Fortifying Critical Infrastructure Security

The new European Cybersecurity Directive NIS 2 will come into force on 16 January 2023. NIS 2 stands for "Second Directive concerning measures to ensure a high common level of security of network and information systems across the Union". As part of the European Cyber Security Strategy, the NIS Directive aims to strengthen the resilience of critical infrastructure. Operators of critical infrastructure (or KRITIS for short) are now required to meet minimum standards and take proactive measures to minimise risk.

NIS 1 has been implemented in Germany through the IT Security Act and the BSI-Act, which cover critical infrastructure. The NIS 2 Directive has yet to be transposed into national law and has an implementation deadline of 17 October 2024. The NIS 2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG) is expected to be promulgated in March 2024 and come into force in October 2024.

Businesses subject to the Civil Protection Regulations, and therefore the NIS2 Directive, are required to comply with information security, risk management and cyber security requirements. This includes regular penetration testing, setting up cyber incident reporting systems and conducting a risk assessment to identify potential IT security threats within the organisation.

The following sectors are affected by the NIS2 Directive:

The NIS2 Directive generally applies to organisations with at least 50 employees or an annual turnover or balance sheet total of more than EUR 10 million. In certain cases, such as providers of publicly available electronic communications services, the Directive applies regardless of size. The obligations are mainly based on classification as a "essential" or "important" entity. "Essential entities" include Annex I companies above certain thresholds, qualified trust service providers, communications network providers, central government entities, and other entities identified as significant. "Important entities" are those listed in Annex I or II that are not already considered as significant or those that are considered as significant by the Member State.

The NIS2 Directive requires EU Member States to introduce provisions on fines for breaches of Article 21 (risk management measures, see above) and Article 23 of the NIS2 Directive (notification of significant security incidents). At the same time, the NIS2 Directive already sets a minimum value for the upper limit of the range of fines:

A potential fine is only one of many supervisory and enforcement actions that a competent authority can take in the event of a (potential) breach. Managers of significant and important organisations should therefore address the obligation to implement risk management measures early and thoroughly in order to avoid heavy fines. It remains to be seen whether public administration organisations, such as public authorities, will be subject to fines under Art. 34 para. 7 of the NIS2 Directive.