
NIS-2 and NIS2UmsuCG

New EU directive for more cybersecurity and its implementation in German law

In January 2023, the EU adopted the so-called NIS-2 directive. The revised legislative document imposes stricter cybersecurity rules on operators of critical infrastructure, but also on many smaller hospitals, care facilities, health and therapy centers. NIS-2 was supposed to be transposed into national law by October 2024 at the latest. However, the current official draft bill suggests that implementation will not take place until the beginning of 2025 at the earliest. Nevertheless, it is important for potentially affected institutions to address the requirements at an early stage.

The European security directive NIS-2 (short for: Network and Information Systems Directive 2) replaces the previously valid NIS directive from 2016. The previous version already defined initial cybersecurity obligations for companies and institutions in critical infrastructure (KRITIS) and in six other sectors. With NIS-2, the number of affected companies and institutions increases significantly. At the same time, the requirements become more stringent and the penalties for non-compliance are raised. In May 2024, an official draft bill appeared in the form of the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG for short), which is the official basis for the assessments of the cyber experts at the Ecclesia Group. However, the regulations can of course still be amended before the official implementation.


Smaller institutions also affected

The NIS2UmsuCG distinguishes between two categories. The particularly important organizations include, in particular, critical infrastructure companies and institutions, but also, for example, healthcare institutions with at least 250 employees or an annual turnover of 50 million euros or more. The newly defined category of important institutions includes additional sectors such as research or digital service providers, but also companies and institutions in the sectors defined for the first category that do not meet its size thresholds. In this category, organizations with at least 50 employees or an annual turnover of more than ten million euros are affected.


Comprehensive security measures required

“We clearly see that significantly more companies and institutions will be affected by the new directive than before,” says Robert Drexler, head of Ecclesia Cyber. “It is extremely important to address the requirements as early as possible and to set up IT security management in line with them.” Those affected must be able to guarantee that they are ready to implement extensive measures in the area of cybersecurity. These include, for example, risk analysis concepts, control measures, ensuring the maintenance of operations in an emergency, access control concepts and secure emergency communication systems.


Reversal of the reporting requirement

In the future, relevant security incidents must be reported to the responsible authority within 24 hours. After 72 hours, an initial assessment of the security incident, including its severity and impact, as well as the indicators of compromise if applicable, must also be submitted, followed by a progress and final report after one month. However, the biggest change lies in the reversal of the reporting requirement, as Robert Drexler emphasizes: “In the future, those affected will be obliged to actively demonstrate to the BSI that they are meeting the requirements by a certain deadline. The onus here is clearly on the companies and institutions.” Since the proof must be provided in a very detailed manner, the requirements for documenting the measures are also increased.


High risk – also in terms of management liability

Draconian penalties are imposed for non-compliance: particularly important organizations face a fine of up to ten million euros or two percent of global revenue, and important organizations face a fine of up to seven million euros or 1.4 percent of global revenue; in each case, whichever amount is higher applies. The new requirements are also particularly relevant for managing directors and board members, as management obligations in connection with cybersecurity are likely to be tightened. Tasks can still be delegated here as well. However, the responsibility for monitoring, and for selecting and instructing the persons to whom tasks are delegated, remains with management in any case.


Meeting challenges with the necessary expertise

The requirements present a number of challenges for those affected and cannot always be met without external support. “We are happy to advise you on all relevant questions concerning NIS-2 and help you to prepare optimally for the new requirements,” says Robert Drexler. In addition to independent, needs-based advice, Ecclesia Cyber's holistic IT security management also includes support in an emergency, including an emergency service. In the area of directors and officers liability, the Ecclesia Group draws on specialists who have the necessary expertise and many years of experience in this field. This way, you receive comprehensive advice from a single source.