Bundestag discusses NIS2UmsuCG – Implementation of the NIS2 Directive is approaching

The transposition of the NIS2 Directive into national law in Germany is still pending. On September 11, the Bundestag discussed the latest draft bill of the German government. Organizations should now prepare for the approaching transposition law.

The NIS2 Directive aims to ensure a uniform minimum level of cybersecurity across the EU. It replaces the NIS Directive from 2016 and significantly expands its scope: in Germany alone, the number of companies covered will increase from roughly 1,000 under the NIS Directive to about 30,000 under the NIS2 Directive. The sectors covered have also been significantly expanded: in addition to the already regulated KRITIS sectors, companies in the manufacturing industry, for example, now also have to address their cybersecurity measures.

Under the NIS2UmsuCG, companies in scope will have to comply with a range of measures. In this context, it should be noted that, although the NIS2UmsuCG, like the NIS2 Directive, differentiates between very important and important entities (referred to as "essential" and "important" in the NIS2 Directive), the applicable measures are almost identical. Differences exist in particular with regard to supervision and the amount of possible fines.

Particularly noteworthy regulations under the NIS2UmsuCG are the obligation to train management and their personal liability, the implementation of a comprehensive risk analysis and the new reporting obligations for significant security incidents:

  • Training obligation for management and liability:
    Under the NIS2UmsuCG, the respective management is directly responsible for compliance: they are not only responsible for ensuring that the necessary measures are implemented and complied with, they can also be held personally liable for damages caused by a culpable breach of their duties under the applicable general liability regime. This is likely to cover, for example, a loss of profit caused by a significant security incident at the entity concerned. In order to raise management awareness of cybersecurity, they must also participate in regular training courses.
  • Risk analysis:
    Companies in scope must take appropriate technical and organizational measures, which in particular include the ten areas listed in Section 30 (2) BSIG-RegE. This will require a comprehensive risk assessment for the organization in question, including the identification of its risk exposure. In this context, it is also worth highlighting the need for affected companies to identify, analyze and address potential risks in their supply chain. This will likely require vendor assessments to be carried out. Contract adjustments and even the replacement of suppliers may also become necessary if companies in scope do not want to risk a compliance violation.
  • Reporting obligations:
    If a significant security incident occurs within an organization in scope, the organization is obligated under the NIS2UmsuCG to report it to the competent authority. Similar reporting obligations are already known from the GDPR, but those under the NIS2UmsuCG go even further: an early initial notification must be made no later than 24 hours after becoming aware of the incident. The tight and comprehensive reporting obligations will require companies in scope to implement identification, reporting and incident management processes.

In addition, the NIS2UmsuCG provides for further obligations, such as the registration of affected companies with the Federal Office for Information Security (BSI). Special measures continue to apply to certain facilities. Companies should therefore clarify in advance whether they are affected and which catalogue of obligations applies to them.

Why companies should consider the NIS2UmsuCG in advance

The current government draft does not provide for any transitional periods for companies. Accordingly, all provisions of the NIS2UmsuCG will apply as soon as the law enters into force. For the measures described above to be implemented appropriately and in time for the respective organization, a structured project approach is required that leaves sufficient time for the implementation of the individual steps.

Do you have any questions or would you like to receive advice on your impact under the NIS2UmsuCG or the Catalogue of Obligations? Then please feel free to contact us!
