NIS-2 Draft Bill under Examination: Everything You Need to Know

11 June 2025

A few days ago, the AG KRITIS published the latest draft bill on the NIS-2 Implementation Law (NIS2UmsuCG) on its website. Which requirements could become relevant for you if the law is passed in this version? Our experts have analyzed the draft for you and summarized the most important aspects:

What is the draft based on?

The current draft is based on the government draft of 2 October 2024. Revisions from the meeting of the 4th Committee on 29 November 2024 were only partially adopted.

Further important changes:

General changes to terms and adjustments

  • The definition of “critical service” has been clarified: social security institutions and basic security for jobseekers have been removed, with a general reference to “finance and insurance” instead.
  • The new asset category of digital energy services has been introduced. As with large parts of the existing energy sector, these providers must report to the Bundesnetzagentur (BNetzA) rather than to the Federal Office for Information Security (BSI).

Modifications to risk management requirements

  • The requirements for risk management are specified in more detail and the definitions of terms are clarified.
  • The mandatory operation of an attack detection system for operators of critical systems is limited to the critical system and associated components.
  • The passage stating that voluntary reporting cannot lead to further consequences has been deleted.
  • The minimum requirements for protecting the federal administration will be specified in future and will be based on the IT-Grundschutz compendium from BSI.
  • Important: According to our experts, IT-Grundschutz is only mandatory for public authorities. Companies can use it, but can also continue to use other standards.

Reporting and compliance obligations

  • The obligation for federal administration institutions to regularly provide the Federal Office with proof of compliance with legal requirements has been reduced from five to three years.
  • Good news for KRITIS operators: The new law also provides for a three-year verification interval, i.e. the interval has been extended from two to three years. The obligation to provide evidence will also initially apply only to the critical system.
  • For particularly important facilities, the Federal Office can specify for whom verification is required at the same interval.

Special clarifications in the explanatory memorandum

  • Cloud computing services (IaaS, PaaS, SaaS, NaaS) are covered. In contrast, services where the available resources are specified in advance (e.g. simple web hosting) should not be included.
  • DNS services are only considered independent if they are not an inseparable part of an Internet access service.
  • The role of the MSP (Managed Service Provider) is supplemented by a description that clarifies that companies that exclusively take over the central IT operation of a group of companies also generally fall under the term MSP and are thus regulated.

For most affected companies, the current draft bill barely brings any noticeable changes compared to the previous versions. The existing structure with the division between important companies, particularly important companies and KRITIS companies remains unchanged.
One positive aspect for KRITIS operators is that the obligation to have an attack detection system now relates exclusively to the respective system - no longer to the entire company. In addition, the draft finally clarifies that outsourced IT units are also covered as managed service providers. The most important new development for me is that the legislation is finally making progress.

Vinzent Ratermann, Managing Consultant and expert for IT security of critical infrastructures


We will keep you up to date on further developments and the legislative process. If you have any questions or need advice on the NIS-2 Directive, our experts will be happy to help. Get in touch with us.
