Keywords
NIS 2, cybersecurity, compliance, infrastructure, EU regulations, risk management, small businesses, senior management, responsibilities, reporting obligations, Germany
Summary
Klaus Mochalski and attorney partner Thomas Schmeding (BBH Consulting) clarify the most important questions about NIS-2: Who is affected by the new thresholds? What liability risks do managers face, and how can implementation be successful? A mandatory update on cybersecurity.
Takeaways
The NIS 2 regulation no longer only affects traditional large-scale critical infrastructure facilities. Around 30,000 companies from sectors such as energy, water, telecommunications, healthcare, chemicals, and food now fall within the scope of the regulation as soon as they reach the threshold of 50 employees or €10 million in annual turnover/balance sheet total.
General liability for managing directors remains in place but has been made much more specific. Management is now explicitly required by law to implement and monitor risk management measures and to undergo training in cybersecurity.
Companies must be able to report cyberattacks in a three-step cycle: an initial report must be made within 24 hours, followed by a follow-up report after 72 hours and a final report after one month at the latest.
Although the implementation of the required cybersecurity and physical protection measures incurs significant costs, which often have to be passed on to customers, these expenses are far less than the potential damage and liquidity bottlenecks caused by a successful cyberattack.
Companies should carefully consider whether they actually fall under the NIS 2 Directive. Since the regulation entails enormous compliance costs, voluntary registration is not recommended if there is no legal obligation to do so.
Germany has transposed the provisions of the EU directive into national law almost 1:1, without any major national deviations or tightening of the rules.
Sound Bites
Klaus Mochalski: “NIS 2 [is] more of an extension of regulations that have been in place for much longer in other areas, especially for operator-critical infrastructure according to the legal definition.”
Thomas Schmeding: "But what is new, and why people are now talking about 30,000 companies being affected across the board [...] is that company-specific thresholds are now being considered. [...] It is enough that I employ 50 people or that I have an annual turnover of 10 million or a balance sheet total of 10 million, and then I am already affected."
Klaus Mochalski: "The costs arise either way. [...] if I engage in prevention, I distribute the costs evenly and they are incurred in advance, or it's like in Berlin, where an incident occurs and, of course, costs are incurred, and I would argue that the costs of repairing the damage in Berlin were probably much higher than anything that could have been spent on prevention over five years."
Thomas Schmeding: “So I [as managing director] am no more liable in my company than I was before, but I have a specific obligation written into my book [...] to take concrete implementation measures, and I have to do that right now. [...] And if I don't take care of it now and the company suffers damage, then I am also potentially liable as management.”
Klaus Mochalski: "My theory was that this is actually a concretization of regulations and liability that already existed before. But now it's being made concrete, which actually helps those affected because they now have a concrete framework."
Thomas Schmeding: "So I actually have to report a cybersecurity incident to the authorities within 24 hours. I have to follow up with another report within 72 hours. [...] and no later than one month after confirmation of the initial report, I have to make a final report."
Klaus Mochalski: “IT security should not be seen so much as a new risk, but rather as a business risk like many others, such as the risk of fire, burglary, or power failure.”
Thomas Schmeding: “Yes, what the [EU] directive stipulates is largely implemented in Germany. [...] That means I can't see any major tightening of the rules, at least.”
Chapters
00:00 Welcome and introduction
02:06 The bumpy road to NIS 2 implementation
05:14 Who is affected? New sectors and thresholds
09:21 Prevention versus response costs
14:17 Duties and personal liability of management
18:29 The strict deadlines in the new reporting system
20:50 German implementation compared to the EU
23:43 Conclusion and warning against voluntary registration