NIS2 in Germany

Current status

As of Spring 2024, there have been (at least) four draft laws in various states of finalization for the German NIS2 implementation NIS2UmsuCG. The law is developed and implemented by the Federal Interior Ministry (BMI).

• First law draft (Referentenentwurf) April 2023
• Second law draft July 2023
• Third draft (discussion paper) September 2023
• Interior ministry workshop (machine room talk) October 2023
• Fourth draft law December 2023 (current)

Entities will be regulated by the BSI, the Federal Agency for Cybersecurity. The roadmap for new drafts as well as the formal dates of publication and commencement are currently unclear. If the deadline of October will be kept is uncertain.

National differences XXX

There are several changes and peculiarities in the German implementation of NIS2: XXX

• Die deutsche KRITIS-Methodik mit Anlagen und Schwellenwerten bleibt als dritte Unternehmens­gruppe Betreiber kritischer Anlagen bestehen.
• Die NIS2 essential und important entities heißen auf deutsch besonders wichtige und wichtige Einrichtungen.
• Die Schwelle für Unternehmen liegt tiefer, da die Kriterien der Unternehmensgröße in Mitarbeitern und Umsatz einzeln zählen – es sind auch Unternehmen <50 Mitarbeitern potenziell betroffen (wenn der Umsatz ≥10 Mio. EUR ist).
• Die NIS2-Sektoren der Annexe I und II sind in Deutschland leicht unterschiedlich gefasst – ICT Service Management und Digital Infrastructure gehören in Deutschland zu IT/TK.
• Neben den NIS2-Sektoren gibt es weiter die bisherigen KRITIS-Sektoren, die leicht von NIS2 abweichen.
• Eine weitere Besonderheit betrifft den Sektor öffentliche Verwaltung in Deutschland. Im Diskussionspapier von September 2023 fehlt die genaue Auflistung der betroffenen Einrichtungen und Teilsektoren der öffentlichen Verwaltung. Nach Angaben des Dis­kus­si­ons­papiers sollen die Einzelheiten in Anhang 3 folgen, der noch nicht veröffentlicht wurde.
• Deutschland fasst mehrere Sektoren zusammen: Aus den EU-Sektoren Gas und Wasserstoff wird der Sektor Gasversorgung. Der Sektor IT und TK wird die EU-Sektoren Digitale Infrastruktur und Verwaltung von IKT-Diensten umfassen.

Companies in Germany

Affected companies in Germany are split into three groups: critical infrastructure operators (former KRITIS operators, in the following referred to as operators), essential entities (besonders wichtige Einrichtungen), and important entities (wichtige Einrichtungen).

The German regulation will classify essential and important entities based on their number of employees, yearly turnover and balance. Companies are affected if they operate in one of the sectors specified in the annex of their group.

1. Very important (essential) entities based on company size in NIS sectors 1
      companies with ≥ 250 FTE or
      companies with ≥ 50m EUR yearly revenue and balance ≥ 43m EUR
      special cases: qTSP, TLD, DNS, telco, critical facilities, central government
2. Important entities based on company size in NIS sectors 1 2
      companies with ≥ 50 FTE or
      companies with ≥ 10m EUR yearly revenue and balance ≥ 10m EUR
      trust services
3. Operators of critical facilities (KRITIS) are still regulated based on KRITIS methods with individual infrastructure assets
      Critical facilities above threshold (usually ≥ 500k supplied persons)
4. Some federal entities are also regulated with separate requirements

Entities and operators

Essential and important entities

Essential entities §28 (1) are large enterprises operating in certain sectors, some companies independet of their size and operators of critical infrastructures. Important entities §28 (2) are large and medium enterprises in a broad spectrum of sectors.

Company sizes

Companies regulated as entities are differentiated by their size: employees, annual revenue (turnover) and annual balance. NIS2 very important (essential) entities are defined in §28 (1) and important entities in §28 (2).

German NIS2 rules will include more companies than original EU NIS2 rules: Companies will be identified by either employees or financial data, not and like in EU NIS2.

