The regulation maze – EU and German cyber security laws for critical service providers
11-21, 11:00–11:30 (Europe/Berlin), Auditorium

Reeling under the blows of the Russian assault on Ukraine and the ever-increasing threats to networks and utilities, the European regulatory regime for critical infrastructures is undergoing profound changes. Both the cyber and the physical security of essential service providers are covered by the recent EU directives NIS 2 and CER, with several additional initiatives targeting specific areas: DORA (the operational resilience act for the financial sector), the upcoming Cyber Resilience Act for secure hardware and software, the EU certification scheme for cloud services, and more. All of them are either being transposed into national legislation or apply directly across the Union, and they carry consequences for every type of industry; telecommunications and digital infrastructure are merely the most prominent sectors now held accountable for their perimeter and information security.

Network operators are particularly exposed to the new rulesets. Their criticality does not rest solely on their own services being classified as critical: they also inherit requirements from customers that fall within the scope of critical infrastructure regulation. The entire digital infrastructure sector, together with managed service and managed security providers, is undergoing the most significant change, with implementing acts that specify the technical and methodological requirements of the NIS 2 directive currently being prepared.

What does all that mean for operators? More money to spend on security, eventually: the budget increase needed to fulfil the obligations is estimated at anywhere between 15 and 25 percent compared to the situation before NIS 2 and CER. Technical compliance for network operations requires not only implementing security measures but also proving them, through audits, certifications and mandatory reporting.

This talk takes you on a speed run through the maze of legal and regulatory thickets in the European Union and, especially, in Germany. Entertaining as it may seem, the drastic changes in both direction and speed may have dizzying side effects. Buckle up, buttercup, it's a bumpy one.

See also: The Regulation Maze - presentation slides (3.6 MB)

Senior Information Security Consultant with nGENn GmbH since 2022, after five years as in-house CISO for two Berlin-based companies. Further down the timeline: 2005-2017 political advisor to members of the German Bundestag. Former managing director at nGENn upon return from five years in Japan as representative for European ISPs and software development businesses. Roots in the Internet industry extend back to 1995. Pre-IP data communications provider for newspapers and correspondents from 1988. Journalist by training.