The countdown is on: companies must soon expect the NIS 2 Directive to take effect. By October 18, 2024 at the latest, the EU requirements are due to be transposed into national law in the member states. It is already clear that the obligations to implement cybersecurity measures and to report cyberattacks will be extended to significantly more companies across a range of sectors.
Almost 30,000 companies have to take additional measures
In Germany alone, the Federal Ministry of the Interior, which is in charge of the project, expects around 29,500 additional companies to become obliged to implement cybersecurity measures. Previously, the obligations were limited to operators of critical infrastructures, providers of digital services and companies of special public interest.
The reason for the significant expansion is the introduction of the categories "important entities" and "essential entities" in the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). However, the law has not yet been enacted.
For companies in the commercial sector, this is a 1:1 implementation of the NIS 2 Directive. This means that the NIS2UmsuCG does not go beyond the requirements of European law.
According to the Federal Office for Information Security (BSI), the NIS 2 applicability check is the central tool for determining whether a company is likely to be covered by the national implementation of the NIS 2 Directive in Germany.
Particularly important entities and important entities
A glance at the draft bill already shows which companies are to be regulated by NIS 2. Whether an affected company is classified as a "particularly important entity" or an "important entity" is expected to depend on key figures and thresholds relating to the number of employees or annual turnover.
According to Section 28 (1) NIS2UmsuCG, particularly important entities are:
- operators of critical systems,
- qualified trust service providers, top-level domain name registries or DNS service providers,
- providers of publicly accessible telecommunications services or operators of public telecommunications networks that employ at least 50 people or have an annual turnover and an annual balance sheet total of more than 10 million euros each,
- other natural or legal persons, or legally dependent organizational units of a local authority, that offer goods or services to other natural or legal persons in return for payment, that are assigned to one of the types of entities specified in Annex 1, and that employ at least 250 people or have an annual turnover of more than 50 million euros and an annual balance sheet total of more than 43 million euros.
According to Section 28 (2) NIS2UmsuCG, important entities are:
- trust service providers,
- providers of publicly accessible telecommunications services or operators of public telecommunications networks that employ fewer than 50 people and have an annual turnover and an annual balance sheet total of 10 million euros or less,
- natural or legal persons, or legally dependent organizational units of a local authority, that offer goods or services to other natural or legal persons in return for payment, that are assigned to one of the types of entities specified in Annexes 1 and 2, and that employ at least 50 people or have an annual turnover and an annual balance sheet total of more than 10 million euros each.
Company classification according to types of entities
Section 28 (1) no. 4 and Section 28 (2) no. 3 NIS2UmsuCG also refer to the assignment to certain types of entities.
Particularly important ("essential") entities include companies that are of significant importance to the community; their failure would have serious consequences. NIS 2 specifically names eleven sectors:
- Energy (electricity, district heating, crude oil, natural gas, hydrogen)
- Transportation (air transport, rail transport, shipping, road transport)
- Banking
- Financial markets
- Health (including healthcare providers, medical research, pharmaceuticals, medical devices)
- Drinking water (water supply)
- Waste water (sewage disposal)
- Public administrations
- Digital infrastructure (Internet exchange points, cloud providers, data centers, electronic communications)
- ICT service management (B2B) (Managed Service Providers, Managed Security Service Providers)
- Space
The following seven sectors count as "important":
- Postal and courier services
- Waste
- Food
- Chemicals
- Digital services (search engines, online marketplaces, cloud services, social networks)
- Industry (including mechanical engineering, vehicle construction, data processing equipment)
- Research
If both the company size threshold and the type of entity match, the NIS 2 Directive applies. A company that carries out a critical activity whose failure could affect public order may also fall under NIS 2 even if it does not reach the size threshold.
Reporting obligation for companies regulated under NIS 2
The aim of the NIS 2 Directive is to introduce binding measures for public authorities and businesses to ensure a high common level of cybersecurity throughout the European Union. Important and particularly important entities are to be protected from damage caused by cyberattacks, and the functioning of the European internal market is to be improved. As the lists above show, this goes hand in hand with a significant expansion of the scope of application.
Some of the companies affected are likely to be required to provide proof of their IT security measures. Companies regulated under NIS 2 will also be obliged to report IT security incidents to the Federal Office for Information Security (BSI).
Source: Draft of the NIS-2 Implementation and Cybersecurity Strengthening Act