IT Security Act 2.0 approved by the Bundesrat (Upper House)

IT Security Act 2.0 approved by the Bundesrat (Upper House)

On Friday, 07 May 2021, the Bundesrat finally approved the contro­versial IT Security Act 2.0. The Bundestag had already approved it at the end of April 2021. In this regard, Federal Minister of the Interior Horst Seehofer spoke of a “good day for cyber security in Germany”. He commented: “Digital­i­sation permeates all areas of life, and the pandemic has once again accel­erated this process enormously. Our protection mecha­nisms & defence strategies must keep pace — this is what the IT Security Act 2.0 is for”. As early as November 2020, the discussion about the IT Security Act was reignited with a third draft bill. In terms of content, many aspects that were already the subject of the government draft from 2020 have been retained. However, they have been modified in detail. Thus, the continuing industry-wide criticism of the IT Security Act 2.0 seems hardly surprising.

Expanded powers for the BSI, inventory data disclosure and the so-called “Huawei clause

A central aspect of the new IT Security Act is the expanded powers for the Federal Office for Infor­mation Security (BSI). There are improve­ments in the draft law at least in the concreti­sation of overriding protection goals and the work of the BSI geared to them. In addition, the handling of vulner­a­bil­ities and security gaps is to become more trans­parent. The new law is intended to make the BSI a key player in the fight against botnets and the spread of malware. To this end, 799 new positions will be created.

Detection of security vulnerabilities

The BSI will be empowered to detect security vulner­a­bil­ities at the inter­faces of IT systems to public telecom­mu­ni­ca­tions networks by means of port scans. In addition, it will be allowed to use honeypots and sinkholes to analyse malware and attack methods.

Storage and collection of inventory and log data

A partic­u­larly critical aspect of data protection is that in future the BSI will be allowed to store and evaluate “log data” and personal user infor­mation (such as IP addresses) generated during online commu­ni­cation between citizens and federal admin­is­trative insti­tu­tions for a period of 12 to 18 months. This also includes internal “logging data” from the author­ities. Furthermore, the BSI may obtain inventory data infor­mation from providers of telecom­mu­ni­ca­tions services. This is intended to protect those affected and to detect attacks, e.g. by Trojans such as Emotet.

The so-called “Huawei clause” — hurdle for the exclusion of equipment suppliers

The so-called “Huawei clause” sets the hurdle for the exclusion of individual equipment suppliers from network expansion for 5G, for example, quite high. It is also part of the amendment. The federal government is to be able to prohibit the use of “critical compo­nents” in the event of “probable impairment of public safety and order”. To this end, there will be a certi­fi­cation oblig­ation and manufac­turers will have to issue a guarantee declaration.

In this regard, the BSI tweets in the sense of a “self-image” that security vulner­a­bil­ities will be commu­ni­cated trans­par­ently and remedied quickly, consumers will be provided with even more neutral, up-to-date infor­mation on digital topics and critical infra­struc­tures will be supported with close-meshed advice and supervision.

Strength­ening consumer protection and more security for businesses

In addition, the new IT Security Act contains regula­tions to strengthen consumer protection and increase security for companies. To this end, consumer protection is included in the BSI’s catalogue of tasks. Furthermore, a uniform IT security label will in future make it clear to consumers which products already comply with certain IT security standards.

In order to increase corporate security, operators of critical infra­struc­tures and, in the future, other companies in the special public interest (e.g. arms manufac­turers or companies of partic­u­larly great economic impor­tance) must implement certain IT security measures and will be included in the trustful exchange of infor­mation with the BSI.

Draft of a second ordinance amending the BSI Criti­cality Ordinance (BSI-KritisV) published

The IT-SiG 2.0 not only refers to the Critis Ordinance, it also expands the existing oblig­a­tions of the CRITIS operators. For this reason, it is not surprising that on 26 April 2021, the Federal Ministry of the Interior published the draft of a second ordinance amending the BSI Critis Ordinance as part of the consul­tation of associ­a­tions, specialist groups and academia. Corre­sponding comments are to be submitted by 17 May 2021.

The draft bill contains consid­erable changes and adjust­ments to the content as well as new additions in the individual annexes to determine the categories of instal­la­tions and concrete threshold values, in particular in part also the individual numerical assessment criteria. In addition, software and IT services that are necessary for the provision of a critical service are now also identified as invest­ments within the meaning of the regulation. Furthermore, trading in securities and deriv­a­tives is included as a new critical service.

Support from SRC experts

The SRC experts will be happy to exchange views with you on the innova­tions as well as their effects and support you in the imple­men­tation of the require­ments from IT-SIG and BSIG as well as in the provision of evidence within the scope of §8(a) BSIG (“Critical Service Examination”).

