Germany: The IT Security Act 2.0

On 28 May 2021, the German IT Security Act 2.0 entered into force and introduces a number of changes to the existing regulation of critical infrastructures (corresponding to essential services under the NIS Directive) already covered by the BSI Act (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSI-Gesetz)). These changes include:

• expansion of scope of application to new sectors:
  • municipal waste with essential service municipal waste disposal (collection, disposal, recycling)
  • special public interest entities – “SPIE” (important but not critical infrastructure)
    • SPIE defense, arms, federal IT (export control)
    • 2. SPIE economic relevant entities
    • 3. SPIE hazardous materials (chemicals)).
• new IT security obligations incl. inter alia:
  • supply chain security; suppliers, i.e. manufacturers of critical components, will be subject to certain obligations to safeguard the supply chain
    • obligation to notify planned first-time use of a critical component
    • requirement to obtain a declaration from the manufacturer about its trustworthiness
  • obligation to register; operators of critical infrastructures will have to register the critical infrastructure with the BSI
  • mandatory use of state of the art attack detection systems; this is a concretisation of the obligation to take appropriate organisational and technical measures to ensure NIS security
  • obligation to disclose information necessary to handle a disruption to the BSI if requested
  • modified security obligations for SPIEs depending on the category the SPIE belongs to
• stronger enforcement:
  • specification of offences
  • extended catalogue of offences
  • increased fines to achieve a steering effect (administrative fines up to 2,000,000 EUR)
• new tasks for BSI:
  • tasks and powers of BSI as the national cybersecurity authority within the meaning of Art. 58 Cybersecurity Act are set out
  • consumer protection and consumer information in the area of IT security
  • development of specifications as well as the final evaluation of identification and authentication procedures from the point of view of information security
  • specification of task of development of requirements and recommendations together with conformity testing and confirmation for IT products
  • authorisation to query inventory data from providers of telco services to inform those affected about security vulnerabilities and attacks
  • authorisation to conduct port-scans and employ honeypots
  • competence to issue orders against telecommunications and telemedia providers to avert specific threats to IT security

The IT Security Act 2.0 is complemented by a new Regulation on Critical Infrastructures (Zweite Verordnung zur Änderung der BSI-Kritisverordnung) which will enter into force on 1 January 2022, which amends several existing sectors by introducing new critical infrastructure types. At the same time, thresholds for existing infrastructures are lowered, meaning that more infrastructures are encompassed as critical. Accordingly, similar to the Commission’s NIS 2.0 Proposal, not only are new sectors added, but several existing sectors are also amended.