On Friday, 07 May 2021, the Bundesrat finally approved the controversial IT Security Act 2.0. The Bundestag had already approved it at the end of April 2021. In this regard, Federal Minister of the Interior Horst Seehofer spoke of a “good day for cyber security in Germany”. He commented: “Digitalisation permeates all areas of life, and the pandemic has once again accelerated this process enormously. Our protection mechanisms & defence strategies must keep pace — this is what the IT Security Act 2.0 is for”. As early as November 2020, the discussion about the IT Security Act was reignited with a third draft bill. In terms of content, many aspects that were already the subject of the government draft from 2020 have been retained. However, they have been modified in detail. Thus, the continuing industry-wide criticism of the IT Security Act 2.0 seems hardly surprising.
Expanded powers for the BSI, inventory data disclosure and the so-called “Huawei clause”
A central aspect of the new IT Security Act is the expanded powers for the Federal Office for Information Security (BSI). The draft law at least improves the concretisation of overriding protection goals and the work of the BSI geared towards them. In addition, the handling of vulnerabilities and security gaps is to become more transparent. The new law is intended to make the BSI a key player in the fight against botnets and the spread of malware. To this end, 799 new positions will be created.
Detection of security vulnerabilities
The BSI will be empowered to detect security vulnerabilities at the interfaces of IT systems to public telecommunications networks by means of port scans. In addition, it will be allowed to use honeypots and sinkholes to analyse malware and attack methods.
Storage and collection of inventory and log data
Particularly critical from a data-protection perspective is that in future the BSI will be allowed to store and evaluate “log data” and personal user information (such as IP addresses) generated during online communication between citizens and federal administrative institutions for a period of 12 to 18 months. This also includes internal “logging data” from the authorities. Furthermore, the BSI may obtain inventory data information from providers of telecommunications services. This is intended to protect those affected and to detect attacks, e.g. by Trojans such as Emotet.
The so-called “Huawei clause” — hurdle for the exclusion of equipment suppliers
The so-called “Huawei clause”, which is also part of the amendment, sets a rather high hurdle for the exclusion of individual equipment suppliers from network expansion, for example for 5G. The federal government is to be able to prohibit the use of “critical components” in the event of a “probable impairment of public safety and order”. To this end, there will be a certification obligation, and manufacturers will have to issue a guarantee declaration.
In this regard, the BSI tweeted, by way of a “self-image”, that security vulnerabilities will be communicated transparently and remedied quickly, that consumers will be provided with even more neutral, up-to-date information on digital topics, and that critical infrastructures will be supported with close-meshed advice and supervision.
Strengthening consumer protection and more security for businesses
In addition, the new IT Security Act contains regulations to strengthen consumer protection and increase security for companies. To this end, consumer protection is included in the BSI’s catalogue of tasks. Furthermore, a uniform IT security label will in future make it clear to consumers which products already comply with certain IT security standards.
In order to increase corporate security, operators of critical infrastructures and, in future, other companies in the special public interest (e.g. arms manufacturers or companies of particularly great economic importance) must implement certain IT security measures and will be included in the trusted exchange of information with the BSI.
Draft of a second ordinance amending the BSI Criticality Ordinance (BSI-KritisV) published
The IT-SiG 2.0 not only refers to the BSI Criticality Ordinance (BSI-KritisV), it also expands the existing obligations of CRITIS operators. It is therefore not surprising that on 26 April 2021 the Federal Ministry of the Interior published the draft of a second ordinance amending the BSI-KritisV as part of the consultation of associations, specialist groups and academia. Corresponding comments are to be submitted by 17 May 2021.
The draft contains considerable changes and adjustments to the content as well as new additions in the individual annexes, which determine the categories of installations and the concrete threshold values, including in part the individual numerical assessment criteria. In addition, software and IT services that are necessary for the provision of a critical service are now also identified as installations within the meaning of the ordinance. Furthermore, trading in securities and derivatives is included as a new critical service.
Support from SRC experts
The SRC experts will be happy to exchange views with you on the innovations and their effects, and to support you in implementing the requirements of the IT-SiG and the BSIG as well as in providing evidence within the scope of §8a BSIG (“Critical Service Examination”).