IT Security Act 2.0 passed by the cabinet

IT Security Act 2.0 passed by the cabinet

In the end, draft followed draft — and then it happened very quickly. Last Wednesday, 16 December 2020, the cabinet passed the IT Security Act 2.0. Federal Minister of the Interior Horst Seehofer calls it a “break­through for Germany’s security”. Industry associ­a­tions as well as the UP KRITIS are sharply critical of the involvement of the experts there, both in the content and the very short comment period of only a few working days for draft nos. 3 and 4. This does not reflect the impor­tance of the planned amend­ments to the law.

Start of discussion in November

Surpris­ingly, the discussion on the IT Security Act was reignited in November with a third draft bill. After a long stand­still, the discussion about critical infra­struc­tures, their operators and the role of the BSI got moving again. The comments of the technical experts, which were aimed at improving the content of essential points as well as clari­fying open questions, e.g. the partly dispro­por­tionate level of sanctions, transition periods, the certi­fi­cation and notifi­cation of the use of so-called critical compo­nents or also the inclusion of new sectors such as waste management.

More powers for the BSI

It is clear that the BSI’s powers will be greatly expanded. This can be seen not only in the number of newly created posts, but also in the effort to create a cyber inter­vention force as quickly as possible.

Evalu­ation of the IT-Sig 1.0

Furthermore, the legally stipu­lated evalu­ation of the IT-SIG 1.0 according to Article 10 is still pending. Also according to Article 9 of the Critical Infra­structure Ordinance (KritisV), the BSI Critical Infra­structure Ordinance — and thus in particular the threshold values above which an operator is considered a critical infra­structure — must be evaluated every two years.

Changes in content

In the view of the SRC experts, the following points are the main changes in the new IT-SIG:

  • Regula­tions on the use of critical components
  • Concreti­sation of key figures and threshold values for the largest companies in Germany, insertion of a legal regulation on the disclosure of inter­faces and compliance with estab­lished technical standards.
  • Regula­tions on fines and sanctions
  • Amendment of the provi­sions on the storage of log data
  • Alignment of inventory data disclosure with the require­ments of the BVerfG decision of 27 May 2020 (“Inventory Data Disclosure II”).
  • Limitation of the imple­men­tation of detection measures for network and IT security (“Hacker Paragraph”)
  • Amendment of deadlines for the KRITIS regula­tions in Section 8a BSIG and an adjustment or limitation of the oblig­ation to submit operator documents, insofar as the regis­tration oblig­ation has not been fulfilled.
    Regula­tions on IT security of companies in special public interest: Self-decla­ration forms provided by the BSI are no longer binding, with the submission of the self-decla­ration there is an oblig­ation to register with the BSI.
  • Temporal restriction of the BSI’s right of entry to check the require­ments of EU Regulation 2019/881 (EU Cyber­se­curity Act).

In addition, conceptual adjust­ments and concreti­sa­tions were made throughout the entire bill. On 16 December 2020, the Federal Cabinet adopted the draft for the IT Security Act 2.0. The cabinet version is available for download.

Further regulation on IT security

The draft bill on the Telecom­mu­ni­ca­tions Moderni­sation Act (Act on the Imple­men­tation of Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 on the European Electronic Commu­ni­ca­tions Code (recast) and on the Moderni­sation of Telecom­mu­ni­ca­tions Law), which was also presented on 09.12.2020, also contains provi­sions on IT security.

The SRC experts will be happy to exchange views with you on the innova­tions as well as their effects and support you in imple­menting the require­ments from IT-SIG and BSIG as well as in providing evidence within the scope of §8(a) BSIG (“Kritis-Prüfung”).

IT-Security Law 2.0

Is the IT security law 2.0 on its way?

After a longer stand­still, the discussion about the IT Security Law (IT-SIG 2.0) is now beginning again. Recently, a 3rd draft of the bill was published by the Federal Ministry of the Interior, Building and Community (BMI).

Current status of the amendment

The amendment of the IT-SiG has now been in effect since April 2019, presumably delayed by the legal require­ments for the use of technical products from third countries by operators of critical infra­struc­tures. The third draft bill is now ready to be voted on by the various depart­ments. Adoption before the end of the first quarter of next year no longer seems unrealistic.

What are the main focuses of the draft law?

The new draft bill focuses on the threats to cyber security. In addition, the powers of the BSI will also be expanded and new areas of respon­si­bility will be created, e.g. as a national cyber security certi­fi­cation authority with the imple­men­tation of active detection measures.

The new draft also includes the notifi­cation of critical compo­nents in § 2 section 13:

“The use of a critical component (…), is to be indicated by the operator of a critical infra­structure to the Federal Ministry of the Interior, Building and Community before instal­lation. In the announcement the critical component and the kind of their employment are to be indicated “.

