For a long time now, an uninterrupted supply of electricity, telecommunications services and other critical services has been fundamental to our society. Therefore, the critical infrastructure (KRITIS) must be protected from IT disruptions and cyber attacks. The 2015 German IT Security Act and the EU Directive on the security of network and information systems (NIS Directive) adopted in 2016 take this need for protection into account.

But the ever-increasing pace of digitalisation means our economy and society are now linked in ways that extend far beyond critical infrastructure. Digital services such as

• online search engines
• cloud computing services and
• online marketplaces

also need to run with no disruptions, while offering users an appropriate level of security.

The NIS Directive therefore provides a framework for regulating digital service providers in a way that is harmonised throughout the EU. The regulations were transposed into national law back in the summer of 2017 by the Act on the Implementation of the NIS Directive (Gesetz zur Umsetzung der NIS-Richtlinie). These regulations came into force in Germany on 10 May 2018. The aim is to achieve a standard minimum level of IT security for digital services throughout the EU.

As the national authority responsible for cyber security, the BSI offers support in implementing these new requirements. The BSI also receives reports submitted in response to the obligation to report security incidents.

For answers to frequently asked questions about this type of regulation, see our FAQ. If you have any other questions, please feel free to contact our operative arm.