In the end, draft followed draft, and then it happened very quickly. Last Wednesday, 16 December 2020, the cabinet passed the IT Security Act 2.0. Federal Minister of the Interior Horst Seehofer calls it a “breakthrough for Germany’s security”. Industry associations and the UP KRITIS have sharply criticised how the experts there were involved, both with regard to the content and to the very short comment period of only a few working days for draft nos. 3 and 4. This does not reflect the importance of the planned amendments to the law.
Start of discussion in November
Surprisingly, the discussion on the IT Security Act was reignited in November with a third draft bill. After a long standstill, the discussion about critical infrastructures, their operators and the role of the BSI got moving again. The comments of the technical experts aimed at improving the content of essential points and at clarifying open questions, e.g. the partly disproportionate level of sanctions, the transition periods, the certification and notification of the use of so-called critical components, and the inclusion of new sectors such as waste management.
More powers for the BSI
It is clear that the BSI’s powers will be greatly expanded. This can be seen not only in the number of newly created posts, but also in the effort to create a cyber intervention force as quickly as possible.
Evaluation of the IT-Sig 1.0
Furthermore, the legally stipulated evaluation of the IT-SIG 1.0 according to Article 10 is still pending. In addition, according to Article 9 of the BSI Critical Infrastructure Ordinance (KritisV), the ordinance itself, and thus in particular the threshold values above which an operator is considered a critical infrastructure, must be evaluated every two years.
Changes in content
In the view of the SRC experts, the following points are the main changes in the new IT-SIG:
- Regulations on the use of critical components
- Concretisation of key figures and threshold values for the largest companies in Germany, insertion of a legal regulation on the disclosure of interfaces and compliance with established technical standards.
- Regulations on fines and sanctions
- Amendment of the provisions on the storage of log data
- Alignment of inventory data disclosure with the requirements of the BVerfG decision of 27 May 2020 (“Inventory Data Disclosure II”).
- Limitation of the implementation of detection measures for network and IT security (“Hacker Paragraph”)
- Amendment of deadlines for the KRITIS regulations in Section 8a BSIG and an adjustment or limitation of the obligation to submit operator documents, insofar as the registration obligation has not been fulfilled.
- Regulations on the IT security of companies in the special public interest: the self-declaration forms provided by the BSI are no longer binding; with the submission of the self-declaration, there is an obligation to register with the BSI.
- Temporal restriction of the BSI’s right of entry to check the requirements of EU Regulation 2019/881 (EU Cybersecurity Act).
In addition, conceptual adjustments and concretisations were made throughout the entire bill. On 16 December 2020, the Federal Cabinet adopted the draft for the IT Security Act 2.0. The cabinet version is available for download.
Further regulation on IT security
The draft bill on the Telecommunications Modernisation Act (Act on the Implementation of Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 on the European Electronic Communications Code (recast) and on the Modernisation of Telecommunications Law), presented on 09.12.2020, likewise contains provisions on IT security.
The SRC experts will be happy to exchange views with you on the innovations as well as their effects and support you in implementing the requirements from IT-SIG and BSIG as well as in providing evidence within the scope of §8(a) BSIG (“Kritis-Prüfung”).