NIS2 directive
Admin | Jul 31, 2024 3:24:00 PM | 3 min read

NIS2 Directive: More transparency in IT security?


The implementation deadline for the NIS2 Directive ends in October 2024, and a corresponding law is currently still being drafted. Now is therefore the best time to look back at the NIS Directive from 2016 and take a look at the NIS2 Directive that is now to be implemented as its further development.

NIS-Directive from 2016
The NIS Directive is the "Directive concerning measures to ensure a high common level of security of network and information systems across the Union". The aim was to improve cyber security in the EU and therefore also in Germany, particularly in the area of critical infrastructure. These are facilities of considerable importance to the common good, the failure of which can cause enormous damage and, in particular, endanger public safety. Examples include the energy, healthcare and telecommunications sectors. The fundamental aim of the NIS Directive was to create an EU-wide, uniform standard for IT security.

The NIS Directive was transposed into national law by the legislator in the Act Implementing the NIS Directive, which was announced in 2017.

Why NIS2?
After implementation, there were considerable differences in the Member States as to whether a company should be classified as a critical service provider or operator. As a result, the number of critical service providers by Member State ranged from 12 to 87. The discrepancy was even more extreme for operators of critical services, where the number ranged from 20 to 10,897. The NIS2 was issued to resolve this uncertainty.

Who is affected by NIS2?
The NIS2 Directive contains a clear classification of which companies are critical service providers and which are not. This is accompanied by an enormous expansion of the scope of application. NIS2 now distinguishes between "essential entities" and "important entities". There is also a list of which company is to be classified and how, so that the number of divergent classifications in the Member States should be significantly reduced. For example, companies from the energy, road transport, water and health sectors are classified as "essential entities", while companies from the waste management, food and digital provider sectors are classified as "important entities". This should lead to a harmonisation of IT security throughout the entire Union.

NIS2 – The draft bill is available
Whether this goal can be achieved with NIS2 remains to be seen in the future. A draft bill has already been published. In particular, this provides for amendments to the BSIG, the BNDG and other laws dealing with critical infrastructures (e.g. EnWG and TKG).

Among other things, the draft bill highlights the Russian war of aggression against Ukraine, which violates international law, as a driver that has exacerbated the IT security situation: Ransomware attacks, exploitation of vulnerabilities, open or incorrectly configured online servers and dependencies on the IT supply chain are therefore among the greatest threats. The aim is to increase the resilience of the German economy to the dangers of the digital world.

The draft bill – critical voices
However, there are also critical voices calling for improvements to the draft bill. For example, the Bundesvereinigung Deutscher Apothekenverbände e.V. sees a need for improvement in the definition of critical components in Section 2 I No. 22 BSIG-E so that there is clarity as to which components are to be classified as critical. This in turn has an impact on applicability. This criticism therefore resembles the criticism of the NIS Directive that led to the need for improvement in the first place. The German Wind Energy Association also expresses concerns: the classification of operating companies that are subsidiaries of large parent companies is unclear and not expedient. It would oblige the wrong companies, although this is not necessary.

Outlook
In conclusion, the national legislator still has some work to do before the deadline for transposition of the directive expires in October. However, a start has already been made with the draft bill, so that the remaining time can be used to make the required improvements. This means that the new law can be announced and come into force in October at the latest.


For Eticor customers

If the new obligations are relevant to your company, your Legal Expert will promptly update your individual legal register and automatically make the new tasks available to you in Eticor.

Your contact

Do you have any questions about our consulting services or our compliance management software Eticor? We look forward to your message or call.

HANNAH KLEEN
Ass. jur.
Legal Compliance Expert
TIM BIEBER

LL.M.
Legal Compliance Expert
t.bieber@eticor.com
+49 6022 2656 – 127