Cyber Resilience

Operational Resilience — Cyber resilience requirements for institutions

Current key topics: Operational Resilience and Cybersecurity

Attacks on the financial system can have serious consequences, not only for the affected company but for the public at large. Experts at the Bundesbank and security experts at BaFin and the ECB cite cyber attacks, and a lack of resilience against them, as the greatest threat arising from increasing digitization in the financial sector. This is one reason why more legal and regulatory frameworks are being created to establish uniform standards across the entire financial sector and increase "operational resilience".

For both the ECB and BaFin, the focus in 2020 was on "operational resilience" and "cybersecurity". In addition, the TIBER-EU program launched at the European level was implemented by the Bundesbank as TIBER-DE in September 2020. Alongside this, the EU published its requirements for operational resilience and cybersecurity in September 2020 as part of the Digital Finance Package, in the form of the proposed Digital Operational Resilience Act (DORA).

The question for those responsible is how these various activities interact and — even more relevant — how efficiently they contribute to achieving the objectives.

Revision of MaRisk and BAIT — Operational IT Security

Domestically, BaFin published its approach to addressing operational IT risks in October with the amendment of MaRisk and BAIT. The importance of the topic is evident in the expansion of the BAIT requirements by a new chapter. Implementing the specific requirements formulated there is likely to pose major challenges for smaller and medium-sized institutions, as they call for operating a security information and event management system (SIEM), setting up and operating a security operations center (SOC), and regular internal deviation analyses, vulnerability scans, penetration tests and simulated attacks ("red teaming"). In practical terms, this requires establishing a professional cyber security department as well as independent internal information security structures. This alone will pose major challenges for the institutions concerned, given the expertise required and the limited resources on the labor market. Emergency management, also covered in a separate new chapter of the BAIT, is addressed as a further focal point.

The TIBER Program of the ECB and the Bundesbank

Back in 2018, the central banks of the European System of Central Banks launched the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) program. TIBER-EU serves as a framework for threat-led penetration testing that financial institutions can use to put their own resilience to cyber attacks to the test. The goal is to create a "gold standard" for penetration testing. The clear reluctance to participate in TIBER-DE can be explained on the one hand by the complex scope of the project and the significant risks, and on the other hand by the "voluntary nature" of participation. Of course, especially in 2020, many internal resources are tied up elsewhere, not least because of the Covid pandemic. The question arises whether institutions subjectively perceive the risk of a cyber attack as critical.

Digital Operational Resilience Act (DORA) of the EU

With the publication of the Digital Finance Package, the EU regulatory framework on digital operational resilience contains a comprehensive legislative proposal for the Europe-wide prevention and reduction of cyber risks. Until now, national regulations on operational resilience have been in place, but they do not do justice to the cross-border and global use of IT systems and are therefore not very effective. Moreover, this fragmentation carries the risk of inconsistencies and is associated with additional high expenses for institutions operating across Europe.

It is therefore highly desirable to strive for uniform regulation with DORA, in particular for risk management, testing, outsourcing, and emergency and incident management. In addition to improving and optimizing the resilience of the IT systems used, a significant reduction in administrative effort for the institutions will certainly also be achieved.

Increasing Cyber Resilience together

The SRC experts will gladly discuss the new developments and their impact on the legal and regulatory level with you. Together we analyze your need for action and support you in the implementation. We evaluate the amendment of MaRisk and BAIT for your institution, support you in the preparation, execution and analysis of TIBER tests and analyze the planned requirements of DORA. You can draw on our experience from countless penetration tests, banking compliance and information security management projects.

Cryptocurrencies ECB Digital Euro

Cryptocurrencies — When and how will the Digital Euro emerge?

The European Central Bank's (ECB) public consultation on the Digital Euro concluded on January 12, 2021. Based on the statements received, a fundamental decision on the continuation of this major project is expected in the summer of 2021. In this context, developments in the private-sector cryptocurrencies Bitcoin and Diem (formerly Libra) are also being considered. Other central banks' activities, e.g. in Sweden regarding the "E-Krona" and in China, will certainly have an impact as well.

Statement of the German Banking Industry Committee

In its statement on the Digital Euro, the German Banking Industry Committee expressed its support for the ECB's activities and pledged its assistance with the design and project planning.

