
First draft bill for the implementation of the NIS 2 Directive

The European Union has published Directive (EU) 2022/2555 (NIS 2 Directive) to create a uniform approach and level of cybersecurity assurance for societal functions across Europe (we reported on it here and here). The directive must be transposed into national law by October 17, 2024.

A first draft bill for this transposition, presented by the Federal Ministry of the Interior and Home Affairs (BMI) and dated April 3, 2023, is available and is presented in this article. This presentation is not intended to be a comprehensive account of all the contents and consequences of the 243-page draft; that would exceed the scope. Rather, it provides an initial impression of noteworthy and, hopefully for a large portion of the readership, practically relevant individual aspects. We will refrain from describing changes to the regulations governing federal administration institutions.

Impact of the NIS2UmsuCG on the BSIG

General information on the new BSI draft law

As an omnibus act, the NIS2UmsuCG amends a number of laws. The most extensive changes are made to the “Act on the Federal Office for Information Security (BSI Act – BSIG).” This is understandable, as the BSIG is the central law regulating information security in Germany and has significant overlaps with the subject matter of the NIS 2 Directive.

The first noticeable change to the BSIG is the name change: in the future, the BSIG will be called the “Act on the Federal Office for Information Security and on Information Technology Security of Operators and Institutions,” while the abbreviation BSIG will remain. This makes it clear that the new BSIG is a more comprehensive law that regulates more than “just” the tasks of the BSI.

The BSIG draft as it will stand after the amendment by the NIS2UmsuCG has come into force is referred to below as “BSIG-neu”. The new BSIG is divided into several parts, some of which are further subdivided into chapters. The new table of contents clearly illustrates the scope of the regulations:

  • Part 1 General provisions
  • Part 2 The Federal Office
    • Chapter 1 Tasks and powers
    • Chapter 2 Data processing
  • Part 3 Security in the information technology of operators and institutions
    • Chapter 1 Scope
    • Chapter 2 Risk management, reporting, registration, proof and information obligations
    • Chapter 3 Security in the information technology of federal administration facilities
  • Part 4 Database of domain name registration data
  • Part 5 Certification and Marking
  • Part 6 Authorisations to issue regulations, restrictions on fundamental rights, Council of IT Officers and reporting obligations
  • Part 7 Fines and Supervision


Scope of application of the BSIG according to the new draft

Section 2 (14) of the old BSIG, which divides companies of special public interest (commonly abbreviated to “UBI”) into three categories, has been deleted. The naming and categorization of UBI will not be continued in the new BSIG.

Section 28 (3) of the newly amended BSIG defines “particularly important facilities.” These include, among others, operators of critical facilities and large companies in the energy, transport and traffic, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, management of ICT services (business-to-business), and space sectors.

as well as certain service providers under Book V of the Social Code (SGB V), are covered by the definitions, the cybersecurity measures outlined below do not apply to them. According to the comments in the draft, the exceptions appear to still be under discussion. Regulations affecting institutions subject to the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) are also still undergoing interministerial coordination.

Risk management measures

Section 30 of the new BSIG regulates the risk management measures to be implemented. It defines availability, integrity, authenticity, and confidentiality as the protection goals of information security. When assessing the appropriateness of the implemented measures, not only economic but also, in particular, social impacts must be considered.
