The ZVEI has expressed its concerns in a statement on the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). In particular, the Association of the Electrical and Digital Industry criticizes the high level of resources that companies would need in order to meet the standards required by the current draft bill. Small and medium-sized enterprises (SMEs) in particular are facing major challenges, which is why the ZVEI is calling for these companies to be provided with supportive guidance.
NIS 2 directive must be implemented effectively and unbureaucratically
In view of the growing threat of cyber attacks, the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) offers an opportunity to strengthen the cyber resilience of the state and the economy. However, it is crucial that the requirements of the law are implemented effectively and with minimal bureaucracy. Unfortunately, we have to note that the points we identified as critical in the discussion paper published in October 2023 appear almost unchanged in the draft bill that has now been published.
The extension of the scope of the NIS 2 Directive means that the electrical and digital industry is significantly more affected by the legislation than under the first NIS Directive. For the companies affected, this requires a more intensive examination of the national implementation law, accompanied by adjustments that require a great deal of resources. The current draft bill of the NIS2UmsuCG was submitted for consultation less than 6 months before the deadline for transposition of the EU Directive. Comprehensive and far-reaching requirements - e.g. ensuring the security of the supply chain (pursuant to Section 30 (2) sentence 4) - confront smaller companies in particular with challenges for which they do not yet have adequate solutions. Against this background, attention should be paid to a sensitive and practical design of the NIS2UmsuCG.
Guidance for affected companies
Affected companies should be provided with guidance so that they can use their limited resources in a targeted manner. In addition, EU-wide uniformity should be the overriding principle in the national implementation of the NIS 2 Directive. Many of our companies operate at least on a European level, if not internationally, and any deviation in national implementation will result in unnecessary additional work. Regulatory discrepancies require adjustments that tie up resources and hamper German economic strength. It is therefore essential that the member states work closely together to develop and implement consistent and harmonized regulations.
From the ZVEI's perspective, the following aspects are problematic for the effective implementation of the NIS2UmsuCG:
- The currently used definition of “Managed Service Provider” or “MSP” pursuant to Section 2 (1) sentence 30 is problematic in that it could be used to classify entities as particularly important entities that were originally only intended to be classified as important entities.
- The anticipated amendment to the Energy Industry Act harbors the risk of double regulation for certain facilities. In addition, so-called virtual power plants should also be included in the scope of application.
- The use of CSA schemes in accordance with Section 30 (6) should be carried out with a sense of proportion and in a targeted manner. The specification by means of statutory orders raises fundamental legal questions, in particular whether such a comprehensive requirement as a potential ban on use should only be made by means of a statutory order.
- The practical implementation of the reporting obligations under Section 32 remains unclear. The current requirement could be interpreted in such a way that the 24-hour period for initial notifications begins from the time at which the affected facility learns of a security incident without having had the opportunity to check its “materiality” within the meaning of Section 30 (1) sentence 1.
- It should be ensured that registration obligations pursuant to Sections 33 and 34 only have to take place in the country where the head office is located. A uniform European solution is absolutely preferable to nationally deviating regulations.
- The national certification introduced with Section 55 leads to uncertainties as a result of inconsistent regulations in the EU internal market.
The entire ZVEI statement is available to download free of charge.