The dangers in the area of cybercrime have been steadily increasing for years. The risks range from data theft and espionage to IT failures and production stoppages. In view of this, it comes as no surprise that several legislative procedures have already been introduced to raise security standards in information technology.
With the new NIS-2 Directive, however, the circle of addressees of these special cybersecurity rules will widen significantly. Dr. Hanna Schmidt and Annabelle Marceau provide an overview of the upcoming changes and their implications for IT compliance and labour law.
1. Development of legislation in the field of IT security and the current legal situation
With the German IT Security Act 1.0 [IT-Sicherheitsgesetz 1.0] of 2015, operators of critical infrastructure, in particular in the sectors of energy and water supply, finance and food, became the addressees of special cybersecurity rules for the first time. Since then, the German Act on the Federal Office for Information Security [Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSIG] has obliged them, among other things, to take organisational and technical precautions in line with the state of the art. Should a significant security incident occur, it must be reported to the Federal Office for Information Security [Bundesamt für Sicherheit in der Informationstechnik, BSI].
The first EU NIS Directive (Directive (EU) 2016/1148) followed a similar approach and was transposed into German law in 2017 by the German Act Implementing the European Directive on Ensuring a High Level of Network and Information Security [Gesetz zur Umsetzung der europäischen Richtlinie zur Gewährleistung einer hohen Netzwerk- und Informationssicherheit]. The NIS Directive aims to establish a uniform EU-wide legal framework for expanding national cybersecurity capacities. The German Implementing Act extended the rules for critical infrastructure and introduced obligations for providers of digital services.
Since 2021, so-called companies in the special public interest [Unternehmen im besonderen öffentlichen Interesse] have also had to fulfil special cybersecurity obligations under the "Second Act to Increase the Security of Information Technology Systems" (IT Security Act 2.0) [IT-Sicherheitsgesetz 2.0]. Affected companies must regularly, every two years, submit a self-declaration on certifications, security audits and protective measures. In the event of an incident, they are likewise obliged to notify the competent authorities.
2. New NIS-2 Directive
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS-2 Directive) significantly expands the addressees of specific cybersecurity rules. The sectors of high criticality listed in Annex I of the Directive include energy, transport, banking, financial market infrastructure, health, drinking water and waste water, digital infrastructure, ICT service management (business-to-business), public administration and space. The other critical sectors listed in Annex II include postal and courier services, waste management, chemicals (manufacture, production and distribution), food (production, processing and distribution), manufacturing (for example of medical devices, electronics and vehicles), digital providers and research. As a rule, large entities in the Annex I sectors are classified as essential entities and the other entities in scope as important entities; the distinction matters for supervision and fines. As regards company size, the Directive prescribes a uniform EU-wide threshold for the first time: in principle it covers only medium-sized and large entities in the sectors in question, as defined by Commission Recommendation 2003/361/EC (from 50 employees, or above EUR 10 million in annual turnover and balance sheet total). In addition, a catalogue of cases in Art. 2 (2), which the member states may extend, brings certain entities into scope regardless of their size, for example sole providers of a service that is essential for critical societal or economic activities.
With the implementation of the NIS-2 Directive, affected companies and entities will be required to implement appropriate and proportionate technical, operational and organisational risk management measures, taking into account the state of the art, relevant European and international standards and the cost of implementation (Art. 21 (1) NIS-2 Directive). Art. 21 (2) lists the minimum content: policies on risk analysis and information system security; incident handling; business continuity, including backup management, disaster recovery and crisis management; supply chain security, including the relationship with direct suppliers and service providers; security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control and asset management; and the use of multi-factor or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems.
A multi-level approach is envisaged for reporting significant security incidents to the CSIRT or the competent authority (Art. 23 NIS-2 Directive). An early warning must be submitted without undue delay and in any event within 24 hours of becoming aware of the incident. This must be followed by an incident notification within 72 hours of becoming aware of the incident, and, on request of the authority, by intermediate status updates. A final report must be submitted no later than one month after the incident notification. The authorities will also be empowered to take stricter supervisory and enforcement measures. For essential entities, the Directive provides for proactive supervision, including on-site inspections and off-site supervision, regular and targeted security audits, ad hoc audits, security scans and requests for information; important entities are supervised reactively, i.e. where there is evidence or indication of non-compliance.
