The European Network and Information Security Directive 2 (NIS-2) is set to be transposed into German law this year without any transition periods. This means that not only large KRITIS companies, but also many other organisations will face new cybersecurity requirements. A free white paper from digital consultancy Althammer & Kill provides a concise overview of what needs to be done now and how companies can best prepare for the upcoming obligations.
According to Althammer & Kill, a consulting firm specialising in data protection, information security, artificial intelligence (AI) and compliance, up to 40,000 companies and organisations are directly or indirectly affected by NIS-2. These are companies that exceed the thresholds (e.g. more than 50 employees or an annual turnover of more than €10 million) or are classified as "particularly important" or "important" institutions for other reasons. Similar to the Supply Chain Due Diligence Act, NIS-2 also covers service providers and suppliers.
"The Bundestag has passed NIS-2 and we assume that it is only a matter of weeks before the German implementation law is fully in force. The EU's NIS-2 regulation has been in force across the board for some time. Anyone who has not yet started should do so as soon as possible," says Thomas Althammer, Managing Director of Althammer & Kill GmbH & Co.KG. Affected companies classified as "particularly important" or "important" institutions must then immediately implement the extended risk management obligations. Important to know: management and the board of directors will then be personally liable for breaches of duty in the implementation and monitoring of risk management measures (Section 38 (2) BSIG-E).
Smaller companies may also fall under NIS-2
For many smaller companies and organisations below the thresholds in areas such as energy, transport and traffic, health, digital infrastructure and IT service providers, and many others, there is still uncertainty. They are generally exempt, but may be covered if they provide critical services or are of particular importance at national level.
There are also indirect obligations, depending on the size, structure and range of services offered by the companies and organisations. "We assume that NIS-2 and the other regulations will develop into a cross-sector orientation framework that will assess 'maturity' and 'state of the art' in the future," says Thomas Althammer.
- GDPR Art. 32 "State of the art": The General Data Protection Regulation imposes a number of obligations to ensure information security. In the event of data protection incidents or cyber attacks, the data protection supervisory authorities regularly inquire about the technical and organisational protective measures that have been taken to prevent incidents. These must be documented.
- Cyber insurance: If companies have taken out cyber insurance, providers usually require appropriate precautions to be taken to prevent potential risks as far as possible. This usually involves setting up and operating an information security management system (ISMS).
Excluding local authorities and administrations is not a good idea
Excluding local authorities and smaller administrations sends out the wrong signal, says Althammer. Recent events have shown that local authorities and administrations have been paralysed by cybercriminals, in some cases resulting in the leakage of sensitive data. Although the inclusion of administrative and educational institutions is not mandatory, it has been implemented in many other EU countries.
"The current cyber threat situation, general legal requirements and duty of care for the people entrusted to their care require a more active approach to information security and business continuity management for many small and medium-sized enterprises across all industries, as well as authorities and local authorities," Althammer continues. "We would like to provide guidance here with our white paper, which is available free of charge."
The NIS-2 white paper from Althammer & Kill highlights what companies should consider when implementing NIS-2 and is available to download free of charge from Althammer & Kill.