The legislative process for the Second Act to Increase the Security of Information Technology Systems (Zweites Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme, “IT Security Act 2.0”) has now been completed.
After being countersigned by the German Federal President and published in the Federal Law Gazette, most of the Act will come into force tomorrow (28 May 2021). With the IT Security Act 2.0, the First Act to Increase the Security of Information Technology Systems was updated to increase cyber and information security against the backdrop of increasingly frequent and complex cyber-attacks and the continued digitalisation of everyday life.
Because of the tightened IT security obligations and increased penalties, the numerous amendments to Germany's central IT security law, the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSI-Gesetz), “BSI Act”), are relevant not only for the operators of critical infrastructures already covered by the BSI Act but also for (i) companies active in the area of municipal waste disposal, (ii) manufacturers of IT products used in critical infrastructures, and (iii) the so-called companies in the special public interest.
Who is affected by the amendments to the BSI Act?
The extended scope of application of the BSI Act is one of the main changes brought about by the IT Security Act 2.0:
In addition to the critical sectors already anchored in the BSI Act (energy, information technology and telecommunications, transport and traffic, health, water, food, as well as finance and insurance), another sector, namely the municipal waste disposal sector, is now included in the regulatory scope of the BSI Act. The critical service in this sector is the disposal of municipal waste.
Suppliers, i.e. manufacturers of critical components, will also be subject to certain obligations; this is intended to safeguard the entire supply chain. Critical components are IT products (i) that are used in critical infrastructures; (ii) for which disruptions to availability, integrity, authenticity and confidentiality may lead to a failure or a significant impairment of the functionality of critical infrastructures or to threats to public safety; and (iii) that are designated as critical components by a law referring to this provision, or that realise a function designated as critical by such a law.
“Companies in the special public interest” is a completely new category in addition to critical infrastructures. This includes companies that are not operators of critical infrastructures and that:
No. 1. – manufacture or develop goods pursuant to Section 60 para. 1 nos. 1 and 3 of the German Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung (AWV)) (defence manufacturers as well as manufacturers of IT products for the processing of classified state information)
No. 2. – in terms of their domestic value-added, are among the largest companies in Germany and are therefore of considerable economic importance for the Federal Republic of Germany, or which are of essential significance to such companies as suppliers because of their unique selling propositions (who is explicitly to fall under this category will be specified – as in the case of critical infrastructures – by means of an ordinance) or
No. 3. – are operators of an upper-tier establishment within the meaning of the Hazardous Incident Ordinance (Störfall-Verordnung) or are equivalent to such operators pursuant to Section 1 para. 2 of the Hazardous Incident Ordinance.
What new IT security obligations are going to be introduced?
The IT Security Act 2.0 supplements the obligations already existing under the BSI Act and introduces new obligations:
1.) For operators of critical infrastructures, this concerns, in particular, the following new obligations:
Obligation to register a critical infrastructure with the Federal Office for Information Security (“BSI”): In addition to the already existing obligation of operators of critical infrastructures to designate a contact point for the critical infrastructure they operate that can be reached at any time, an obligation to register a critical infrastructure is now directly anchored in the BSI Act.
Obligation to use attack detection systems: The obligation of operators of critical infrastructures to take appropriate organisational and technical measures to avoid disruptions to the availability, integrity, authenticity and confidentiality of the IT systems, components and processes that are decisive for the functionality of the critical infrastructures they operate (cf. Section 8a BSI Act) has been concretised. This obligation now explicitly includes the use of attack detection systems, which must be state of the art. Under the Act, such systems must continuously and automatically record and evaluate suitable parameters and characteristics of ongoing operation and must be capable of continuously identifying and averting threats; operators must meet this requirement by 1 May 2023 at the latest. In practice this means that logging and monitoring coverage of the systems in scope has to be demonstrable, not merely the presence of a product.
Obligation to submit the documents and information required for an assessment by the BSI: In connection with this new obligation, the BSI can, for example, request information on the key figures relating to the respective thresholds if facts justify the assumption that an operator is not fulfilling its obligation to register.
Obligation to release the information necessary to manage the disruption: During a significant disruption, the BSI may, in agreement with the respective competent federal supervisory authority, demand that the affected operators of critical infrastructures or the companies in the special public interest hand over the information, including personal data, necessary to manage the disruption.
Obligations in connection with the use of critical components: The operator of critical infrastructure is also subject to obligations connected with the use of critical components.
The IT Security Act 2.0 introduces, on the one hand, the obligation of operators of critical infrastructures to notify the Federal Ministry of the Interior, Building and Community (“BMI”) of the planned first-time use of a critical component prior to its use.
On the other hand, the operator of critical infrastructure is obligated to obtain a declaration from the manufacturer of the critical components about its trustworthiness (so-called guarantee declaration). Only after obtaining such a guarantee declaration may the operator of a critical infrastructure use critical components. This declaration must be attached to the notification to the BMI.
Based on the notification described above and the guarantee declaration, the BMI carries out an ex-ante and an ex-post examination of the use of critical components. In agreement with the relevant ministries listed in the BSI Act and the Federal Foreign Office, it can prohibit the planned initial or further use of a critical component vis-à-vis the operator of the critical infrastructure, or issue orders, “if the (further) use is likely to impair the public order or security of the Federal Republic of Germany”. It must be pointed out that a prohibition of the further use of a critical component can have further consequences for its manufacturer, up to a prohibition of the use of that manufacturer's other critical components.