"For the German Banking Industry Committee, the introduction of a Digital Euro by the Eurosystem has the potential to strengthen Europe's competitiveness, depending on how it is designed. However, it also carries the risk of fundamentally changing the geometry of the European banking system. Banks in Germany and Europe play a key role in the economic cycle and make an indispensable contribution to the efficient supply of financial resources to companies and consumers. That alone is why it is important to involve the banking industry in the considerations of a digital currency at an early stage."

Karl-Peter Schackmann-Fallis, Executive Member of the Board of the German Savings Banks Association.

Predominantly positive tenor

The tenor of the German Banking Industry Committee statement is mostly positive. The Digital Euro is considered a pioneering payment method in a digital economy that coherently complements the existing and proven systems and structures. The aim should be to achieve the greatest possible synergies with existing payment transaction solutions in order to ensure access to digital central bank money for end consumers. There is consensus that digitization is changing payment transactions and that the ECB needs to design the Digital Euro carefully to ensure financial stability. Implementing the targeted activities will inevitably require high investments from both institutions and the economy. But the use of modern tokenization solutions, e.g. based on Distributed Ledger Technology (DLT), enables the implementation of innovative payment solutions. In this context, the use of smart contracts and micropayments, services such as "Blockchain as a Service" and "Smart Contracts as a Service", or payment offerings in the Internet of Things (IoT) are conceivable.

Need for clarification

A point of criticism is that the proven two-tier banking system of central bank and commercial banks could be called into question. According to the German Banking Industry Committee, this constellation is essential for money market stability, the supply of loans to companies and private individuals, and the acceptance of and trust in the payment methods issued. The established banking system is seen as a crucial component of ongoing economic growth.

Another open question is to what extent a Digital Euro is to be regarded as a crypto-asset in the sense of MiCA (the proposal for a regulation on Markets in Crypto-assets) and what implications this might have. The German Banking Industry Committee has also issued a statement on the proposed MiCA regulation.

There is a need for further clarification with regard to some regulatory issues. In this context, the German Banking Industry Committee proposes an orientation towards existing standards. All parties involved should at least comply with the requirements of

From the German Banking Industry Committee's point of view, legal certainty, uniform specifications for a token-based fiat money and an appropriate regulatory standard are the basic prerequisites for consumer acceptance of and trust in the Digital Euro.

Courses of action for payment institutions

The discussion on the Digital Euro has to be seen in the context of the general increase in the importance of cryptocurrencies. Many companies have long since recognized that Distributed Ledger Technology can help to digitize complex supply relationships efficiently. It is therefore a logical consequence that there is also growing interest in using this new technology to process payments. In the future, it will certainly not only be central bank-issued digital currencies that are used. For payment institutions, the generally growing interest in cryptocurrencies increasingly results in the need to offer their own customers custody of and trading in cryptocurrencies. In addition, opportunities may also arise for institutions that offer their corporate customers self-issued cryptocurrencies to support them in the digitalization of their business processes.

The SRC experts will keep an eye on the exciting developments in the field of cryptocurrencies and the Digital Euro for you and support you in realising your crypto custody service. We will gladly inform you about the options for getting involved in this innovative sector.

BSI Medical and Care Products

BSI publishes study results on the security of medical products and care products

The thought of insecure medical or care products is disconcerting. Especially in a sensitive area such as health care, the affected person trusts in receiving the best possible help. But with advancing digitalisation in the healthcare sector, vulnerabilities are increasingly appearing in networked medical, IoT and elderly-care products. If such vulnerabilities are discovered or even exploited, this often poses a major problem for users and manufacturers of these products.
The Federal Office for Information Security (BSI) therefore initiated the projects "ManiMed — Manipulation of Medical Devices" and "eCare — Digitisation in Care" in order to assess the IT security of selected products.

The studies now published by the BSI enable manufacturers to improve the IT security features of their products. In addition, users of medical devices are informed about which IT security features could be critical. Improved IT security features strengthen the confidence of patients and doctors in the security of networked medical devices.

