Welcome, everyone. Thank you for being here. As we know, we have this session on regulations, so for the next couple of hours we'll be in this room. In today's first session we have Stefan Hessel. He will be talking about the newest EU regulations; we know about the NIS2 Directive, but there is also the Cybersecurity Resilience Act. So please welcome to the stage Stefan, who will be talking about these relevant topics. Please.

Thank you very much. Good afternoon from my side.
My topic in the next few minutes is EU cybersecurity regulation: scope, content and practical implementation. I will talk mostly about the NIS2 Directive and the Cyber Resilience Act, but especially at the end, when we get to the topic of best practices, I will also talk a bit about a few other acts we have in Europe. My name is, as you already heard, Stefan Hessel. I'm an attorney at law and a salary partner at ReuschLaw. My team is the digital business unit. In our digital business unit we deal with all questions regarding cybersecurity, data protection and IT law.
So at the moment we already have implementation projects for NIS2 and also for the Cyber Resilience Act, and I hope I can give you a short overview of practical aspects, of the practical application of EU cybersecurity law. What is on our agenda in the next few minutes? First, the new cybersecurity regulations, a kind of broad view of the regulation. Then we will have a short deep dive on the NIS2 Directive and on the Cyber Resilience Act, and at the end I will talk about best practices from the legal perspective. So first, the new cybersecurity regulations.
We have on the one side the NIS2 Directive and on the other side the Cyber Resilience Act, and I think both regulations are game changers, because at the moment, from a legal perspective, we live in a world where there are not zero cybersecurity regulations, but cybersecurity isn't strongly regulated. Of course you have the GDPR, but it's necessary to process personal data to come into the scope of application of the GDPR. So there is no general law in the EU for cybersecurity, and this is going to change with the NIS2 Directive and especially with the Cyber Resilience Act.
So both regulations are building blocks of the new European cybersecurity architecture, of the new EU cybersecurity regulation framework. That's very interesting. On the one side, NIS2 is a company-related directive. Directives need to be transposed into national law, so that's different from the Cyber Resilience Act, which is a regulation. Regulations under EU law don't need to be implemented into national law; they apply directly in each European member state. That's different with the NIS2 Directive. The NIS2 Directive needs to be implemented into each national law.
So, for example, the German state needs to have some kind of implementation act to transpose the directive into German national law. The directive is company-related, so NIS2 targets the cybersecurity management of companies. On the other hand, the Cyber Resilience Act is a regulation that targets products. So it contains cybersecurity requirements for products with digital elements. These are two different pillars of regulation. The NIS2 Directive is already in force. As I already mentioned, it needs to be transposed into national law. The Cyber Resilience Act will also enter into force in six days.
It has already been published in the European journal for legislation, but there is some kind of transposition. So yes, in six days the Cyber Resilience Act will enter into force. The time frame for application I will show you on the next slides. So we see on the one side cybersecurity regulation for companies, on the other side cybersecurity regulation for products with digital elements. That's huge from a legal perspective. The NIS2 Directive doesn't target all companies in Europe. It only targets essential and important entities.
What you need to fulfill to get into the scope of application, I will talk about a bit on the next slides. First, let's have a look at the status of transposition into national law. The member states should have implemented the NIS2 Directive by October 2024. So at the moment we see most member states are not compliant with the requirements from the European level. For companies in the member states where we don't have a transposition yet, that's no problem. There are no obligations coming from the NIS2 Directive if it's not implemented into national law.
But if you are in a state where the NIS2 implementation is completed and the national law is in force, you have to fulfill all requirements. So, for example, if you are a company in Italy or in Belgium, or you have a company in one of the other states, Romania, Estonia etc., in these countries you need to fulfill the NIS2 requirements at the moment.
In some other states we have some kind of draft status, also in Germany. At the moment we are discussing in Germany whether the national NIS2 implementation law will be implemented, or enter into force, before our elections or after our elections. And there are also some states where we don't have any implementation at the moment, for example Spain or other states: there is no official draft, there's no unofficial draft. We still don't know if the Spanish government wants to implement NIS2 and when it wants to.
Because of this, I would say, bad situation (it's always not good if you have a directive and it's not implemented into national law), the EU Commission last week started an action against each government in the EU which hasn't transposed the directive. So the EU Commission is trying to push the member states into implementation. So at the moment, I would say, yes, it's a bit difficult with this implementation into national law. On the other side, or maybe the question: when is NIS2 applicable? You have this scope of application, which is very important. The focus of NIS2 is the individual legal entity.
So if you are a group of companies and you have maybe 50 different individual legal entities within this company group, you need to check the application of NIS2 for every legal entity in Europe. We have this size-cap rule: as an individual legal entity you need to have 50 or more employees, or an annual turnover and annual balance sheet total of more than 10 million euros. So if you are a very small company, you are not affected by NIS2.
