On May 1, 2023, a new era of cyber security began in Germany. Since that day, operators of critical infrastructures (CRITIS) have had to comply with the provisions of the IT Security Act 2.0 (IT-SiG 2.0). The IT-SiG 2.0 aims to enable critical infrastructures such as energy and water supply, transport and medical care to protect themselves more effectively against cyber attacks and ensure permanent availability.
More CRITIS obligations through IT-SiG 2.0
With the IT Security Act 2.0, lawmakers have significantly expanded the provisions of the previously applicable CRITIS regulation of 2015 – with regard to cyber security requirements, the number of companies and organizations affected, the level of fines for violations, and the powers of the state and regulatory authorities. Among other things, critical infrastructure operators are now required to implement an attack detection system so that cyber attacks can be identified and neutralized as quickly as possible. Likewise, they must regularly update their IT systems to the current state of the art in order to effectively prevent disruptions to those systems.
From IT Security Act 2.0 to NIS 2
However, it is already clear that the IT Security Act 2.0 will only have a limited lifespan. This is due to the European directive NIS 2, which came into force in January 2023. The EU member states must have implemented the provisions of NIS 2 in national law by October 2024 at the latest. For Germany, it can be assumed that the NIS 2 regulations will result in an IT Security Act 3.0.
NIS 2 regulations
In its provisions, the NIS 2 directive goes well beyond the IT Security Act 2.0. All companies covered by NIS 2 are required to implement a range of cyber security measures to protect their IT infrastructure, networks and critical services.
These include, among other things, the development of a risk management concept, the introduction of emergency plans and the establishment of a system for the prompt reporting of security incidents to the responsible supervisory authority. Prescribed technical measures include systematic data backup, concepts for access control, encryption of information, management of vulnerabilities, and employee training. Similar to the IT Security Act 2.0, NIS 2 also stipulates that companies must develop protection concepts for securing their supply chains so that cyber criminals cannot penetrate other companies’ systems via suppliers.
Significantly tougher sanctions
In the event of violations of the NIS 2 regulations, companies face severe fines of up to ten million euros or 2% of annual sales. In addition to the risk of fines, NIS 2 also entails a considerable liability risk for company management: in the event of violations, the management of the operators can be held personally liable. Thus, with NIS 2 at the latest, cyber security becomes an indispensable part of corporate management.
NIS 2 expands the scope
NIS 2 applies to a total of 18 sectors, which are divided into the categories “Essential” and “Important”. For the complete list of affected sectors, please refer to our fact sheet on NIS 2, which is available for free download.
The “size-cap rule” specifies that NIS 2 is mandatory for all companies in the above sectors that employ more than 50 people and have annual sales of more than 10 million euros. NIS 2 thus goes well beyond the scope of the IT Security Act 2.0. According to experts, around 40,000 additional companies in Germany that do not fall within the scope of the IT Security Act 2.0 could be affected by NIS 2. All previously unregulated companies should therefore check whether the provisions of NIS 2 apply to them. If this is the case, it is advisable to start implementing the necessary measures now. After all, there is not much time left until October 2024.