Regulatory Deep Dive

Stricter European cyber security requirements affect many German companies

In times of increasing cybercrime, the European Union has once again turned its attention to cyber security. Two new European legal acts have come into force at the beginning of 2023: the second version of the Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA). Our experts Johannes Helke, Stephan Halder and Hans-Peter Toft from our cooperation partner BDO Legal provide an overview of the new guidelines.

Numerous companies affected by NIS for the first time
As a European directive, NIS2 is not directly applicable, but must be translated into national law by October 17, 2024. In Germany, this is to be done through a revision of the Act on the Federal Office for Information Security (BSIG). The more comprehensive cyber security requirements of the new BSIG will affect an extended group of institutions and companies. In the event of breaches, significantly stricter sanctions will apply, which can affect not only the regulated companies themselves, but also their management bodies personally. As time is of the essence, companies should check now whether they are subject to the new cyber regulations. However, this is not always easy to find out.

Companies that were already subject to cyber requirements under KRITIS continue to be obliged to comply. Nothing changes here. In addition, companies or parts of companies that are active in one of the sectors listed in Section 28 BSIG may be subject to the new regulation. In particular, the inclusion of the new sectors "processing/manufacturing and food" means that up to 30,000 German companies will be subject to cyber security regulation and sanctions for the first time.

The cyber requirements will then depend on the specific activity and other key figures (number of employees/turnover/balance sheet total). The draft law includes simplifications and exemptions for smaller companies.

Cyber regulation of the financial sector through DORA
DORA has many parallels to NIS2 and is directly applicable, but it is limited to the financial sector. Not only credit institutions, trading venues and insurance companies are affected, but also, for example, insurance brokers, management companies or occupational pension schemes and their digital service providers (so-called ICT third-party service providers). Here too, it is important for affected companies to examine the specific cyber security requirements of DORA.

Interdependencies between DORA and NIS2
While NIS2 creates a high level of digital security for affected companies in the EU through a uniform governance framework, DORA is a derivative of the NIS2 directive for the financial sector with sector-specific cyber security requirements. As a more specific regulation, DORA takes precedence over the provisions of NIS2.

Short implementation deadlines and increased cyber requirements require companies to take a strategic approach. The status quo of current security facilities and protected business processes must be assessed and compared with the requirements of DORA and NIS2. This results in an urgent need for action.

Obligations arising from NIS2
NIS2 divides affected companies into three categories: operators of critical facilities (which are subject to the most stringent cyber requirements), particularly important companies and, thirdly, important companies; the cyber requirements become progressively less stringent from the first category to the third.

The requirements of NIS2 aim to protect network and information systems, including their physical security, from disruption, based on cyber security standards such as:
  • Guidelines for risk analysis and information system security
  • Dealing with ICT incidents with aspects of increased operational resilience
  • BCM with disaster recovery and crisis management
  • Security of the ICT supply chain in relation to direct service providers or suppliers
  • Security in the procurement, development, and maintenance of network and information systems
  • Concepts and procedures for assessing the effectiveness of cyber security risk management measures
  • Fundamental strengthening of the "human firewall" via different measures, e.g. cyber security training
  • Concepts and procedures relating to the use of cryptography and encryption
  • Personnel security via access control guidelines
  • User authorization management with the use of multi-factor or continuous authentication methods

Obligations arising from DORA
The requirements of DORA stipulate that affected companies define a governance and control framework in corresponding guidelines in order to enable the secure operation of ICT systems and information. Risk management is of great importance here. Overall responsibility lies with the company's management body. Specialist training must enable those responsible to assess ICT risks and their impact on business activities. Particular attention is paid to the management of ICT service provider risks, for which the commissioning company remains responsible at all times.

Proof of compliance with the DORA requirements is to be provided once a year by internal or external bodies, whereby outsourcing the review does not release the financial company from responsibility for compliance.

In addition to the DORA priorities already listed, stricter requirements are also defined for the following areas:
  • Expansion of ICT incident management through reporting processes with predefined classification
  • Voluntary reporting of significant cyber threats
  • Improved vulnerability management through basic tests and advanced threat-led penetration testing (TLPT)
  • Establishment of a risk management control function, such as a CISO, ISO or ISB
  • Asset management taking into account secure and authorized software and hardware
  • Source code analysis and testing of proprietary software
  • Improved network security through secure processes and procedures
  • Increased operational stability through comprehensive BCM specifications
  • Specifications for identity and access management
  • Stricter requirements for the use of encryption

Regulatory oversight, fines and compensation for damages
NIS2 complements the stricter cyber requirements with a registration obligation for all affected companies, extended supervisory powers of the authorities and stricter sanctions for violations.

In the event of breaches of cyber obligations, companies face fines of up to ten million euros or two percent of global turnover if this is higher. The catalog of sanctions is therefore similar to that of the GDPR.

For the first time, NIS2 also obliges national legislators to introduce direct personal liability of the responsible management bodies for the consequences of non-compliance with cyber security obligations. Therefore, managers, as well as the company, may be directly liable to data subjects.

Time to act
With NIS2 and DORA, cyber security in Germany is becoming a central task for companies and their management bodies. The new cyber requirements affect a significantly larger group of companies and are forcing them to rethink and improve their existing cyber security practices.