NIS2/CER: Is the cybersecurity directive implementation on schedule?

  • Lisa Fröhlich
  • March 28, 2024

Table of content

    NIS2/CER: Is the cybersecurity directive implementation on schedule?

    Both Germany’s critical infrastructure – and its economy more widely – are increasingly dependent on digital infrastructure. At the same time, threats in cyberspace are constantly on the rise and the security of IT systems is more of a focus for companies than ever before. At the same time, the physical security of critical infrastructures should also be strengthened.  

    To increase cybersecurity in Europe and counter threats such as ransomware, DDoS attacks and supply chain attacks, the European Union (EU) has adopted the Network and Information Security (NIS2) Directive. The second directive to come into force, the Critical Entities Resilience Directive (CER), is intended to ensure physical security 

    What is the purpose of the NIS2 Directive and why is it important for EU cybersecurity?

    The NIS2 Directive contributes to establishing a consistent and high level of security, protecting critical infrastructure, promoting risk management, and strengthening cybersecurity governance. It pursues several important objectives in the context of cybersecurity in the EU. These include: 

    • Harmonizing and enhancing cybersecurity in Europe. By laying down uniform cybersecurity requirements, the directive aims to ensure a high level of security throughout the EU. For the first time, the directive also explicitly includes the security of supply chains.  
    • Protection of critical infrastructures and certain economic sectors. By tightening the requirements, these facilities and companies are to be better protected against cyberthreats. 
    • Introduction of risk management measures. Affected institutions and companies are obliged to take appropriate technical and organizational measures to protect their networks and information systems. 
    • Reporting obligations and registration requirements. In the event of cybersecurity incidents, German companies must submit initial reports to the responsible Federal Office for Information Security (BSI) within 24 hours. 
    • Importance of governance. Cybersecurity is seen as the responsibility of management, and managing directors are personally liable for implementing the necessary measures. 

    What is the aim of the KRITIS-Dachgesetz (KRITIS DachG), which reflects the CER Directive in Germany?

    The new KRITIS DachG (CER law) aims to unite the digital and analog threats and their defensive measures into a holistic concept. The law implements an EU directive to strengthen the resilience of operators of critical facilities and supplements the obligations that are expected to apply to digital protection with the NIS-2 Implementation and Cybersecurity Strengthening Act.  

    It is a response to the increasing importance of protecting critical infrastructure from hybrid threats, which include both digital attacks and physical sabotage. The law is linked to the operation of “critical facilities”, which are of great importance to the functioning of the community. Affectedness is determined based on qualitative and quantitative criteria, considering the state of the art and the criticality of the services. 

    Operators of critical facilities must register and implement resilience measures based on risk analyses and assessments. These measures are intended to prevent incidents, limit their impact, and restore services as quickly as possible. 

    There is no exhaustive list of measures, but examples include emergency preparedness, property protection, access control, and alternative supply chains. The measures taken must be proven and reporting obligations to the relevant authorities apply. 

    The KRITIS DachG increases the responsibilities for the management of critical facilities and requires the implementation of holistic concepts that require appropriate preparation efforts.  

    What is the status of implementation in Germany?

    The clock is ticking: The two European cybersecurity and resilience directives NIS2 and CER must be transposed into national law by October 17, 2024. The KRITIS DachG is still in the ongoing legislative process and is expected to come into force by July 17, 2026. 

    While the implementation of the CER Directive into the KRITIS DachG has already been completed in consultations with the federal states and associations, the German government intends to tighten the EU requirements as part of NIS2. These discussions are currently leading to delays in the NIS2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG).  

    The status of the NIS2UmsuCG is characterized by discussions and delays, due to the German government’s intention to tighten the EU requirements. There have been several draft bills, but the implementation deadline of October 2024 is unlikely to be met. 

    Regarding implementation at the national level, federal states have taken different approaches, particularly around cybersecurity requirements for the administration. A survey by Karsten U. Bartels LL.M. shows that there is no uniform approach and that most countries will not go beyond the minimum requirements. 

    What characterizes the NIS2UmsuCG?

    According to the second draft of the NIS2UmsuCG from July 2023, companies belonging to certain sectors are classified as “important” companies, regardless of their size. This applies, for example, to companies in the defense industry and their suppliers as well as fleet operators that transport hazardous substances.  

    The introduction of liability for managing directors and board members with their private assets in the event of breaches is intended to further raise awareness of cybersecurity among decision-makers. In addition, fines can be imposed by supervisory authorities, for example up to 2 percent of global annual turnover for “particularly important” companies. 

    One reason for the delays is the differing views of various ministries, in particular the Federal Ministry of Justice and the Federal Foreign Office. There are also budgetary concerns that could affect the implementation of the law. 

    Not much seems to have happened regarding the actual obligations for the economy. Discussions are mainly focused on the tightening of requirements for the federal government and the financial implications for companies. 

    Despite the delays and discussions, preparations for the implementation of the NIS2 Directive are continuing at EU level and in the member states. However, it remains to be seen how the situation will develop and when the NIS2UmsuG will finally be adopted. 

    What challenges and concerns are associated with NIS2 implementation?

    The implementation of NIS2UmsuCG poses major challenges for companies. The extensive and complex catalog of requirements means a high need for investment and additional administrative work. Companies must adapt their IT infrastructure and processes, train staff, and ensure compliance with the new requirements. 

    The extended liability regulation for management also harbors an additional risk. There is still uncertainty regarding the interpretation and application of the regulation. 

    What measures should companies take to prepare for the NIS2 Directive and improve their cybersecurity?

    To meet the challenges of the NIS2UmsuG, companies should: 

    • Take stock of the current IT security situation and the requirements to be met. 
    • Develop a strategy and an implementation plan with clear priorities and responsibilities. 
    • Implement suitable technical and organizational security measures and processes. 
    • Sensitize their employees to cybersecurity issues. 
    • Regularly review and adapt the security measures. 

    The NIS2 directive must be implemented in national legislation by October 18. Until then, there are still some hurdles for companies to overcome, but there is also an opportunity to significantly improve cybersecurity. With an early and proactive approach, affected companies can minimize the risks and reap the benefits of the new directive. 

    AI-supported protective shield for your digital assets

    Cyberattacks have become commonplace. DDoS attacks paralyze companies, authorities, and KRITIS operators and cause immense damage. But there is good news: Our AI-supported, automated, and cloud-based platform solution offers you effective protection, proactively and all-round. The scalable solution can be quickly and easily integrated into your IT infrastructure. Rely on forward-looking technology that is constantly evolving and has your back. 

    Our experienced team is always on hand with help and advice. Benefit from comprehensive support and move confidently into the digital future with Link11. 

    Contact us now >>

    Protecting Web Applications without Disrupting the Business
    Link11 Awarded Patent for DDoS Protection Filter