Last week, the German Federal Ministry of the Interior (BMI) published a new draft bill on the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG), dated 7 May 2024. Associations can comment on it until 28 May 2024, and a hearing for associations at the BMI in Berlin is planned for 3 June 2024. The legislative process for implementing the EU NIS 2 Directive is therefore finally gathering pace. However, there are general doubts as to whether the directive can still be transposed into national law by October 2024.
In terms of content, it should be noted that many requirements for particularly important entities and important entities now appear to be quite stable, with hardly any significant changes from previous draft bills. For example, affected organisations must take risk management measures that apply to the entire organisation, and for CRITIS operators the verification cycle has been extended to 3 years. However, the position of the German Federal Office for Information Security (BSI) has been weakened with regard to supervisory and enforcement measures: the BSI can order some measures only in consultation with the relevant supervisory authority, while others can be ordered only by the supervisory authority itself after notification by the BSI.
At the same time, the figures and expenditure have been finalised. It is now assumed that there are 8,250 particularly important entities and 21,600 important entities, meaning that almost 30,000 companies in Germany are directly affected by the NIS2UmsuCG. Adding the supply chain, which must also be secured, could double that number. This inevitably leads to a significant increase in administrative costs: in addition to a four-digit increase in posts across the federal ministries and the federal administration, the BSI alone plans to grow its workforce by almost 600 employees.
Affected companies in Germany should urgently acquaint themselves with the NIS2UmsuCG, as the requirements will apply as soon as it comes into force. The NIS 2 Directive already provides for this. An impact analysis is therefore recommended, followed by an inventory in order to define and implement targeted risk management measures.
Our experts at TÜV TRUST IT will provide you with sound and competent support right from the start in order to avoid legal violations that could lead to severe fines.