What changes and tasks result from the updated IT Security Act 2.0 – and which companies are affected? Ferdinand Grieger, Chief Legal Counsel of DGC Switzerland AG, presents the important innovations: This time, the question is what role the BSI plays in the implementation of IT-SiG 2.0 and what impact this may have on the IT security of many companies.
In this two-part blog post, Ferdinand Grieger, Chief Legal Counsel at DGC Switzerland AG, comments on the updated IT Security Act 2.0 and explains how DGC can support companies in implementing the IT Security Act. While the first part was primarily about the innovations introduced by the updated law, this second part deals with the changed powers of the BSI (Federal Office for Information Security) and the outlook for legally regulated IT security in Germany.
What is the BSI Act (BSIG)?
In 1991, the law establishing the Federal Office for Information Security in Germany came into force. In August 2009, the Establishment Act was supplemented by an Act to Strengthen Federal Information Technology Security. This in turn is the basis for the currently valid BSI Act.
Information technology has developed rapidly since then – and so have the actions of cyber criminals. Accordingly, the law and the BSI’s powers have been repeatedly adapted and expanded over time. In April 2021, the German parliament passed the IT Security Act 2.0. This gives the BSI a wide range of new powers to respond effectively to current security risks in the IT sector.
BSIG: The expanded role of the BSI through the IT-SiG 2.0
The updated IT Security Act 2.0 defines the BSI as the central authority for information security in the national context. In the future, it will serve as an information hub for the defense against IT threats. As such, the BSI will also become the reporting point for operators of critical infrastructures (KRITIS operators) in all IT-related security matters. As a result, the BSI’s range of tasks has become significantly more complex.
For example, the BSI will become the national authority for cyber certification, among other things, as part of the new catalog of tasks. The office is also responsible for the development of specifications and the final evaluation of identification and authentication procedures from the point of view of IT security.
Addition to BSIG: Numerous New Authorities for the BSI
Under the amended BSI Act (BSIG), the BSI now has the authority to conduct security risk assessments and port scans of federal facilities, KRITIS companies, digital service providers, and companies in the special public interest. In addition, the BSI is empowered to operate systems and procedures that present an attacker with what appears to be a successful attack, in order to collect and evaluate malware and other attack methods – so-called honeypots.
The BSI as the central institution for IT security
Under the updated law, the BSI is permitted to query inventory data from telecommunications service providers in order to inform those affected about security vulnerabilities and attacks. Furthermore, the BSI has the authority to issue orders to telecommunications and telemedia providers to avert specific threats to information security. The implementation of the IT Security Act 2.0 clearly shows that companies must interpret the BSI’s “new role” as a central institution for security in information technology, a point of contact and an auditor.
Awareness of cybersecurity is growing
Regardless of the effectiveness of individual obligations and increased fines, it is good that the topic of cybersecurity is being given greater legislative priority – after all, the number of cyberattacks is growing massively from year to year. According to the BKA, the number of recorded cybercrimes reached a new high in 2021 as well. And yet: currently, the biggest hurdle facing the German corporate landscape when it comes to cybersecurity is a lack of awareness of the dangers.
Impact of IT-SiG 2.0 on the IT industry
A comprehensive assessment of all effects on the IT industry is not yet possible. Judging by their workload, the IT and cybersecurity service providers that serve companies affected by the IT Security Act are currently equally busy with the steadily increasing number of cyberattacks and with the implementation of the new obligations introduced by the IT Security Act 2.0. This is particularly true for operators of critical infrastructures.
Perspectives: This is what companies should prepare for
In all likelihood, the legal standards on cybersecurity for KRITIS companies will be extended to other sectors, albeit initially in a weakened form. This is intended to contribute to a uniform level of security. At least that is what can be inferred from the discussions surrounding the European Commission’s revised Network and Information Systems Security Directive (NIS 2).
First, however, an adjustment to the BSI KRITIS Regulation will ensure that more companies are classified as KRITIS companies. In addition, legally defined security standards for companies outside of the KRITIS regulation can also be expected. Many developments are currently taking place in terms of cyber security. To what extent this will affect legislation or everyday business remains to be seen.
It is already clear that the IT Security Act 2.0 will not be the last change to German IT security law. A draft of the European Commission’s second NIS Directive is already available. Once it is issued, further changes, especially to the BSI Act, will be unavoidable. The extent to which the catalog of obligations for companies will change as a result cannot yet be predicted.
How can DGC support your company in implementing IT-SiG 2.0? Find out in our first blog post “IT Security Act 2.0: What will change for companies” or by contacting us directly.