The IT Security Act 2.0
On our own behalf: IT security, KRITIS, Security Act
The IT Security Act in Germany requires operators of critical infrastructures (KRITIS) to comply with the BSI KRITIS Ordinance, which sets cybersecurity requirements for KRITIS systems. The aim is to safeguard the supply of essential services to the economy and society in the KRITIS sectors through stronger cybersecurity measures.
In 2021, the IT Security Act 2.0 and the KRITIS Ordinance 1.5 brought a significant expansion of regulation. The EU NIS2 and RCE directives will further develop regulation in Europe, while the German KRITIS umbrella law, the IT Security Act 3.0 and new legal ordinances will bring further updates from 2023.
From 2023 and 2024, the scope of KRITIS regulation will be expanded significantly, in two directions. The breadth of coverage will increase as many more companies fall under its purview (NIS2). The depth will also increase, through the introduction of specific measures (NIS2) and through a stronger focus on resilience (RCE, umbrella law) alongside the existing focus on cybersecurity.
Who is affected?
The KRITIS Ordinance defines eight KRITIS sectors of the German economy in which KRITIS operators provide essential public utility services:
| Category | Sectors |
|---|---|
| Primary care | Energy, water, food, health |
| Supply | Transportation & traffic, waste disposal (2.0) |
| Services | IT and telecommunications (TK) |
Extension 2023-2024
The EU's NIS2 directive expands the key sectors in the EU and will become relevant to Germany's national KRITIS regulation by October 2024:
| Category | Sectors |
|---|---|
| Annex 1 | Energy, transportation, banking, financial markets, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space |
| Annex 2 | Post and courier, waste management, chemicals, food, industry, digital services, research |
A possible KRITIS umbrella law (KRITIS-Dachgesetz) in 2023 would bring further companies beyond the current KRITIS operators into scope, based on the EU RCE (CER) directive:
| Category | Sectors |
|---|---|
| KRITIS umbrella law | Energy, transportation, banking, financial markets, health, drinking water, wastewater, food, digital infrastructure, public administration, space |
New obligations for KRITIS operators
Attack detection
KRITIS operators are now required to integrate attack detection systems into their technical and organizational security measures. §8a (1a) stipulates that these systems must be capable of detecting and preventing threats through pattern recognition during operation. The requirement becomes mandatory as of May 1, 2023, and proof of compliance must be provided during KRITIS audits.
The definition in §2 (9b) covers both technical tools and the processes that support them. The BSI's guidance document on attack detection systems (OH SZA), published in 2022, sets out the requirements operators must meet from 2023 from the BSI's perspective.
Reporting requirements
Disturbances
KRITIS operators and companies in the special public interest (UBI) are newly required under §8b (4a) to provide the BSI with the information, including personal data, necessary to remedy significant disruptions.
In addition, there is now an obligation under §9b to disclose the use of critical components.
Indirect registration
Under the amended §8b (3), operators must promptly register with the BSI as a KRITIS operator once they have identified themselves as one, and must name a point of contact. The IT-SiG 2.0 also empowers the BSI to register operators as critical infrastructure on its own initiative. Under the new §8b (3a), the BSI can demand access to operator documents under certain circumstances if the registration obligation has not been met.
Critical components
Under the new §9b, KRITIS operators must notify the Federal Ministry of the Interior of the use of so-called critical components, i.e. certain IT products as defined in §2 (13). Which components and functions count as critical must be laid down in sector-specific law; so far this exists only for the telecommunications sector (TKG 2021).
Guarantee statement
Critical components may only be used in KRITIS systems if the manufacturer has issued a (new) guarantee statement. The statement must meet the minimum requirements established by the Ministry of the Interior and must be submitted by the KRITIS operator to the Ministry together with the notification of use in the KRITIS system.
Use may be prohibited
The Ministry of the Interior may prohibit the use of critical components in the following cases:
- Threat to public order and security: if a) the manufacturer is under the control of a government, authority or armed forces of a third country, b) the manufacturer has carried out activities that affect public order and security in Germany, the EU, EFTA or NATO, or c) the use does not meet the security policy objectives of Germany, the EU or NATO.
- Lack of trustworthiness of the manufacturer, based on its guarantee statement, security and vulnerability tests, or counterfeiting of related products.
Inventory
In order to notify the use of critical components in KRITIS systems in accordance with §9b, operators in the affected sectors must keep an inventory of the IT products in their KRITIS systems, with up-to-date information on product types and the like. So far, this applies only to the KRITIS telecommunications sector.
Other changes for violations
Strengthened penalties
The IT Security Act 2.0 noticeably expands the list of offences and increases the fines.
Administrative offences
- §14 (1-4) classifies more intentional or negligent violations of KRITIS requirements as administrative offences, including:
| Violation | BSIG-E |
|---|---|
| Missing evidence | §8a(3) |
| Missing incident reports, lack of cooperation | §5b(6), §7c(1), §8a(3), §8b(6), §8b(4), §8c(3), §8f(7) |
| Missing measures | §8a(1), §8c(1), §8f(1) |
| Missing registration and contact point | §8b(3), §8f(5) |
| Missing information | §7a(2), §8c(4), §8a(4), §8b(3a) |
| Errors in certifications | §9a(2), §9c(4), Art. 55 and 56 (EU) 2019/881 |
Fines
- §14 (5) sets significantly higher fines for these administrative offences. Fines now go up to 2 million EUR, and, with reference to §30 para. 2 OWiG, up to 20 million EUR for a legal person (body).
More detailed information can be found at the following sources:
- Second Act to Increase the Security of Information Technology Systems, IT Security Act 2.0, Federal Law Gazette, 2021 No. 25, May 27, 2021
- Bundesrat Decision - Second Act to Increase the Security of Information Technology Systems, Bundesrat, Drucksache 324/21 (Beschluss), 07.05.21
- BSI Criticality Ordinance, of April 22, 2016 (BGBl. I p. 958), as last amended by Article 1 of the Ordinance of September 6, 2021 (BGBl. I p. 4163)
- Appendix 1: Draft of a Second Ordinance Amending the BSI Criticality Ordinance with Preliminary Sheet and Explanatory Memorandum, Intrapol.org, 4/26/2021
- Appendix 2: Unofficial reading version of the amending ordinance, Intrapol.org, 4/26/2021
- Law to increase IT security passed with coalition majority, Bundestag 23.04.2021
- Recommendation for a decision and report on the bill of the Federal Government Draft of a second law to increase the security of information technology systems, German Bundestag, printed matter 19/28844, 21.4.2021
- Committee gives green light to IT Security Act 2.0, Bundestag Interior and Home Affairs/Committee - 21.04.2021 (hib 527/2021)
- Draft of a Second Law to Increase the Security of Information Technology Systems of 25.01.2021 (IT Security Act 2.0), Draft Law of the Federal Government, Printed Paper 19/26106
- Draft of a second law to increase the security of information technology systems (IT Security Act 2.0), press release Ministry of the Interior 16.12.2020
- Cabinet approves draft IT Security Act 2.0, press release Ministry of the Interior 16.12.2020
- IT Security Law 2.0 - all available versions, AG KRITIS, April 21, 2021