NIS 2 Directive:Implementation and current status in Germany

Author: Dr Markus Hülper, Attorney at law

In the age of digitalisation, network and information systems are indispensable for the functioning of our society and economy. In order to better protect these systems and strengthen cyber security, the European Union has adopted the NIS 2 Directive. It must be transposed into national law by 17 October 2024.

What is the NIS 2 Directive?

The NIS 2 Directive (Network and Information Security) is a further development of the first NIS Directive, which came into force in 2016. It aims to ensure a high standardised level of cybersecurity throughout the EU. The NIS 2 Directive extends the scope of the original directive and places stricter requirements on the security of network and information systems.

Main objectives of the NIS 2 Directive

Strengthening the level of cybersecurity in the EU

The NIS 2 Directive aims to increase the overall level of cybersecurity in all EU Member States in order to better respond to threats.

Clarification and standardisation of the specific requirements:

The NIS 2 Directive defines specific security requirements more clearly and extends them to ensure standardised implementation in all EU countries.

Extension of the sectors covered by the Directive:

More sectors and businesses, including small and medium-sized enterprises (SMEs), will now be covered by the NIS 2 Directive to protect a wider range of network and information systems.

Strengthening resilience to cyber threats:

The directive obliges companies to take measures to improve their ability to defend against and manage cyber attacks.

Protection of critical infrastructure:

The focus is on protecting critical infrastructures in order to ensure the functionality of important social and economic processes.

Improvement in responsiveness:

The NIS 2 Directive aims to improve the ability to respond quickly and effectively to cyber incidents across the EU.

Implementation of the NIS 2 Directive in Germany

Germany has already taken measures to transpose the NIS 2 Directive into national law. Germany is pursuing a comprehensive approach that includes legal as well as technical and organisational measures.

Legal measures

As part of the implementation of the NIS 2 Directive, Germany introduced the IT Security Act 2.0, which came into force in May 2021. This law provides for the following measures, among others:

Extension of the reporting obligations:

Operators of critical infrastructures (KRITIS) are obliged to report significant IT security incidents to the Federal Office for Information Security (BSI). This ensures that the BSI is informed of security incidents at an early stage and can initiate appropriate measures.

Stricter safety requirements:

Companies must prove that they have appropriate security measures in place to protect their network and information systems. This includes regular security checks and the implementation of protective measures against cyber attacks.

Increase in sanctions:

Heavy fines can be imposed for breaches of the security requirements. The fines amount to up to €10 million or 2% of annual global turnover, whichever is higher. In addition, managing directors and other management bodies are to be personally liable for breaches of the extended cyber security obligations. (cf. Section 38 BSIG-E).

Technical and organisational measures

In addition to the legal requirements, Germany also relies on technical and organisational measures to strengthen cyber security. These include

Promotion of co-operations:

Cooperation between the state, industry and science is being intensified in order to jointly develop solutions for current cyber threats. By sharing knowledge and resources, synergies can be exploited and the defence against cyber attacks improved.

Sensibilisierung und Schulung:

Unternehmen und ihre Mitarbeiter werden durch Schulungen und Aufklärungskampagnen für die Bedeutung der Cybersicherheit sensibilisiert. Dies umfasst sowohl technische Schulungen als auch Sensibilisierungsmaßnahmen, um ein Bewusstsein für sichere Verhaltensweisen im Umgang mit IT-Systemen zu schaffen.

Stärkung des BSI:

Das Bundesamt für Sicherheit in der Informationstechnik (BSI) wird personell und finanziell weiter aufgestockt, um seine Aufgaben effektiv wahrnehmen zu können. Dies umfasst die Bereitstellung von Ressourcen für die Überwachung und Analyse von Cyberbedrohungen sowie die Unterstützung von Unternehmen bei der Umsetzung von Sicherheitsmaßnahmen.

The current status of the German draft bill

The draft bill for the implementation of the NIS 2 Directive in Germany was published in February 2023 and is currently in the consultation phase. The draft envisages comprehensively integrating the requirements of the NIS 2 Directive into national law and expanding and adapting the existing provisions of the IT Security Act 2.0.

Important contents of the draft bill

As part of the implementation of the NIS 2 Directive, Germany introduced the IT Security Act 2.0, which came into force in May 2021. This law provides for the following measures, among others:

Extension of the scope of application:

The draft envisages that more sectors and companies, including small and medium-sized enterprises (SMEs), will fall under the regulations of the NIS 2 Directive.

Increase in safety requirements:

Companies must provide detailed evidence of the fulfilment of the prescribed safety measures.

Increased reporting obligations:

The reporting obligations for security incidents will be extended, while the deadlines for reporting incidents will be shortened. Companies must also set up and operate a contact point.

Co-operation and exchange:

The draft promotes cooperation and the exchange of information between various players in the field of cyber security in order to be able to react more quickly to threats.

Sanction mechanisms:

Sanctions for breaches of the safety requirements will be tightened to ensure compliance.

Challenges during implementation

The implementation of the NIS 2 Directive poses various challenges for Germany:

Complexity of the requirements

The extended security requirements and reporting obligations require companies to make considerable investments in their IT security.

Coordination effort:

Co-operation between different stakeholders must be intensified to ensure effective implementation of the directive.

Scarcity of resources:

Both companies and authorities have a high demand for qualified personnel in order to implement the requirements of the NIS 2 Directive.

Conclusion: companies must act now

The NIS 2 Directive is an important step towards strengthening cyber security in the EU. Germany has already made significant progress in implementing the directive, but also faces considerable challenges. Through a combination of legal measures, technical support and intensive cooperation, it is possible to achieve a high level of cyber security and increase resilience to cyber threats.

For companies and organisations, this means that they need to be well prepared for the new requirements. An early examination of the regulations and the implementation of suitable security measures are crucial in order to fulfil the legal requirements and avoid possible sanctions.

We support you in understanding and implementing the requirements of the NIS 2 Directive. With our expertise and experience in the field of IT security, we are at your side as a competent partner to optimally protect your network and information systems.

Your personal contact

Matthias SchulzSenior Sales Manager

You might also be interested in these articles

How legal departments reduce daily stress
Learn more
Workload and internal company integration as two major challenges for legal departments
Learn more