Critical compo­nents are especially those IT products that are used in KRITIS and are of high impor­tance for the functioning of the community. For telecom­mu­ni­ca­tions network operators or telecom­mu­ni­ca­tions service providers, these compo­nents are defined in more detail in the catalog pursuant to § 109 (6) TKG; all others are specified in a corre­sponding BSI catalog.

Only critical compo­nents may be used whose manufac­turers have issued a decla­ration of their trust­wor­thiness to the operator of the critical infra­structure (guarantee decla­ration). The BMI deter­mines the minimum require­ments for the guarantee decla­ration, taking into account superior public interests, in particular security policy concerns. The guarantee decla­ration must state whether and how the manufac­turer can adequately ensure that the critical component does not have any technical properties that could have an abusive effect on the security, integrity, avail­ability or operability of the critical infra­structure (such as sabotage, espionage or terrorism).

Here a new duty of disclosure arises for the operators of the compo­nents. Previ­ously, manufac­turers had to apply to the BSI for certi­fi­cation of these compo­nents. This new listing of critical compo­nents contains highly sensitive targets. Successful attacks by hackers or secret services can cause lasting damage to critical infra­struc­tures in the Federal Republic of Germany.

The discussion about require­ments for the IT products used, identi­fi­cation and authen­ti­cation proce­dures and their evalu­ation with regard to infor­mation security is also taken up and specified. These speci­fi­ca­tions lead to the devel­opment and publi­cation of a state of the art of security require­ments for IT products. In addition, there are require­ments for consumer protection and consumer information.

Conclusion

It remains to be seen whether this schedule can be met. In terms of content, the new draft is a signif­icant improvement, because it is more concrete than the draft of April 2019. It is critical that the evalu­ation of the IT-SIG of 2015, which should have taken place after four years at the latest, is still pending.

The SRC experts will be happy to discuss the innova­tions and their effects with you and to support you in imple­menting the require­ments of the IT-SIG and BSIG as well as in providing evidence within the scope of §8(a) BSIG (“Kritis-audit”).

NextGenPSD2 certification

New BSI guidance on evidence according to § 8a paragraph 3 BSIG

The IT Security Act (IT-Sig) in conjunction with the KRITIS regulation has been in use for over five years. The main objective is the regulation of KRITIS operators according to the BSI Act. The Federal Office for Infor­mation Security (BSI) accom­panies law and regulation with the so-called BSI Orien­tation Guide to Evidence.

IT-Sig 2.0 — Is it coming or not?

Unfor­tu­nately, the topic “IT security law 2.0” has become very quiet lately. Therefore no amendment of the KRITIS regulation is to be expected in the short term. However, the current draft of the IT-Sig 2.0 can be taken from the present speaker draft. For example, the inclusion of waste management in the existing sectors is being considered. In addition, an expansion of the target group beyond the KRITIS operators to include companies in the special public interest (e.g. due to their economic impor­tance) is also being considered. For these companies, the prepa­ration of safety concepts, the oblig­ation to report incidents, the regis­tration and management of a reporting office and the trust­wor­thiness of the employees in the area are important. The planned tight­ening of the framework for fines from the previous maximum of EUR 100,000 to a maximum of EUR 20,000,000 (or 4% of the total annual company turnover worldwide in the previous business year) is partic­u­larly striking.

New guidance on evidence

While IT-Sig 2.0 is still a long way off, in the second half of August the BSI published its new “Guidance on evidence pursuant to Section 8a (3) BSIG”. Version number 1.1 already suggests it: the changes include many concreti­sa­tions and clari­fi­ca­tions of the facts and require­ments. In addition, there are further signif­icant changes. For example, the new Form P combines the infor­mation contained in the previ­ously used forms PD (test perfor­mance), PE (test results) and PS (testing body). In addition to the written submission, a digital/­ma­chine-readable copy is now also required. The list of safety deficiencies and the imple­men­tation plan are now combined in one document, while existing test results (maximum 12 months old) must be explicitly checked for topicality and stock. A clear innovation is the well-founded assessment of the maturity levels of the management systems for infor­mation security (ISMS) and business conti­nuity (BCMS). The strong focus on the aspect of trace­ability is also very noticeable. This becomes visible at various points:

  • Detailed description of the scope (with its inter­faces, depen­dencies and parts of the critical service operated by third parties) and
  • the instal­lation (including associated parts of the critical service and all essential features) as well as
  • Provision of a compre­hen­sible network structure plan.
  • In addition, a list of deficiencies must also be compre­hen­sible without the need for further documents.

Even without IT-Sig 2.0, the new BSI orien­tation guide requires attention. SRC experts will be pleased to discuss the innova­tions and their effects with you and support you in the imple­men­tation of the extended requirements.