NIS2 Direc­ti­ve: Dis­cus­sion paper on regu­la­ti­ons for the economy

The clock is ticking. From 18 Octo­ber 2024, mem­ber sta­tes must app­ly the requi­re­ments of the NIS2 Direc­ti­ve. The Direc­ti­ve will lead to a signi­fi­cant expan­si­on of company-related cyber­se­cu­ri­ty requi­re­ments. Nevert­hel­ess, imple­men­ta­ti­on is curr­ent­ly stal­ling in Ger­ma­ny. Accor­ding to rumours, the­re are dis­agree­ments in the depart­ment­al ali­gnment. The latest sta­tus of imple­men­ta­ti­on is a dis­cus­sion paper from the Fede­ral Minis­try of the Inte­ri­or, Buil­ding and Com­mu­ni­ty from last year. This is in addi­ti­on to two exis­ting draft bills. The drafts dif­fer to some ext­ent, but at least pro­vi­de an indi­ca­ti­on of the legal situa­ti­on that com­pa­nies will have to adapt to in future.

Rela­xa­ti­on of veri­fi­ca­ti­on obligations

Accor­ding to the Ger­man draft bills, the imple­men­ta­ti­on of the NIS2 Direc­ti­ve by tho­se respon­si­ble is to be veri­fied at regu­lar inter­vals. The requi­red evi­dence can be pro­vi­ded through secu­ri­ty audits, inspec­tions or cer­ti­fi­ca­ti­ons. Accor­ding to the two draft bills, all par­ti­cu­lar­ly important enti­ties would have been obli­ged to sub­mit appro­pria­te evi­dence to the Fede­ral Office for Infor­ma­ti­on Secu­ri­ty (BSI) every two years. The­se requi­re­ments have now been rela­xed in the dis­cus­sion paper. The inter­val for pro­vi­ding evi­dence has been increased to three years and now only appli­es to ope­ra­tors of cri­ti­cal faci­li­ties, which only form a sub­set of the par­ti­cu­lar­ly important enti­ties. Howe­ver, this approach is not man­da­to­ry, as the NIS2 Direc­ti­ve does not pro­vi­de for an obli­ga­ti­on to regu­lar­ly pro­vi­de evi­dence. It mere­ly obli­ges the mem­ber sta­tes to aut­ho­ri­se the super­vi­so­ry aut­ho­ri­ties to request appro­pria­te evidence.

Scope of application

The dis­cus­sion paper sim­pli­fies the defi­ni­ti­on of the scope of appli­ca­ti­on with regard to both the draft bills and the text of the Direc­ti­ve by now wri­ting out the thres­holds for small and medium-sized enter­pri­ses and, unli­ke in the text of the Direc­ti­ve, no cum­ber­so­me refe­rence is made to the EU Commission’s defi­ni­ti­on of SMEs. In Annex 1, the insu­rance sec­tor is no lon­ger included in the list of sec­tors of high cri­ti­cal­i­ty – unli­ke in the draft bill. This sec­tor is also not men­tio­ned as a rele­vant sec­tor in the NIS2 Direc­ti­ve, mea­ning that the mem­ber sta­tes are free to deci­de whe­ther to include it. Howe­ver, the­re is a hea­ding “Finan­ce and insu­rance” in Annex 1, wit­hout insu­rance being included in the list. This sug­gests a draf­ting error. This is why the insu­rance indus­try in Ger­ma­ny should also prepa­re for the upco­ming imple­men­ta­ti­on of the requirements.


Even though the obli­ga­ti­on to pro­vi­de evi­dence will not take effect until three years after the imple­men­ta­ti­on law comes into force, com­pa­nies must be pre­pared to pro­vi­de regu­lar evi­dence of the imple­men­ta­ti­on of the requi­red risk manage­ment mea­su­res in future. In the mean­ti­me, a work­shop dis­cus­sion on the dis­cus­sion paper has also taken place. The lea­k­ed docu­ments show that the BMI is curr­ent­ly ela­bo­ra­ting a second draft bill, which will then go to the second depart­ment­al vote. Howe­ver, no signi­fi­cant devia­ti­ons from the Direc­ti­ve are expec­ted. The trans­po­si­ti­on into Ger­man law should be com­ple­ted by 17 Octo­ber 2024, and the new requi­re­ments should then app­ly from 18 Octo­ber 2024 wit­hout a tran­si­tio­nal period.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.