Update Data Protection No. 175

The implementation of the NIS2 Directive in Germany: The challenge of determining the scope of application for corporate groups

The Network and Information Security Directive 2 ("NIS2 Directive") has been in force in the EU since December 2022. A key objective of the NIS2 Directive is to improve cybersecurity in companies and organizations in all EU member states in order to increase overall resilience to cyberattacks. Member states have until October 2024, the planned implementation deadline, to transpose the NIS2 Directive into national law.

The German legislator has already published several drafts for the NIS2 Implementation and Cyber Security Strengthening Act ("NIS2UmsuCG"). The latest draft of the NIS2UmsuCG dates from December 22, 2023. The central component will be the fundamentally revised Act on the Federal Office for Information Security and on the Security of Information Technology of Institutions ("BSIG-new").

Like the previous drafts, the current draft clearly shows that the German legislator wants to significantly expand the already broad scope of application of the NIS2 Directive. At the same time, the currently planned regulations raise considerable questions when determining the scope of application. This is particularly true in the case of companies that are part of group structures.

Based on the current draft bill of the NIS2UmsuCG, an initial overview of the determination of the scope of application in group relationships and the associated challenges is provided below.

A. Who should the new BSIG apply to?

Two main criteria are relevant when determining the scope of application of the new BSIG:

On the one hand, the type of activity of a company or organization is decisive (details on the sectors covered here). On the other hand, it is important that the respective companies and organizations reach the required thresholds. This is to be calculated on the basis of the number of employees and annual turnover or annual balance sheet total.

Companies and organizations must therefore check whether they fall within the sectors covered on the one hand and meet the relevant thresholds on the other. Particularly in the case of group companies that are part of a corporate group, special challenges can regularly arise.

B. IT group companies as a separate addressee

In group structures, the procurement and provision of IT services are regularly outsourced to individual group companies. In this case, the question arises as to whether such IT group companies fall within the scope of the new BSIG.

IT services provided by group companies include data center services in particular. Providers of data center services are explicitly included in the current draft of the new BSIG in connection with the "information technology and telecommunications" sector. According to Recital 35 of the NIS2 Directive, companies and organizations that only operate "internal data centers" are not considered providers of data center services. However, this only covers data centers that are operated within their own company or organization. The exception in recital 35 therefore does not apply to providers of data center services that are (exclusively) provided to other group companies.

This means that traditional IT group companies can regularly be classified as "providers of data center services" if they offer corresponding data center services within the group.

In addition, depending on the constellation, other IT group companies may also be covered by the new BSIG if they do not provide data center services but at least other IT services within the group. This is because the BSIG-new also covers providers of managed services (so-called managed service providers) and providers of managed security services (so-called managed security service providers).

In terms of terminology, the category of managed service providers includes group companies that provide services in connection with the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems through support or active management. Managed security service providers in turn include providers of managed services that specifically perform or provide support for activities related to risk management in the area of cyber security.

In corporate groups in particular, it is therefore necessary to examine whether and to what extent certain group companies provide corresponding data center services or administrative services in connection with the ICT and security infrastructure.

C. Calculation of company key figures in group structures

Another problem that regularly arises in corporate groups concerns the question of which companies within the sectors covered meet the relevant thresholds, and how companies should actually determine these.

The requirements of the NIS2 directive are quite clear:

According to Art. 2 of the NIS2 Directive, it applies to all public or private entities that qualify as medium-sized enterprises according to Art. 2 of the Annex to Recommendation 2003/361/EC ("SME Recommendation") or exceed the thresholds for medium-sized enterprises and provide their services or carry out their activities in the Union.

According to this definition, the NIS2 Directive applies to all companies that are at least "medium-sized", i.e. all companies with at least 50 employees and either an annual turnover of EUR 10 million or an annual balance sheet total of at least EUR 10 million.

The BSIG-new deviates from this by now including all companies and organizations that either have at least 50 employees (regardless of turnover or balance sheet total) or (regardless of the number of employees) have an annual turnover and an annual balance sheet total of more than 10 million euros each. As expected, this will lead to a considerable expansion of the scope of application of the new BSIG.

Particularly in connection with the calculation of the relevant key figures in group relationships, great care is required. This is because, according to the SME recommendation, the focus is not always on the individual company. Rather, in certain circumstances, the key figures of other companies must also be taken into account. Therefore, if a company has so-called partner or affiliated companies within the meaning of the SME recommendation, not only the key figures of the actual company but also the key figures of all partner or affiliated companies are taken into account when determining the above-mentioned thresholds.

This problem is exacerbated by the draft of the new BSIG. This is because it states that such an attribution of key figures should not take place in the following two exceptional cases:

  • Legally dependent organizational units of a local authority and
  • Companies that are independent of partner or affiliated companies, taking into account the legal, economic and factual circumstances with regard to the nature and operation of the information technology systems, components and processes.

Regarding the second exception, the intention of the legislator is certainly to be welcomed: the idea behind it is that a group company that can decide independently about its IT infrastructure must also be considered independently when calculating the threshold. Nevertheless, it must be noted that this exception is not provided for in the NIS2 Directive, and its compliance with EU law is therefore highly doubtful. In case of doubt, there is thus a risk that this provision will be declared invalid by the ECJ in the future.
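As an added illustration (not from the article, the NIS2 Directive or the draft act), the following Python compares the two threshold rules described above and shows how attributing the figures of partner or affiliated companies changes the outcome. Entity names and figures are constructed, and attribution is simplified to full summation (the SME Recommendation itself weights partner companies by shareholding).

```python
# Added illustration: NIS2 vs. BSIG-new draft thresholds, with group attribution.
from __future__ import annotations
from dataclasses import dataclass, field

EMPLOYEE_THRESHOLD = 50
EUR_THRESHOLD = 10_000_000  # EUR 10 million, as described in the article


@dataclass
class Entity:
    name: str
    employees: int
    turnover: float        # annual turnover in EUR
    balance_sheet: float   # annual balance sheet total in EUR
    # Partner/affiliated companies whose figures are attributed.
    # Simplified assumption: full summation rather than pro-rata weighting.
    linked: list[Entity] = field(default_factory=list)

    def aggregated(self) -> Entity:
        """Return a copy with the key figures of linked entities added in."""
        agg = Entity(self.name, self.employees, self.turnover, self.balance_sheet)
        for e in self.linked:
            agg.employees += e.employees
            agg.turnover += e.turnover
            agg.balance_sheet += e.balance_sheet
        return agg


def meets_nis2_threshold(e: Entity) -> bool:
    """NIS2 (as summarised in the article): at least 50 employees AND
    turnover or balance sheet total of at least EUR 10 million."""
    return e.employees >= EMPLOYEE_THRESHOLD and (
        e.turnover >= EUR_THRESHOLD or e.balance_sheet >= EUR_THRESHOLD)


def meets_bsig_threshold(e: Entity) -> bool:
    """BSIG-new draft (as summarised in the article): at least 50 employees OR
    turnover AND balance sheet total each above EUR 10 million."""
    return e.employees >= EMPLOYEE_THRESHOLD or (
        e.turnover > EUR_THRESHOLD and e.balance_sheet > EUR_THRESHOLD)


def classify(e: Entity, independent_it: bool = False) -> dict:
    """NIS2 always attributes group figures; the draft BSIG-new would skip
    attribution for a company deemed independent in terms of its IT."""
    basis = e if independent_it else e.aggregated()
    return {"nis2": meets_nis2_threshold(e.aggregated()),
            "bsig_new": meets_bsig_threshold(basis)}
```

Run on a constructed IT subsidiary (30 employees, EUR 4 million turnover) linked to a large parent, `classify` shows that the subsidiary is in scope of both rules only because of attribution, and that the draft's independence exception would take it out of the BSIG-new scope while NIS2 still covers it.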

D. Conclusion

The NIS2 Directive is a central component of the European cybersecurity strategy and can help to significantly increase the level of cybersecurity in the EU.

In corporate groups in particular, however, the question of the scope of application of the proposed new BSIG as part of the German transposition law for the NIS2 Directive poses various challenges. This applies with regard to the identification of the relevant areas of activity or sectors and the calculation of the relevant thresholds. As shown above, there is a risk that the scope of application for group companies will not be defined correctly. This can result in severe regulatory measures.

Whether the current draft of the BSIG-new will enter into force in this form and, above all, when this will be the case, cannot be predicted at present. As things stand, the NIS2UmsuCG is not expected to be adopted in time for the October 2024 deadline. Companies, especially group companies, should therefore follow the legislative process closely. It will be interesting to see how this develops.
