The German IT Security Act 2.0 comes into force – Overview of the most significant changes to the BSI Act

Natallia Karniyevich

Due to the tightened IT security obligations and increased penalties, the numerous amendments to Germany's central IT security law – the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSI-Gesetz), "BSI Act") – are relevant not only for the operators of critical infrastructure already covered by the BSI Act, but also for (i) companies active in the area of municipal waste disposal, (ii) manufacturers of IT products used in critical infrastructures, and (iii) the so-called companies in the special public interest.

Who is affected by the amendments to the BSI Act?

The extended scope of application of the BSI Act is one of the main changes brought about by the IT Security Act 2.0:

No. 1. manufacture or develop goods pursuant to Section 60 para. 1 nos. 1 and 3 of the German Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung (AWV)) (defence manufacturers as well as manufacturers of IT products for the processing of classified state information)

No. 2. in terms of their domestic value-added, are among the largest companies in Germany and are therefore of considerable economic importance for the Federal Republic of Germany, or which are of essential significance to such companies as suppliers because of their unique selling propositions (which companies are to fall under this category will be specified – as in the case of critical infrastructures – by means of an ordinance) or

No. 3. are operators of an upper-tier establishment within the meaning of the Hazardous Incident Ordinance (Störfall-Verordnung) or are equivalent to such operators pursuant to Article 1 para. 2 of the Hazardous Incident Ordinance.

What new IT security obligations are going to be introduced?

The IT Security Act 2.0 supplements the obligations already existing under the BSI Act and introduces new obligations:

Based on the notification described above and the guarantee declaration, the BMI carries out an ex-ante and an ex-post examination with regard to the use of critical components. In agreement with the relevant ministries listed in the BSI Act and the Federal Foreign Office, it can prohibit the planned initial or further use of a critical component vis-à-vis the operator of the critical infrastructure, or issue orders, "if the (further) use is likely to impair the public order or security of the Federal Republic of Germany". It must be pointed out that the prohibition of the further use of a critical component of a manufacturer can have further consequences for the manufacturer.

2.) In accordance with the above-described obligation of the operators of critical infrastructures to use critical components only from those manufacturers who have issued a declaration of their trustworthiness to the operator of the critical infrastructure, the manufacturers will (have to) issue corresponding guarantee declarations vis-à-vis the operator of the critical infrastructure about the entire supply chain.

3.) The obligations applicable to operators of critical infrastructures are to be extended in a slightly modified form to further economic sectors, the companies in the special public interest. The obligations of companies in the special public interest differ depending on the category to which such a company belongs: the obligations to be imposed on companies subject to regulation under the Hazardous Incident Ordinance are less extensive than those of defence manufacturers, manufacturers of IT products for the processing of classified state information, and companies which, based on their domestic value-added, are among the largest companies in Germany and are therefore of considerable economic importance for the Federal Republic of Germany, or which are of essential significance to such companies as suppliers because of their unique selling propositions.

What are the possible consequences of violating IT security obligations due to the amendments to the BSI Act?

The catalogue of provisions on fines has been completely revised: the offences subject to fines have been specified more precisely to improve enforcement, especially of obligations to provide information and evidence, and have been considerably expanded in line with the newly introduced obligations described above.

For example, an administrative offence was introduced for those operators of critical infrastructures who do not ensure that the contact point to be designated can be reached at all times or – in the case of qualification as a company in the special public interest pursuant to Section 2 para. 14 sentence 1 nos. 1 and 2 of the BSI Act – do not submit a self-declaration, do not submit it correctly, do not submit it completely or do not submit it on time.

The fines themselves were drastically increased to achieve a steering effect, as stated in the reasoning of the law. Instead of the fines of up to 100,000 EUR or up to 50,000 EUR possible under the previous BSI Act, administrative offences can now – depending on the case – be punished with a fine of (i) up to 2,000,000 EUR, (ii) up to 1,000,000 EUR, (iii) up to 500,000 EUR or (iv) up to 100,000 EUR.

What new tasks will be assigned to the BSI?

What changes with the introduction of the voluntary IT security mark?

The BSI's existing authority under the BSI Act to warn and advise users of products in the area of information technology security is supplemented by the new regulation on a voluntary IT security mark. The IT security mark is affixed as a label on the respective product or on its outer packaging (if this is possible according to the nature of the product) or is published electronically and is intended to give consumers orientation regarding the IT security of products and services in the IT sector.


The IT security mark does not make any statement about the data protection properties of a product and may only be used for a product if the BSI has approved the IT security mark for this product. Approval is granted upon application by the manufacturer if the requirements specified in the BSI Act in connection with the IT security mark are met and is only granted for products in the categories for which the BSI has already introduced the IT security mark by public announcement.

Outlook

The IT Security Act 2.0 imposes a number of new and far-reaching obligations on operators of critical infrastructures, which require careful planning and timely implementation. When assessing when and how to implement the new requirements, current developments in the European Union must also be considered – the Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) is currently being revised.

According to the Proposal for a Directive on measures for a high common level of cybersecurity across the EU (so-called NIS 2 Directive) published on 16 December 2020, in particular, the list of sectors and activities subject to cybersecurity obligations is to be expanded, and the statutory security and reporting obligations are to be harmonised to a greater extent. Both sets of regulations contain similar and related requirements for IT security. A coordinated implementation taking into account existing and planned future requirements can significantly limit the (financial) effort. In addition, at the national level, the ordinance for the determination of critical infrastructures is currently being further developed – according to the current draft, in particular, new definitions and thresholds for critical infrastructures are to be introduced.