The German Federal Government resolves final details for implementing the NIS2 Directive

On 24 July, the German Federal Government resolved final details for the Implementation Act of the NIS2 Directive (Umsetzungs- und Cybersicherheitsstärkungsgesetz). The Implementation Act should soon pass parliamentary approval (right after the summer holidays) before the implementation deadline lapses on 17 October 2024. It is expected that with NIS2, approximately 29,500 companies and institutions will directly fall under its scope in Germany, dramatically increasing the number of regulated entities against the current number of less than 2,000.

The NIS2 Directive expands relevant sectors and introduces new obligations for the affected "essential" and "important" entities in those sectors. Regulated entities will need to conduct dedicated cyber risk assessments and introduce risk management measures; they are subject to more detailed incident notification obligations (with a cascade of 24 hours, 72 hours and 1 month reporting obligations); and will need to observe EU cyber certification schemes for ICT products. NIS2 requires Member States to introduce clear rules on personal liability of board members for failure to achieve NIS2 compliance and provides much higher level of sanctions (up to 7 million euros or 1.4% of a company's global turn-over).

Authors: Alexander Duisberg (Partner); David Plischka (Associate); Lisa Kopp (Associate)