The Act to Implement the EU NIS2 Directive and to Strengthen Cyber Security is currently at an advanced stage of the legislative process and is expected to come into force as early as March 2025. It introduces the EU-wide cyber security requirements of the EU NIS2 Directive into the German legal system.
Who is affected by the regulation?
Companies affected by NIS2 in Germany fall into three groups: existing operators of critical installations, essential entities and important entities.
Essential entities are companies operating in the energy, transport, financial and digital infrastructure sectors, among others, if they have 250 or more employees or a turnover of more than €50 million and a balance sheet total of more than €43 million. Important entities, on the other hand, are companies in the food, chemicals, waste management and digital services sectors if they have 50 or more employees or a turnover of more than €10 million and a balance sheet total of more than €10 million.
Obligations for essential entities and important entities
According to § 30 sec. 1 of the draft law, essential entities and important entities must take appropriate, proportionate and effective technical and organisational measures to avoid disrupting the availability, integrity and confidentiality of the information systems, components and processes they use to provide their services, and to minimise the impact of security incidents.
The assessment of the proportionality of the measures should take into account the level of risk, the size of the organisation, the cost of implementation and the probability and severity of security incidents, as well as their social and economic impact.
The measures shall be state-of-the-art, take into account relevant European and international standards and be based on a multi-risk approach.
The measures shall include at least the following:
- Risk analysis and information technology security concepts,
- Security incident management,
- Business continuity, such as backup management, disaster recovery and crisis management,
- Supply chain security, including security-related aspects of the relationships between each organisation and its direct suppliers or service providers,
- Security measures for the acquisition, development and maintenance of information technology systems, components and processes, including vulnerability management and disclosure,
- Policies and procedures for evaluating the effectiveness of information technology security risk management measures,
- Basic cyber hygiene procedures and information technology security training,
- Policies and procedures for the use of cryptography and encryption,
- Personnel security, access control policies and facilities management,
- The use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and, where appropriate, secure emergency communication systems within the organisation.
Notification obligations
On the basis of § 32 sec. 1 of the draft, essential and important entities are obliged to report the following information to the joint reporting office of the Federal Office and the Federal Office for Civil Protection and Disaster Assistance:
1. without undue delay and, in any case, no later than 24 hours after becoming aware of a significant security incident, an early initial notification indicating whether the significant security incident is suspected to be the result of unlawful or malicious action or to have cross-border implications;
2. without undue delay and, in any event, no later than 72 hours after becoming aware of a significant security incident, a notification on that security incident confirming or updating the information referred to in point 1 and providing a preliminary assessment of the significant security incident, including its severity and impact and, where applicable, the indicators of compromise.
Furthermore, according to § 33 sec. 1 of the draft law, essential and important entities are required to register by reporting information such as the name of the entity, its address, contact information and the relevant sector. This information must be submitted to the Federal Office for Civil Protection and Disaster Assistance via the registration facility set up jointly by the Federal Office and the Federal Office for Civil Protection and Disaster Assistance no later than three months after the initial or renewed classification as an essential or important entity.
Responsibility
We recommend that you take a close look at the new cybersecurity regulations, as violations of the new law can result in fines of up to €10 million.
It should also be noted that it is not only the company that is liable, but also the management of the essential or important entity, which, according to § 38 of the draft law, is obliged to take risk management measures and to monitor their implementation. Management that violates these obligations is liable to the company for any culpably caused damage in accordance with the provisions of company law applicable to the legal form of the entity.
Grau Rechtsanwälte PartGmbB advises and supports companies in the areas of distribution law, labour law and data protection, and also acts as an external data protection officer.
If you have any further questions, please contact our law firm on +49 (0) 40 180 364 020 or office@graulaw.eu.