The new IT Security Act 2.0: an overview

By way of the Second Act to Increase the Security of Information Technology Systems (only in German) of 18 May 2021 (IT Security Act 2.0), lawmakers have created new protection mechanisms and defense strategies for important areas of IT security in Germany. Following on from the first IT Security Act of 2015, the new Act strengthens and expands the competencies of the Federal Office for Information Security (BSI) and introduces numerous new regulations for operators of critical infrastructures (CRITIS), for the use of “critical components” and for the new category of “companies of special public interest”.

New regulations for operators of critical infrastructures

A large number of the new regulations affect CRITIS operators. CRITIS are organizations or facilities of critical importance to the state community, the failure or impairment of which would result in sustained supply shortages, significant disruptions to public safety, or other dramatic consequences. To defend against epidemic and environmental threats, the IT Security Act 2.0 now adds the new “municipal waste management” sector to the already familiar CRITIS sectors, namely government and administration, energy, IT and telecom, transport and traffic, health, media and culture, water, food, and finance and insurance.

To the extent that a company operating in one of these sectors reaches or exceeds a certain threshold of coverage (the standard threshold here is 500,000 persons served), the company is required to comply with certain legal obligations and safeguards. For example, § 8b(3) of the Act on the Federal Office for Information Security (BSIG) (only in German), added by the IT Security Act 2.0, introduces a registration obligation for CRITIS operators, which can also be enforced against their will if necessary. In addition, from 1 May 2023 there will be an explicit obligation to use attack detection systems.

Stricter regulations also for the use of critical components

“Critical Components” are IT products that are used in critical infrastructures and for which disruptions to availability, integrity, authenticity and confidentiality can lead to a failure or to a significant impairment of the functioning of the infrastructure, or to threats to public safety.

CRITIS companies are now required to report Critical Components prior to their planned deployment. As part of the decision-making process on the use of a Critical Component, they must also comply with the orders of the competent Federal Ministry of the Interior and, in the event of a ban, refrain from using the component altogether. In addition, § 9b(3) BSIG (only in German) introduces a mandatory guarantee by the manufacturer of the Critical Component to the CRITIS operator, which must set out how the Critical Component is protected against misuse, sabotage, espionage or terrorism. This indirectly expands the scope of application of the BSIG enormously.

New regulations for companies of special public interest

The new category of “companies of special public interest” created by the IT Security Act 2.0 includes companies that either fall under § 60 of the Foreign Trade and Payments Ordinance (AWV) (only in German), are among the largest companies in Germany, or fall within certain areas of the Disruptive Incidents Ordinance. Also included are suppliers that are essential because of their unique selling propositions.

The legal obligations for these companies are in many cases based on the obligations of the CRITIS operators, but their scope is sometimes reduced. For example, companies of special public interest must also register with the Federal Office for Information Security and demonstrate compliance with the requirements every two years. However, a self-declaration on IT security is sufficient as evidence here; external proof is not required. Like CRITIS operators, companies of special public interest also have an obligation to report disruptions affecting their value creation without delay. In return, these companies have the option of requesting assistance from the BSI in the event of high-profile IT security incidents.

Further innovations and stricter fines

In addition to the new regulations already mentioned, the IT Security Act 2.0 introduces a voluntary IT security label in the form of § 9c BSIG (only in German) to improve consumer information. As early as the end of the year, the label will enable consumers to easily find out about the security features of products and services assured by the manufacturer. In addition, the BSI will also become the central point of contact for companies, receiving and evaluating reports on IT security risks, and will set up reporting channels that can be used anonymously for this purpose. Last but not least, with the new Security Act, legislators have also significantly expanded the fine provisions in § 14 BSIG (only in German) and considerably increased the range of fines for violations of the standardised obligations. In all cases, companies should therefore carefully examine whether legal obligations arise from the IT Security Act 2.0 or existing IT security regulations and, if necessary, quickly take appropriate measures.
