With the IT Security Act 2.0 (IT-SiG 2.0), an important law came into force in Germany that is intended to protect critical infrastructures (CRITIS) in particular. In this blog post, Ferdinand Grieger, Chief Legal Counsel of DGC Switzerland AG, describes related tasks and challenges, shows where companies stand in 2022 and explains how DGC can support the implementation of the IT Security Act.
What is the IT Security Act 2.0?
In spring 2021, the new IT Security Act 2.0 – a further development of the IT Security Act 1.0 enacted in 2015 – was passed in Germany. The law places greater obligations on operators of critical infrastructures (CRITIS). The German state now has more powers and is entitled to information from the relevant organizations: from disclosing and proving the existence of systems for attack and anomaly detection, to extended incident reporting obligations, to obtaining warranty declarations from system manufacturers. If the operators and companies concerned fail to comply with these obligations, they face severe fines of up to two million euros.
These companies are affected by the IT Security Act 2.0
In general, companies from the energy, information technology and telecommunications, transportation and traffic, health, water, food, finance and insurance, and municipal waste disposal sectors are considered critical infrastructures. The exact criteria (facility types and thresholds) are defined in the CRITIS Regulation.
In addition to the CRITIS companies affected to date, another sector has been added to the group of CRITIS companies: facilities for the disposal of municipal waste (Section 2 (10) Sentence 1 No. 1 Alt. 8 BSIG). Companies from this sector have to deal with the requirements for CRITIS companies for the first time. Furthermore, so-called companies in the special public interest have been brought within the scope of the BSIG (Section 2 (14) BSIG).
These include defense manufacturers and manufacturers of IT products for processing classified government information (Sec. 2 (14) Sentence 1 No. 1 BSIG), Germany's largest companies in terms of domestic value added, which are of significant economic importance (Sec. 2 (14) Sentence 1 No. 2 BSIG), and operators of an upper-tier facility as defined in the Major Accidents Ordinance and those deemed equivalent to such pursuant to Sec. 1 (2) of the Major Accidents Ordinance (Sec. 2 (14) Sentence 1 No. 3 BSIG).
IT Security Act 2.0: These are the new obligations for companies
Under the updated law, the affected companies must comply with the following obligations in particular: They must be registered with the German Federal Office for Information Security (BSI) and maintain a contact point that can be reached at any time. In addition, operators are required to use state-of-the-art attack detection systems. They must submit documentation so that the BSI can assess whether the obligation to implement appropriate organizational and technical precautions, including an attack detection system, has been met – and in the event of a disruption, they must also provide the BSI with all the information required to deal with it.
Furthermore, the German Federal Ministry of the Interior must be notified if a CRITIS company plans to use critical components for the first time. A warranty declaration must then be obtained from the manufacturer of these components and submitted to the Federal Ministry of the Interior. Their use can be prohibited by the Federal Ministry of the Interior.
Attack detection: Part of the IT Security Act 2.0 from 2023
From May 2023, attack detection systems will be mandatory for operators of critical infrastructures and other defined companies. The term attack detection systems is legally defined in the BSIG (Section 2 (9b) BSIG). This includes processes supported by technical tools and organizational integration for detecting attacks on information technology systems, whereby attack detection is performed by comparing the data processed in an information technology system with information and technical patterns that indicate attacks.
In short, a company needs a system that aims at attack detection, works preventively, is continuously in use, detects attacks on the basis of information and technical patterns already known from security incidents that have occurred, and is implemented through technical tools together with organizational integration.
Why are attack detection systems so important for CRITIS operators, but also for other companies?
These systems make attacks and anomalies visible early, before an attacker can move from a first foothold to real damage. By using such attack detection systems, risks can be reduced from the outset: attacks that are detected and contained in time do not succeed, and the consequences that legal liability regimes attach to a successful attack are far less likely to arise. Attack detection systems are therefore effective protection against both cyber attacks and the associated liability risks.
IT-SiG 2.0: Where companies stand in 2022 and what the consequences will be if they fail to implement it
The implementation status varies from company to company. Affected companies would be well advised to press ahead with the preparation and implementation of the IT Security Act 2.0 in the coming months. This is because the fine provisions of the BSIG have been extensively revised and clarified to improve the enforcement of disclosure and verification obligations. Even a CRITIS operator's failure to designate a contact point is subject to a fine. Instead of the fines of up to EUR 100,000 possible under the previous BSIG, administrative offenses can now be punished with a fine of up to EUR 2,000,000. In view of this significantly increased threat of fines, the companies addressed are urged to speed up implementation.
How can DGC help companies implement the IT Security Act?
DGC first analyzes the current state of a company's existing cyber security and contrasts it with the target state. Companies are then "picked up" from where they stand in terms of implemented – or not yet implemented – cyber security measures and accompanied on the path to comprehensive cyber compliance. Thanks to DGC's holistic approach to cyber security partnerships, our IT security experts are also able to minimize the risks of a cyber incident. Damages, expenses and other consequences resulting from a successful cyber attack can thus be kept away from the company, its employees, executives, shareholders, suppliers, etc.
You can find out what role the BSI plays in the implementation of the IT Security Act 2.0 and what other effects this may have on the IT security of many companies in the future in our second part: "BSIG: The BSI as a hub in the defense against information security threats".