
IT-Security Law 2.0

Is the IT security law 2.0 on its way?

After a longer standstill, the discussion about the IT Security Law (IT-SiG 2.0) is now beginning again. Recently, a third draft of the bill was published by the Federal Ministry of the Interior, Building and Community (BMI).

Current status of the amendment

The amendment of the IT-SiG has now been under way since April 2019, presumably delayed by the legal requirements for the use of technical products from third countries by operators of critical infrastructures. The third draft bill is now ready to be voted on by the various departments. Adoption before the end of the first quarter of next year no longer seems unrealistic.

What are the main focuses of the draft law?

The new draft bill focuses on the threats to cyber security. In addition, the powers of the BSI will also be expanded and new areas of responsibility will be created, e.g. as a national cyber security certification authority with the implementation of active detection measures.

The new draft also includes the notification of critical components in § 2 section 13:

“The use of a critical component (…), is to be indicated by the operator of a critical infrastructure to the Federal Ministry of the Interior, Building and Community before installation. In the announcement the critical component and the kind of their employment are to be indicated.”

Critical components are especially those IT products that are used in KRITIS and are of high importance for the functioning of the community. For telecommunications network operators or telecommunications service providers, these components are defined in more detail in the catalog pursuant to § 109 (6) TKG; all others are specified in a corresponding BSI catalog.

Only critical components may be used whose manufacturers have issued a declaration of their trustworthiness to the operator of the critical infrastructure (guarantee declaration). The BMI determines the minimum requirements for the guarantee declaration, taking into account superior public interests, in particular security policy concerns. The guarantee declaration must state whether and how the manufacturer can adequately ensure that the critical component does not have any technical properties that could have an abusive effect on the security, integrity, availability or operability of the critical infrastructure (such as sabotage, espionage or terrorism).

Here a new duty of disclosure arises for the operators of the components. Previously, manufacturers had to apply to the BSI for certification of these components. This new listing of critical components contains highly sensitive targets. Successful attacks by hackers or secret services can cause lasting damage to critical infrastructures in the Federal Republic of Germany.

The discussion about requirements for the IT products used, identification and authentication procedures and their evaluation with regard to information security is also taken up and specified. These specifications lead to the development and publication of state-of-the-art security requirements for IT products. In addition, there are requirements for consumer protection and consumer information.

Conclusion

It remains to be seen whether this schedule can be met. In terms of content, the new draft is a significant improvement, because it is more concrete than the draft of April 2019. A point of criticism is that the evaluation of the IT-SiG of 2015, which should have taken place after four years at the latest, is still pending.

The SRC experts will be happy to discuss the innovations and their effects with you and to support you in implementing the requirements of the IT-SiG and BSIG as well as in providing evidence within the scope of §8(a) BSIG (“Kritis-audit”).

Critical Day

Critical Day 2018 | on April 25, 2018, critical infrastructure operators meet at SRC

Critical infrastructures and their significance | Critical Day 2018 makes an exchange possible

Critical infrastructures (KRITIS) are organisations and facilities of major importance to the public sector, the failure or impairment of which would result in lasting supply shortages, major public security disruptions or other dramatic consequences. These critical infrastructures are exposed to various dangers. Among other things, there are various scenarios in which the security of information technology systems in critical infrastructures takes centre stage. This is the starting point for the conference “Critical Day 2018” with its accompanying barcamp.

Professional “networking” with each other

With the aim of establishing personal contacts and stimulating professional exchange, the Critical Day offers a regular meeting place for people responsible for the protection of critical infrastructures. The target group of the Critical Day are those people who work in a company or institution that supplies the population with essential goods and services. Furthermore, the Critical Day addresses people who deal with the topic of critical infrastructures in a practical, advisory, regulatory or scientific way. The first Critical Day will take place on 25 April 2018 at the SRC Conference Centre with an accompanying barcamp. Tickets are now available.

The demand of the Critical Day

The Critical Day aims to provide a world-class platform for representatives of affected companies, the public sector, science and research to network and exchange experiences on developments and best practices in IT and physical security of critical infrastructures. Participants are also encouraged to shape the second part of the Critical Day as a barcamp. A barcamp is an open conference with open workshops, the contents of which are developed by the participants themselves at the beginning of the conference and refined as the event proceeds. Barcamps therefore serve the exchange of content and discussion.
