The clock is ticking. From 18 October 2024, member states must apply the requirements of the NIS2 Directive. The Directive will lead to a significant expansion of company-related cybersecurity requirements. Nevertheless, implementation is currently stalling in Germany. According to rumours, there are disagreements in the interdepartmental coordination. The latest status of implementation is a discussion paper from the Federal Ministry of the Interior, Building and Community (BMI) from last year, which follows two existing draft bills. The drafts differ to some extent, but at least provide an indication of the legal situation that companies will have to adapt to in future.
Relaxation of verification obligations
According to the German draft bills, the implementation of the NIS2 Directive by the entities in scope is to be verified at regular intervals. The required evidence can be provided through security audits, inspections or certifications. Under the two draft bills, all particularly important entities would have been obliged to submit appropriate evidence to the Federal Office for Information Security (BSI) every two years. These requirements have now been relaxed in the discussion paper: the interval for providing evidence has been increased to three years, and the obligation now applies only to operators of critical facilities, which form only a subset of the particularly important entities. A regular obligation to provide evidence is not required by the NIS2 Directive in any case; the Directive merely obliges the member states to authorise the supervisory authorities to request appropriate evidence.
Scope of application
The discussion paper simplifies the definition of the scope of application compared with both the draft bills and the text of the Directive: the thresholds for small and medium-sized enterprises are now written out in full, and, unlike in the text of the Directive, there is no cumbersome reference to the EU Commission’s definition of SMEs. In Annex 1, the insurance sector is no longer included in the list of sectors of high criticality, unlike in the draft bill. This sector is also not mentioned as a relevant sector in the NIS2 Directive, so the member states are free to decide whether to include it. However, Annex 1 still contains the heading “Finance and insurance” without insurance appearing in the list below it, which suggests a drafting error. The insurance industry in Germany should therefore also prepare for the upcoming implementation of the requirements.
Prospects
Even though the obligation to provide evidence will not take effect until three years after the implementation law comes into force, companies must be prepared to provide regular evidence of the implementation of the required risk management measures in future. In the meantime, a workshop discussion on the discussion paper has also taken place. The leaked documents show that the BMI is currently elaborating a second draft bill, which will then go into the second round of interdepartmental coordination. However, no significant deviations from the Directive are expected. The transposition into German law should be completed by 17 October 2024, and the new requirements should then apply from 18 October 2024 without a transitional period.