Infrastructure operators

Existing German critical infrastructures (KRITIS), will be called operators of critical facilities in NIS2. §28 (5) German KRITIS methodology with KRITIS sectors, critical services and facilities with thresholds is retained. Operators will also become essential entities. §28 (1) No. 4

NIS2 Sectors

German NIS2 defines two groups of sectors: Sectors for entities are defined in Annex 1 and 2 and KRITIS sectors for critical facilities in §28 (6). Sectors for entities are split into sectors of high criticality, annex 1, and other critical sectors, annex 2.

Obligations

The requirements for critical infrastructures and entities will change significantly with NIS2 in Germany. The existing KRITIS obligations under the BSI law (BSIG from 2021) will be retained in their basic form but will be extended and restructured significantly.

Exclusions

There are several exceptions and special rules for companies regarding NIS2 requirements.

Security and risk management

Very important (essential) and important entities must take appropriate, proportionate and effective technical and organizational measures to protect the IT and processes of their services to avoid incidents, disruptions and to minimize the impact of disruptions. §30 (1)

Entities should take into account their risk exposure, size, implementation costs, probability of occurence and severity of security incidents and social and economic impact. §30 (1)

Measures

The measures to be implemented by operators and entities must be based on an all-hazards approach and should take European and international standards into account. The measures should comply with the state of the art and must cover at least the following topics: §30 (2)

• Risk analysis and security for information systems
• Incident response and management
• Maintenance and recovery, backup management, crisis management
• Supply chain security, security between entities, service provider security
• Security in development, procurement, and maintenance
• Vulnerability management
• Assessment of cybersecurity and risk management effectiveness
• Training covering cybersecurity and cyber hygiene
• Cryptography and encryption
• Personnel security, access control, and facility management
• Multi-factor authentication and continuous authentication
• Secure communication (voice, video, and text)
• Secure emergency communication

Documentation

Entities must document the implementation of their security measures. §30 (1)

Sector regulation

Some sectors are partially excluded from the risk management requirements in §30 and §31. For these sectors, corresponding measures will be specified in equivalent sector regulation.

• DNS, TLD, Cloud Computing, Data Centers, CDNs, Managed Services and Security Services, Online Marketplaces and Search Engines, Social Networks, and Trust Services will (should) receive EU requirements for measures according to §30 (2) through an Implementing Act.
• Public telecommunications networks and services will receive requirements for equivalent measures according to §31 through the TKG and the BNetzA Security Catalog.
• Energy supply networks and energy facilities will receive requirements for equivalent measures according to §31 through the EnWG and the BNetzA Security Catalog.
• Entities according to Article 2 (4) of Regulation (EU) 2022/2554 will receive equivalent measures through DORA. (Parts of the financial sector)

Official guidance

Detailed guidance for implementing measures by the EU, BSI, or public associations is not yet known, but there will certainly be developments throughout 2024. Similarly, there are still no official adaptions of existing Cybersecurity Standards such as ISO 27001 or C5 to NIS2 available.

Existing ISMS certifications will generally not be sufficient for NIS2 requirements – the scope of NIS2 could go beyond existing certificates, and the mentioned measures are sometimes deeper and broader than typical frameworks.

Previous German KRITIS practice encouraged ISO 27001 in critical infrastructures, but usually demanded more from operators than vanilla ISO or limited scopes.

EU Implementing acts

According to Article 21 (5) of NIS2, the Commission can issue specific technical and method requirements in Implementing Acts, which then become directly binding and take precedence over the requirements in §30 (2) from German law. §30 (4) If the legal acts are not exhaustive, the German Federal Ministry of the Interior can issue its own specifications. §30 (5)

For operators of DNS, TLD, Cloud Computing, Data Centers, CDNs, Managed Services and Managed Security Services, Online Marketplaces, Search Engines, Social Networks, and Trust Services, the EU Commission will establish binding measures in a separate Implementing Act by October 2024, §30 (2) only applies to them secondarily. §30 (3)

