Amendment to the BSI KRITIS Regulation: Additional companies obliged to protect their IT

The security and reporting requirements introduced by the German IT Security Act now also apply to companies on the health, finance and insurance, and transportation sectors.

On May 31, 2017, the Federal Government approved the First Amendment the BSI KRITIS Regulation submitted by the Federal Ministry of the Interior. The amendment is expected to enter into force in June 2017. For the first time, the BSI KRITIS Regulation will then also establish the thresholds for qualifying as critical infrastructure in the health, finance and insurance, and transportation sectors.

If a company meets the criteria of the BSI KRITIS Regulation, it needs to designate a contact point to the Federal Office for Information Security (BSI) within six months and must in the future report significant disruptions to its systems, components, and processes. As an operator of a critical infrastructure, it is also obligated to take technical and organizational measures to adequately protect its information technology systems within two years and to provide regular evidence of said protection.

The amendment to the BSI KRITIS Regulation is the final step towards full implementation of the IT Security Act, which entered into force in 2015. For operators of critical infrastructures in the energy, IT and telecommunications, water, and food sectors, the reporting and security requirements have already been in force since May 2016.