IT Secu­ri­ty Act 2.0: BSI publishes new gui­dance for companies

With the IT Secu­ri­ty Act 2.0 and the amend­ments to the Act on the Fede­ral Office for Infor­ma­ti­on Secu­ri­ty (BSIG) con­tai­ned the­r­ein, Ger­man legis­la­tors intro­du­ced com­pa­nies of spe­cial public inte­rest (also known as UBIs or UNBÖ­FIs). In order to pro­vi­de affec­ted com­pa­nies an over­view of their rights and obli­ga­ti­ons, the Fede­ral Office for Infor­ma­ti­on Secu­ri­ty (BSI), as the com­pe­tent super­vi­so­ry aut­ho­ri­ty, has published FAQs (only in Ger­man). The fol­lo­wing is a sum­ma­ry of the key mes­sa­ges from the agen­cy infor­ma­ti­on and our recom­men­da­ti­ons for implementation.

What are com­pa­nies of spe­cial public interest?

Com­pa­nies of spe­cial public inte­rest are defi­ned in § 2(14) BSIG (only in Ger­man). The Act distin­gu­is­hes bet­ween the fol­lo­wing three cate­go­ries of companies:

  • Pur­su­ant to § 2(14)1 BSIG, com­pa­nies are encom­pas­sed “that manu­fac­tu­re or deve­lop goods in accordance with § 60(1), Nos. 1 and 3 of the For­eign Trade and Pay­ments Ordi­nan­ce, as amen­ded.” This includes, in par­ti­cu­lar, com­pa­nies from the field of wea­pons, arma­ments or ammu­ni­ti­on pro­duc­tion, as well as manu­fac­tu­r­ers of pro­ducts that pro­du­ce IT secu­ri­ty func­tions for pro­ces­sing of sen­si­ti­ve mat­ters or sup­p­ly essen­ti­al com­pon­ents for them.
  • § 2(14)2 BSIG encom­pas­ses com­pa­nies “which, in terms of their dome­stic value added, are among the lar­gest com­pa­nies in Ger­ma­ny and are the­r­e­fo­re of con­sidera­ble eco­no­mic importance for the Fede­ral Repu­blic of Ger­ma­ny”. Howe­ver, the pre­cise eco­no­mic indi­ca­tors for iden­ti­fy­ing the com­pa­nies con­cer­ned have yet to be defi­ned by legal ordi­nan­ce. As soon as the legal ordi­nan­ce is available, the Fede­ral Minis­try of the Inte­ri­or will publish the uni­que sel­ling pro­po­si­ti­ons for the sup­pli­ers of the affec­ted com­pa­nies, which are also encom­pas­sed. Encom­pas­sed sup­pli­ers must then also com­ply with the requi­re­ments for com­pa­nies of spe­cial public interest.
  • Pur­su­ant to § 2(14)3 BSIG, com­pa­nies of spe­cial public inte­rest may also be “the ope­ra­tors of an upper-tier ope­ra­ting area in the terms of the Major Inci­dents Ordi­nan­ce” or com­pa­nies equi­va­lent to the­se in accordance with § 1(2) of the Major Inci­dents Ordi­nan­ce (only in German).

The requi­re­ments for com­pa­nies of spe­cial public inte­rest are not rele­vant to ope­ra­tors of cri­ti­cal infra­struc­tures, sin­ce a com­pa­ny can­not be an ope­ra­tor of a cri­ti­cal infra­struc­tu­re and a com­pa­ny of spe­cial public inte­rest at the same time. Howe­ver, the BSI empha­si­zes in its FAQ that each com­pa­ny, i.e., each legal enti­ty, in a group of com­pa­nies is con­side­red separately.

What legal obli­ga­ti­ons must be observed?

Com­pa­nies sub­ject to § 2(14)1 BSIG or § 2(14)2 BSIG must com­ply in par­ti­cu­lar with the fol­lo­wing legal requirements:

  • obli­ga­ti­on to regis­ter for desi­gna­ti­on as a cont­act point (§ 8f(5) BSIG) (only in German)
  • obli­ga­ti­on to report secu­ri­ty inci­dents (§ 8f(7) BSIG)(only in German)
  • obli­ga­ti­on to make a self-certification on IT secu­ri­ty every two years (§ 8f(1), Nos. 1 to 3 BSIG) (only in German)

It should be noted, howe­ver, that com­pa­nies under § 2(14)1 BSIG must com­ply with the new obli­ga­ti­ons as ear­ly as 1 May 2023 (§ 8f (1) and (4), Sen­tence 1 and (7) BSIG), while com­pa­nies under § 2(14)2 BSIG must do so no ear­lier than two years after issu­an­ce of the legal ordi­nan­ce that has not yet been issued (§ 8f (1) and (4), Sen­tence 2 and (7) BSIG).

For com­pa­nies under § 2(14)3 BSIG, the­re is neither an obli­ga­ti­on to regis­ter nor an obli­ga­ti­on to sub­mit a self-certification on IT secu­ri­ty. Howe­ver, vol­un­t­a­ry regis­tra­ti­on in accordance with § 8f(6) BSIG is pos­si­ble. Howe­ver, as ear­ly as 1 Novem­ber 2021, com­pa­nies will have to report inci­dents that meet the defi­ni­ti­on of § 8f(8) BSIG to the BSI wit­hout delay.

What should com­pa­nies do in light of the new requirements?

In its cur­rent recom­men­da­ti­ons, the BSI focu­ses very stron­gly on the legal dead­lines, but recom­mends that com­pa­nies “[…] con­ti­nuous­ly impro­ve and increase their own IT secu­ri­ty level at all times and for each com­pa­ny” due to the IT secu­ri­ty situa­ti­on. Our con­sul­ting prac­ti­ce also shows that the­re is still con­sidera­ble uncer­tain­ty among many com­pa­nies as to whe­ther and to what ext­ent they must obser­ve and imple­ment the IT Secu­ri­ty Act 2.0. Based on this, we advi­se com­pa­nies to imple­ment cyber­se­cu­ri­ty com­pli­ance manage­ment that allows for stra­te­gic imple­men­ta­ti­on of legal cyber­se­cu­ri­ty requi­re­ments, even bey­ond the IT Secu­ri­ty Act 2.0.


With the publi­ca­ti­on of infor­ma­ti­on on the obli­ga­ti­ons for com­pa­nies of spe­cial public inte­rest, the BSI is con­ti­nuing its infor­ma­ti­on cam­paign on the IT Secu­ri­ty Act 2.0. In this respect, the fre­quent­ly asked ques­ti­ons now published sup­ple­ment the infor­ma­ti­on alre­a­dy pro­vi­ded on the vol­un­t­a­ry IT secu­ri­ty mark. From a busi­ness per­spec­ti­ve, the BSI’s publi­ca­ti­on of addi­tio­nal infor­ma­ti­on is express­ly wel­co­me, as it allows com­pa­nies to bet­ter prepa­re for the imple­men­ta­ti­on of regu­la­to­ry requi­re­ments and the asso­cia­ted inter­pre­ta­ti­ons of the BSIG as part of their cyber­se­cu­ri­ty com­pli­ance manage­ment. At the same time, howe­ver, the new infor­ma­ti­on also demons­tra­tes the incre­asing com­ple­xi­ty of regu­la­to­ry requi­re­ments for cyber­se­cu­ri­ty and the asso­cia­ted chal­lenges for companies.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.