Home   >   News   >   New obligations for critical infrastructure companies
New obligations for critical infrastructure companies

After a new draft speaker became public in May 2020, the discussion about IT Security Law 2.0 is picking up speed again. Before we deal with this further development, we would like to look at another BSI document that could significantly determine the direction for critical infrastructure companies.

In February 2020, the BSI published a document entitled “Specification of the requirements for the measures to be implemented in accordance with Section 8a (1) BSIG”. This document is intended to provide information to critical infrastructure operators and is intended as a benchmark and aid.

The 100 requirements defined in this document are indeed very specific. Among other things, the operation of an ISMS is just as important as the setting up of a BCM. Furthermore, annual checks of the IT systems are required, as is the performance of an annual penetration test. Many requirements are based on standards such as ISO 27001.

Although the implementation of these requirements is not binding, it will have to be dealt with as a benchmark for the BSI. Even if the law does not explicitly require that an ISMS be set up, the question remains how the requirements of the IT Security Act can be met without the setting up of an ISMS. In fact, it can be concluded from this that critical infrastructures operators – if you have not yet done so – must set up and operate an ISMS for their critical infrastructure systems.

This view is reinforced by another innovation. The BSI has meanwhile proposed a new “Document P”. This document should summarise the previous forms PD, PE and PS. However, it also provides that the level of maturity of a critical infrastructure operator’s ISMS must be assessed. In addition, the level of maturity of a BCMS should be assessed analogously.

Even if this document of proof is not yet binding, it shows the direction in which the innovations of the IT security law could go. We recommend all critical infrastructure operators to deal with these requirements promptly. The above The BSI document can be found on the BSI website. We would be happy to provide this document to customers and interested parties on request and support it in its implementation.

Go to news overview