After a lengthy standstill, the discussion about the IT Security Act (IT-SiG 2.0) is back on track. A third draft bill was recently published by the Federal Ministry of the Interior, Building and Community (BMI).
Current status of the amendment
The amendment of the IT-SiG has been dragging on since April 2019, presumably delayed by the legal requirements for the use of technical products from third countries by operators of critical infrastructures. The third draft bill is now ready to go to departmental coordination. Adoption in the first quarter of next year no longer seems unrealistic.
What are the priorities of the draft law?
The new draft bill focuses on threats to cyber security. In addition, the powers of the BSI are expanded and it receives new areas of responsibility, for example as the national cyber security certification authority and in carrying out active detection measures.
The new draft also includes the notification of critical components in Section 2 (13):
“The operator of a critical infrastructure must notify the Federal Ministry of the Interior, Building and Community of the use of a critical component (…) prior to installation. The notification must specify the critical component and the nature of its use”.
Critical components are, in particular, IT products that are used in KRITIS and are of great importance for the functioning of the community. For telecommunications network operators or telecommunications service providers, these components are defined in more detail by the catalog pursuant to Section 109 (6) TKG; all others are specified by a corresponding BSI catalog.
Only critical components whose manufacturers have issued a declaration of trustworthiness (guarantee declaration) to the operator of the critical infrastructure may be used. The BMI determines the minimum requirements for the guarantee declaration, taking into account overriding public interests, in particular security policy concerns. The guarantee declaration must state whether and how the manufacturer can adequately ensure that the critical component has no technical properties that could be misused to impair the security, integrity, availability or functionality of the critical infrastructure (e.g. through sabotage, espionage or terrorism).
This creates a new notification obligation for the operators that use these components. Previously, manufacturers had to apply to the BSI for certification of these components. The new list of critical components thus documents highly sensitive attack targets: successful attacks by hackers or intelligence services on them can cause lasting damage to critical infrastructures in Germany.
The draft also takes up and specifies the discussion on requirements for the IT products used, on identification and authentication procedures, and on their evaluation with regard to information security. These specifications lead to the development and publication of a state of the art for security requirements for IT products. Requirements for consumer protection and consumer information have also been added.
Conclusion
It remains to be seen whether this timetable can be adhered to. In terms of content, the new draft is a significant improvement over the draft from April 2019, because it is more specific. A critical point to note is that the evaluation of the IT-SiG of 2015, which should have taken place after four years at the latest, is still pending.
The SRC experts will be happy to discuss the changes and their effects with you and to support you in implementing the requirements of the IT-SiG and BSIG as well as in providing evidence within the framework of Section 8a BSIG (“KRITIS audit”).