Klaus Mochalski and attorney partner Thomas Schmeding (BBH Consulting) clarify the most important questions about NIS-2: Who is affected by the new thresholds? What liability risks do managers face, and how can implementation be successful? A mandatory update on cybersecurity.
Sound Bites
Klaus Mochalski: "NIS 2 [is] more of an extension of regulations that have been in place for much longer in other areas, especially for operator-critical infrastructure according to the legal definition."
Thomas Schmeding: "But what is new, and why people are now talking about 30,000 companies being affected across the board [...] is that company-specific thresholds are now being considered. [...] It is enough that I employ 50 people or that I have an annual turnover of 10 million or a balance sheet total of 10 million, and then I am already affected."
Klaus Mochalski: "The costs arise either way. [...] if I engage in prevention, I distribute the costs evenly and they are incurred in advance, or it's like in Berlin, where an incident occurs and, of course, costs are incurred, and I would argue that the costs of repairing the damage in Berlin were probably much higher than anything that could have been spent on prevention over five years."
Thomas Schmeding: "So I [as managing director] am no more liable in my company than I was before, but I have a specific obligation written into my book [...] to take concrete implementation measures, and I have to do that right now. [...] And if I don't take care of it now and the company suffers damage, then I am also potentially liable as management."
Klaus Mochalski: "My theory was that this is actually a concretization of regulations and liability that already existed before. But now it's being made concrete, which actually helps those affected because they now have a concrete framework."
Thomas Schmeding: "So I actually have to report a cybersecurity incident to the authorities within 24 hours. I have to follow up with another report within 72 hours. [...] and no later than one month after confirmation of the initial report, I have to make a final report."
Klaus Mochalski: "IT security should not be seen so much as a new risk, but rather as a business risk like many others, such as the risk of fire, burglary, or power failure."
Thomas Schmeding: "Yes, what the [EU] directive stipulates is largely implemented in Germany. [...] That means I can't see any major tightening of the rules, at least."
Chapters
00:00 Welcome and introduction
02:06 The bumpy road to NIS 2 implementation
05:14 Who is affected? New sectors and thresholds
09:21 Prevention versus response costs
14:17 Duties and personal liability of management
18:29 The strict deadlines in the new reporting system
20:50 German implementation compared to the EU
23:43 Conclusion and warning against voluntary registration
Keywords
NIS 2, cybersecurity, compliance, infrastructure, EU regulations, risk management, small businesses, senior management, responsibilities, reporting obligations, Germany