Observe the obligation to use systems for the detection of attacks according to IT-SiG 2.0!
The IT Security Act 2.0 (IT-SiG 2.0) came into force in May 2021. This means that KRITIS operators will have to meet a number of new requirements, including the obligation to use systems for attack detection from 01.05.2023. Compliance with this requirement must also be demonstrated to the BSI in a suitable form.
For operators of energy supply networks and energy facilities, paragraphs (1d) and (1e) were added to §11 of the Energy Industry Act (EnWG) as part of the IT Security Act 2.0. Paragraph 1d anchors the obligation to use systems for attack detection for these companies, and paragraph 1e specifies the obligation to provide evidence to the BSI.
Especially for small and medium-sized public utilities as operators of energy supply networks, which are significantly below the threshold values according to the BSI KritisV, the question has arisen as to whether they also have to fulfil this requirement. We have now clarified this question with both the BSI and the BNetzA, as different opinions on the matter were circulating in the past.
Both federal agencies have agreed that all operators of energy supply networks (regardless of the size of the facilities) must introduce systems for attack detection and prove this to the BSI by 01.05.2023 at the latest (and then every two years). In addition, the BNetzA has pointed out that there may be exceptions with regard to the non-applicability of the obligation to provide proof within the framework of the IT security catalogue according to §11 (1a) EnWG.
Please do not hesitate to contact us if you have any questions.