With the IT Security Act 2.0 and the amendments to the Act on the Federal Office for Information Security (BSIG) contained therein, German legislators introduced companies of special public interest (also known as UBIs or UNBÖFIs). In order to provide affected companies an overview of their rights and obligations, the Federal Office for Information Security (BSI), as the competent supervisory authority, has published FAQs (only in German). The following is a summary of the key messages from the agency information and our recommendations for implementation.
What are companies of special public interest?
Companies of special public interest are defined in § 2(14) BSIG (only in German). The Act distinguishes between the following three categories of companies:
- Pursuant to § 2(14)1 BSIG, companies are encompassed “that manufacture or develop goods in accordance with § 60(1), Nos. 1 and 3 of the Foreign Trade and Payments Ordinance, as amended.” This includes, in particular, companies in the field of weapons, armaments or ammunition production, as well as manufacturers of products that provide IT security functions for the processing of sensitive matters, or that supply essential components for such products.
- § 2(14)2 BSIG encompasses companies “which, in terms of their domestic value added, are among the largest companies in Germany and are therefore of considerable economic importance for the Federal Republic of Germany”. However, the precise economic indicators for identifying the companies concerned have yet to be defined by legal ordinance. As soon as the legal ordinance is available, the Federal Ministry of the Interior will publish the identifying characteristics for the suppliers of the affected companies, which are also encompassed. Encompassed suppliers must then also comply with the requirements for companies of special public interest.
- Pursuant to § 2(14)3 BSIG, companies of special public interest may also be “the operators of an upper-tier operating area in the terms of the Major Incidents Ordinance” or companies equivalent to these in accordance with § 1(2) of the Major Incidents Ordinance (only in German).
The requirements for companies of special public interest are not relevant to operators of critical infrastructures, since a company cannot be an operator of a critical infrastructure and a company of special public interest at the same time. However, the BSI emphasizes in its FAQ that each company, i.e., each legal entity, in a group of companies is considered separately.
What legal obligations must be observed?
Companies subject to § 2(14)1 BSIG or § 2(14)2 BSIG must comply in particular with the following legal requirements:
- obligation to register for designation as a contact point (§ 8f(5) BSIG) (only in German)
- obligation to report security incidents (§ 8f(7) BSIG) (only in German)
- obligation to make a self-certification on IT security every two years (§ 8f(1), Nos. 1 to 3 BSIG) (only in German)
It should be noted, however, that companies under § 2(14)1 BSIG must comply with the new obligations as early as 1 May 2023 (§ 8f(1), (4) Sentence 1 and (7) BSIG), while companies under § 2(14)2 BSIG must do so no earlier than two years after issuance of the legal ordinance, which has not yet been issued (§ 8f(1), (4) Sentence 2 and (7) BSIG).
For companies under § 2(14)3 BSIG, there is neither an obligation to register nor an obligation to submit a self-certification on IT security; voluntary registration in accordance with § 8f(6) BSIG is, however, possible. Nevertheless, as early as 1 November 2021, these companies will have to report incidents that meet the definition of § 8f(8) BSIG to the BSI without delay.
What should companies do in light of the new requirements?
In its current recommendations, the BSI focuses very strongly on the legal deadlines, but recommends that companies “[…] continuously improve and increase their own IT security level at all times and for each company” due to the IT security situation. Our consulting practice also shows that there is still considerable uncertainty among many companies as to whether and to what extent they must observe and implement the IT Security Act 2.0. Based on this, we advise companies to implement cybersecurity compliance management that allows for strategic implementation of legal cybersecurity requirements, even beyond the IT Security Act 2.0.
With the publication of information on the obligations for companies of special public interest, the BSI is continuing its information campaign on the IT Security Act 2.0. In this respect, the frequently asked questions now published supplement the information already provided on the voluntary IT security mark. From a business perspective, the BSI’s publication of additional information is expressly welcomed, as it allows companies to better prepare for the implementation of regulatory requirements and the associated interpretations of the BSIG as part of their cybersecurity compliance management. At the same time, however, the new information also demonstrates the increasing complexity of regulatory requirements for cybersecurity and the associated challenges for companies.