Cybersecurity: “It’s all about the sausage”



The challenge for companies in cybersecurity is enormous, says Martin Wansleben, managing director of the German Chamber of Commerce and Industry (DIHK). However, the sum of bureaucratic challenges increases the workload on companies and endangers the acceptance of even sensible measures. Companies have been given a fatal impression: “The state is collapsing. Isn’t security a fundamental state task?” The principle of hope still reigns among many medium-sized companies. It is clear: “There is no digitalization without cybersecurity, there is no increase in productivity without digitalization.” And this is what determines the country’s economic performance.



If warfighting is the goal, cybersecurity is the first priority and then other regulations such as the Supply Chain Act have to be deprioritized. “When it comes to security, it’s really all about the sausage,” says Wansleben. Karl-Sebastian Schulte, managing director of the Central Association of German Crafts (ZDH), makes a similar argument with regard to companies’ financial prospects: “If the state has a tight budget, this process in the industry has already started at least two years ago.”


The criticism from business was not explicitly directed at the Federal Office for Information Security (BSI). Its president, Claudia Plattner, is calling for more commitment in Berlin. “We cannot afford it if billions of dollars go out of our country,” she says, referring to the economic consequences and ransomware payments. “We cannot afford to be divided by disinformation. And we cannot afford to have information turned to the Ummah either.” Allowing sabotage is also unacceptable, Plattner warned.

Therefore, the new EU regulations NIS2 and the Cyber Resilience Act, which she sees as twins, need to be put into practice. Companies will achieve significant improvements in IT security through modern methods such as the consistent use of software bills of materials (BOMs). With a view to software supply chains, Plattner asks: “How many manufacturers really know which libraries and which versions are installed in their products?”

The BSI wants to focus primarily on cooperation in applying NIS2, the BSI president announced. Interest from companies is so great that the authority had to find a new webinar solution to do justice to it. It is impossible to address 29,000 companies in person. “So far we do not plan to create any jobs for the NIS2 implementation,” says Plattner. “We cannot carry on as before,” the BSI president added, pointing to the more than sixfold number of companies and authorities that will then fall under the KRITIS guidelines and that the BSI has to regulate, advise and, in an emergency, assist.

The BSI's NIS2 checker has already been used 36,000 times, reveals Friederike Dahns, head of the cyber and information security department at the Federal Ministry of the Interior. At the same time, she warns against sweeping judgments about the rules. It is justifiable to be upset, but: “There are a lot of powers out there that no longer make their rules based on democratic consensus. They will not ask any of you before passing laws to declare vulnerabilities, to conduct intrusion tests, to nationalize companies.” Before her new role in the Ministry of the Interior, Dahns was also responsible for counterintelligence. She takes aim at company representatives: “Over the years in counterintelligence I have seen every day how you are all attacked. In every way. And how you, helpless and powerless, rightly demanded that the German state protect you, even against good law and order.”

For this to succeed, the legal framework must be defined more precisely with the NIS2 Implementation and Cybersecurity Strengthening Act. Tomorrow the German Bundestag will discuss it in its first reading. Markus Richter, State Secretary at the Interior Ministry, says he sees a need for adjustments in the legal framework beyond the existing law, especially when it comes to federalism: “The important thing is that we know: Who responds to which attack with what authority.” Today, which official is responsible is mainly a question of when the incident occurred, Richter said.


(MMA)
