The German NIS Directive Implementation Act came into effect on 30 June 2017. The provisions on providers of digital services only apply as of 10 May 2018.
The Implementation Act (Federal Law Gazette, BGBl. I 2017 of 29 June 2017, p. 1885) amends the Act on the Federal Office for Information Security ("FOIS Act"), the Atomic Energy Act, the Energy Industry Act, Social Insurance Code V and the Telecommunications Act.
Operators of critical infrastructures must immediately report to the Federal Office for Information Security (FOIS) (i) disruptions of the availability, integrity, authenticity or confidentiality of their IT systems that have led to a failure or significant impairment of the operability of the critical infrastructure, and (ii) significant disruptions of that kind that might lead to such a failure or impairment (Section 8b para. 4 of the FOIS Act).
Providers of digital services must immediately report to the FOIS any security incident that has a significant impact on the provision of a digital service they provide in the EU (Section 8c para. 3 of the FOIS Act). The term "significant" is defined in the implementing acts adopted under Art. 16 para. 8 of the NIS Directive. No report is required if the provider does not have sufficient access to the information needed to evaluate the impact of the security incident.
Section 14 of the FOIS Act provides for administrative fines of up to EUR 50,000, in particular in the following cases:
Operators of critical infrastructures wilfully or negligently
Providers of digital services wilfully or negligently
Infringements by providers of digital services are only sanctioned by the German authorities if the provider (i) has no main establishment in another EU member state, or (ii) where it has no establishment in the EU, has appointed a representative in Germany, where it offers the digital services.
Further, the Implementation Act amends the sanction rules under the Atomic Energy Act, Energy Industry Act, Social Insurance Code V and Telecommunications Act, while the amounts of the administrative fines remain unchanged.
Operators of critical infrastructure are subject to German law if the infrastructure is located in Germany.
The reporting obligations do not apply to providers of digital services that have their main establishment in another EU member state or have appointed a representative in another EU member state in which they offer the digital services. By contrast, the other obligations (e.g. to implement appropriate technical and organisational measures, "TOMs") apply to providers even where their main establishment is outside Germany (provided, of course, that information security in Germany is concerned; see "competent authorities").
Last reviewed 28.02.2018