:

Reporting

Registration and contact

Entities and operators must self-identify and register with the regulatory authority, the BSI. There are more specific registration rules for certain companies. §33 §34

Essential and important entities as well as DNS registries must register with the BSI within three months, including: Name, legal form, contact details, email/telephone, IP address ranges, sector and sub-sector, EU countries with business activities. §33 (1)

Operators of critical facilities must provide additional information during registration. §33 (2) Whether registration with the government authority BBK via the KRITIS-DachG is also required is not entirely clear.

Changes to the data specified in (1) and (2) must be reported to the BSI annually; all other information must be reported immediately, within two weeks. §33 (5)

The BSI can register essential and important entities as well as DNS registries on its own authority. For this, the BSI may request documents and details. §33 (2) (6)

Some operators defined in §60 must register with the BSI within three months. §34 This includes DNS and TLD, Cloud Computing, Data Centers, CDNs, Managed Service Providers and Managed Security Service Providers, Online Marketplaces, Search Engines and Social Networks, when their main establishment in the EU is in Germany.

Notifications

With NIS2, affected entities have many information and reporting obligations that go beyond the existing §8b BSIG reporting obligations (KRITIS).

Security incidents

Essential entities (including operators of critical facilities) and important entities must report security incidents to the BSI within very short deadlines (24 hours) and with incremental follow-up reports: §32

The BSI establishes the reporting option in agreement with the BBK, for NIS2 and the KRITIS-DachG. The BSI may issue further provisions on the reporting procedure. §32 (4)

Customers and public

In the event of significant security incidents, the BSI may instruct essential and important entities to inform their customers (recipients of their services). §35 (1)

Entities in the financial and insurance sectors, information technology and telecommunications, ICT services, and digital services must immediately inform potentially affected customers of a significant cyber threat, including possible countermeasures. §35 (2)

BSI will respond, if possible, within 24 hours of receiving a notification from companies, possibly with queries, offers of support, and information. §36 (1) If raising public awareness is necessary or in the public interest, the BSI may inform the public or ask the company to do so. §36 (2) This also applies if the company is a federal entity. §4 (3)

Evidence and audits

Operators of critical facilities must demonstrate the implementation of NIS2 measures to the BSI every three years. Depending on their own registration, audits must then be conducted every three years, similar to existing KRITIS compliance audits.

Based on own analysis of German NIS2UmsuCG, July 2024:
  Operators of critical facilities under NIS2UmsuCG: from 2025; requirement §39 (1); form: audits; content: IT security, notifications, SzA; scope: facility/entity; frequency: every three years; recipient: BSI
  Operators of critical facilities under DachG: from 2026; requirement §11; form: part of audits; content: resilience; scope: facility; frequency: sample; recipient: BBK
  Essential entities under NIS2UmsuCG: from 2024; requirement §63; form: sampled by BSI; content: IT security, notifications; scope: entity; frequency: sample; recipient: BSI
  Important entities under NIS2UmsuCG: from 2024; requirement §64; form: sampled by BSI; content: IT security, notifications; scope: entity; frequency: as needed; recipient: BSI

Operators of critical facilities

Operators of critical facilities must provide evidence for the measures according to §30, §31 and §38 through audits, inspections or certifications every three years to the BSI, as previously done in KRITIS audits. §39 (1)

For operators already being audited as KRITIS operators, the BSI will set the deadline for providing evidence to at least three years after the provision of the last evidence according to §8a(3) BSIG – so the next submission might be postponed by a year.