Critical facilities

For operators of critical facilities (KRITIS), higher standards and additional requirements apply when selecting measures and assessing adequacy:

• Even more elaborate measures are considered proportionate for §30 §31 (2)
• Use of Attack Detection Systems (OH SzA) §31 (2)
• Audit obligations (KRITIS audits) for measures and IDS §39 (1)

Registration and contact

Entities and operators must self-identify and register with the regulation authority BSI. There are more specific registration rules for certain companies. §33 §34

Essential and important entities as well as DNS registries must register with the BSI within three months, including: Name, legal form, contact details, email/telephone, IP address ranges, sector and sub-sector, EU countries with business activities. §33 (1)

Operators of critical facilities must provide additional information during registration. §33 (2) Registration with another government authority, the BBK, via the KRITIS-DachG is not entirely clear.

Changes to the data as specified in (1) and (2) must be reported annually to the BSI, all other information immediately, within two weeks. §33 (5)

The BSI can register essential and important entities as well as DNS registries on its own powers. For this, the BSI may request documents and details. §33 (2) (6)

Some operators defined in §63 must register with the BSI by January 17, 2025, §34, this includes DNS and TLD, Cloud Computing, Data Centers, CDNs, Managed Service Providers and Managed Security Service Providers, Online Marketplaces, Search Engines, Social Networks, when the main establishment in the EU is in Germany.

Notifications

With NIS2, affected entities have many information and reporting obligations that go beyond the existing §8b BSIG reporting obligations (KRITIS).

Security incidents

Essential entities (including operators of critical facilities) and important entities must report security incidents to the BSI   within very short deadlines (24 hours) and with incremental follow-up reports: §32

• Initial report on significant security incidents immediately, but no later than within 24 hours
• Follow-up report on a significant security incident within 72 hours, including an evaluation of the initial report (severity, impact, compromise)
• Intermediate reports upon request from the BSI
• Final report or progress report within one month, including description, causes, measures, and cross-border impacts
• Operators of critical facilities must also report the facilities, critical service, and impacts

The BSI establishes the reporting option in agreement with the BBK, for NIS2 and the KRITIS-DachG. The BSI may issue further provisions on the reporting procedure. §32 (4)

Customers and public

In the event of significant security incidents, the BSI may instruct essential and important entities to inform their customers (recipients of their services). §35 (1)

Entities in the financial and insurance sectors, information technology and telecommunications, ICT services, and digital services must immediately inform potentially affected customers of a significant cyber threat, including possible countermeasures that customers may need to take. §35 (2)

The BSI will respond, if possible, within 24 hours of receiving a notification from companies, possibly with queries, offers of support, and information. §36 (1) If raising public awareness is necessary or in the public interest, the BSI may inform the public or ask the company to do so. §36 (2). This also applies if the company is a federal entity. §4 (3)

Information exchange

Essential entities must participate in information exchange through the central exchange platform of the BSI within one year of the entry into force of German NIS2 law. §30 (7)

Evidence and audits

Operators of critical facilities must demonstrate the implementation of NIS2 measures to the BSI every three years. Depending on their own registration, audits must then be conducted every three years, similar to existing KRITIS compliance audits.

Operators of critical facilities

Operators of critical facilities must provide evidence for the measures according to §30(1), §31, and §31(2) Attack Detection (Angriffserkennung) through Audits, Inspections, or Certifications every three years to the BSI, as previously done in KRITIS audits. §39(1)

For operators already being audited as KRITIS operators, the BSI will set the deadline for providing evidence to at least three years after the provision of the last evidence according to §8a(3) BSIG – so the next submission might be postponed by a year.

