The European Union has published Directive (EU) 2022/2555 (NIS 2 Directive) to create a uniform approach and level of cybersecurity assurance for societal functions across Europe (we reported here and here). The directive must be transposed into national law by October 17, 2024.
A first draft bill for the transposition, presented by the Federal Ministry of the Interior and Home Affairs (BMI) and dated April 3, 2023, is available and is presented in this article. This presentation is not intended to be a comprehensive account of all its contents. We will refrain from describing changes to the regulations governing federal administration institutions.
Impact of the NIS2UmsuCG on the BSIG
General information on the new BSI draft law
As an omnibus act, the NIS2UmsuCG amends a number of laws. Its focus on the BSIG is understandable, as the BSIG is the central law regulating information security in Germany and has significant overlaps with the subject matter of the NIS 2 Directive.
The first noticeable change to the BSIG is the name change: in the future, the BSIG will be called the “Act on the Federal Office for Information Security and on Information Technology Security of Operators and Institutions,” while the abbreviation BSIG will remain. This makes it clear that the new BSIG is a more comprehensive law that regulates more than “just” the tasks of the BSI.
Scope of application of the BSIG according to the new draft
Section 2 (14) of the old BSIG, which divides companies of special public interest (commonly abbreviated to “UBI”) into three categories, has been deleted. The naming and categorization of UBI will not be continued in the new BSIG.
Section 28 (3) of the newly amended BSIG defines “particularly important facilities.” These include, among others, operators of critical facilities and large companies in the energy, traffic or transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, management of ICT services (business-to-business), and space sectors.
Risk management measures
Section 30 of the new BSIG regulates the risk management measures to be implemented. It defines availability, integrity, authenticity, and confidentiality as the protection goals of information security. When assessing the appropriateness of the implemented measures, not only economic but also, in particular, social impacts must be considered.
Reporting obligations
Reporting obligations under Section 31 of the new BSIG for security incidents apply to particularly important facilities and important facilities. An initial report must be submitted no later than 24 hours after becoming aware of the incident. Within 72 hours at the latest, the information on the security incident, including its severity and impact, must be submitted.