
Anja Bruchmann
Attacks on the IT security of companies are no longer a rarity. The new BSIG and the so-called NIS-2 requirements are therefore intended to oblige companies to check the security of their systems and supply chains and to take appropriate measures to minimize the consequences of such attacks. The scope of the law includes not only operators of critical infrastructures and IT companies, but also a large number of other companies that, as "important" and "essential" entities, contribute to the functioning of the internal market.
Background: What is NIS-2 and the BSIG?
The NIS-2 Directive (EU 2022/2555) obliges EU member states to ensure a significantly higher level of cybersecurity for critical and important entities. In Germany, implementation took place through a fundamental renewal of the Act on the Federal Office for Information Security and on the Information Security of Entities, the so-called BSIG. The obligations that companies based in Germany must comply with therefore derive from the BSIG. However, because this is based on the NIS-2 Directive, colloquial reference is still made to "NIS-2 obligations".
The new BSIG significantly expands the scope of affected companies. The Federal Government estimates that in Germany, around 8,250 companies will be classified as essential entities and around 21,600 companies as important entities in the future. In order to make the information security of these companies more resilient against attacks, the BSIG provides for extensive obligations for these companies. This leads to an annual compliance cost for the economy of around 2.3 billion euros.
The new regulations already apply. The registration deadline for companies that meet the requirements for important or essential entities expired at the beginning of March. However, a large number of companies are unprepared or only insufficiently prepared. This is not least due to the fact that the regulations of the BSIG are complex and it is unclear to many companies whether they really fall into the target group of the BSIG as an "important" or even "essential" entity.
Who is affected? Sectors and thresholds
The BSIG essentially distinguishes between two categories: essential entities and so-called important entities. Essential ("particularly important") entities include, regardless of their size, operators of critical infrastructures as well as qualified trust service providers, top-level domain name registries and DNS service providers.
Otherwise, the interplay of sector and company size is generally decisive for being affected.
An "essential entity" is defined as a company that employs at least 250 people or has an annual turnover of over 50 million euros and an annual balance sheet total of over 43 million euros, and can be assigned to one of the types of entities specified in Annex 1 to the BSIG. This includes companies operating in the following sectors:
Energy (electricity, district heating or cooling supply, fuel and heating oil supply, gas supply),
Transport (air, rail, water, road),
Finance (banking and financial market infrastructure),
Health,
Water (drinking water supply and wastewater disposal),
Digital infrastructure (including cloud computing service providers, data center service providers, managed service providers) and
Space.
However, the scope of the BSIG is significantly expanded by the definition of "important entities". These include companies operating in the above-mentioned sectors of Annex 1 or in one of the sectors of Annex 2, provided they employ at least 50 staff or have an annual turnover and an annual balance sheet total of over 10 million euros each. The sectors named in Annex 2 include:
Transport and logistics (postal and courier services),
Waste management,
Production, manufacture, and trade of chemical substances,
Production, processing, and distribution of food (food businesses),
Manufacturing/production of goods (manufacture of medical devices and in vitro diagnostic medical devices, manufacture of computer, electronic and optical products, manufacture of electrical equipment, mechanical engineering, manufacture of motor vehicles and motor vehicle parts, other transport equipment manufacturing),
Providers of digital services, as well as
Research organizations.
The scope of application is therefore very broad. The goal of this wide-ranging impact is to safeguard the overall stability and functionality of the internal market.
Classification based on economic activities in the relevant NACE classes
The assignment to the NACE classes named in Annex 2 (NACE = "Nomenclature statistique des activités économiques dans la Communauté européenne"), currently published in the version NACE Revision 2 Update 1 (NACE Rev. 2.1), is decisive. Legal uncertainty already looms here, because the BSI Act (including the BSI's FAQs on NIS-2) refers to the predecessor version, NACE Rev. 2.
"Negligible activities" – a disservice by German legislation?
Further uncertainty arises for companies whose activity only partially falls within the regulated sectors. This includes, for example, companies whose activity consists predominantly of sales without their own production, but which also have some production of their own. Section 28 (3) of the BSIG provides that business activities that are "negligible with regard to the overall business activity of the entity" are to be disregarded when determining the assignment to the types of entities. The law leaves open under what conditions a business activity is "negligible". At the same time, there is debate as to whether this exception violates EU law, because the NIS-2 Directive does not provide for such a restriction.
At the same time, the NACE classification provides that a company's economic activity is to be assigned to a single NACE class only. In a "layering" process, only that class is applied in which, taking into account turnover, headcount and other key figures, the decisive value of the company is created. If these principles were applied consistently, Section 28 (3) BSIG would be superfluous. Instead, the rule in Section 28 (3) BSIG means that an even stricter standard applies: rather than looking only at a company's main activity, only "minor secondary activities" are disregarded. No corresponding wording can be found in the implementing laws of other EU member states. It therefore remains to be seen whether the German legislature has done the economy a "disservice" with the additional wording in Section 28 (4) BSIG.
Outsourcing - Attribution of contract manufacturing?
A further special constellation arises in particular for companies in the manufacturing sector. The explanatory notes to the NACE classification provide that manufacturing carried out by a third party must, under certain conditions, also be attributed to the commissioning company, so that the company is assigned to the (regulated) NACE class 28 even if it does not carry out any manufacturing itself. If a company outsources the entire production process of a good or service, its main activity is generally classified as if it performed the production process itself. This is the case if the company is not only the owner of the final product but additionally either a) owns the materials and raw materials required for the production process, or b) owns the intellectual property rights required for manufacturing (e.g. patents). The explanatory notes to the NACE classes list metal processing, metal working (e.g. chrome plating), the manufacture and finishing of clothing, and similar elementary parts of the production process as examples. In each case, therefore, a distinction must be made as to whether an activity is (previously unregulated) "trade" or outsourced production.
As with "negligible activities", however, it remains open for now whether the NACE attribution rules for outsourced manufacturing are also to be applied in relation to the BSIG.
Obligations for affected companies
Essential entities and important entities are obliged to take appropriate, proportionate, and effective technical and organizational measures. The goal of such measures is to prevent disruptions to the availability, integrity, and confidentiality of the information technology systems, components, and processes used by companies to provide their services, and to minimize the impact of security incidents as much as possible. Section 30 (2) of the BSIG contains a catalog of measures to be implemented as a minimum, each of which is based on an all-hazards approach and should comply with the state of the art.
In addition, important and essential entities must register with the BSI and henceforth report significant security incidents to the BSI within legally defined periods.
We would be pleased to assist you in checking whether your company is affected by the BSIG as an important or essential entity and what legal consequences are associated with this.