Digital Economy

Draft of an Implementation Law for NIS2 – Comprehensive Extension of Cybersecurity Obligations and Direct Liability of the Management

Since 16 January 2023, the Network and Information Security 2 or NIS2 Directive (Directive (EU) 2022/2555) has been in force. It extends the scope of the cybersecurity obligations, which until now mainly applied to operators of critical infrastructures and providers of digital services, to large parts of the economy and significantly tightens the sanction regime in case of violations. This also has consequences for co-determination at the workplace.

Unlike other digital legal acts of the EU, however, the NIS2 Directive still requires implementation by the national legislators. Now the first draft of an implementation law with the sonorous name NIS-2-Implementation and Cybersecurity Strengthening Act has become known, which partly even goes beyond what the NIS2 Directive requires. The core of the draft law is a revision of the BSI Act (Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik), in future extended by the addition "and on the security of information technology of operators and facilities" (und über die Sicherheit in der Informationstechnik von Betreibern und Einrichtungen) – hereinafter BSIG V.2). Although the NIS2 Directive grants an implementation deadline until 17 October 2024, the German legislator wants to report implementation as early as spring 2024. We give here a first overview of the regulations that companies have to prepare for in the coming months.

Extended scope of application

Cybersecurity requirements already affect many companies indirectly via data protection. However, the data protection requirements are rather vague and only oriented towards the protection of personal data. More extensive cybersecurity requirements only apply to certain companies, especially in the area of critical infrastructures and digital services. NIS2 and BSIG V.2 considerably extend the list of sectors in which binding cybersecurity obligations shall apply: 

  • Energy,
  • Transport, 
  • Banking, 
  • Financial market infrastructure,
  • Health care, 
  • Drinking water, 
  • Waste water, 
  • Digital infrastructure,
  • Administration of information and communication technology services (business-to-business), 
  • Public administration, 
  • Space, 
  • Postal and courier services, 
  • Waste management, 
  • Production, manufacture and trade of chemical substances, 
  • Production, processing and distribution of food, 
  • Manufacturing/production of goods, 
  • Providers of digital services, 
  • Research. 

Whether a company that falls under these sectors has to fulfil specific cybersecurity obligations and, if so, which ones, depends on the size of the company as well as on the types of facilities it operates. The BSIG V.2 differentiates between critical facilities, essential/very important facilities and (merely) important facilities. Above the threshold of micro or small enterprises with fewer than 50 employees or an annual turnover that does not exceed EUR 10 million, the new cybersecurity obligations are relatively likely to apply to companies in the above sectors. As can be seen in particular from the category Manufacturing/production of goods, a company does not need to have an affinity for technology to be subject to cybersecurity obligations.

For companies, it is therefore important to first check carefully whether and in what role they fall within the personal scope of the new cybersecurity legislation because this determines the obligations they have to fulfil and the sanctions they have to fear.

More specific and extended catalogue of obligations

The new BSIG V.2 provides for a comprehensive catalogue of cybersecurity obligations, which is both more extensive than the current cybersecurity law and goes into more detail.

These obligations are essentially divided into preventive obligations to prevent or limit the consequences of security incidents and reactive obligations to report these incidents.

The preventive obligations include – summarised – the following cybersecurity measures (detailed in Art. 21 para. 2 NIS2 and § 30 para. 4 BSIG V.2):

  • Risk analysis and information security concepts, including authorisation concepts and procedures for assessing the effectiveness of risk management;
  • Security incident management;
  • Business continuity management including backups and emergency plans;
  • Security management of own personnel (including cybersecurity requirements and training) and of the supply chain, especially of suppliers/service providers;
  • Security measures for acquisition, development and maintenance;
  • Cryptography and, where appropriate, encryption;
  • Authentication procedures and secure communication channels.

This catalogue is partly further specified by implementing acts of the European Commission for certain categories of providers.

An interesting special case of the obligation to conduct cybersecurity training is regulated by § 38 para. 4 BSIG V.2, according to which the management of essential/very important and (merely) important facilities must regularly participate in training courses.

In addition, the obligation from § 8a para. 1a BSIG to use systems for attack detection for operators of critical facilities (§ 39 BSIG V.2) remains in place. The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - BSI) has recently published a guidance document on this. 

The reactive reporting obligation provides for a staggered reporting to the BSI in the case of significant security incidents, which is stricter in terms of deadlines and also organisationally more complex than the data protection obligation to report so-called data breaches (§ 31 BSIG V.2):

  1. Without undue delay, but no later than within 24 hours after becoming aware, an initial report must be submitted, which indicates whether there is a suspicion that the security incident is due to unlawful or malicious actions or could have cross-border effects. 
  2. Also without undue delay and no later than within 72 hours, i.e. within the same period as the notification of a data breach to the data protection supervisory authority, the initial report must be updated. In this update, the severity and impact of the security incident must be assessed for the first time, if necessary indicating indicators of compromise.
  3. If the BSI asks, interim reports must be submitted, which further update the report.   
  4. Within one month after the update of the initial report, a final report must be submitted. This final report must contain a detailed description and analysis of the security incident. If the security incident is still ongoing at this point, a progress report must be submitted instead and then a final report one month after the completion of the handling of the security incident. 