BSI has the authority to independently audit operators of critical facilities as essential entities §61 and can establish requirements for audits. §39 (2)

Entities

Entities must document the implementation of the measures. §30 (1) They are not required to regularly provide audits to the BSI for the implementation of §30 measures and §32 reporting obligations after registration. BSI can, however, compel entities to undertake audits, request evidence, and conduct their own audits. §61 (1) (3) (5)

BSI has enforcement rights for evidence from essential and important entities. §61 §62

When selecting entities, the BSI should proceed in a risk-oriented manner, taking into account the extent of risk exposure, the size of the entity, the likelihood and severity of potential security incidents, as well as their possible societal and economic impact. §61 (4)

The BSI can establish requirements for these audits. §61 (2)

Roadmap

Legislation

The German NIS2 Implementation law was planned to come into force in October 2024 to supersede the existing KRITIS regulation (BSIG 2021). Drafts of the law have been public since Summer 2023. It is not yet clear if the October 2024 deadline will be kept.

German NIS2 progress, July 2024 (version, status, date, responsible):
  NIS: deadline for implementation, May 2018, EU member states
  IT security act 2.0: in force, May 2021, Federal council
  NIS2 (EU) 2022/2555: final, Dec 2022, EU
  NIS2 Implementation Law: draft, Apr 2023, Interior ministry
  NIS2 Implementation Law: draft, Jul 2023, Interior ministry
  NIS2 Implementation Law: discussion paper, Sep 2023, Interior ministry
  NIS2 Implementation Law: draft, Dec 2023, Interior ministry
  NIS2 Implementation Law: draft, May 2024, Interior ministry
  NIS2 Implementation Law: draft, June 2024, Interior ministry
  NIS2 Implementation Law: draft, July 2024, cabinet approval
  NIS2 Implementation Law: announcement, not clear, Parliament
  KRITIS Ordinances: not clear, Interior ministry
  NIS2 Implementation Law: planned, Oct 2024, Parliament
  NIS2 Implementation Law: commencement, not clear, Federal gazette
  NIS2: deadline for implementation, Oct 2024, EU member states

Deadlines

Various deadlines for the implementation of the obligations are specified in the law. The NIS2 Implementation law NIS2UmsuCG is set to come into effect in October 2024 – still TBC.

Essential entities

Important entities

Operators of critical facilities

Additional legislation

Various requirements of the NIS2UmsuCG are intended to be specified or defined by one or more legal ordinances (KRITIS-Verordnungen): §56

The regulation is intended to be defined in accordance with the KRITIS-DachG and consolidate operators and entities in one regulation so that affected companies can find relevant categories and thresholds in a single table.

A draft of the regulation(s) is not yet available.

EU Requirements and Implementing Acts

The EU Commission may issue its own requirements through Implementing Acts to define the measures in §30 (2), which would take precedence over national law, generally in §30 (4) and specifically for certain IT operators in §30 (3).

If this does not occur, the German Federal Ministry of the Interior will issue technical, methodological, and sectoral definitions for clarification purposes. §30(5)

Industry Standards

Essential entities, including operators of critical facilities, can continue to propose sector-specific security standards (B3S) for implementing the measures in §30 (1). The BSI determines the suitability of the B3S. §30 (9)

Further Information

Most of these links and documents are in German (DE).

Literature

  1. Statement BSI: Cybersecurity, Responsibilities and Tools in the Federal Republic of Germany, Bundestag, public hearing of the Committee on Digital Affairs, January 25, 2023
  2. Update for European Cyber Security, Mit Sicherheit, BSI Magazin 2022/02, December 14, 2022
  3. Draft by the BMI: NIS2UmsuCG, various versions, AG KRITIS 2023

Sources

  1. Workshop Discussion Paper, by the BMI for economic-related regulations for the implementation of the NIS-2 Directive, German Federal Ministry of the Interior, Intrapol, October 26, 2023
  2. Discussion Paper by the Federal Ministry of the Interior and for Homeland: NIS2UmsuCG, third draft, AG KRITIS, September 27, 2023
  3. Draft by the BMI: NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), draft law for the implementation of the NIS-2 Directive and the regulation of essential aspects of information security management in federal administration, AG KRITIS, July 3, 2023
  4. Draft by the BMI: NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), draft law for the implementation of the NIS-2 Directive and the regulation of essential aspects of information security management in federal administration, Intrapol, April 3, 2023
  5. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), December 27, 2022