The directive increases the cybersecurity requirements for certain companies and the federal administration. The Federal Office for Information Security (BSI) occupies a key position in both areas. It will become the supervisory authority for the companies affected by the directive; in addition, in the role of Chief Information Security Officer (CISO), it will be the central point for cybersecurity in the federal administration.
The NIS 2 Implementation Act includes an amendment to the BSI Act (BSIG), which previously covered around 4,500 institutions in the economy: operators of critical infrastructures, providers of digital services and companies in the special public interest. With the entry into force of the NIS 2 Act, this scope will be expanded to include the categories of “important facilities” and “particularly important facilities”, so that the BSI will in future supervise around 29,500 facilities to which new legal obligations in IT security apply: affected companies must register with the BSI, report significant security incidents and implement technical and organizational risk management measures.
The law requires the federal administration’s institutions to meet minimum information security requirements, which result from, among other things, the BSI’s IT-Grundschutz compendium and the federal government’s minimum standards for security in information technology. The tense situation in cyberspace must also be countered by a robust IT governance structure in the federal administration that extends across all departments, authorities and institutions and serves the goal of jointly organizing and continuously improving IT security. In the future, the BSI will be responsible for coordinating these activities in the role of Chief Information Security Officer (CISO Bund).
BSI President Claudia Plattner: “With this law, Germany has reached an important milestone on the way to becoming a resilient cyber nation, because we are protecting a crucial part of our digital attack surface much better than before. I expressly thank the Federal Minister of the Interior and all members of the Federal Government and the German Bundestag who made this possible. I would also like to thank the Federal Digital Minister for his support – we are very much looking forward to intensifying our cooperation. It is of great benefit that the mandate, expertise and resources for the operational implementation of cybersecurity within the federal administration are now available. We are happy to take on this task, but we are also more than aware of its size. We will therefore significantly strengthen the urgently needed resilience of the federal administration in collegial cooperation with the government departments, constructively support the federal government’s digitalization projects and ensure not only the necessary expertise, but also neutrality, effort efficiency and continuity. We are already doing a lot with a wide range of advice and support. We will expand these support offers again when the law comes into force.”
With a starter package, the BSI wants to provide affected companies with clear information so that they can successfully implement the obligations resulting from the NIS 2 directive. Once the law comes into force, the BSI will also offer virtual kick-off seminars in which companies will receive, among other things, step-by-step instructions for checking whether they are affected, as well as for the registration and reporting processes.
