The current draft bill of the Federal Ministry of the Interior for the implementation of the NIS-2 Directive has been met with significant criticism from the data protection supervisory authorities of the federal states. The criticism centers on the inadequate obligation of the IT security authorities to inform the data protection supervisory authorities and the lack of interaction between the reporting obligations under the NIS-2 Directive and those of the GDPR. Here is what the data protection authorities are now demanding.
Background and objectives of the NIS 2 Directive
With the NIS-2 Directive (Directive (EU) 2022/2555), the European Union is pursuing the goal of strengthening the cybersecurity of critical infrastructures and digital services in Europe. It is a further development of the original NIS Directive from 2016 and significantly expands the scope of application compared to the previous directive. While previously only operators of critical infrastructure (KRITIS) were covered, in future a large number of so-called "essential" and "important" institutions will be subject to the directive, including those from the healthcare, digital services, public administration and manufacturing sectors.
A central element is the obligation to report significant security incidents. These may also concern aspects relevant to data protection law, in particular if personal data are affected.
Point of criticism 1: Limited information obligations of the BSI
Art. 35 para. 1 NIS-2 obliges the competent IT security authorities to inform the data protection supervisory authorities if security incidents could have consequences relevant to data protection law within the meaning of Art. 33 GDPR.
However, the current draft law limits the obligation of the Federal Office for Information Security (BSI) to provide information to "obvious" data breaches. In the opinion of the state data protection authorities, this contradicts the clear wording of the directive.
The data protection supervisory authorities are therefore calling for Section 61 (11) of the draft to be amended so that even potential data breaches, and not just obvious ones, trigger a notification obligation on the part of the BSI. This would meet the requirements of Art. 35 NIS-2 and strengthen the effectiveness of cooperation between the authorities.
Point of criticism 2: Lack of bundling of reporting obligations
According to § 40 of the draft bill, the Federal Office for Information Security (BSI) is designated as the central reporting office for IT security incidents. In future, essential and important institutions within the meaning of NIS-2 are to submit their reports there in accordance with Section 32 of the Implementation Act.
However, § 40 does not provide for any linking or integration of the parallel reporting obligation under Art. 33 GDPR, i.e. the obligation to report personal data breaches to the competent data protection supervisory authority. The opportunity to handle two frequently coinciding reporting processes via a joint portal or procedure therefore remains unused.
Consequence: duplication of work for companies
In practice, this means that companies in which an IT security incident also affects personal data (which is often the case) must submit two separate reports:
- A notification to the BSI in accordance with the NIS-2 Implementation Act
- A second notification to the data protection supervisory authority pursuant to Art. 33 GDPR
This leads to increased administrative effort, inconsistent information across the two reports and possible delays.
Requirement of the supervisory authorities
The Data Protection Conference therefore proposes an extension of Section 40: "The BSI should be legally obliged to develop an integrated electronic procedure through which companies can simultaneously fulfil their obligations under Section 32 (NIS-2) and Art. 33 GDPR."
Such a bundled reporting process would not only reduce bureaucracy, but also promote cooperation between the BSI and data protection authorities. Other EU countries such as Luxembourg and Denmark are already demonstrating that this integration is technically feasible.
In addition, the supervisory authorities recommend an internal administrative regulation for coordination between the BSI and the data protection authorities, as well as the establishment of a central office at the Data Protection Conference (DSK) to systematically manage the exchange.
Establishment of a DSK office with NIS-2
The Data Protection Conference (DSK) of the federal states is not yet a legally institutionalized body. The statement suggests that a statutory DSK office should also be created as part of the implementation of NIS-2. This could act as a coordination office for notifications in accordance with Art. 33 GDPR and thus further professionalize and centralize cooperation with the BSI.
Conclusion on the NIS-2 draft bill
The opinion of the state data protection supervisory authorities puts its finger on the sore spot of the NIS-2 implementation: a more comprehensive information obligation for the BSI and the bundling of the NIS-2 notification process with the GDPR notification would above all be more practicable and less bureaucratic.
The ball is now in the legislator's court. A revision of the draft bill to include data protection requirements could significantly improve the acceptance of the new regulations and implement the EU's goal of a high, uniform level of cybersecurity in a data protection-friendly manner.