Also very important: if you are a group company, the employees and the annual turnover and annual balance sheet total need to be determined in accordance with this recommendation of the EU Commission, and if you have some other companies which you are connected to, it is possible that you have to add their employees to your own employees. So it's possible you have maybe a legal entity with, as I say, 49 employees, but you are linked to another company which has 150 employees.
There is a possible situation where you have to put these employees together, and in this case you will be in the scope of application of NIS2. Second point: you need to perform services or activities in one of the 18 regulated sectors. You can see them on the other side of the slide. In Annex I we have 11 sectors of high criticality, for example, yes, public administration, healthcare, banking, transport, energy, financial services, waste management and also digital infrastructure. That's very important if you look at company IT.
There is also an example on the next slide. You will see in this digital sector many companies who are not in, for example, energy, transport, banking or another highly critical sector; they are affected because of their company IT, because company IT can be in this sector, digital infrastructure. On the other side we have Annex II with seven other critical sectors. That's mainly industrial production, for example, yes, distribution of chemicals, production, manufacturing, producing devices, classical production activities, but also research or space, some kind of special fields of regulation.
We have from our law firm this free quick check, nis2-check.com; it's also available in German. I think it gives you a good starting point to check if you are affected by NIS2. In detail it can be very complicated. One example: in the digital infrastructure sector we have this point, or this main sub-sector, data center service providers. Data center service providers are defined in the NIS2 regulation.
It's everything you can perform within a data center, so classically, as you see it here on the picture, wiring, storing of data, exchange of data; all this is data centers, or all these activities are data center services. And we have recital 35 of the NIS2 Directive, where you can read that the term data center service should not apply to in-house corporate data centers, and now it's important: owned and operated by the entity concerned for its own purposes.
So if you have a bigger group of companies and one company within this group provides data center services to other companies within the group, you are not in the exception of the NIS2 Directive at this point, because you provide your services to another legal entity, and it doesn't make any difference whether it's a company of your group or another company on the free market.
So at the moment we see many companies affected because they are data center service providers to other companies in the group, and especially this IT department situation, for example of the parent company or an IT subsidiary, leads to the application of the NIS2 Directive. And this is also a wanted effect of the regulation. The German ministries and the German regulators especially clarified: we want company IT, we want the IT departments of bigger companies providing services within the group, to be regulated by NIS2.
So we see the scope of application: maybe it's not 30,000 or 40,000 companies within Germany, maybe it's more, because it's just an estimation how many companies are affected, and if I look at the field of data center service providers, and especially company IT, I think there are even more companies affected. The interesting question is now: what are the key obligations for affected companies?
First, you have this requirement of governance by the management bodies, so cybersecurity needs to be a thing you have top-down in your company. The management needs to implement cybersecurity and has the governance obligation for cybersecurity within the company, and it is not possible to delegate it. So you can have a CISO in your company to perform some practical aspects of cybersecurity, to be the head of the cybersecurity management, but at the end, you as a CEO are responsible for the governance of cybersecurity in the company.
Second, you have awareness and training. Every employee in the company needs to be trained regarding cybersecurity: you have training regarding the cybersecurity risks, and you have training regarding the cybersecurity management. That's on both sides the practical aspects regarding training and awareness.
In the center here you see risk management and state-of-the-art measures. That's the heart, the core piece of the NIS2 Directive. It's a directive targeted at cybersecurity, so it's totally clear that you need to implement cybersecurity measures in the company, and these are the risk management measures. I will show you an overview on the next slide.
You also have reporting obligations in the event of a significant cybersecurity incident. If there is a significant cybersecurity incident, you need to go to the public authorities and raise your hand and say, okay, we have a significant security incident, and in this situation you need to exchange information with the authorities, and they will try to help you to mitigate the incident.
At the end you also have this obligation for registration, so every company affected by NIS2 needs to register at their competent agency, at the competent public authority, and needs to give some information: what is the company address, who is the spokesperson for cybersecurity questions, etc. And at the end all public authorities in Germany will have a list of the critical and important entities, and we will see how many entities we have in Europe, because at the moment our EU Commission doesn't know how many critical and important entities we have in Europe and Germany. That's the goal of this registration aspect.
Accountability also has to do with the authorities. As a company who is affected by NIS2, if you are an essential entity, that's some kind of more critical entity, you need to prove your compliance with the requirements directly to the authorities. If you are an important entity, you don't have such high requirements, but you also have to prove your compliance with the requirements to the agency, or when the public authority asks you to do so. So at the end you also have these strong accountability aspects of the directive.

