
      In January 2021, the Federal Government forwarded the "Draft of a Second Act to Increase the Security of Information Technology Systems", the so-called "IT Security Act 2.0", to the Federal Council for further consultation. The draft was labelled as "particularly urgent". It is intended to emphasise the great importance of information and cyber security in Germany and, among other things, regulate the protection of the federal administration, critical infrastructures (KRITIS) and companies in the special public interest. According to the Federal Minister of the Interior, "We have done a lot against terrorism in recent years. We must do just as much to prevent hackers and spies from hijacking the control centres of our hospitals or energy suppliers."

      Under current law, critical infrastructures as defined by the German Federal Office for Information Security Act (BSI Act, BSIG), which has been expanded and adapted by the current IT Security Act, must take appropriate organisational and technical precautions to prevent disruptions to their information technology systems, components or processes. This concerns availability, integrity, authenticity and confidentiality, which are essential for the functionality of the critical infrastructures they operate. The critical infrastructures currently regulated in the BSIG include facilities, systems or parts thereof that

      • belong to the energy, information technology and telecommunications, transport and traffic, health, water, food, finance and insurance sectors and
      • are of great importance for the functioning of the community because their failure or impairment would result in significant supply bottlenecks or threats to public safety.

      The operators of critical infrastructures must provide evidence of compliance with the requirements for appropriate organisational and technical precautions at least every two years. They must also report the following immediately to the Federal Office for Information Security via the contact point:

      • disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that have led to a failure or significant impairment of the functionality of the critical infrastructures they operate, as well as
      • significant disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that could lead to a failure or significant impairment of the functionality of the critical infrastructures they operate.

      Failure to take action or report is subject to a fine.

      Extended target group

      The IT Security Act 2.0 has a much broader scope of application. According to the draft, companies in the special public interest are also required to submit a self-declaration on IT security to the Federal Office, initially and then at least every two years, stating

      • which IT security certifications have been carried out in the last two years and which test basis and scope have been defined for these,
      • which other security audits or tests in the area of IT security have been carried out in the last two years and which test basis and scope have been defined for these, or
      • how it is ensured that the IT systems, components and processes particularly worthy of protection for the company are adequately protected and whether the state of the art is complied with.

      Companies in the special public interest are not themselves operators of critical infrastructures. They are instead companies that

      • manufacture or develop certain goods in accordance with the Foreign Trade and Payments Ordinance, e.g. defence manufacturers or manufacturers of IT products for processing classified government information;
      • are among the largest companies in Germany in terms of their domestic value added[1] and are therefore of considerable economic importance for the Federal Republic of Germany, or
      • are operators of an upper-tier establishment within the meaning of the Hazardous Incident Ordinance as amended or are equivalent to these. This includes companies in which certain hazardous substances are processed.

      They are obliged to register with the Federal Office at the same time as submitting the first self-declaration on IT security and to designate an office that can be contacted during normal business hours. Similar to critical infrastructures, they must report to the Federal Office any disruptions to the availability, integrity, authenticity and confidentiality of their IT systems, components or processes that have led to an incident in accordance with the Hazardous Incident Ordinance as amended or could lead to significant disruptions.

      The explanatory memorandum to the law deliberately refers not only to cyber attacks, but also to the aforementioned (significant) disruptions in general. A disruption within the meaning of the BSI Act therefore exists if the technology used can no longer fulfil its intended function correctly or completely or if an attempt has been made to influence it accordingly. This also includes cases of security vulnerabilities, malware (without anyone actively trying to exploit them) and attacks on information technology security that have been carried out, attempted or successfully defended against, as well as unusual and unexpected IT-related technical defects (e.g. following software updates or a server cooling failure).

      The provisions on fines have been significantly increased (from EUR 50,000 to EUR 500,000), e.g. for failing to report a malfunction, but remain below the limits of the GDPR.

      New requirements for KRITIS companies

      The regulation on the obligation to notify and the possible prohibition of the operation of critical components is completely new. According to this, the operator of the critical infrastructure must notify the Federal Ministry of the Interior, Building and Community of the use of critical components prior to deployment.

