Act implementing the NIS Directive

More functions and powers for the BSI

Section sign, surrounded by the EU stars, floating over a blue map of the EU.
Source: ©bluedesign / Fotolia.com

The act implementing the European Directive on security of network and information systems (NIS Directive) was proclaimed on 29 June 2017. Its main purpose is to implement the NIS Directive, which came into force in August 2016. The directive defines measures to ensure a high common level of security of network and information systems in the European Union. It created a uniform legal framework for the EU-wide development of national cyber security capacities, closer cooperation between the member states of the European Union, and minimum security requirements and reporting obligations for critical infrastructures as well as for certain providers of digital services such as cloud services and online marketplaces. Against this background, the BSI receives new functions and powers, an important prerequisite for further improving cyber security in Germany.

Implementation for digital services by May 2018

The NIS Directive is an important step towards more cyber security in Europe. The directive must be transposed into national law by the member states of the European Union, who have until May 2018 to do so. With the Implementation Act proclaimed on 29 June 2017, the German legislator has already done its homework. The starting conditions were favourable: since the IT Security Act came into force in July 2015, Germany has had a uniform legal framework for cooperation between the state and companies on cyber security in critical infrastructures (KRITIS). That act requires KRITIS operators to implement IT security according to the "state of the art" and to report significant IT security incidents to the BSI. The act implementing the NIS Directive now expands the BSI's supervisory and enforcement powers with respect to KRITIS operators.

The only completely new regulations created in Germany are those for digital service providers. Unlike the supplemented regulations for KRITIS operators, however, these only apply from 10 May 2018.

Beyond implementing the NIS Directive, the Implementation Act strengthens cooperation between the federal states and the BSI. In future, the BSI will be able to support the federal states even more comprehensively and make its technical expertise available to them.

More powers for the BSI

Despite its stronger powers, the BSI will work to ensure that the cooperative approach anchored in the IT Security Act, which has been practised in the CIP Implementation Plan (UP KRITIS) for 10 years, is also pursued in the implementation of the NIS Directive: the challenges can only be met if government and business work together. In doing so, the BSI lives up to its pioneering role in Europe in the field of cyber security. At the same time, the Implementation Act is a useful addition to the IT Security Act. In future, providers of digital services will also be subject to minimum requirements and reporting obligations. This affects online marketplaces and search engines as well as providers of cloud computing services. The Federal Ministry of the Interior expects that between 500 and 1,500 companies in Germany will be affected by the new regulation. In future, the BSI will act as the supervisory authority that ensures compliance with the new requirements.

How the BSI supports companies

Critical infrastructures connected to the Internet are a target for cyber attacks. Quite apart from the supply failures the public wants to avoid, the downtime caused by an attack alone can result in damage costing millions of euros. Mobile Incident Response Teams (MIRTs) have been set up to support companies even more effectively. These special task forces consist of cyber security experts from the BSI who, at the request of a KRITIS operator, investigate particularly serious cyber attacks on site and help to deal with them. A cyber attack that paralyses important IT control systems at a power plant is one such example. An attack on a chemical plant that could be assumed to pose a great danger to the population would also justify deploying an MIRT.