The threats to data, networks and IT infrastructures are constantly increasing. In 2023, the damage caused by the ever more frequent IT security incidents amounted to over 200 billion euros in Germany alone. The EU has responded to this development with the so-called NIS-2 Directive, which introduces stricter requirements for IT security in the EU. The EU member states must transpose the NIS-2 Directive into national law by October 17, 2024. Germany has so far failed to adopt a national implementation act, but a legislative draft for a German implementation law already exists. The core of the current legislative draft is the reform of the so-called BSI Act (hereinafter referred to as the BSIG-E). This draft is already available: https://dserver.bundestag.de/brd/2024/0380-24.pdf.
Under NIS-2, the number of companies legally obliged to take IT security measures will increase significantly. In particular, NIS-2 not only applies to critical infrastructures, but can also affect, for example, manufacturers of machinery and equipment or, more generally, companies that manufacture products. Instead of the approximately 5,000 companies that were previously affected by IT security requirements, in the future around 30,000 companies will be obliged to comply with IT security obligations.
The legal obligations are extensive. Affected companies must take technical and organizational measures to prevent disruptions to information technology systems and to minimize the impact of security incidents. The company's management is obliged to implement such technical and organizational measures and to continuously monitor their implementation. In addition, NIS-2 contains extensive reporting requirements in the event of security incidents. Violations of the legal obligations can be subject to substantial fines. In individual cases, the fine can be up to 2 % of the total worldwide annual turnover.
Scope of NIS-2
According to the current draft of Germany's implementation act BSIG-E, the new legislation applies to essential and important entities. A company is an important entity if it (i) has at least 50 employees or an annual turnover of over 10 million Euros and (ii) is active in one of the following sectors:
A company is an essential entity if it (i) employs at least 250 employees or has an annual turnover of over 50 million Euros and (ii) is active in one of the sectors of energy, transport and traffic, finance, health, water, digital infrastructure or space. Even more extensive IT security obligations apply to essential entities.
Obligations under NIS-2
NIS-2 requires a variety of so-called risk management measures. These include, for example, the introduction of an Information Security Management System (ISMS), the performance of risk analyses, and measures to manage security incidents, ensure the security of the supply chain, and maintain cyber hygiene within the company (e.g. secure passwords, access restrictions, backup concepts, etc.).
For companies under the scope of NIS-2 it will be important to install and maintain sufficient documentation of such measures to exculpate themselves in the event of a security incident. Overall, it may make sense for affected companies to aim for an ISO 27001 certification.
Under NIS-2, the implementation of risk management measures is the responsibility of the company's management (especially managing directors). The management must ensure that the risk management measures are implemented and monitored continuously. To be able to do so, the management must regularly attend training courses to acquire sufficient knowledge and skills to identify and assess IT security risks.
If, despite all these measures, a significant IT security incident occurs, NIS-2 introduces reporting requirements. The company must issue an initial report to the relevant supervisory authority (in Germany the Federal Office for Information Security – BSI) within 24 hours (!) after becoming aware of the incident. The reporting deadlines are very short, and they apply irrespective of weekends, holidays, vacations or the like. The initial report must be followed by a comprehensive report within 72 hours.
Legal consequences of violations
Companies that violate the obligations under the BSIG-E face substantial fines. Depending on the violation, the fine can be up to 10 million Euros. However, the regulatory authority can impose significantly higher fines in individual cases. The government draft stipulates that the level of fines for individual violations can be determined based on turnover. For important entities with an annual turnover of more than 500 million Euros, the fine can be up to 1.4% of the worldwide annual turnover, and for essential entities with an annual turnover of more than 500 million Euros, the fine can be up to 2% of the worldwide annual turnover.
In addition, the current legislative draft in Germany refers to the possibility of managing directors being held liable under the already applicable rules of corporate law for violations of management's obligations under NIS-2. Managing directors should therefore check whether existing (D&O) insurance policies also cover breaches of IT security obligations.
Conclusion
Even though no law implementing the NIS-2 Directive has yet come into force in Germany, companies should, as a precaution, check (or have checked) at an early stage whether NIS-2 and the future implementation act will apply to them. If this is the case, the affected companies should familiarize themselves with the extensive obligations under NIS-2 as soon as possible and begin to implement the applicable IT security measures. To that end, companies should carry out a comprehensive evaluation of their current IT security landscape as soon as possible in order to identify which further steps are needed to comply with NIS-2.
Dr. Markus Spitz, markus.spitz@rittershaus.net
Dr. Michael Wenzel, Michael.wenzel@rittershaus.net
Both authors are lawyers at the Mannheim office of RITTERSHAUS Rechtsanwälte PartmbB, Harrlachweg