In the end, draft followed draft – and then it happened very quickly. Last Wednesday, December 16, 2020, the cabinet passed the IT Security Act 2.0. Federal Minister of the Interior Horst Seehofer describes it as a “breakthrough for Germany’s security”. Industry associations and the UP KRITIS have sharply criticized how experts were involved, both with regard to the content and to the very short comment period of just a few working days for draft nos. 3 and 4. This does not reflect the importance of the planned amendments to the law.
Start of discussion in November
The discussion about the IT Security Act was surprisingly reignited in November with a third draft bill. After a long standstill, the discussion about critical infrastructures, their operators and the role of the BSI began to move again. The comments of the technical experts were aimed at improving the content of key points and clarifying open questions, e.g. the sometimes disproportionate level of sanctions, transition periods, the certification and reporting of the use of so-called critical components, or the inclusion of new sectors such as waste management.
More powers for the BSI
It is clear that the BSI’s powers will be greatly expanded. This can be seen not only in the number of newly created positions, but also in the efforts to create a cyber intervention force as quickly as possible.
Evaluation of the IT-SIG 1.0
Furthermore, the legally stipulated evaluation of IT-SIG 1.0 in accordance with Article 10 is still outstanding. According to Section 9 KritisV, the BSI Critical Infrastructure Ordinance – and thus in particular the thresholds above which an operator is considered a critical infrastructure – must also be evaluated every two years.
Changes to content
In the view of the SRC experts, the following points are the main changes in the new IT-SIG:
- Regulations on the use of critical components
- Specification of the key figures and thresholds for the largest companies in Germany; insertion of a statutory provision on the disclosure of interfaces and compliance with established technical standards.
- Fines and sanctions
- Change to the requirements for the storage of log data
- Alignment of inventory data information with the requirements of the decision of the Federal Constitutional Court of May 27, 2020 (“Inventory Data Information II”)
- Limiting the implementation of detection measures for network and IT security (“hacker paragraph”)
- Amendment of deadlines for the KRITIS regulations in Section 8a BSIG and an adjustment or restriction of the obligation to submit operator documents if the registration obligation has not been fulfilled.
- Regulations on IT security for companies in the public interest: The self-declaration forms provided by the BSI are no longer binding; the submission of the self-declaration is subject to registration with the BSI.
- Temporary restriction of the BSI’s access authorization to check the requirements of EU Regulation 2019/881 (EU Cybersecurity Act).
In addition, conceptual adjustments and clarifications were made throughout the draft law. On 16.12.2020, the Federal Cabinet adopted the draft of the IT-SiG 2.0. The cabinet version is available for download.
Further regulation on IT security
The draft bill on the Telecommunications Modernization Act (Act on the Implementation of Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 on the European Electronic Communications Code (recast) and on the Modernization of Telecommunications Law), which was also submitted on 9 December 2020, also contains provisions on IT security.
The SRC experts will be happy to discuss the innovations and their effects with you and to support you in implementing the requirements of the IT-SIG and BSIG, as well as in providing evidence within the framework of Section 8a BSIG (“KRITIS audit”).