In Germany, the NIS-2 Directive is implemented by the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). Various laws such as the Telecommunications Act (TKG), the Energy Act (EnWG) and many others will be amended. According to the EU directive, member states have until 17 October 2024 to transpose the new rules into national law. However, our experts believe that this timetable is unlikely to be met.
The NIS-2 Directive applies in principle to companies or institutions with more than 49 employees or an annual turnover of at least €10 million, if they are active in one of the following sectors:
Critical sectors (with high criticality)
- Waste water
- Banking services
- Digital infrastructure
- Energy
- Financial markets
- Healthcare
- B2B ICT service management
- Public administration
- Transportation
- Drinking water
- Space
Key sectors
- Waste management
- Chemicals
- Digital services
- Research & development
- Industry (manufacturing)
- Food services
- Postal and courier services
In addition, organisations of any size may be covered by the Directive, for example if they play a significant role in the supply chain of critical infrastructure.
The NIS2UmsuCG prescribes various obligations. These include risk management measures in the area of cyber security, which must be proven through security audits, inspections or certifications. In addition, various registration, reporting and notification obligations must be fulfilled. Managing directors must fulfil authorisation, supervision and training obligations. In addition, there are registration obligations for certain providers and a separate database for the registration data of domain names.
In principle, the NIS2UmsuCG applies to all companies with more than 50 employees or an annual turnover of more than €50 million operating in sectors defined by the EU. In addition, there are specific rules that apply to certain organisations regardless of size, such as providers of public electronic communications networks. There is also an indirect impact on smaller companies that act as service providers or suppliers to directly affected companies.
Companies and organisations that fail to comply with NIS2 can be fined up to €10 million or two per cent of their total worldwide turnover in the previous financial year. These penalties underline the importance of compliance.
The NIS2 Directive entered into force on 16 January 2023. Member States must implement the Directive by 17 October 2024; in Germany, this is expected to be done through the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). A discussion paper from the Federal Ministry of the Interior and Home Affairs on "Business-related regulations for the implementation of the NIS-2 Directive in Germany" is currently available.
ISiCO offers comprehensive consultancy, training and support services to help organisations implement the NIS-2 Directive. This includes analysing the specific requirements that apply to an organisation, developing and implementing appropriate security measures, and providing training and awareness-raising for employees.