NIS2 in Germany
The EU NIS2 directive will be transposed into German national law by the NIS2UmsuCG, the NIS2 implementation law. As in other EU member states, it is expected to come into force in late 2024. It transposes the minimum cybersecurity requirements of the EU NIS2 directive into German regulations and laws and extends them with German regulatory peculiarities.
The draft law has passed the consultation and awaits the federal legislative process by October 2024. The NIS2UmsuCG is an amendment that changes existing German CIP laws. In addition to NIS2, there will be another law, KRITIS-DachG, regulating operators. NIS2 will affect at least 30,000 companies in Germany, according to official estimates.
This is the English version of an article on the German NIS2 implementation law, based on the draft law from July 2024. Sections (§) cited refer to this draft law.
Implementation in Germany
Current status
There have been multiple draft laws in various states of finalization for the German NIS2 implementation NIS2UmsuCG. The law is developed by the Federal Interior Ministry, BMI.
No. | Version | Date | Comment |
---|---|---|---|
1. | Draft | April 2023 | |
2. | Draft | July 2023 | |
3. | Discussion paper | September 2023 | incomplete |
3a. | Machine room chat | October 2023 | at BMI |
4. | Draft | December 2023 | |
5. | Formal draft | May 2024 | |
6. | Formal draft | June 2024 | |
6. | Formal draft | July 2024 | Government version |
Entities will be regulated by the BSI, the Federal Agency for Cybersecurity. The roadmap for new drafts, formal dates of publication and commencement deadline are currently unclear.
National differences
There are several changes and peculiarities in the German implementation of NIS2:
- The existing German method for identifying Critical Infrastructures, KRITIS, will stay in NIS2
- Existing German KRITIS operators with critical facilities and thresholds will carry over to NIS2 as third entity type operators of critical facilities
- NIS2 essential and important entities are called specially important and important entities
- NIS2 sectors in Annex I and II are defined slightly differently – ICT service management and digital infrastructure are rolled into the German IT/Telco sector
- Existing KRITIS sectors will remain as a separate set for critical operators
- Sector Public Administration is defined differently in Germany and will (mostly) only include entities of the federal administration
Regulated operators
Companies in Germany
Affected companies in Germany are split into three groups: critical infrastructure operators (KRITIS operators), essential entities (besonders wichtige Einrichtungen), and important entities (wichtige Einrichtungen).
The German regulation classifies essential and important entities based on staff (FTE), yearly turnover and balance. Companies are affected if they operate in one of the NIS2 sectors.
- Essential entities, based on company size in NIS2 sectors of annex 1:
  - Companies with ≥ 250 FTE, or
  - Companies with > 50m EUR yearly revenue and balance > 43m EUR
  - Special cases: qTSP, TLD, DNS, telco, critical facilities, central government
- Important entities, based on company size in NIS2 sectors of annex 1 and 2:
  - Companies with ≥ 50 FTE, or
  - Companies with > 10m EUR yearly revenue and balance > 10m EUR
  - Trust services
- Operators of critical facilities (KRITIS) are still regulated based on KRITIS methods with individual infrastructure assets:
  - Critical facilities above threshold (usually ≥ 500k supplied persons)
- Some federal entities are also regulated with separate requirements
Entities and operators
Essential and important entities
Essential entities §28 (1) are large enterprises operating in certain sectors, some companies independent of their size, and operators of critical infrastructures. Important entities §28 (2) are large and medium enterprises in a broad spectrum of sectors.
Entity | Size | Sectors |
---|---|---|
Essential §28 (1) | Large enterprises in annex 1 | Energy, Transport, Finance, Health, Water/Waste Water, Digital Infrastructure, Space |
Essential §28 (1) | size-independent | Qualified trust services, TLD registries, DNS services |
Essential §28 (1) | Medium enterprises | Providers of public telecommunication networks and services |
Essential §28 (1) | size-independent | Operators of critical infrastructure (KRITIS operators) |
Important §28 (2) | Medium enterprises in annex 1 | Energy, Transport, Finance, Health, Water/Waste Water, Digital Infrastructure, Space |
Important §28 (2) | Large and medium enterprises in annex 2 | Postal/Courier, Municipal Waste, Chemicals, Food, Manufacturing, Digital Services, Research |
Important §28 (2) | size-independent | Trust Services |
Company sizes
Companies regulated as entities are differentiated by their size: employees, annual revenue (turnover) and annual balance. NIS2 essential entities are defined in §28 (1) and important entities in §28 (2).
Entity | Sectors | Size | Employees | Revenue and balance |
---|---|---|---|---|
Essential | Annex 1 | Large enterprises | ≥ 250 | > 50m + > 43m EUR |
Important | Annex 1 and 2 | Medium enterprises and up | ≥ 50 | > 10m + > 10m EUR |
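The size thresholds above combine an employee rule with a revenue-and-balance rule, and the annex decides whether a large company ends up essential or important. The following scoping helper is an added example (not OpenKRITIS code and not from the draft law) that encodes exactly the thresholds stated on this page for §28 (1) and §28 (2). The `Company`, `Annex` and `classify` names, the sample companies and the "not regulated by size" result are constructed for illustration; the size-independent special cases (qTSP, TLD, DNS, telco, federal entities) are deliberately left out and must be checked by hand.

```python
from dataclasses import dataclass
from enum import Enum


class Annex(Enum):
    """Which annex of the NIS2UmsuCG the company's sector falls into."""
    HIGH_CRITICALITY = 1   # annex 1: sectors of high criticality
    OTHER_CRITICAL = 2     # annex 2: other critical sectors
    NONE = 0               # not in a NIS2 sector at all


@dataclass(frozen=True)
class Company:
    name: str
    annex: Annex
    fte: int                        # full-time equivalents
    revenue_meur: float             # yearly revenue in million EUR
    balance_meur: float             # annual balance sheet total in million EUR
    kritis_operator: bool = False   # operates a critical facility above threshold, §28 (6)


def size_class(c: Company) -> str:
    """Size class as stated on the page for §28 (1)/(2).

    large  : >= 250 FTE, or (> 50m EUR revenue AND > 43m EUR balance)
    medium : >= 50 FTE,  or (> 10m EUR revenue AND > 10m EUR balance)
    small  : everything else (not in scope by size alone)
    Note the AND between revenue and balance: a high revenue with a small
    balance sheet does not make a company large.
    """
    if c.fte >= 250 or (c.revenue_meur > 50 and c.balance_meur > 43):
        return "large"
    if c.fte >= 50 or (c.revenue_meur > 10 and c.balance_meur > 10):
        return "medium"
    return "small"


def classify(c: Company) -> str:
    """Return 'essential', 'important' or 'not regulated by size'.

    Size-independent cases (qTSP, TLD, DNS, telco, federal administration)
    are not modelled and need a manual check against §28.
    """
    if c.kritis_operator:
        return "essential"          # operators of critical facilities, §28 (1) No. 1
    if c.annex is Annex.NONE:
        return "not regulated by size"
    size = size_class(c)
    if size == "large" and c.annex is Annex.HIGH_CRITICALITY:
        return "essential"          # large enterprise in annex 1, §28 (1)
    if size in ("large", "medium"):
        return "important"          # medium in annex 1; large or medium in annex 2, §28 (2)
    return "not regulated by size"


def scope(companies: list[Company]) -> dict[str, str]:
    """Map company name to classification for a whole portfolio."""
    return {c.name: classify(c) for c in companies}


# Constructed sample portfolio (not real companies).
SAMPLE = [
    Company("grid-operator", Annex.HIGH_CRITICALITY, fte=300, revenue_meur=20, balance_meur=15),
    Company("regional-clinic", Annex.HIGH_CRITICALITY, fte=60, revenue_meur=8, balance_meur=6),
    Company("chemicals-trader", Annex.OTHER_CRITICAL, fte=1000, revenue_meur=400, balance_meur=300),
    Company("small-dns-reseller", Annex.HIGH_CRITICALITY, fte=10, revenue_meur=60, balance_meur=20),
    Company("retail-chain", Annex.NONE, fte=500, revenue_meur=500, balance_meur=500),
    Company("waterworks-facility", Annex.NONE, fte=5, revenue_meur=1, balance_meur=1, kritis_operator=True),
]

if __name__ == "__main__":
    for name, result in scope(SAMPLE).items():
        print(f"{name:22} -> {result}")
```

Running the block prints one line per sample company; the `small-dns-reseller` case shows the AND rule at work: 60m EUR revenue with a 20m EUR balance sheet is only medium, so in annex 1 it lands in "important", not "essential".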
Infrastructure operators
Existing German critical infrastructures (KRITIS) will be called operators of critical facilities in NIS2. §28 (6) The German KRITIS methodology with KRITIS sectors, critical services and facilities with thresholds is retained. Operators will also become essential entities. §28 (1) No. 1
Operator | Size | Sectors |
---|---|---|
Critical Facility §28 (6) | Facility above threshold §28 (7) | Energy, Transport, Finance/Insurance, Health, Water, Food, IT and Telco, Space, Municipal waste |
NIS2 Sectors
German NIS2 defines two groups of sectors: sectors for entities, defined in annex 1 and 2 of the law, and KRITIS sectors for critical facilities, which are no longer defined in the law itself. Sectors for entities are split into sectors of high criticality (annex 1) and other critical sectors (annex 2).
KRITIS | Sectors of High Criticality (annex 1) | Other Critical Sectors (annex 2) |
---|---|---|
Energy | Energy: power supply, district heating/cooling, fuel/heating oil, gas | |
Transport | Transport: air, rail, shipping, road | Transport: postal and courier |
Finance/Insurance | Finance: banks, financial market infrastructure | Chemicals: trade, import (NACE 20) |
Health | Health: services, reference laboratories, R&D, pharma (NACE C 21), medical devices | Research: research institutions |
Water | Water/Waste water: drinking water, waste water | Manufacturing: medical/diagnostics; IT, electronics, electrics, optical (NACE C 26 and 27); mechanical engineering (NACE C 28), vehicles/parts (NACE C 29), vehicle construction (NACE C 30) |
IT and Telco | Digital Infrastructure: IXPs, DNS, TLD, cloud providers, data center services, CDNs, TSP, electronic communication/services, managed services and security services | Digital Services: marketplaces, search engines, social networks |
Space | Space: ground infrastructures | |
Food | | Food: wholesale, production, processing |
Municipal waste | | Municipal waste: waste management |
Cybersecurity
Obligations
The requirements for critical infrastructures and entities will change significantly with NIS2 in Germany. The existing KRITIS obligations under the BSI law (BSIG from 2021) will be retained in their basic form but will be extended and restructured significantly.
Requirement | Critical Facilities | Essential Entity | Important Entity |
---|---|---|---|
Scope | Facility | Company | Company |
Risk management measures §30 | * | ✓ | ✓ |
Higher standards for KRITIS §31 (1) | ✓ | | |
Attack detection (SzA) §31 (2) | ✓ | | |
Reporting §32 | * | ✓ | ✓ |
Registration §33 §34 | ✓ | ✓ | ✓ |
Information (customers) §35 | * | ✓ | ✓ |
Governance §38 | * | ✓ | ✓ |
Audits §39 | ✓ | partly (§61) | partly (§62) |
Exclusions
There are several exceptions and special rules for companies regarding NIS2 requirements.
Entity | Section | Exclusion |
---|---|---|
DNS, TLD, Cloud Computing, Data Centers, CDNs, Managed Services and Security Services, Online Marketplaces and Search Engines, Social Networks, Trust Services (Sector IT) | §30 (3) | NIS2 Measures §30 (2) (Implementing Act) |
Public telecommunications networks and services | §28 (4) | KRITIS requirements reporting, evidence, audit, §§30, 31, 32, 35, 36, 38, 39, 61, 62 |
Energy networks and energy facilities | §28 (4) | |
Companies under DORA (EU) 2022/2554 | §28 (5) | NIS2 and KRITIS reporting, customers, evidences, management, §§30, 31, 32, 35, 36, 38, 39 |
German healthcare telematics | §28 (5) | |
National security, public security, defense, law enforcement | §37 | Risk management and reporting §§30,32 + registration §§33-34 |
Federal administration (§29) | §28 (1) §28 (2) | Important and essential entities |
Public bodies | §28 (8) | |
Security and risk management
Essential and important entities must take appropriate, proportionate and effective technical and organizational measures to protect the IT and processes of their services to avoid incidents, disruptions and to minimize the impact of disruptions. §30 (1)
Entities should take into account their risk exposure, size, implementation costs, probability of occurrence and severity of security incidents, and social and economic impact. §30 (1)
Measures
The measures to be implemented by operators and entities must be based on an all-hazards approach and should take European and international standards into account. The measures should comply with the state of the art and must cover at least the following topics: §30 (2)
- Risk analysis and security for information systems
- Incident response and management
- Maintenance and recovery, backup management, crisis management
- Supply chain security, security between entities, service provider security
- Security in development, procurement, and maintenance
- Vulnerability management
- Assessment of cybersecurity and risk management effectiveness
- Training covering cybersecurity and cyber hygiene
- Cryptography and encryption
- Personnel security, access control, and facility management
- Multi-factor authentication and continuous authentication
- Secure communication (voice, video, and text)
- Secure emergency communication
Entities must document the implementation of their security measures. §30 (1)
Sector regulation
Some sectors are partially excluded from the risk management requirements in §30 and §31. For these sectors, corresponding measures will be specified in equivalent sector regulation.
- DNS, TLD, Cloud Computing, Data Centers, CDNs, Managed Services and Security Services, Online Marketplaces and Search Engines, Social Networks, and Trust Services will (should) receive EU requirements for measures according to §30 (2) through an Implementing Act.
- Public telecommunications networks and services will receive requirements for equivalent measures according to §30 through new TKG and the BNetzA Security Catalog.
- Energy supply networks and energy facilities will receive requirements for equivalent measures according to §30 through new EnWG and the BNetzA Security Catalog.
- Entities according to Article 2 (4) of Regulation (EU) 2022/2554 will receive equivalent measures through DORA. (Parts of the financial sector)
Official guidance
Detailed guidance for implementing measures by the German BSI or public associations is not yet known, but there will certainly be developments throughout 2024. Similarly, there are still no official adaptations of existing cybersecurity standards such as ISO 27001 or C5 to NIS2 available.
Existing ISMS certifications will generally not be sufficient for NIS2 – scope of NIS2 might be beyond existing certificates and measures are sometimes deeper.
There is an OpenKRITIS NIS2 mapping to ISO 27001:2022 controls as well as a mapping of the EU NIS2 Implementing Act.
EU Implementing acts
According to Article 21 (5) of NIS2, the Commission can issue specific technical and method requirements in Implementing Acts, which then become directly binding and take precedence over the requirements in §30 (2) from German law. §30 (4) If the legal acts are not exhaustive, the German Federal Ministry of the Interior can issue its own specifications. §30 (5)
For operators of DNS, TLD, Cloud Computing, Data Centers, CDNs, Managed Services and Managed Security Services, Online Marketplaces, Search Engines, Social Networks, and Trust Services, the EU Commission will establish binding measures in a separate Implementing Act by October 2024; §30 (2) applies to them only secondarily. §30 (3)
Critical facilities
For operators of critical facilities (KRITIS), higher standards and additional requirements apply when selecting measures and assessing adequacy:
- Even more elaborate measures under §30 are considered proportionate §31 (2)
- Use of Attack Detection Systems (OH SzA) §31 (2)
- Audit obligations (KRITIS audits) for measures and IDS §39 (1)
Reporting
Registration and contact
Entities and operators must identify themselves and register with the regulatory authority, the BSI. There are more specific registration rules for certain companies. §33 §34
Essential and important entities as well as DNS registries must register with the BSI within three months, including: Name, legal form, contact details, email/telephone, IP address ranges, sector and sub-sector, EU countries with business activities. §33 (1)
Operators of critical facilities must provide additional information during registration. §33 (2) Registration with the BBK government authority under the KRITIS-DachG is not entirely clear yet.
Changes to the data specified in (1) and (2) must be reported to the BSI annually; all other changes must be reported immediately, within two weeks. §33 (5)
The BSI can register essential and important entities as well as DNS registries on its own authority. For this, the BSI may request documents and details. §33 (2) (6)
Some operators defined in §60 must register with the BSI within three months §34, this includes DNS and TLD, Cloud Computing, Data Centers, CDNs, Managed Service Providers and Managed Security Service Providers, Online Marketplaces, Search Engines, Social Networks, when the main establishment in the EU is in Germany.
Notifications
With NIS2, affected entities have many information and reporting obligations that go beyond the existing §8b BSIG reporting obligations (KRITIS).
Security incidents
Essential entities (including operators of critical facilities) and important entities must report security incidents to the BSI within very short deadlines (24 hours) and with incremental follow-up reports: §32
- Initial report on significant security incidents immediately, but no later than within 24 hours
- Follow-up report on a significant security incident within 72 hours, including an evaluation of the initial report (severity, impact, compromise)
- Intermediate reports upon request from the BSI
- Final report or progress report within one month, including description, causes, measures, and cross-border impacts
- Operators of critical facilities must also report the facilities, critical service, and impacts
The BSI establishes the reporting option in agreement with the BBK, for NIS2 and the KRITIS-DachG. The BSI may issue further provisions on the reporting procedure. §32 (4)
Customers and public
In the event of significant security incidents, the BSI may instruct essential and important entities to inform their customers (recipients of their services). §35 (1)
Entities in the financial and insurance sectors, information technology and telecommunications, ICT services, and digital services must immediately inform potentially affected customers of a significant cyber threat, including possible countermeasures. §35 (2)
BSI will respond, if possible, within 24 hours of receiving a notification from companies, possibly with queries, offers of support, and information. §36 (1) If raising public awareness is necessary or in the public interest, the BSI may inform the public or ask the company to do so. §36 (2) This also applies if the company is a federal entity. §4 (3)
Evidence and audits
Operators of critical facilities must demonstrate the implementation of NIS2 measures to the BSI every three years. Depending on their own registration, audits must then be conducted every three years, similar to existing KRITIS compliance audits.
| Operators of critical facilities (NIS2UmsuCG) | Operators of critical facilities (DachG) | Essential entities | Important entities |
---|---|---|---|---|
Law | NIS2UmsuCG | DachG | NIS2UmsuCG | NIS2UmsuCG |
Timeframe | from 2025 | from 2026 | from 2024 | from 2024 |
Requirement | §39 (1) | §11 | §63 | §64 |
Form | Audits | part of Audits | Sampled by BSI | |
Content | IT security, notifications, SzA | Resilience | IT security, notifications | IT security, notifications |
Scope | Facility/entity | Facility | Entity | Entity |
Frequency | every three years | Sample | Sample | as needed |
Recipient | BSI | BBK | BSI | BSI |
Operators of critical facilities
Operators of critical facilities must provide evidence for the measures according to §30, §31 and §38 through Audits, Inspections, or Certifications every three years to the BSI, as previously done in KRITIS audits. §39(1)
For operators already being audited as KRITIS operators, the BSI will set the deadline for providing evidence to at least three years after the provision of the last evidence according to §8a(3) BSIG – so the next submission might be postponed by a year.
BSI has the authority to independently audit operators of critical facilities as essential entities §61 and can establish requirements for audits. §39 (2)
Entities
Entities must document the implementation of the measures. §30 (1) They are not required to regularly provide audits to the BSI for the implementation of §30 measures and §32 reporting obligations after registration. BSI can, however, compel entities to undertake audits, request evidence, and conduct their own audits. §61 (1) (3) (5)
BSI has enforcement rights for evidence from essential and important entities. §61 §62
When selecting entities, the BSI should proceed in a risk-oriented manner, taking into account the extent of risk exposure, the size of the entity, the likelihood and severity of potential security incidents, as well as their possible societal and economic impact. §61 (4)
The BSI can establish requirements for these audits. §61 (2)
Roadmap
Legislation
The German NIS2 Implementation law was planned to come into force in October 2024 to supersede the existing KRITIS regulation (BSIG 2021). Drafts of the law have been public since Summer 2023. It is not yet clear if the October 2024 deadline will be kept.
Version | Status | Date | Responsible |
---|---|---|---|
NIS | Deadline implementation | May 2018 | EU member states |
IT security act 2.0 | In force | May 2021 | Federal council |
NIS2 | EU 2022/2555 Final | Dec 2022 | EU |
NIS2 Implementation Law | Draft | Apr 2023 | Interior ministry |
NIS2 Implementation Law | Draft | Jul 2023 | Interior ministry |
NIS2 Implementation Law | Discussion paper | Sep 2023 | Interior ministry |
NIS2 Implementation Law | Draft | Dec 2023 | Interior ministry |
NIS2 Implementation Law | Draft | May 2024 | Interior ministry |
NIS2 Implementation Law | Draft | June 2024 | Interior ministry |
NIS2 Implementation Law | Draft | July 2024 | Cabinet approval |
NIS2 Implementation Law | Announcement | not clear | Parliament |
KRITIS Ordinances | | not clear | Interior ministry |
NIS2 Implementation Law | Planned | Oct 2024 | Parliament |
NIS2 Implementation Law | Commencement | not clear | Federal gazette |
NIS2 | Deadline implementation | Oct 2024 | EU member states |
Deadlines
Various deadlines for the implementation of the obligations are specified in the law. The NIS2 Implementation law NIS2UmsuCG is set to come into effect in October 2024 – still TBC.
Essential entities
- Registration within three months after identification §33 (1)
Important entities
- Registration within three months after identification §33 (1)
Operators of critical facilities
- Registration within three months after identification §33 (1) and §33 (2)
- Initial evidence of implementation of measures to be provided no later than a date determined by the BSI and BBK at registration: at least three years after the law comes into effect §39 (1), i.e., from 2027.
- Ongoing evidence of implementation of measures every three years thereafter §39 (1)
Additional legislation
Various requirements of the NIS2UmsuCG are intended to be specified or defined by one or more legal ordinances (KRITIS-Verordnungen): §56
- Services considered to be critical, their level of supply, and which facilities or parts thereof are considered critical infrastructure under the law §56 (4)
- Details on the issuance of security certificates and recognition according to §52 §56 (1)
- Specifics of the IT security label according to §55, as well as the determination of the suitability of industry-specific IT security requirements and their approval §56 (2)
- Products, services, or processes used by essential or important entities that must have certification under §30 (6) §56 (3)
The regulation is intended to be defined in accordance with the KRITIS-DachG and consolidate operators and entities in one regulation so that affected companies can find relevant categories and thresholds in a single table.
A draft of the regulation(s) is not yet available.
EU Requirements and Implementing Acts
The EU Commission may issue its own requirements through Implementing Acts to define the measures in §30 (2), which would take precedence over national law, generally in §30 (4) and specifically for certain IT operators in §30 (3).
If this does not occur, the German Federal Ministry of the Interior will issue technical, methodological, and sectoral definitions for clarification purposes. §30(5)
Industry Standards
Essential entities, including operators of critical facilities, can continue to propose sector-specific security standards (B3S) for implementing the measures in §30 (1). The BSI determines the suitability of the B3S. §30 (9)
Further Information
Most of these links and documents are in German (DE).
Literature
- Statement BSI Cybersecurity Responsibilities and Tools in the Federal Republic of Germany, Bundestag, public hearing Committee on Digital Affairs, January 25, 2023
- Update for European Cyber Security, Mit Sicherheit BSI Magazin 2022/02, December 14, 2022
- Draft by the BMI: NIS2UmsuCG, various versions, AG KRITIS 2023
Sources
- Workshop Discussion Paper, by the BMI for economic-related regulations for the implementation of the NIS-2 Directive, German Federal Ministry of the Interior, Intrapol, October 26, 2023
- Discussion Paper by the Federal Ministry of the Interior and for Homeland NIS2UmsuCG, third draft, AG KRITIS, September 27, 2023
- Draft by the BMI: NIS-2 Implementation and Cybersecurity Strengthening Act NIS2UmsuCG, draft law for the implementation of the NIS-2 Directive and the regulation of essential aspects of information security management in federal administration, AG KRITIS, July 3, 2023
- Draft by the BMI: NIS-2 Implementation and Cybersecurity Strengthening Act NIS2UmsuCG, draft law for the implementation of the NIS-2 Directive and the regulation of essential aspects of information security management in federal administration, Intrapol, April 3, 2023
- Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), December 27, 2022