Germany Braces for Major Cybersecurity Changes with NIS-2 Directive
Germany braces for significant changes in cybersecurity regulations. Around 29,500 companies across various sectors, including energy, health, transport, and digital services, will be impacted by the incoming NIS-2 directive. The Bundesrat has proposed improvements, and the federal government's draft is scheduled for discussion in October.
The NIS-2 directive, which aims to bolster cybersecurity awareness, will require affected companies to report cyber-attacks promptly: a report within 24 hours, followed by an interim report within 72 hours and a final report within a month. They must also implement protective measures such as risk analyses and backup concepts.
The Federal Office for Information Security (BSI) will gain enhanced supervisory powers and the ability to impose fines for severe violations. Although the directive adds to the economy's workload, it is deemed necessary because of the rising threat of ransomware and state-sponsored cyber-attacks, particularly from Russia and China.
Hesse's Interior Minister Roman Poseck recently warned about the vulnerability of infrastructure, citing a cyber-attack on a service provider that caused significant disruptions at Berlin's airport.
Germany faces an October 2024 deadline to implement the NIS-2 directive, with an infringement procedure already underway. The directive's impact will be substantial, affecting nearly 30,000 companies. The Bundesrat's proposed improvements and the federal government's draft aim to clarify obligations and strengthen cybersecurity awareness across critical sectors.