That's the list of cybersecurity risk management measures you need to fulfill as a regulated entity. I think it's nothing surprising: if you are familiar with ISO 27001 or with other common cybersecurity standards on the market, you will see there is not such a big gap between these two requirements and everything we have from a technical perspective.
Interesting in my opinion are two aspects. First, the black-highlighted one: incident handling, business continuity and emergency communication systems. So the legislator sees companies in the obligation to have some kind of second line of defense, and that's, I think, an interesting aspect. Of course, from a technical perspective it's not a huge new aspect, but from the legal aspect I think it's the first clear stipulation of this requirement in law. And also very interesting, the red-highlighted point: supply chain cybersecurity. So as a company you also have to look into your supply chain and see what cybersecurity requirements you need to have a cyber-secure supply chain. You have to look at your suppliers, you have to check if they are ready, or if they have some kind of cybersecurity management at the moment. So it's not a thing you have to deal with only within your own company; it also affects your suppliers. For the moment, that's, I think, enough for a short overview of the NIS2 Directive.

Now to the Cyber Resilience Act: cybersecurity for products with digital elements. Yes, okay, great, perfect, that's totally enough. The scope of application of the Cyber Resilience Act is products with digital elements. That's on the one side software, on the other side hardware, including remote data processing solutions. So if you have some remote data processing solutions, if you have some kind of IoT device, also the back-end servers are within the scope of the NIS2 Directive. We also have this quick check, but I think more interesting are the categories of products with digital elements. So we have 90 percent of the products with digital elements in the market as standard products, for example image and word processing, network speakers, hard drives, games etc., so all devices or software solutions where you don't have any risks, and you have on the other side these 10 percent of the products with some kind of higher risks. The only difference between the single fields is the question how you get your declaration of conformity. So the essential obligations for manufacturers are all the same: you need to be in conformity with the cybersecurity requirements, you need to assess cyber risks coming from your product, you need to provide free cybersecurity updates, you also have reporting obligations in the event of security breaches, and you have this point, technical documentation. What your products need to fulfill you see on this slide; it's very detailed, and I think it's a very strong requirement for the cybersecurity of products. For example, if you put a device onto the market, you are not allowed to have vulnerabilities within this device.

What's the best practice to deal with this, with NIS2, the CRA and all the other acts we have, for example the AI Act, for example the Data Act, etc.? I think you need to check if you are affected by NIS2, by the Cyber Resilience Act or by any other upcoming new digital regulation. You need to clarify your role: are you a critical entity, are you an essential entity, are you a manufacturer or another player on the market? You need to implement the requirements. Here we have of course technical measures you need to take; you need to perform a gap analysis to check what your product has, what your company has. On the other side we will also see the necessity of legal measures: contract design with suppliers, with other persons you need to provide your products on the market. And at the end, don't forget, we are in a very volatile situation, everything is in change, so you need to monitor the legal development. You need to check whether the NIS2 transpositions into national law in other member states are there or not, and also, yes, the authorities, which will give you some clarifications on different aspects of the new regulation. So that's from my side, a short overview of NIS2 and the Cyber Resilience Act.

Thank you, Stefan. I know it's not easy to summarize these two regulations in just 20 minutes, but thank you. I believe we have maybe time for only one question.

I'd be interested to understand about the evaluation of products under the CRA: is it going to be Common Criteria, like ISO 15406, or how is it going to be done?

Yes, so it depends. If you have a standard product, you as a manufacturer can declare the conformity of your product yourself; you just take the requirements of the Cyber Resilience Act and check whether your product is compliant or not. If you have an important product, there you can implement harmonized standards; that's what you meant with some kind of ISO norms, for example. In Europe we will have norms, for example, and if you apply these standards you don't need a conformity assessment by a third party. If you don't use the harmonized standards, you need a conformity assessment by a third party at this level, important products class I. If you have an important product class II, you will always have a conformity assessment by a third party, and for critical products you have a special certification scheme for these products on the market. But yes, there will be some orientation on the existing standards for products.

There have to be some certification providers that will do the testing?

Yes.

Okay, thank you. Thank you, Stefan.