The new IT Security Act 2.0: an overview

By way of the Second Act to Increase the Security of Information Technology Systems (only in German) of 18 May 2021 (IT Security Act 2.0), lawmakers have created new protection mechanisms and defense strategies for important areas of IT security in Germany. Following on from the first IT Security Act of 2015, the Act strengthens and expands the competencies of the Federal Office for Information Security (BSI) and introduces numerous new regulations for operators of critical infrastructures (CRITIS), for the use of “critical components” and for the new category of “companies of special public interest”.

New regulations for operators of critical infrastructures

A large number of the new regulations affect CRITIS operators. CRITIS are organizations or facilities of critical importance to the state community, the failure or impairment of which would result in sustained supply shortages, significant disruptions to public safety, or other dramatic consequences. The IT Security Act 2.0 now adds the new “municipal waste management” sector to the already familiar CRITIS sectors, namely government and administration, energy, IT and telecom, transport and traffic, health, media and culture, water, food, finance and insurance, to defend against epidemic and environmental threats.

To the extent that a company operating in one of these sectors reaches or exceeds a certain threshold of coverage (the standard threshold here is 500,000 persons served), the company is required to comply with certain legal obligations and safeguards. For example, § 8b(3) of the Act on the Federal Office for Information Security (BSIG) (only in German), which was introduced with the IT Security Act 2.0, establishes a registration obligation for CRITIS operators, which can also be enforced against their will if necessary. In addition, from 1 May 2023, there will be an explicit obligation to use attack detection systems.

Stricter regulations also for the use of critical components

“Critical Components” are IT products that are used in critical infrastructures and for which disruptions to availability, integrity, authenticity and confidentiality can lead to a failure or to a significant impairment of the functioning of infrastructure or to threats to public safety.

CRITIS companies are now required to report Critical Components prior to their planned deployment. As part of the decision-making process on the use of a Critical Component, they must also comply with the orders of the competent Federal Ministry of the Interior and, in the event of a ban, refrain from using the component altogether. In addition, § 9b(3) BSIG (only in German) introduces a mandatory guarantee by the manufacturer of the Critical Component to the CRITIS operator, which must set out how the Critical Component is protected against misuse, sabotage, espionage or terrorism. This indirectly expands the scope of application of the BSIG enormously.

New regulations for companies of special public interest

The new category of “companies of special public interest” created by the IT Security Act 2.0 includes companies that either fall under § 60 of the Foreign Trade and Payments Ordinance (AWV) (only in German), are among the largest companies in Germany, or fall within certain areas of the Disruptive Incidents Ordinance. Also included are suppliers that are essential because of their unique selling propositions.

The legal obligations for these companies are in many cases based on the obligations of the CRITIS operators, but their scope is sometimes reduced. For example, companies of special public interest must also register with the Federal Office for Information Security and demonstrate compliance with the requirements every two years. However, a self-declaration on IT security is sufficient as evidence here; external proof is not required. Like CRITIS operators, companies of special public interest also have an obligation to report disruptions affecting the provision of added value without delay. In return, these companies have the option of requesting assistance from the BSI in the event of high-profile IT security incidents.

Further innovations and stricter fines

In addition to the new regulations already mentioned, the IT Security Act 2.0 introduces a voluntary IT security label in the form of § 9c BSIG (only in German) to improve consumer information. As early as the end of the year, the label will enable consumers to easily find out about security features of products and services assured by the manufacturer. In addition, the BSI will also become the central point for companies to receive and evaluate reports on IT security risks and will set up reporting channels that can be used anonymously for this purpose. Last but not least, with the new Security Act, legislators have also significantly expanded the fine provisions in § 14 BSIG (only in German) and considerably increased the fine framework for violations of the standardised obligations. In all cases, companies should therefore carefully examine whether legal obligations arise from the IT Security Act 2.0 or existing IT security regulations and, if necessary, quickly take appropriate measures.