SRC played a major role in the preparation of the eCare study. The study focused on networked products (both medical and IoT products) that are used in the care of the elderly or sick. These include, for example, devices for measuring vital signs or a tablet for senior citizens. A total of six products from different categories were examined from an IT security perspective. The results of the study can be found on the BSI website for download.

In summary, the IT security level of the products examined can be rated as poor to very poor. The results lead us to believe that none of the products examined, including their interfaces, apps, etc., had been subjected to a professional security evaluation, an independent penetration test or similar.

IT Security Act 2.0 passed by the cabinet


In the end, draft followed draft, and then it happened very quickly. Last Wednesday, 16 December 2020, the cabinet passed the IT Security Act 2.0. Federal Minister of the Interior Horst Seehofer calls it a "breakthrough for Germany's security". Industry associations as well as UP KRITIS sharply criticise how their experts were involved, both in terms of content and the very short comment period of only a few working days for drafts no. 3 and 4. This does not reflect the importance of the planned amendments to the law.

Start of discussion in November

Surprisingly, the discussion on the IT Security Act was reignited in November with a third draft bill. After a long standstill, the discussion about critical infrastructures, their operators and the role of the BSI got moving again. The comments of the technical experts were aimed at improving the content of essential points and clarifying open questions, e.g. the partly disproportionate level of sanctions, transition periods, the certification and notification of the use of so-called critical components, and the inclusion of new sectors such as waste management.

More powers for the BSI

It is clear that the BSI's powers will be greatly expanded. This can be seen not only in the number of newly created posts, but also in the effort to create a cyber intervention force as quickly as possible.

Evaluation of the IT-SiG 1.0

Furthermore, the legally stipulated evaluation of the IT-SiG 1.0 according to Article 10 is still pending. Likewise, according to Article 9 of the BSI Critical Infrastructure Ordinance (BSI-KritisV), the ordinance, and thus in particular the threshold values above which an operator is considered a critical infrastructure, must be evaluated every two years.

Changes in content

In the view of the SRC experts, the following points are the main changes in the new IT-SIG:

  • Regulations on the use of critical components
  • Concretisation of key figures and threshold values for the largest companies in Germany, insertion of a legal regulation on the disclosure of interfaces and compliance with established technical standards.
  • Regulations on fines and sanctions
  • Amendment of the provisions on the storage of log data
  • Alignment of inventory data disclosure with the requirements of the BVerfG decision of 27 May 2020 ("Inventory Data Disclosure II").
  • Limitation of the implementation of detection measures for network and IT security ("Hacker Paragraph")
  • Amendment of deadlines for the KRITIS regulations in Section 8a BSIG and an adjustment or limitation of the obligation to submit operator documents, insofar as the registration obligation has not been fulfilled.
  • Regulations on IT security of companies in the special public interest: Self-declaration forms provided by the BSI are no longer binding; with the submission of the self-declaration there is an obligation to register with the BSI.
  • Temporal restriction of the BSI's right of entry to check the requirements of EU Regulation 2019/881 (EU Cybersecurity Act).

In addition, conceptual adjustments and concretisations were made throughout the entire bill. On 16 December 2020, the Federal Cabinet adopted the draft of the IT Security Act 2.0. The cabinet version is available for download.

Further regulation on IT security

The draft bill on the Telecommunications Modernisation Act (Act on the Implementation of Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 on the European Electronic Communications Code (recast) and on the Modernisation of Telecommunications Law), which was also presented on 09.12.2020, also contains provisions on IT security.

The SRC experts will be happy to exchange views with you on the innovations and their effects and support you in implementing the requirements from the IT-SiG and BSIG as well as in providing evidence within the scope of § 8a BSIG ("KRITIS audit").

gi-geldinstitute reports on EPEC

gi-Geldinstitute reports on EPEC and the change in payment traffic in Europe

gi-Geldinstitute, the trade journal for IT, organisation and communication in credit institutions, reports on EPEC, the European Payment Expert Consortium for payment transactions, and its consulting services.

With a view to developments and standards in Europe's payment traffic, three European experts in the standardisation of payments have founded the European Payment Expert Consortium (EPEC). Besides the German SRC Security Research & Consulting GmbH, these are the French companies ELITT and FrenchSys. SRC reported on this in the article "Frenchsys, Elitt and SRC found the EPayStandards Consortium".

