NIS-2: Obligations for affected parties


This affects around 29,000 companies, which are divided into “essential” and “important” entities under the NIS 2 Directive. The obligations for those affected are as follows:

Registration requirement

  • “Essential” and “important” entities are required to register with the joint registration office of the BSI and BBK.
  • Registration must take place no later than three months after the entity is affected by the NIS 2 Directive for the first time or again. No transition periods are planned, meaning that the registration requirement will begin immediately upon the German NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) coming into force.
  • The following information must be provided during registration:
    • Name of the organization, legal form, and commercial register number, if applicable
    • Address and contact details (address, email address, public IP address ranges, telephone numbers)
    • Sector and industry according to Annex 1 or 2 of the NIS 2 Directive
    • List of Member States in which the organization provides services
    • Competent supervisory authorities at federal and state level
  • Changes to the registered information must be reported to the BSI immediately, i.e. within two weeks at the latest.
  • Separate registration requirements may apply to KRITIS operators and to institutions in the digital services and digital infrastructure sectors.

Reporting obligation

  • Affected companies must report significant security incidents to the BSI. The BSI will provide a definition of what constitutes a significant security incident in the near future.
  • Reporting deadlines: An initial report must be submitted within 24 hours of becoming aware of the security incident. A detailed report is due within 72 hours, and the final report (follow-up report) within 30 days.
  • The report must include an assessment of the incident, including its severity, impact, indicators of compromise, and contact information.
  • The BSI acknowledges incoming reports, processes them, and contacts the reporting company if necessary.

Implement and document risk management

  • Companies are required to take and document appropriate, proportionate, and effective technical and organizational measures. The assessment of proportionality is based on the extent of risk exposure, the size of the affected institution and costs, as well as the probability of occurrence, severity, and possible consequences of security incidents.
  • Measures taken should prevent violations of the protection goals (availability, integrity, and confidentiality) and minimize the impact of security incidents. Note: The European NIS 2 Directive also names a fourth protection goal, “authenticity.” In the German implementation, this goal is subsumed under the “integrity” protection goal.
  • Risk management must include all information technology systems, components, and processes that the institution uses to provide services.
  • Measures should comply with the state of the art, take relevant European and international standards into account, and be based on a cross-risk approach.
  • Risk management measures include at least the following:
    • Risk analysis
    • Management of security incidents
    • Maintenance of operations / business continuity (e.g., backup management, disaster recovery, crisis management)
    • Supply chain security
    • Security measures for the acquisition, development, and maintenance of information technology systems, components, and processes
    • Effectiveness testing of risk management measures
    • Training and awareness-raising on cybersecurity
    • Cryptographic procedures
    • Concepts for personnel security (e.g., access control, management of ICT systems)
    • Multi-factor authentication, secure communication, and emergency communication if necessary

Your next step

Check whether your company is affected by the NIS 2 Directive. We would be happy to assist you with a legal assessment by our specialist lawyers for information technology law. Once you have determined whether your company is affected, you should evaluate your current cybersecurity posture and identify where action is needed. Our experts will support you from a gap analysis (actual vs. target state) through to concepts and complete integration into your business processes. Please contact us for an individual consultation.

Felicitas Kellermann

IT Consultant

Dr. Christian Lenz

Lawyer / Specialist lawyer for tax law / Specialist lawyer for information technology law


Markus Müller

Certified Business Informatics Specialist, Certified Information Systems Auditor (CISA), Certified Data Privacy Solutions Engineer (CDPSE)