2.) Correspondingly, since operators of critical infrastructures may only use critical components from manufacturers who have declared their trustworthiness to them, manufacturers will have to issue such guarantee declarations to the operator of the critical infrastructure, covering their entire supply chain.
3.) The obligations applicable to operators of critical infrastructures are extended, in a slightly modified form, to further economic sectors, namely the companies in the special public interest. The obligations of these companies differ depending on the category to which a company belongs: Companies subject to regulation under the Hazardous Incident Ordinance (No. 3 above) face less extensive obligations than defence manufacturers and manufacturers of IT products for the processing of classified state information (No. 1 above), and than companies which, based on their domestic value-added, are among the largest companies in Germany and are therefore of considerable economic importance for the Federal Republic of Germany, or which are of essential significance to such companies as suppliers because of their unique selling propositions (No. 2 above).
What are the possible consequences of violating IT security obligations due to the amendments to the BSI Act?
The catalogue of provisions on fines has been completely revised: The offences subject to fines have been specified for better enforcement, especially of obligations to provide information and evidence, and have been considerably expanded in accordance with the newly introduced obligations described above.
For example, an administrative offence was introduced for those operators of critical infrastructures who do not ensure that the contact point to be designated can be reached at all times or – in the case of qualification as a company in the special public interest pursuant to Section 2 para. 14 sentence 1 nos. 1 and 2 of the BSI Act – do not submit a self-declaration, do not submit it correctly, do not submit it completely or do not submit it on time.
The fines themselves were drastically increased to achieve a steering effect, as stated in the reasoning of the law. Instead of the fines of up to 100,000 EUR or up to 50,000 EUR possible under the previous BSI Act, administrative offences can now – depending on the case – be punished with a fine of (i) up to 2,000,000 EUR, (ii) up to 1,000,000 EUR, (iii) up to 500,000 EUR or (iv) up to 100,000 EUR.
What new tasks will be assigned to the BSI?
The IT Security Act 2.0 also expands the role of the BSI. The BSI is given several new tasks, including the following:
The performance of the tasks and powers of the BSI as the national cybersecurity certification authority within the meaning of Article 58 of Regulation (EU) 2019/881 of 17 April 2019 will be included in the catalogue of tasks of the BSI.
In order to take into account the growing importance of cyber and information security for consumers, especially due to the increasing interconnectedness of private households and the dissemination of connected consumer products, consumer protection and consumer information in the area of information technology security will be established as an additional task of the BSI.
Furthermore, the competence of the BSI for the development of specifications as well as the final evaluation of identification and authentication procedures from the point of view of information security will be clarified by law.
Given the increasing networking of IT products and the necessity of corresponding requirements for IT security for the purpose of consumer protection, the competence of the BSI for the development of requirements and recommendations together with conformity testing and confirmation for IT products, in particular in the form of technical guidelines, is explicitly specified.
The new provisions further stipulate the authority of the BSI to be able to query inventory data from providers of telecommunications services to inform those affected about security vulnerabilities and attacks.
In order to check for the existence of security vulnerabilities and other security risks in the information technology of the Federation and in the information technology of critical infrastructures, digital services and companies in the special public interest, the authority of the BSI to conduct so-called port scans is created. New Section 7b para. 4 of the new BSI Act also stipulates the authority of the BSI to use systems and procedures to fulfil its tasks, which simulate a successful attack in order to collect and evaluate the use of malware or other attack methods (so-called honeypots).
Finally, the BSI will have the power to issue orders vis-à-vis telecommunications and telemedia providers to avert specific threats to information security.
What changes with the introduction of the voluntary IT security mark?
The BSI's existing authority under the BSI Act to warn and advise users of products in the area of information technology security is supplemented by the new regulation on a voluntary IT security mark. The IT security mark is affixed as a label on the respective product or on its outer packaging (if this is possible according to the nature of the product) or is published electronically and is intended to give consumers orientation regarding the IT security of products and services in the IT sector.
The IT security mark does not make any statement about the data protection properties of a product and may only be used for a product if the BSI has approved the IT security mark for this product. Approval is granted upon application by the manufacturer if the requirements specified in the BSI Act in connection with the IT security mark are met and is only granted for products in the categories for which the BSI has already introduced the IT security mark by public announcement.
The IT Security Act 2.0 imposes a number of new and far-reaching obligations on operators of critical infrastructures, which require careful planning and timely implementation. When assessing when and how to implement the new requirements, current developments in the European Union must also be considered – the Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) is currently being revised.
According to the Proposal for a Directive on measures for a high common level of cybersecurity across the EU (so-called NIS 2 Directive) published on 16 December 2020, in particular the list of sectors and activities subject to cybersecurity obligations is to be expanded, and the security and reporting obligations are to be harmonised to a greater extent. Both sets of regulations contain similar and related requirements for IT security. A coordinated implementation that takes into account existing and planned future requirements can significantly limit the (financial) effort. In addition, at the national level, the ordinance for the determination of critical infrastructures is currently being further developed; according to the current draft, in particular new definitions and thresholds for critical infrastructures are to be introduced.