After the IT Security Act 2.0 (IT-SiG 2.0) was passed by the Bundestag at the end of April and approved by the Bundesrat in May, it entered into force on 28 May 2021. Its focal points, already known from earlier drafts, remain the same: the Federal Office for Information Security (BSI) takes on consumer protection as a statutory task and introduces an IT security mark, and it assumes wider responsibilities for ensuring IT security at federal authorities.
In addition, the IT Security Act 2.0 contains further significant innovations:
BSI as national authority for cyber security certifications
The BSI is designated as the national authority for cyber security certification under the Cybersecurity Act of the European Union. It is thereby given extensive powers over cyber security certifications in Germany: for example, it approves and monitors conformity assessment bodies and can revoke the corresponding certifications where necessary.
Requirements for the use of “critical components”
In future, KRITIS operators must notify the Federal Ministry of the Interior (BMI) before they put so-called “critical components” into use. The manufacturers of these critical components must submit a declaration of trustworthiness, compliance with which is monitored by the BSI. The BMI can prohibit the use of such components under certain conditions, in particular in the case of violations of the declaration of trustworthiness. In the case of gross violations, the use of all critical components of a manufacturer can even be prohibited.
Coverage of companies in the public interest
In addition to municipal waste disposal as a new KRITIS sector, “companies in the public interest” are now also covered by the IT-SiG 2.0. These include, for example, defence companies and, because of their economic importance, the largest companies in Germany. Exactly which companies must then meet the requirements of the IT-SiG is to be regulated in a legal ordinance. Besides registering a contact point with the BSI, these companies must demonstrate to the BSI, by means of a self-declaration, an IT security level in line with the state of the art.
Attack detection systems
By 1 May 2023 at the latest, KRITIS operators must implement “attack detection systems” and provide proof of this to the BSI.
New rules for fines
The new fines are tied to administrative offences and can amount to up to 2 million euros. Under certain circumstances, however, they can be increased to up to 20 million euros. The stated reason for this design is harmonisation with other standards, especially at EU level.
Amendment of the EnWG
The IT-SiG 2.0 also supplements the Energy Industry Act (EnWG). For example, the new paragraphs 1d to 1f of §11 EnWG require energy suppliers and producers to use attack detection systems. Here, too, the implementation deadline is 1 May 2023, and corresponding proof must be provided to the BSI.
New BSI Critical Infrastructure Ordinance
In addition, a draft amendment to the BSI KRITIS Ordinance was published at the end of April 2021, and an association hearing was held on it. Besides a large number of general adjustments and additions to terminology, threshold values were set or their definitions revised, particularly for energy producers and in the transport and traffic sector. As a result, more than 200 additional KRITIS operators are expected to fall under the IT Security Act. The new BSI KRITIS Ordinance is to come into force on 1 January 2022.
However, threshold values for the new KRITIS sector of municipal waste management have not yet been set; these are to follow shortly. A further, corresponding amendment to the BSI KRITIS Ordinance is expected by the end of 2021.