The EPEC consortium combines the know-how of three European experts acquired in various standardisation bodies. EPEC offers consulting services for European payment service providers. Both the harmonised European standards and local specifics are taken into account. The offer covers, among other things, the use of payment standards, implementation guidelines, as well as functional and security specifications for pan-European solutions for card, mobile and internet payments.

gi-Geldinstitute reports on EPEC under the title "Der Zahlungsverkehr befindet sich im Wandel" ("Payment transactions are changing"). The article describes the environment and upcoming challenges of EPEC.

IT-Security Law 2.0

Is the IT security law 2.0 on its way?

After a longer standstill, the discussion about the IT Security Act (IT-SiG 2.0) is now beginning again. Recently, a third draft bill was published by the Federal Ministry of the Interior, Building and Community (BMI).

Current status of the amendment

The amendment of the IT-SiG has been in the works since April 2019, presumably delayed by the legal requirements for the use of technical products from third countries by operators of critical infrastructures. The third draft bill is now ready for coordination between the ministries. Adoption before the end of the first quarter of next year no longer seems unrealistic.

What are the main focuses of the draft law?

The new draft bill focuses on threats to cyber security. In addition, the powers of the BSI will be expanded and new areas of responsibility created, e.g. as the national cyber security certification authority, and the BSI will be authorised to implement active detection measures.

The new draft also includes the notification of critical components in § 2 (13):

"The use of a critical component (…) is to be indicated by the operator of a critical infrastructure to the Federal Ministry of the Interior, Building and Community before installation. In the announcement the critical component and the kind of its employment are to be indicated."

Critical components are in particular those IT products that are used in KRITIS and are of high importance for the functioning of the community. For telecommunications network operators or telecommunications service providers, these components are defined in more detail in the catalogue pursuant to § 109 (6) TKG; all others are specified in a corresponding BSI catalogue.

Only critical components may be used whose manufacturers have issued a declaration of their trustworthiness to the operator of the critical infrastructure (guarantee declaration). The BMI determines the minimum requirements for the guarantee declaration, taking into account overriding public interests, in particular security policy concerns. The guarantee declaration must state whether and how the manufacturer can adequately ensure that the critical component does not have any technical properties that could be misused to impair the security, integrity, availability or operability of the critical infrastructure (e.g. for sabotage, espionage or terrorism).

This creates a new notification duty for the operators using these components. Previously, manufacturers had to apply to the BSI for certification of these components. The resulting inventory of critical components is itself a highly sensitive target, since it records where the components on which critical infrastructures depend are deployed. Successful attacks by hackers or intelligence services can cause lasting damage to critical infrastructures in the Federal Republic of Germany.

The discussion about requirements for the IT products used, identification and authentication procedures and their evaluation with regard to information security is also taken up and specified. These specifications lead to the development and publication of state-of-the-art security requirements for IT products. In addition, there are requirements for consumer protection and consumer information.

Conclusion

It remains to be seen whether this schedule can be met. In terms of content, the new draft is a significant improvement, as it is more concrete than the draft of April 2019. A point of criticism is that the evaluation of the IT-SiG of 2015, which should have taken place after four years at the latest, is still pending.

The SRC experts will be happy to discuss the innovations and their effects with you and to support you in implementing the requirements of the IT-SiG and BSIG as well as in providing evidence within the scope of § 8a BSIG ("KRITIS audit").

