By way of the Second Act to Increase the Security of Information Technology Systems (only in German) of 18 May 2021 (IT Security Act 2.0), lawmakers have created new protection mechanisms and defence strategies for important areas of IT security in Germany. Following on from the first IT Security Act of 2015, the new Act strengthens and expands the competencies of the Federal Office for Information Security (BSI) and introduces numerous new obligations for operators of critical infrastructures (CRITIS), for the use of “critical components” and for the new category of “companies of special public interest”.
New regulations for operators of critical infrastructures
A large number of the new regulations affect CRITIS operators. Critical infrastructures are organisations or facilities of critical importance to the community, the failure or impairment of which would result in sustained supply shortages, significant disruptions to public safety or other dramatic consequences. To the already familiar CRITIS sectors, namely government and administration, energy, IT and telecommunications, transport and traffic, health, media and culture, water, food, and finance and insurance, the IT Security Act 2.0 now adds the new sector “municipal waste management”, in order to defend against epidemic and environmental threats.
To the extent that a company operating in one of these sectors reaches or exceeds a certain coverage threshold (the standard threshold is 500,000 persons served), the company must comply with specific legal obligations and safeguards. For example, § 8b(3) of the Act on the Federal Office for Information Security (BSIG) (only in German), as introduced by the IT Security Act 2.0, establishes a registration obligation for CRITIS operators; if an operator fails to register, the BSI can carry out the registration itself. In addition, from 1 May 2023 there is an explicit obligation to use attack detection systems.
Stricter regulations also for the use of critical components
“Critical Components” are IT products that are used in critical infrastructures and whose disruption in terms of availability, integrity, authenticity or confidentiality can lead to the failure or significant impairment of the infrastructure’s functioning, or to threats to public safety.
CRITIS operators are now required to notify the planned first-time deployment of a Critical Component before it takes place. As part of the decision on whether a Critical Component may be used, they must comply with the orders of the competent Federal Ministry of the Interior and, in the event of a prohibition, refrain from using the component altogether. In addition, § 9b(3) BSIG (only in German) requires the manufacturer of a Critical Component to issue a guarantee declaration to the CRITIS operator, setting out how the Critical Component is protected against misuse, sabotage, espionage and terrorism. This indirectly expands the scope of application of the BSIG considerably, as it reaches manufacturers who are not themselves CRITIS operators.
New regulations for companies of special public interest
The new category of “companies of special public interest” created by the IT Security Act 2.0 includes companies that either fall under § 60 of the Foreign Trade and Payments Ordinance (AWV) (only in German), are among the largest companies in Germany by economic significance, or fall within certain areas of the Major Accidents Ordinance (Störfall-Verordnung). Also included are suppliers to such companies that are essential because of their unique selling propositions.
The legal obligations for these companies are in many cases modelled on those of CRITIS operators, but their scope is in some respects reduced. For example, companies of special public interest must also register with the Federal Office for Information Security and demonstrate compliance with the requirements every two years. Here, however, a self-declaration on IT security is sufficient as evidence; external proof is not required. Like CRITIS operators, companies of special public interest must report without delay any disruptions that affect their value creation. In return, these companies have the option of requesting assistance from the BSI in the event of high-profile IT security incidents.
Further innovations and stricter fines
In addition to the regulations already mentioned, the IT Security Act 2.0 introduces a voluntary IT security label in § 9c BSIG (only in German) to improve consumer information. As early as the end of the year, the label will enable consumers to find out easily about the security features of products and services that the manufacturer has assured. The BSI will also become the central point of contact for receiving and evaluating reports on IT security risks from companies, and will set up reporting channels that can be used anonymously for this purpose. Last but not least, the new Act significantly expands the fine provisions in § 14 BSIG (only in German) and considerably increases the range of fines for violations of the statutory obligations. Companies should therefore carefully examine whether legal obligations arise for them from the IT Security Act 2.0 or from existing IT security regulations and, if necessary, take appropriate measures promptly.