# EU’s NIS2 Directive: Strengthening Cybersecurity Across Europe
To enhance cybersecurity collaboration between EU member states, the European Commission proposed the Network and Information Systems (NIS) 2 Directive in December 2020. The revised directive aims to strengthen cybersecurity, advance digitalization across the European Union, and encourage government bodies to supervise their cybersecurity processes.

## Key Requirements
The NIS Directive applies to EU operators of essential services and digital service providers, including:
- Energy
- Healthcare
- Transport
- Online marketplaces
- Other services within the digital infrastructure
These entities must:

- Have adequate cyber threat and risk management capabilities, including the ability to operate Cyber Security Incident Response Teams (CSIRTs)
- Implement data protection measures for safeguarding IoT and smart infrastructure
- Regularly conduct cyber exercises
- Be capable of cross-border collaboration with other countries within a CSIRT network
- Conduct cybersecurity monitoring

## Penalties for Non-Compliance
Entities that fail to comply with the NIS Directive will face fines of up to €17 million or 4% of their global annual turnover.
## Germany’s Data Protection and Privacy Act
In December 2021, Germany merged its Telemedia Act (Telemediengesetz) and Telecommunications Act (Telekommunikationsgesetz) into a single act called the Data Protection and Privacy Act of Telecommunications and Telemedia Services (TTDSG).
### Requirements for Compliance
The TTDSG stipulates security obligations for businesses and digital service providers to:
- Implement state-of-the-art organizational and technical measures that prevent unauthorized access to systems and personal data
- Prevent both internal and external malfunctions and cybersecurity incidents
### Penalties for Non-Compliance
Violating the requirements of the TTDSG may result in fines up to €300,000. Violations of confidentiality in communication are punishable under both regulatory and criminal law by up to two years of imprisonment or heavy fines.
## Cybersecurity Organizations
Germany has its own CERT (Computer Emergency Response Team), known as CERT-Bund, which provides information and guidelines on cybersecurity. Other organizations include:
- Alliance for Cybersecurity: a cooperation platform that mediates the exchange of information between German science research sectors and the BSI
- BSI’s IT crisis centers: for analyzing, assessing, monitoring, and reporting cybersecurity incidents, acting as an incident response support unit to aid companies in managing cyber incidents
## Conclusion
The NIS2 Directive aims to strengthen cybersecurity across Europe by enhancing collaboration between member states. Germany’s Data Protection and Privacy Act (TTDSG) is a crucial part of implementing the directive, with penalties for non-compliance ranging from fines to imprisonment. Understanding these requirements and regulations is essential for businesses operating in the digital space.