
Federal Council takes forward committee recommendations on NIS2 without comment



Since no one asked to speak on the total of 20 recommendations on NIS2 from the lead Committee on Internal Affairs, the Health Committee, the Committee on the Environment, Nature Conservation and Nuclear Safety and the Transport Committee, the Federal Council voted on the committees' recommendations directly. All of them, without exception, were accepted by majority vote.






Manuel Atug is an IT security expert for critical infrastructure and is active online as @HonkHase.


The Federal Audit Office had recently been considerably more critical and more understanding of the matter. As part of NIS2, the assistance that the Federal Office for Information Security (BSI) provides to police authorities and the Office for the Protection of the Constitution will in future be limited to federal authorities; as administrative assistance, it could be refused more easily in individual cases. At the same time, the BSI is now to be given a statutory support mandate.

This should include a fully digital reporting process, free of media discontinuities, in an online platform for the voluntary exchange of relevant cyber security information. For this purpose, the EU requires electronic proof of identity at the “high” assurance level. In addition, the Federal Office for Civil Protection and Disaster Assistance should provide access to information on the physical security and resilience of critical infrastructure. The whole thing should likewise be implemented as an end-to-end digital process.

The BSI is to inform the competent data protection supervisory authorities as soon as a breach of risk management measures or reporting obligations could result in a breach of the security of personal data, not only when this is the “obvious consequence”. Likewise, if the responsible IT security officer, in the course of carrying out his or her duties, determines that a breach of risk management measures or reporting obligations may result in a breach of the security of personal data within the meaning of the GDPR, there is an obligation to notify.

With the wording “through comparable state regulations”, the various regional authorities in the federal states would in future have to use the BSI Act as the benchmark, even where it goes beyond the NIS2 minimum measures required by the EU. To prevent this, the wording should be changed to “state regulations implementing the NIS 2 Directive”. Otherwise, numerous cybersecurity measures, above all nationwide ones, would have to be implemented in all 16 federal states.

Management should not only be trained itself, but should also work explicitly towards training for all employees. The intention is to reduce the administrative burden for institutions subject to NIS2 by allowing the BSI to be used, via an online form, as the central point of contact for the reports required under the GDPR as well.

A sample contract comparable to the EVB-IT should be made available so that the IT service providers of the federal states can be informed at an early stage about the expectations and requirements of the customer “federal administration”. IT service providers in the federal states may also be affected via the German Administration Cloud, which is to become the marketplace through which federal administrations can also access services in the future.

It is welcome that the BSI supports not only the institutions of the federal administration but also the federal states in the sense of an overall architecture; technical guidelines and a reference architecture should be provided.

It should be examined whether classification as KRITIS should depend not only on the threshold value of approximately 500,000 people served, but whether other criteria should also be included in the KRITIS regulation. There is a risk that, under the current NIS2 draft, most hospitals – at least in North Rhine-Westphalia – are not in scope and that therefore “the existing security threat will not be taken into account”. Above all, this would inadequately reflect the importance of hospitals in rural areas.

In the draft KRITIS umbrella law – as in the NIS2 draft – the threshold values should also be fundamentally questioned because of the special status of public services in the health sector. The usefulness of single decisive limit values should therefore be re-examined against this background. AG KRITIS has pointed out this problem in almost all KRITIS sectors and industries for many years and would welcome it if the thresholds were finally adapted to the real situation.

In the healthcare sector, large practices, professional practice groups and medical care centres may in future become operators of important facilities. In addition, large outpatient facilities and high-turnover practices in radiology and nuclear medicine, nephrology or laboratory medicine may qualify as critical facilities.

Since, under Section 108 SGB V, hospitals only have to submit evidence after a five-year transition period, a similarly extended transition period is also called for for critical facilities. The first evidence would then not be due until 2030 at the earliest.

Overall, there are several sensible measures to reduce bureaucracy, and many marginal issues are addressed, but there is no great leap forward of the kind the Federal Audit Office envisions; those topics are not even discussed. Both the federal states and the healthcare system are to approach cybersecurity only according to the minimum principle, which does justice neither to the current threat situation nor to the situation in healthcare.


(Mac)
