IT Security Act 2.0 and NIS 2: Who Needs to Take Action and Where?
The IT Security Act 2.0 has been put into practice. The NIS 2 implementation is coming. And with it, expanded sectors, stricter regulations and new obligations. The aim of the directive: a high common level of protection in the European Union. Some of this is already part of the IT Security Act. Others are yet to be added. Find out what already applies today, what will come in the future and why your implementation status should be put to the test now. An overview.
IT Security Act 2.0/Part1
Valid since December 2021. Application to KRITIS operators. TARGET Comprehensively secure availability, integrity, authenticity & confidentiality of data.
CHANGE Compared to the IT Security Act 1.0 from 2015, the Act primarily contains further developments regarding IT security precautions with the following most important innovations:
SECTORS As in IT Security Act 1.0.
Energy (electricity & gas)
Water & waste water
Finance & Insurance + NEW
Municipal waste disposal & municipal services
UBI operator (public interest entity) IT-SIG2.0/Part 2
NEW REPORTING AND AUDIT OBLIGATIONS The 2-year implementation period from the IT Security Act 1.0 no longer applies. Instead, the deadlines apply from day 1 of the corresponding company classification. The deadline also applies if your company suddenly exceeds thresholds and becomes a UBI or KRITIS during the term of the law. For KRITIS-operators applies:
Registration obligation of the KRITIS facilities with indication of the contact persons
Reporting of facts concerning the correctness of the information to the BSI
Reporting information on incident management and other safety precautions
The use of critical components must be indicated
Manufacturer's warranty declarations must be handed over for critical new and existing components (concerns manufacturers + suppliers of the entire supply chain)
For new launches, 2 - 4 months waiting period before installation applies
Minimum security standards must be met (e.g. attack detection systems)
IT Security Act 2.0/Part 2
Valid from May 2023. Application to UBI operators.
UBI1: Companies that fall under the Foreign Trade and Payments Ordinance, e.g. manufacturers of armaments or IT products for classified government information.
UBI2: Companies that are among the largest companies in Germany in terms of domestic value added, e.g. Dax corporations (further in BSI KRITIS Regulation 2.0)
UBI3: Operator of an operating area in the upper class of the Hazardous Incident Ordinance (for example companies in the chemical industry, ...)
Companies < 50 persons, < 10 Mio € turnover are not affected
NEW REPORTING AND AUDIT OBLIGATIONS
Registration obligation at the BSI with indication of contact persons
Issuance of self-declarations (e.g. on certifications, safeguarding of processes in IT security (systems, components, ...)
Once initial, then every two years
Reporting of significant disturbances is mandatory
But: No reporting obligation with regard to critical components
ADJUSTED FINE FRAMEWORK
A fine of up to two million euros is possible. For example, in the case of KRITIS: No accessibility of the contact point. At UBI: Self-declaration not submitted
Fine also against traders
EU Directive NIS 2
In force since January 16, 2023. To be implemented in national law by the member states by 2024. Background: The new European directive is based on the NIS 1 directive from 2016, whose scope and security requirements no longer reflected actual developments. In addition, there was insufficient harmonization among member states regarding the categorization of cybersecurity incidents, reporting requirements and sanctions.
TARGET A high common level of protection in the European Union.
CHANGE NIS 2 restricts the member states' scope for action and specifies how the directive is to be implemented in national law. Germany already meets a large part of the requirements with its IT Security Act 2.0. The extent to which the new requirements will be anchored in it or whether there will be an IT Security Act 3.0 is not clear yet. In addition to the expansion of sectors and obligations, the main changes are the personal liability of managing directors and the amount of possible fines for non-compliance. National authorities will be responsible for monitoring and enforcing the regulations.
SECTORS Expansion of defined CRITIS sectors/essentials:
Energy (electricity & gas)
Water & waste water
Finance & Insurance
Transport & Traffic
Plus NEW sectors/important:
ICT Service Management (in B2B)
Public administration (hydrogen district heating/municipal utilities & energy suppliers)
Postal & courier services
Digital services (search engines, social networks)
NEW REPORTING AND AUDIT OBLIGATIONS Minimum requirements for contractors and operators:
Analysis and assessment of IT security risks
Establish an IT incident management system that includes: Prevention, detection of security incidents, identification, containment, mitigation and response.
Ensuring business continuity
Establishment of a crisis management
Ensuring security in the procurement, development and maintenance of networks and information systems
Ensure controls of safety requirements also of suppliers in the supply chain
Initial report: reporting of significant incidents mandatory within 24 hours, final report within one month
EXTENSION OF THE RANGE OF FINES
Own, personal liability for managers
Fines attract up to €10 million or two percent of annual worldwide turnover
Exceptions for small and micro enterprises, e.g., in the case of monopolies or when public communications networks are affected.
By October 2024, Germany must implement NIS 2 EU Directive into national law. This means that waiting is not an option. The threat level is higher than ever and the challenges in the cyber space will continue to increase rapidly. We recommend that all organizations put their own IT security implementation status to the test and see where work needs to be done. IT Risk Analyses and monitoring of your organization-wide IT attack surface provide the necessary transparency and are ideal preparation for upcoming inspections and certifications. In addition, an intelligent Supplier Risk Management spares many manual processes and makes administration significantly more efficient.
Request your personal Live-Demo now
Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.
Learn more, book a demo, or just have a quick chat? Alex is happy to help!
Your personal consultant AlexanderFeldmann Consulting
Technical storage or access is strictly necessary for the lawful purpose of enabling the use of a particular service expressly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a message over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that have not been requested by the subscriber or user.
The technical storage or access, which is carried out exclusively for statistical purposes.Technical storage or access used solely for anonymous statistical purposes. Without a subpoena, the voluntary consent of your Internet service provider, or additional records from third parties, information stored or accessed for this purpose alone generally cannot be used to identify you.
Technical storage or access is necessary to create user profiles, to send advertisements, or to track the user on a website or across multiple websites for similar marketing purposes.