The Federal President of Germany passed the Information Technology Security Act 2.0 on May 27, 2021. The IT Security Act 2.0 has updated the First Act to increase the Security of Information Technology Systems increasing Cyber and Information security against the cyberattacks and digitalization of everyday life.
Due to the tightened IT security obligations and increased penalties, the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSI-Gesetz), “BSI Act”) – are relevant for both the operators of critical infrastructure already covered by the BSI Act but also (i) companies active in the area of municipal waste disposal, (ii) manufacturers of IT products used in critical infrastructures, and (iii) the so-called companies in the special public interest.
Key takeaways from the IT Security Act 2.0:
- Obligation for operators of critical infrastructure is introduced to register a critical infrastructure with the Federal Office for Information Security (“BSI”);
- The IT Security Act 2.0 introduces, on the one hand, the obligation of operators of critical infrastructures to notify the Federal Ministry of the Interior, Building and Community (“BMI”) of the planned first-time use of a critical component prior to its use and on the other hand, the operator of critical infrastructure is obligated to obtain a declaration from the manufacturer of the critical components about its trustworthiness (so-called guarantee declaration). Only after obtaining such a guarantee declaration may the operator of a critical infrastructure use critical components. This declaration must be attached to the notification to the BMI.
- In accordance with the above-described obligation of the operators of critical infrastructures to use critical components only from those manufacturers who have issued a declaration of their trustworthiness to the operator of the critical infrastructure, the manufacturers will issue corresponding guarantee declarations vis-à-vis the operator of the critical infrastructure about the entire supply chain.
- The obligations applicable to operators of critical infrastructures are to be extended in a slightly modified form to further economic sectors, the companies in the special public interest. The obligations of companies in the special public interest differ depending on the category to which such a company belongs.
- The offences subject to fines have been specified for better enforcement, especially of obligations to provide information and evidence, and have been considerably expanded in accordance with the newly introduced obligations described above. The fines themselves were drastically increased to achieve a steering effect, as stated in the reasoning of the law. Instead of the fines of up to 100,000 EUR or up to 50,000 EUR possible under the previous BSI Act, administrative offences can now – depending on the case – be punished with a fine of (i) up to 2,000,000 EUR, (ii) up to 1,000,000 EUR, (iii) up to 500,000 EUR or (iv) up to 100,000 EUR.
- The IT Security Act 2.0 also expands the role of the BSI. The BSI is given several new tasks, including the following:
- The performance of the tasks and powers of the BSI as the national cybersecurity certification authority within the meaning of Article 58 of Regulation (EU) 2019/881 of 17 April 2019 will be included in the catalogue of tasks of the BSI.
- In order to take into account the growing importance of cyber and information security for consumers, especially due to the increasing interconnectedness of private households and the dissemination of connected consumer products, consumer protection and consumer information in the area of information technology security will be established as an additional task of the BSI.
- Furthermore, the competence of the BSI for the development of specifications as well as the final evaluation of identification and authentication procedures from the point of view of information security will be clarified by law.
- The Technical guidelines for the purpose of consumer protection, the competence of the BSI for the development of requirements and recommendations together with conformity testing and confirmation for IT products is explicitly specified.
- The Act stipulates the authority of the BSI to be able to query inventory data from providers of telecommunications services to inform those affected about security vulnerabilities and attacks.
- To keep a check on the existence of security vulnerabilities and other security risks in the information technology of the Federation and in the information technology of critical infrastructures, digital services and companies in the special public interest, the authority of the BSI to conduct so-called port scans is created. New Section 7b para. 4 of the new BSI Act also stipulates the authority of the BSI to use systems and procedures to fulfil its tasks, which simulate a successful attack to collect and evaluate the use of malware or other attack methods (so-called honeypots).
- Finally, the BSI will have the power to issue orders vis-à-vis telecommunications and telemedia providers to avert specific threats to information security.
*Tanvi Singh, Editorial Assistant has put this story together.