
The NIS2 Directive in Germany: Looking Ahead

""
""

Key takeaways

NIS2 is coming to Germany, potentially sooner than expected

NIS2 affects a significant number of companies across a wide range of industries, introducing new and more stringent cybersecurity requirements

Company management will be explicitly liable for compliance with the NIS2 requirements

Companies should begin preparations now

The ever-evolving threat landscape, including AI-driven attacks such as deepfakes and associated risks to critical infrastructure, underscores the necessity for enhanced regulation and protection of networks and information systems. To safeguard digital infrastructure, the European Union has enacted the Directive on Security of Network and Information Systems (“NIS2 Directive”), which tightens security requirements across critical industry sectors.

Member states were required to implement the Directive into national law by 18 October 2024. To date, this has only been accomplished by a few member states, prompting the EU to initiate infringement proceedings against several countries, including Germany.

Given the political climate in Germany, it was previously anticipated that the implementation of the NIS2 Directive would be delayed until fall 2025. However, new developments make it plausible that Germany could implement the NIS2 Directive within the first quarter of 2025.

Regardless of the specific timing of implementation, it is already evident that the German transposing law will significantly impact a large number of companies. Stricter security requirements will be established, and responsibility for compliance with these requirements will be explicitly assigned to management.

Scope of Application

The NIS2 Directive expands the scope of application compared to its predecessor, the original NIS Directive. While the scope of application remains complex and depends on the individual case, the NIS2 Directive applies to essential companies operating in a broad range of sectors deemed essential and important for the economy and society. These sectors include:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health sector (including healthcare providers)
  • Digital infrastructure
  • Public administrations

Furthermore, the Directive applies to important companies that provide platforms or services vital to the digital infrastructure, such as search engines or social networks. While important companies are also required to implement robust security measures, their requirements are less stringent than those for essential companies.

The Directive may also apply to service providers from outside the EU if they provide services within the EU.

Obligations of Affected Companies

Affected companies are required to implement a series of technical and organizational measures to secure their information systems and respond appropriately to cybersecurity incidents.

Key obligations include:

  • Risk management: Companies must regularly identify and assess potential threats and take appropriate action to mitigate these risks. Such measures include regular tabletop simulations and the implementation of incident response plans.
  • Security measures: Companies must implement robust cybersecurity measures, including data encryption, network and system security, access controls, and regular security reviews. The requirements for security measures also depend on the sector in which companies operate. For example, security requirements in the healthcare or financial sector may be stricter than in other sectors. Companies must also ensure that their services are available at all times and their systems are resilient to attacks.
  • Supply chain security: Companies must also implement appropriate technical, operational and organizational measures to ensure supply chain security, covering the relationships between each entity and its direct suppliers or service providers.
  • Incident reporting: If a significant security incident occurs, companies must report it within 24 hours at the latest to a joint registration office set up by the Federal Office for Information Security and the Federal Office for Civil Protection and Disaster Assistance. The initial report must be updated within 72 hours with an assessment of the incident. Finally, a comprehensive final report detailing the incident and the remedial actions taken must be submitted no later than one month after the incident.

Management's Responsibility under NIS2

The NIS2 Directive explicitly assigns responsibility for implementing and complying with the requirements to the company's management.

  • Resources: Management is required to allocate sufficient resources for the implementation of cybersecurity measures, including financial resources, personnel and technology.
  • Strategic risk management approach: A strategic risk management approach that identifies potential threats early and takes appropriate protective measures also falls within management's responsibilities.
  • Training and awareness: Management must also ensure that all employees – including management itself – receive training in cybersecurity and develop an awareness of potential risks.
  • Management duty and liability: Management is responsible for actively overseeing the company's cybersecurity strategy and ensuring that all departments implement the established security measures. This includes regular internal audits and assessments. While delegation of management duties is permissible, management remains ultimately accountable for compliance with the Directive's requirements.

Possible Fines

Failure to comply with the NIS2 Directive's requirements can have serious consequences for companies. Sanctions may include fines or, in severe cases, the closure of business facilities.

  • Companies that fail to meet NIS2 requirements may face significant fines. The amount varies depending on the severity of the violation, with penalties reaching up to EUR 10 million or 2% of global annual turnover.
  • In addition, companies may also be held liable for damages caused by a cybersecurity incident, including harm to third parties, or damage to infrastructure.

In addition, affected companies may suffer damage to their reputation and a loss of trust from their customers and partners.

Looking Ahead: Compliance with NIS2 Starts Now

While the NIS2 Directive is not directly binding and has to be transposed into national law, it is only a matter of time before this occurs. Affected companies should therefore begin implementing appropriate risk management systems now to ensure they are prepared when national regulations come into force. Establishing the necessary security measures and a comprehensive risk management system will require both time and resources, so companies should start their preparations immediately. This applies all the more since the first member states have already implemented the NIS2 Directive: German companies may already be subject to the Directive's provisions through obligations arising from laws enacted in other EU countries.

Authored by Angelina Leder, Philip Matthey, and Jonas Grimm.