The BSI has the authority to independently audit operators of critical facilities as essential entities §64 and can establish requirements for audits. §39(2)

Entities

Entities must document the implementation of the measures. §30 (1) They are not required to regularly provide audits to the BSI for the implementation of §30 measures and §32 reporting obligations after registration. The BSI can, however, compel entities to undertake audits, request evidence, and conduct their own audits. §64 (1) (3) (5)

The BSI has enforcement rights for evidence from essential and important entities. §64 §65

When selecting entities, the BSI should proceed in a risk-oriented manner, taking into account the extent of risk exposure, the size of the entity, the likelihood and severity of potential security incidents, as well as their possible societal and economic impact. §64 (4)

The BSI can establish requirements for these audits. §64 (2)

Legislation

The German NIS2 Implementation law was planned to come into force in October 2024 to supersede the existing KRITIS regulation (BSIG 2021). Drafts of the law have been public since Summer 2023. It is not yet clear if the October 2024 deadline will be kept.

Deadlines

Various deadlines for the implementation of the obligations are specified in the law. The NIS2 Implementation law NIS2UmsuCG is set to come into effect in October 2024 – still TBC.

Essential entities

• Registration within three months after identification §33(1)
• Participation in information exchange within one year after entry into force §30(7)

Important entities

• Registration within three months after identification §33(1)

Operators of critical facilities

• Registration within three months after identification §33(1) and §33(2)
• Initial evidence of implementation of measures to be provided no later than a date determined by the BSI and BBK at registration: at least three years after the law comes into effect §39(1), i.e., from 2027.
• Ongoing evidence of implementation of measures every three years thereafter §39(1)
• Participation in information exchange within one year after entry into force §30(7)

Additional legislation

Various requirements of the NIS2UmsuCG are intended to be specified or defined by one or more legal ordinances (KRITIS-Verordnungen): §57

• Services considered to be critical, their level of supply, and which facilities or parts thereof are considered critical infrastructure under the law §57(4)
• Details on the issuance of security certificates and recognition according to §54 §57(1)
• Specifics of the IT security label according to §52, as well as the determination of the suitability of industry-specific IT security requirements and their approval §57(2)
• Products, services, or processes used by essential or important entities that must have certification under §30(6) §57(3)

The regulation is intended to be defined in accordance with the KRITIS-DachG and consolidate operators and entities in one regulation so that affected companies can find relevant categories and thresholds in a single table.

A draft of the regulation(s) is not yet available.

EU Requirements and Implementing Acts

The EU Commission may issue its own requirements through Implementing Acts to define the measures in §30(2), which would take precedence over national law, generally in §30(4) and specifically for certain IT operators in §30(3).

If this does not occur, the German Federal Ministry of the Interior will issue technical, methodological, and sectoral definitions for clarification purposes. §30(5)

Industry Standards

Essential entities, including operators of critical facilities, can continue to propose sector-specific security standards (B3S) for implementing the measures in §30(1). The BSI determines the suitability of the B3S. §30(9)

Literature

1. Statement BSI   Cybersecurity   Responsibilities and Tools in the Federal Republic of Germany, Bundestag, public hearing Committee on Digital Affairs, January 25, 2023
2. Update for European Cyber Security, Mit Sicherheit   BSI Magazin 2022/02, December 14, 2022
3. Draft by the BMI: NIS2UmsuCG, various versions, AG KRITIS 2023

Sources

1. Workshop Discussion Paper, by the BMI for economic-related regulations for the implementation of the NIS-2 Directive, German Federal Ministry of the Interior, Intrapol, October 26, 2023
2. Discussion Paper by the Federal Ministry of the Interior and for Homeland   NIS2UmsuCG, third draft, AG KRITIS, September 27, 2023
3. Draft by the BMI: NIS-2 Implementation and Cybersecurity Strengthening Act   NIS2UmsuCG, draft law for the implementation of the NIS-2 Directive and the regulation of essential aspects of information security management in federal administration, AG KRITIS, July 3, 2023
4. Draft by the BMI: NIS-2 Implementation and Cybersecurity Strengthening Act   NIS2UmsuCG, draft law for the implementation of the NIS-2 Directive and the regulation of essential aspects of information security management in federal administration, Intrapol, April 3, 2023
5. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), December 27, 2022
6. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), December 27, 2022