20 years SRC


20 years ago, on 27 November 2000, the founding meeting of SRC's shareholders took place. That is a long time, although in retrospect it does not feel that way to those involved. This perception is of course subjective, but a decisive factor is certainly the rapid development in the field of information technology.
The complexity of digitalisation and the constantly growing need to create trust in new solutions is the business basis of SRC, the essential reason why SRC exists. At the same time this is also a big obligation, namely to ensure that new digital solutions are really trustworthy.
SRC's work can be explained vividly through things that many people experience in their daily lives. These are, above all, contactless payment by card and mobile phone, secure access to bank accounts by third parties, electronic patient records, secure communication in connection with the Galileo system and in the Bundeswehr, or even quite "mundane" things such as bottle deposit machines or tamper-proof cash registers: all topics of digitisation with which millions of people come into contact in one way or another every day. The development does not end there; with Open Finance, IoT and the increased use of AI methods there are still many exciting topics to be addressed.
None of these solutions has been produced or is operated by SRC itself, but we have made a decisive contribution to all of them: we provide confidence in these digital solutions, for reliability, security and future-proofness. We create "a good feeling" in dealing with digitalisation:
— Standards for new technologies create investment security,
— Reliable functionality of new solutions through testing,
— Technical security of new solutions through security concepts and tests.
In fact, this "good feeling", the trust, is something like the lubricant of digitalisation. For many people, the digitisation and mechanisation of everyday life means that processes are no longer manageable and the truth content of information is sometimes unclear. Trust makes it possible to reduce this complexity and often opens the door to acceptance of the new ways of experiencing and acting that digitisation aims to create.
In the 20 years of SRC's existence we have carried out more than 20,000 projects. Every year there have been more, and SRC has also grown year by year, not only in terms of the number of employees, but especially in terms of the expansion of expertise, partly in areas that did not exist at the time SRC was founded.
The current pandemic situation does not allow us to celebrate our 20th anniversary adequately, which we would have liked to do together with our customers. We are thinking about making up for this at a suitable time. But even without a party, we would be pleased if you, our customers, continue to place your trust in us.

TIBER-DE

TIBER-DE | Increasing the cyber resilience of the financial system

Digitisation of the financial sector — Opportunities & cyber risks

The increasing digitalisation of the financial sector not only provides new opportunities, but also leads to increased cyber risks. In particular, attacks on the financial system can have serious consequences, not only for the affected company but also for the entire public. For this reason, the central banks of the European System of Central Banks launched the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) programme back in 2018. TIBER-EU serves as a framework for threat-led penetration tests.

In the summer of 2019, the Deutsche Bundesbank and the German Federal Ministry of Finance (BMF) decided to implement TIBER-DE as a national framework that financial companies can use to test their own resilience to cyber attacks. This implementation has now taken place.

To whom is TIBER-DE addressed?

TIBER-DE particularly addresses critical companies in the financial sector, such as large banks and insurance companies as well as their IT service providers and payment service providers. In its TIBER implementation, the Deutsche Bundesbank emphasises that the purpose of conducting TIBER-DE tests is to "establish a network of national companies belonging to the target group in order to improve the cyber-resistance of the financial sector in a sustainable and cooperative way, together and by conducting TIBER-DE tests".

What happens in a TIBER-DE test?

In a TIBER-DE test, commissioned ethical hackers (the "Red Team") use information from a threat intelligence provider to test the cyber resilience of a company. The primary goal is to identify security gaps in the production systems that support the "critical functions", within an attack scenario that is as realistic as possible. The TIBER-DE test consists of three phases, which are presented here in shortened form:

  • In the preparation phase, the initiation, kick-off, determination of the test scope and procurement take place. In particular, the corresponding contracts with all parties involved are concluded, the test scope is determined and the financial supervisory authority is informed about the intended TIBER-DE test.
  • In the test phase, information on the threat situation is collected and the Red Team penetration test is conducted on the basis of the previously defined test scope.
  • Finally, the closure phase includes the preparation of the test reports, a replay and feedback session, a remediation plan for the vulnerabilities found, as well as a final report and the attestation, including the transfer of results.

Risks of the TIBER-DE Test

The TIBER-DE test targets the production systems with the "critical functions" of an institution in order to realistically evaluate their cyber resilience. However, this also entails risks, e.g. regarding the confidentiality, integrity or availability of data or systems. In any case, the institution has to perform a detailed risk analysis and take appropriate measures to minimise these risks before a TIBER-DE test is performed.

Furthermore, companies are confronted with organisational, technical and data protection challenges. Critical business processes have to be identified, and defensive measures have to be established and documented. In addition, TIBER-DE tests must be coordinated with the various stakeholders concerned, e.g. service providers. Furthermore, a confidentiality obligation must be observed by all parties.

Currently, participation in TIBER-DE tests is voluntary. Together with the not inconsiderable risks, this seems to be the reason for the hesitation to perform a TIBER-DE test.

