NIS2 Directive: Transposition in Germany: Requirements
The requirements are specifically designed to increase resilience to cyber attacks and to ensure a rapid and effective response in the event of a security incident.
Since the requirements depend on the company's risk profile, operators of critical infrastructure are subject to stricter obligations and security requirements, which are not considered below. The same applies to companies that are already regulated by DORA or the TKG; NIS2 contains exceptions here that take multiple regulation into account. In addition, there are many exceptions and deviating rules, particularly in the IT sector, which are also not considered below.
However, these exceptions and special regulations are taken into account in our NIS2 Assistant.
1. Registration requirements:
Important and particularly important entities must register. Registration is carried out via a registration option set up jointly by the Federal Office BSI (Bundesamt für Sicherheit und Informationstechnik) and the Federal Office BBK (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe).
This registration requirement covers basic information such as the name, contact details and sector of the entity.
2. Minimum requirements for risk management measures:
The measures should comply with the state of the art, take into account the relevant European and international standards and must be based on an approach that covers all hazards.
- Concepts relating to risk analysis and information technology security.
- Management of security incidents.
- Maintaining operations, such as backup management and disaster recovery, and crisis management.
- Security of the supply chain, including security-related aspects of the relationships between the individual entities and their direct providers or service providers.
- Security measures for the acquisition, development and maintenance of information technology systems, components and processes, including management and disclosure of vulnerabilities.
- Concepts and procedures for evaluating the effectiveness of risk management measures in the area of information security.
- Basic procedures in the area of cyber hygiene and training in the area of information security.
- Concepts and procedures for the use of cryptography and encryption.
- Security of personnel, concepts for access control and for the management of entities.
- Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication, and, where appropriate, secure emergency communication systems within the facility.
3. Reporting requirements:
Essential entities and important entities are obliged by the NIS2 regulation to report significant security incidents immediately and to inform the recipients of their services about such incidents. The Federal Office for Information Security (BSI) offers feedback and support in dealing with the incidents.
- Initial report within 24 hours of becoming aware of the incident.
- Update of the report within 72 hours of becoming aware of the incident.
- Interim report at the request of the Federal Office.
- A final report no later than one month after submission of the report of the security incident.
4. Duty to inform:
The company must immediately inform the recipients of its services about significant security incidents that could affect the provision of the respective service. This information can also be provided by publishing it on the institution's website.
5. Duties for managing directors:
- Approval and monitoring obligation: The management of particularly important institutions and important institutions is obliged to approve the risk management measures to be taken by these institutions in accordance with Section 30 and to monitor their implementation.
- Claims for compensation by the company against the management: Management boards that violate their obligations under paragraph 1 are liable to their institution for any culpably caused damage in accordance with the rules of company law applicable to the legal form of the institution. Under this law, they are liable only if the company law provisions applicable to the institution do not contain their own liability provisions.
- Training requirement: The management boards must regularly attend training courses in order to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in the area of information technology security, as well as to assess the impact of risks and risk management practices on the services provided by the institution.
6. Enforcement measures and BSI supervision:
The BSI (Bundesamt für Sicherheit und Informationstechnik) can verify compliance with the obligations of important and particularly important entities.
The following enforcement measures can be taken, for example:
- Ordering audits, inspections or certifications.
- Defining technical and organizational requirements.
- Ordering measures to prevent or remedy a security incident.
- Providing information about cyber threats.
- Publicly disclosing violations.
- Reporting to the relevant supervisory authority.
- Suspending the license and prohibiting the activity.
7. Fine regulations:
Fines for important entities: between €100,000 and €7 million (or up to 1.4 percent of annual turnover), depending on the infringement.
Fines for essential entities: between €100,000 and €10 million (or up to 2 percent of annual turnover), depending on the infringement.
These fines are individually addressed in detail in our NIS2 Assistant.
Complete and highly detailed guide to NIS2 in Germany: who is affected, what the NIS2 requirements are, your obligations, and the possible fines for non-compliance (currently only available in German).
Our Services:
Requirements elicitation:
Gap analysis
Defining the solution architecture
- We create a gap analysis against security best practices and specific standards.
- We carry out a risk analysis to assess the specific cyber security risks.
- The result is presented as a heat map of the entire control standard.
- We create an action plan with prioritization and milestones.
- Consulting and implementation planning to eliminate audit findings.
- IS policies: creation of company-specific information security guidelines.
Project Management
- Business plan (scope, costs, benefit, risk, roadmap)
- Project organisation
- Project management
- Program management
Certificates:
Prince2 (classic & agile)
Scrum Product Owner
Scrum Master
ITIL4
CISSP
Business Analysis
Requirements Engineering
Arrange a consultation appointment:
Dr. Johannes Faassen
mobile: +49 170 4168039