This criticism was not necessarily to be expected: in a report, the German Federal Audit Office has called for improvements to the NIS-2 Implementation Act. According to the auditors, the Federal Government is endangering information and cyber security in Germany.
"Information and cyber security of all parties at risk"
As the Tagesspiegel reports, the report by the Federal Audit Office has been forwarded to the Budget Committee and the Interior Committee of the Bundestag. The auditors criticize the fact that the draft law on the implementation of the Network and Information Security Directive (NIS-2), which was drawn up by the Federal Ministry of the Interior and passed by the Federal Cabinet at the end of July, falls short of the goals it set itself in key points, even after multiple departmental consultations.
"Important regulations should not be uniformly binding for the entire federal administration. The result would be a 'patchwork quilt' that could jeopardize the information and cyber security of all parties involved," writes the Bundesrechnungshof in the report on NIS 2 implementation.
In its report, Germany's highest audit authority calls for the draft law to be amended in the parliamentary process. In particular,
- the exceptions to the central requirements for information and cyber security should be limited and
- the information security coordinator should be given appropriate tasks and powers.
The needs of the federal authorities for additional budget funds should also be critically scrutinized.
NIS-2 transposition law arrives late
The NIS-2 Directive is actually supposed to be implemented through national laws in the member states by October 18, 2024 at the latest. The obligations to implement cybersecurity measures and report cyberattacks will then be extended to significantly more companies in various sectors. In Germany alone, the Federal Ministry of the Interior, which is in charge, expects around 29,500 companies to be additionally obliged to implement cybersecurity measures. Until now, the measures were limited to operators of critical infrastructures, providers of digital services and companies of particular public interest.
It is already clear that the NIS-2 Act will come into force in Germany after a delay. The Federal Council will deal with the bill on September 27. Although it does not have to approve the law, according to the Tagesspiegel, it has already registered requests for amendments. The Bundestag could then also deal with the NIS-2 Implementation Act in the second week of October at the earliest. The Federal Audit Office has more than clearly pointed out the critical points.
Source: Draft of the NIS-2 Implementation and Cybersecurity Strengthening Act