03/03/2026

NIS-2: What the end of the registration period means for management teams


Companies that fall within the scope of the second Directive on the security of network and information systems (NIS-2) are required to register with the BSI by March 6, 2026. For the first time, NIS-2 also requires the management of particularly important and important entities to undergo regular cybersecurity training.


“Even before NIS-2, cybersecurity was a management task and not just an IT issue. What is new is that this responsibility is now explicitly enshrined in law and verifiable. This creates clarity, but also increases the pressure to systematically manage risks. In the long term, this will improve the resilience of companies, which is a very positive development.”

Tim Berghoff

Security Evangelist, G DATA CyberDefense

But what exactly does compulsory training entail, and what content is relevant?

“BSI-Gesetz” and “BSI-Empfehlung” on mandatory training

§ 38 Abs. 3 of the BSI-Gesetz or BSIG (“Gesetz über das Bundesamt für Sicherheit in der Informationstechnik und über die Sicherheit in der Informationstechnik von Einrichtungen”) requires management to acquire sufficient knowledge and skills “in the field of information technology security” to be able to identify and assess risks and evaluate their impact on the services provided. This obligation applies to every member of management and cannot be delegated. Under certain circumstances, however, it may be advisable to extend the training to “quasi-equivalent positions in the company” or to persons who assist management (§ 30 Abs. 2 Nr. 7 BSIG).

The BSI has published a preliminary guide entitled “NIS-2-Geschäftsleitungsschulung” as a recommendation on the content of the management training obligation. Both training providers and management can use it as a guide. Providers of learning content should not only impart “abstract knowledge” but also take into account the individual circumstances of the entity: how it is categorized (important or particularly important), which sector it belongs to, and whether it operates critical infrastructure (KRITIS). Proof of training must be kept internally and presented to the BSI upon request.

Training content: risk management and reporting processes

The BSI recommendation for management focuses on training content such as systematic risk management and knowledge of the reporting process in the event of a security incident. Companies and their management must identify the risks relevant to them, assess them, and then establish appropriate technical and organizational protective measures, also taking economic proportionality into account. NIS-2 requires a robust overall system in which, for example, security along the supply chain (§ 30 Abs. 2 Nr. 4 BSIG) is also addressed. The content taught creates a new level of responsibility: those who are trained are much better able to assess risks and to take responsibility for them. Ultimately, the training requirement enables management to actively steer the required risk-management measures. Cyber risks are thus given the same priority as financial or regulatory risks, and risk management becomes an ongoing task for corporate management.

A structured approach to risk management is crucial, but so is knowledge of the procedure to follow in the event of a security incident. Companies affected by NIS-2 are subject to a reporting obligation for significant security incidents. The reporting deadlines are particularly important: an initial report must generally be made within 24 hours of becoming aware of the incident, and an update must be submitted within 72 hours at the latest. After one month, a detailed final report is due, or an interim report on the status of the investigation if it has not yet been completed. Management should know these requirements and the associated procedures in order to act responsibly when an incident occurs.

Registration obligation ends, management responsibility begins

NIS-2 distinguishes between “particularly important” and “important” entities in critical sectors such as energy, health, transportation, digital infrastructure, and public administration. In practice, it is not always easy to classify a company unambiguously. Whether the company turns out to be affected or not, documenting the assessment is crucial, and this applies even if the review concludes that the company does not fall under NIS-2 after all. Companies that have failed to meet the registration requirement should assess their situation realistically. If a security incident occurs after the registration deadline, especially a reportable one, they face a twofold problem. On the one hand, submitting a report requires prior registration; because registration involves a letter being delivered by post, it takes several days, so the reporting deadlines will be missed in any case. On the other hand, such an incident signals to the supervisory authority that the company may not be sufficiently secure, making an audit pursuant to § 61 f. BSIG possible. If this audit reveals that the company has not met the requirements of NIS-2, the risk of fines increases significantly: for failure to register, for breach of the reporting obligations, and for violation of the risk-management requirements. In addition, management may face personal liability (see § 38 BSIG).


“Registration is not merely an administrative act, but part of corporate due diligence. If an IT security incident occurs and the company is not registered with the BSI despite its existing obligation to do so, it faces substantial fines. In addition, such a violation exacerbates the regulatory assessment and can significantly weaken the position of management.”

Tim Berghoff

Even if it is now virtually impossible to complete registration before the deadline, because formal prerequisites such as obtaining an ELSTER certificate take time, registration should still be completed as soon as possible.

Conclusion

March 6 marks the end of the registration period, but it is also the beginning of a new obligation for companies and their management. A decisive change that comes with NIS-2 is the anchoring of information security competencies at the management level. The training requirement will permanently embed cybersecurity in corporate governance. IT security will thus become a visible component of modern corporate management. Those who embrace this requirement will gain more than regulatory compliance: they will gain strategic control in a digital economy where trust has become a decisive competitive factor and cyber threats should be proactively addressed.