Statement: the NIS2 Implementation and Cyber Security Strengthening Act from a business perspective

On 7 May 2024, the Federal Ministry of the Interior (BMI) published the first official draft of the NIS2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG for short) and simultaneously launched the consultation with associations. Despite some improvements, the legislator has missed the opportunity to create legal clarity for the economy. Companies are still faced with almost impossible tasks.

Statement on the draft bill

As our detailed statement shows, the new draft bill contains some improvements compared to the previous version, but does not solve the fundamental problems of the NIS2 Directive. The German legislator has missed several opportunities to create legal clarity. Instead of a political tug-of-war between the ministries and an entanglement of the NIS2UmsuCG with other political demands, pragmatism and a clarification of the open legal issues at European level are now required in the further legislative process. It remains to be seen whether this will succeed.

What happens next?

The official draft bill was published to mark the start of the consultation process for associations. Comments can be submitted until 28 May 2024. A hearing will take place on 3 June 2024. However, there is only a short time left until 17 October 2024. It is very unlikely that the draft bill will pass the Bundestag, be signed by the Federal President and published in the Federal Law Gazette by then. As long as the NIS2 Directive has not been transposed into national law, it will not result in any obligations for companies.

First aid for companies

Affected companies do not have to fulfil the requirements in Germany until the NIS2UmsuCG has been published in the Federal Law Gazette. However, as fulfilling the new requirements involves considerable effort, companies should start implementation at an early stage. We can only recommend that companies base their work on the wording of the NIS2 Directive itself. If no changes are made as part of the legislative process, some provisions of the NIS2UmsuCG will probably only have a short half-life. It is also already clear that the NIS2 Directive completely fails to achieve the goal of harmonising cybersecurity law across Europe.

We will be happy to assist you with any questions you may have about how you are affected by the NIS2 Directive and how you can implement the requirements in your company. We will also submit our criticism of the draft bill for the NIS2UmsuCG to the legislator as part of the consultation with the associations and are confident that the interests of the business community will still be sufficiently taken into account. Please contact dbu@reuschlaw.de directly if you have any points that you would like us to include in the consultation with the associations.
