The new EU directive “on measures for a high common level of cybersecurity throughout the Union” (NIS2) obliges numerous companies to improve their IT security. Public administration is explicitly excluded from the German implementation of NIS2, which surprises not only KRITIS expert Manuel Atug in his commentary on NIS2. Aren’t municipal services critical to public life? Numerous ransomware attacks on municipalities tell a different story.
The basis for the exception for municipal IT is a resolution of the IT Planning Council from November 2023, according to which municipalities and educational institutions should be excluded from the scope of application of the European NIS2 Directive. The IT Planning Council is the central political IT steering committee between the federal and state governments.
Its decision is based on a status report from the Information Security Working Group of the IT Planning Council from September last year. The report recommends that the NIS2 directive not be extended to local governments and educational institutions. However, the IT Planning Council ignores the second part of the recommendation of the Information Security Working Group, which the FragDenStaat initiative published.
It was not meant like that
The second part says that the states should create regulations in their respective state law, since regulation within the framework of NIS2 does not offer any significant advantages compared to rules tailored to the respective administrative structure of the state. Based on the federal government's planned NIS2 Implementation and Cybersecurity Strengthening Act, the states could independently regulate information and cybersecurity requirements for local authorities and educational institutions. Whether this will happen at some point is anyone's guess.
(odi)