The BSI shall also be able to instruct companies under certain conditions to inform the recipients of their services (i.e. usually the customers) about the security incident (§ 35 BSIG V.2). A mandatory public information about the security incident is also possible (§ 36 BSIG V.2). In addition, the BSI shall be able to oblige companies to inform the recipients of their services about (merely) potential cyber threats and measures taken against them, and possibly even to make public information about legal violations (§ 64 para. 4, 65 para. 3 BSIG). Similar to the data protection obligation to inform the data subjects, such far-reaching reporting and information obligations can be even more damaging to a company's business than the data security incident itself.

In addition to these operational obligations, most companies that fall under the BSIG V.2 have an obligation to register with the BSI. Operators of critical facilities and essential/very important facilities must also prove to the BSI that their cybersecurity measures meet the legal requirements (§§ 32 ff., 39 para. 2 BSIG V.2). The BSIG V.2 thus establishes a kind of accountability obligation, which some companies may already know from data protection compliance.

Sanctions and increased liability

Like almost all legal acts of the European digital strategy, the NIS2 Directive and the BSIG V.2 provide for considerable fines in case of violations. Fines of up to EUR 10 million or 2% of the worldwide previous year's turnover can be imposed on operators of critical facilities or essential/very important facilities, while for operators of (merely) important facilities the upper limit is still EUR 7 million or 1.4% of the turnover.

Remarkably, the wording of the maximum limit from the directive has been adopted so literally in the current version of the draft of the BSIG V.2 that the above maximum limits are not clearly defined. The directive wants to allow the member states even higher limit values and therefore speaks of maximum amounts of "at least" X (Art. 34 para. 4, 5 NIS2). The adoption of this wording into national law, however, takes away the character of a maximum limit (cf. § 60 para. 7 BSIG V.2: "fine […] with a maximum amount of at least 2%"). It is to be hoped that the legislator will correct this presumed editorial mistake in the course of the legislative process.

Further peculiarities are offered by the BSIG V.2 in the regulation of the liability of management. According to this, the managers shall approve the cybersecurity measures to be taken by the company and monitor their implementation, without being able to delegate this to third parties (§ 38 para. 1 BSIG V.2). This makes cybersecurity legally a top management issue, as it is rightly already internally provided for in many companies.

It is explicitly regulated that managers are liable to the company for violations of their corresponding obligations (§ 38 para. 2 BSIG V.2). This essentially corresponds to the current law, but the clarification is intended to provide legal certainty here. However, it is new that, according to the explanatory memorandum, fines are also to be covered by the concept of damage. This question is highly controversial in the context of antitrust fines, and the clear legislative assessment could now pave the way for proponents of a recourse liability of the management for fines, at least in the area of cybersecurity.

Considerable practical difficulties will be caused by the regulation that a waiver of, or a settlement on, claims for damages against the management is invalid, unless there is (imminent) insolvency or a settlement by insolvency plan (§ 38 para. 3 BSIG V.2). This deprives companies of a proven means of safeguarding the company's interest in the case of unclear prospects of litigation. The purpose of the regulation is also questionable because a settlement on corresponding claims for damages is already subject to approval by the shareholders' meeting. It is therefore to be hoped that the legislator will reconsider this inflexible and inappropriate prohibition in the course of the legislative process.

In addition to fines and claims for damages, the BSIG V.2 also provides for an extension of the catalogue of other supervisory measures. These include, for example, rights of entry and inspection, which not only operators of critical infrastructures have to expect, instructions to prevent security incidents or to establish the required level of security, instructions to inform about cyber threats and measures taken against them (§ 64 para. 1-3 BSIG V.2). Under certain conditions, the BSI shall even be able to prohibit persons of the management or legal representatives from exercising management tasks (§ 64 para. 6 no. 2 BSIG V.2). 

What's next?

The draft of the BSIG V.2 is so far only a draft by the ministry, so it still has a number of coordination processes between the ministries and parliamentary groups ahead of it. Nevertheless, the draft assumes that the NIS-2-Implementation and Cybersecurity Strengthening Act will be promulgated in March 2024 and then – after a six-month implementation period – enter into force on 1 October 2024. This would mean that Germany would fulfil its implementation obligation a good two weeks earlier than legally required.

It is also conceivable that a further coordination of the draft with the efforts to adopt a KRITIS umbrella law, for which key points were presented in December 2022, and to implement the so-called Critical Entities Resilience (CER) Directive will lead to delays. However, after there were several sensitive and public cyber attacks on German companies in spring 2023 alone, a swift implementation of the NIS2 Directive is likely.

Given the difficulties that can arise in implementing cybersecurity measures in the company or even in the group – from the allocation of budgets to data protection checks to the selection and commissioning of service providers – the good year that companies have to prepare for the new cybersecurity regime is not an excessively long time. At least one hurdle that is usually high for companies when introducing new processes could cause fewer difficulties here than usual. This is because the described extensions of legal obligations not only restrict entrepreneurial decisions, but also the scope for co-determination at the workplace. Any introduction and extension of IT security systems that is legally required does not need to be negotiated with the works council (§ 87 para. 1 introductory half-sentence Work Council Co-Determination Act - Betriebsverfassungsgesetz).