Sanctions in the event of non-compliance must be defined by the member states. However, the Directive already prescribes a maximum fine of at least EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities, and of at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities (Art. 34 NIS-2 Directive). Under Art. 20, the management bodies of the entity must approve and oversee the risk management measures and attend training, and the member states must ensure that they can be held liable for infringements.
The NIS-2 Directive was published in the Official Journal on 27 December 2022 and entered into force on the twentieth day following its publication, i.e. on 16 January 2023. The member states must transpose the Directive into national law by 17 October 2024.
3. IT compliance for the affected companies
For the affected companies, it will be even more important than before to address the issue of IT compliance. The management, primarily but not exclusively the member of the management board responsible for IT, must also be able to demonstrate sufficient knowledge of risk management. Competencies need to be developed both in IT security itself and in emergency and crisis communication.
Companies are advised to implement an information security management system (ISMS), for example based on ISO/IEC 27001 or the BSI IT Baseline Protection [IT-Grundschutz] methodology, before the statutory implementation deadline. An ISMS serves not only as a compliance exercise but as the instrument for controlling and monitoring IT security measures within the company. If the ISMS is certified in an audit, the certificate can also be used as robust evidence towards insurers and authorities.
When commissioning IT service providers, companies should contractually require that the provider also has an appropriate, documented and implemented security concept and an ISMS, for example in accordance with ISO/IEC 27001, including emergency management. Where the service involves cloud services, the security concept should be aligned with the cloud-specific controls of ISO/IEC 27017, and, if personal data is processed in the cloud, additionally with ISO/IEC 27018. Companies are advised to have the contractor demonstrate this by presenting valid certificates or equivalent evidence. The security concept, the ISMS and the certificates must, to the extent applicable to the service provided, fully cover that service and must be renewed in accordance with the audit frequency specified in the relevant standard.
4. Labour law implications
The increased cybersecurity compliance requirements created by the NIS-2 Directive also have implications for labour law. The measures to be implemented affect both individual employment law and shop constitution (works council) law.
For example, IT security guidelines in particular will doubtless have to be updated and made part of the employment relationships with employees. As a rule, such guidelines can be introduced unilaterally on the basis of the employer's right of direction (Sec. 106 German Industrial Code [Gewerbeordnung, GewO]), which covers the concretisation of duties that already exist in the employment relationship. The consent of the respective employee is only required if the new rules go beyond this and establish new duties, i.e. change the content of the employment contract.
Depending on the content of the IT security guideline, the works council may also have co-determination rights insofar as the guideline regulates the orderly conduct of employees in the establishment within the meaning of Sec. 87 (1) no. 1 German Shop Constitution Act [Betriebsverfassungsgesetz, BetrVG]. If, on the other hand, the guideline merely concretises the employees' duty to work (for example, by specifying the steps to take in the event of a cybersecurity incident), it is not subject to co-determination by the works council.
The NIS-2 Directive provides for cybersecurity training (Art. 21 (2) (g)), which means that, depending on the concrete implementation by the member states, employees may acquire a claim to training. In this case, the works council would have a right of co-determination pursuant to Sec. 98 (1) BetrVG with regard to the specific type and nature of the training. If the training is delivered by means of software, the works council would also have co-determination rights with regard to the introduction of such software pursuant to Sec. 87 (1) no. 6 BetrVG, insofar as the software is capable of monitoring the conduct or performance of employees.
Since the NIS-2 Directive significantly increases the requirements for corporate cybersecurity measures, companies are already required, also in their own interest, to review and update the IT security systems they currently use. Insofar as such systems are technical devices capable of monitoring the conduct or performance of employees, the works council has a right of co-determination in their introduction and modification pursuant to Sec. 87 (1) no. 6 BetrVG.
System updates may also create a need to train the employees who use and administer the systems. In this context, too, the works council must be involved in accordance with Sec. 98 (1) BetrVG.
The legal requirements in the area of cybersecurity are being significantly expanded by the NIS-2 Directive. Companies should therefore already examine the extent to which they themselves will be affected by the innovations coming over the next few years and should deal with the implications for their own business in good time, both in terms of IT compliance issues and implementation under labour law.
Especially in view of the shortage of skilled workers on the IT market, forward-looking planning is vital. Ultimately, an IT security architecture in line with the state of the art will not only serve to meet the increased legal requirements, but is in every company's own interest where production processes and sensitive company data need to be protected.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.