Team up for a successful TIBER-DE test

The experts of SRC can prepare a TIBER test together with you. This includes the company-wide scoping of the critical business processes to be tested and support in establishing compliant reporting channels and processes to control and execute TIBER tests. Once these internal preparations are in place, a TIBER-compliant penetration test can be performed by a service provider. With the experience gained from countless penetration tests, bank compliance and information security management projects, we are happy to support you through the entire process of a TIBER test.

IT compliance through the introduction of an ISMS

Increasing compliance requirements

"The dependency of core and value-added processes on the IT infrastructure and the IT systems operated there is constantly increasing at credit institutions. This means that the associated compliance requirements are also increasing almost to the same extent." In an article that has just been published on the specialist platform "Security Insider", SRC expert Dagmar Schoppe explains the different regulatory and legal requirements that determine the daily business of credit institutions and how IT compliance is improved by the introduction of an ISMS.

Value creation processes are threatened

The protection of these value-added processes through compliance with regulatory and legal requirements, e.g. from BAIT, MaRisk or the IT Security Act, is a very topical issue. After all, the danger of hacker attacks is a real and current threat. This is one of the reasons why IT security is one of the central audit focuses of BaFin. The TIBER-EU programme, which is intended to strengthen the resilience of the financial world against cyber attacks, also aims in this direction.

Holistic information security management system creates security

For a holistic approach to the protection of corporate values, the various organisational and technical aspects must be combined into one overall concept. This leads to the introduction of an information security management system, e.g. on the basis of ISO 27001.

The experts of the SRC division Banking Compliance will gladly advise you on regulatory and legal requirements and their implementation, e.g. by introducing an information security management system (ISMS) or by carrying out TIBER tests. SRC is a member of the Cyber-Alliance.


New BSI guidance on evidence according to § 8a paragraph 3 BSIG

The IT Security Act (IT-SiG) in conjunction with the BSI Critical Infrastructure Ordinance (BSI-KritisV) has been in force for over five years. Its main objective is the regulation of KRITIS operators under the BSI Act (BSIG). The Federal Office for Information Security (BSI) accompanies the act and the ordinance with its so-called Orientation Guide to Evidence.

IT-SiG 2.0 — Is it coming or not?

Unfortunately, the topic "IT Security Act 2.0" has gone very quiet lately. No amendment of the KRITIS ordinance is therefore to be expected in the short term. However, the current state of the IT-SiG 2.0 can be taken from the existing ministerial draft bill. For example, the inclusion of waste management in the existing sectors is being considered. In addition, an expansion of the target group beyond KRITIS operators to include companies in the special public interest (e.g. due to their economic importance) is being considered. For these companies, the preparation of security concepts, the obligation to report incidents, the registration and staffing of a reporting office and the trustworthiness of the employees in the area are important. The planned tightening of the framework for fines from the previous maximum of EUR 100,000 to a maximum of EUR 20,000,000 (or 4% of the company's total worldwide annual turnover in the previous business year) is particularly striking.

New guidance on evidence

While the IT-SiG 2.0 is still a long way off, in the second half of August the BSI published its new "Guidance on evidence pursuant to Section 8a (3) BSIG". The version number 1.1 already suggests it: the changes include many concretisations and clarifications of the facts and requirements. In addition, there are further significant changes. For example, the new Form P combines the information contained in the previously used forms PD (test performance), PE (test results) and PS (testing body). In addition to the written submission, a digital, machine-readable copy is now also required. The list of security deficiencies and the implementation plan are now combined in one document, while existing test results (no more than 12 months old) must be explicitly checked to confirm that they are still current and applicable. A clear innovation is the substantiated assessment of the maturity levels of the management systems for information security (ISMS) and business continuity (BCMS). The strong focus on traceability is also very noticeable. This becomes visible at various points:

  • a detailed description of the scope (with its interfaces, dependencies and parts of the critical service operated by third parties) and
  • of the installation (including associated parts of the critical service and all essential features), as well as
  • the provision of a comprehensible network structure plan.
  • In addition, the list of deficiencies must also be comprehensible without the need for further documents.

Even without the IT-SiG 2.0, the new BSI orientation guide requires attention. SRC experts will be pleased to discuss the innovations and their effects with you and support you in implementing the extended requirements.