Out-Law News
Germany has finally implemented the NIS2 directive. Photo: Getty Images
09 Dec 2025, 4:04 pm
German companies face fines of up to €10 million after the country finally brought new national information security rules into effect.
The NIS2 Implementation Act was passed by Germany’s parliament, bringing it into line with the EU’s NIS2 directive – more than a year after it was originally meant to be implemented.
The cybersecurity directive significantly increases the number of companies and organisations that come under the enhanced scrutiny brought by NIS2. While the German Office for Information Security (BSI) has indicated that it will not begin enforcement immediately, the German government’s implementation means the act comes into effect at once, with no formal transition period.
The NIS2 Implementation Act will significantly expand the range of entities subject to cybersecurity obligations, with companies that employ more than 50 people or generate more than €10m in turnover brought within its scope.
This means as many as 30,000 companies now fall under the remit of the enhanced cybersecurity regulations, following a prolonged delay which saw Germany become one of several countries censured by the EU for failing to implement the terms of the NIS2 directive on time.
Organisations with key roles in infrastructure – such as energy, health or transport – will face much stricter cybersecurity requirements, while many of the other organisations now falling into scope may not be aware of their obligations, warned Lars Hettich, a regulatory expert with Pinsent Masons in Dusseldorf.
“The broader nature of the directive means many more will need to be aware of their obligations as they would now be classified as important,” he said.
“Cyber threats are growing rapidly so it is important organisations coming under the scope of NIS2 review their processes and adapt their governance to meet the requirements of the act. This is all the more true given that enormous investments are being made, particularly in the areas of digital transformation, energy and infrastructure, through current government funding measures.”
Under the terms of the NIS2 implementation, companies falling under the scope of the act need to register with the BSI within three months, and responsibility for risk management and governance falls to leadership teams, so that cybersecurity is no longer treated purely as an IT issue.
In line with other countries, cybersecurity breaches must be reported to the authorities within 24 hours of the affected party becoming aware of them, a detailed report must follow within 72 hours, and a final report must be provided within 30 days, increasing the need for clear governance and procedures to be in place.