Who is affected by the German IT Security Act (ITSG)?

Miriam Schuh, expert in healthcare and cosmetics


On the basis of the Act to Strengthen the Security of Federal Information Technology (IT Security Act), which has been in force since July 2015, operators of ‘critical infrastructures’ have certain obligations regarding the security of their systems. In particular, these include adherence to a minimum level of IT security. In addition, operators are obliged to report major IT security incidents to the Federal Office for Information Security (BSI). Until now, the absence of a conclusive legal definition of the term ‘critical infrastructure’ in the ITSG has been a problem: it made it harder to assess who was to be classified as an operator of facilities or installations under the ITSG, and who therefore had to meet the obligations that come with that classification, which led to legal uncertainty.

The current amendment

In the Regulation on the Identification of Critical Infrastructures under the BSI Act (BSI-KritisV), the legislators have now defined ‘critical infrastructures’ by compiling a definitive list of the facilities and installations they include. The first part of the regulation came into force as early as May 2016, determining which facilities and installations in the energy, water, food, and information technology and telecommunications sectors are deemed to be ‘critical infrastructures’. On 31 May 2017, the federal government approved the second and final part of the regulation, the regulation amending the BSI-KritisV, which complements the first part. On its basis it is now possible to determine in detail which facilities and installations in the health, finance and insurance, and transport sectors are to be classified as critical infrastructures, so that companies can now make a legally watertight assessment as to whether or not the ITSG applies to them.

Practical impacts: compliance check in accordance with the ITSG

For companies operating in the sectors mentioned above, it is therefore important to verify whether or not the ITSG applies to them. If it does, enhanced security standards must be implemented in the companies concerned within two years after the first regulation amending the BSI-KritisV has come into force (which is expected to happen in June 2017). The ITSG affects the operators of facilities and installations directly. Indirectly, however, manufacturers of facilities and installations, or of components thereof, will also feel the effects of the act, since operators require their cooperation to ensure the conformity of their security systems and must therefore integrate them into their information security management systems. In this context, manufacturers must ensure that all product information needed to reach the obligatory security level is duly made available.

Manufacturers should therefore put structures in place that allow them, first, to contact their customers and verify whether or not those customers are operators of facilities or installations of the kind designated in the ITSG. At the same time, they need to check whether they themselves face more stringent obligations regarding the provision of information, and whether the required information can be obtained in full and passed on to their customers.

[June 15th, 2017]