      Critical components in this sense are IT products that

      • are used in critical infrastructures,
      • are of great importance for the functioning of the community because disruptions to the availability, integrity, authenticity and confidentiality of these IT products can lead to a failure or to a significant impairment of the functionality of critical infrastructures or to threats to public security and
      • are designated as a critical component on the basis of a law or realise a function designated as critical on the basis of a law.

      They may only be used if the manufacturer has issued a declaration of trustworthiness to the operator of the critical infrastructure (guarantee declaration). This declaration covers the manufacturer's entire supply chain. The guarantee declaration must state whether and how the manufacturer can reasonably ensure that the critical component does not have any technical properties that could be misused, in particular for the purposes of sabotage, espionage or terrorism, to affect the security, integrity, availability or functionality of the critical infrastructure. It must also cover possible risks and breaches of certain duties to act arising from the manufacturer's organisational structures or other possible legal obligations. The Federal Ministry of the Interior, Building and Community will determine the exact content of the guarantee declaration by means of a general ruling.

      The Federal Ministry of the Interior, Building and Community may prohibit the use of a critical component vis-à-vis the operator of the critical infrastructure or issue orders if overriding public interests, in particular security policy interests of the Federal Republic of Germany, conflict with its use. It can also prohibit the further operation of a critical component vis-à-vis the operator or issue orders if the manufacturer of the critical component has proven to be untrustworthy. This is the case if

      • it has violated the obligations and assurances given in the guarantee declaration,
      • the facts stated in the guarantee declaration are untrue,
      • it does not support security checks and penetration analyses on its product and in the production environment to the required extent in an appropriate manner,
      • it does not immediately report known or discovered vulnerabilities or manipulations to the operator of the critical infrastructure and rectify them, or
      • the critical component has or has had technical properties that are or were capable of improperly affecting the security, integrity, availability or functionality of the critical infrastructure.

      In addition, the use of other critical components of the same type or all critical components of the manufacturer may be prohibited.

      It should be noted that the obligations arising from the guarantee declaration do not relate solely to the time of installation. They must be complied with continuously, i.e. also during the operation of the components. This requires a continuous assessment of reliability.

      Consider third-party risks

      The requirement for the critical infrastructure operator to notify critical components and to obtain a manufacturer's guarantee declaration covering the entire supply chain entails extended preventive measures. For example, the operator of the critical infrastructure will have to subject the manufacturer of the critical component(s) it uses to an extended risk analysis. This must take into account not only aspects such as availability, integrity, authenticity and confidentiality, but also vulnerability to sabotage, espionage or terrorism. Otherwise, the operator would run the risk of the authorities prohibiting the use of the critical component, which could jeopardise its business model. It is therefore important to introduce appropriate risk analyses and to flank them with the corresponding processes and controls.

      In addition to the component itself, the manufacturer of the critical component will also have to undergo a risk analysis (integrity due diligence) focussing on sabotage, espionage and terrorism risks with regard to the question of trustworthiness. The same applies to the other parties and components involved in the supply chain. This can entail an effort that should not be underestimated and represents a new dimension of risk assessment. It is also important to bear in mind that not only does the state of the art regarding the risk exposure of components evolve, but the assessment of the integrity of manufacturers and suppliers is also subject to change. In both cases, continuous monitoring and regular review of the risk assessment, with any necessary adjustments to security measures, must be carried out.

      Recommendations for action

      The draft bill still has to go through the legislative process. Companies should check for themselves whether they belong to the critical infrastructures or to the companies in the special public interest and prepare for the corresponding technical and organisational measures as well as the notification and reporting obligations. Critical infrastructures should analyse the supply chain of their critical components. They should already create the conditions for the corresponding risk analyses, integrity due diligence and the associated processes, controls and responsibilities.

      Do you have any questions? Our forensic and cyber specialists will be happy to support you with all questions and measures relating to the IT Security Act 2.0.
