After a long standstill, the discussion about the IT Security Act (IT-SiG 2.0) is starting again. Recently, a third draft of the bill was published by the Federal Ministry of the Interior, Building and Community (BMI).
Current status of the amendment
The amendment of the IT-SiG has been under way since April 2019, presumably delayed by the legal requirements governing the use of technical products from third countries by operators of critical infrastructures. The third draft bill is now ready for interdepartmental coordination. Adoption before the end of the first quarter of next year no longer seems unrealistic.
What are the main focuses of the draft law?
The new draft bill focuses on threats to cyber security. In addition, the powers of the BSI will be expanded and new areas of responsibility will be created, e.g. as the national cyber security certification authority and through the implementation of active detection measures.
The new draft also includes the notification of critical components in § 2 section 13:
“The use of a critical component (…) is to be indicated by the operator of a critical infrastructure to the Federal Ministry of the Interior, Building and Community before installation. In the announcement the critical component and the kind of its employment are to be indicated.”
Critical components are in particular those IT products that are used in KRITIS and are of high importance for the functioning of the community. For telecommunications network operators or telecommunications service providers, these components are defined in more detail in the catalog pursuant to § 109 (6) TKG; for all others they are specified in a corresponding BSI catalog.
Only critical components may be used whose manufacturers have issued a declaration of their trustworthiness to the operator of the critical infrastructure (guarantee declaration). The BMI determines the minimum requirements for the guarantee declaration, taking into account overriding public interests, in particular security policy concerns. The guarantee declaration must state whether and how the manufacturer can adequately ensure that the critical component has no technical properties that could be misused to affect the security, integrity, availability or operability of the critical infrastructure (for example through sabotage, espionage or terrorism).
This creates a new duty of disclosure for the operators using these components. Previously, manufacturers had to apply to the BSI for certification of such components. The resulting list of critical components amounts to a list of highly sensitive targets: successful attacks by hackers or intelligence services can cause lasting damage to critical infrastructures in the Federal Republic of Germany.
The discussion about requirements for the IT products used, for identification and authentication procedures, and for their evaluation with regard to information security is also taken up and made more concrete. These specifications lead to the development and publication of state-of-the-art security requirements for IT products. In addition, there are requirements for consumer protection and consumer information.
Conclusion
It remains to be seen whether this schedule can be met. In terms of content, the new draft is a significant improvement, because it is more concrete than the draft of April 2019. A point of criticism is that the evaluation of the IT-SiG of 2015, which should have taken place after four years at the latest, is still pending.
The SRC experts will be happy to discuss the innovations and their effects with you and to support you in implementing the requirements of the IT-SiG and BSIG as well as in providing evidence within the scope of § 8a BSIG (“KRITIS audit”).