Find out today what the legal world will be talking about tomorrow.
IT Security Act 2.0 in the German Bundestag - what's new?
In January 2021, the German government submitted its draft for the ‘Second Act to increase the security of Information Technology Systems’ (IT Security Act 2.0) to the German Bundestag for consultation. Following fierce criticism of the draft bill from May 2020 from the business community and the political discussion about the development of the 5G infrastructure in Germany, the draft law has been amended again. It can currently be assumed that the Bundestag will in the near future pass the IT Security Act 2.0 in the version submitted. The statement of the Bundesrat has been available since February 12, 2021.
In addition to around 1,500 new posts in various ministries of the federal administration, the draft Act primarily provides for amendments to the BSIG. In particular, the category of companies in the special public interest establishes additional addressees of the BSIG. Furthermore, the BSIG will also regulate the use of critical components in the future and give the BSI the option of prohibiting the use of critical core components from untrusted manufacturers. Also new is the voluntary IT security mark.
We briefly summarize what you need to know for these three keywords below:
Companies in special public interest
In addition to the “critical infrastructures” and “digital services” that are already regulated, “companies in the special public interest” will also be directly obligated by the BSIG in the future. Companies in the special public interest are:
- Companies that manufacture or develop goods within the meaning of Section 60 (1) No. 1, 3 AWV;
- Companies that are among the largest companies in Germany in terms of their domestic value and therefore are of considerable economic importance. The relevant key figures will be specified separately by the BSI by statutory order; and
- Companies that are operators of an operating right of the upper class of the Major Accidents Ordinance or equivalent to them.
Companies as defined in numbers 1 and 2 must register with the BSI, designate an office that can be reached by the BSI, and submit a self-declaration on IT security to the BSI every two years. For companies as defined by number 3, this is optional in each case.
In addition, companies in the special public interest must report significant disruptions to their systems, components, and processes with an impact on their value creation to the BSI.
Another new aspect is the regulation of critical components by the amended BSIG, which has been publicly discussed especially in the context of the 5G infrastructure.
The term “critical components” describes - in highly abbreviated form - software and hardware that is used for core functions of a critical infrastructure (CRITIS) and which has either been designated as a critical component by law or implements a function designated as critical by law.
The regulation of critical components thus primarily affects CRITIS operators. In the future, critical components may only be used if the manufacturer of the component has issued a warranty declaration to the CRITIS operator. This must also state whether and how the manufacturer sufficiently ensures that the critical components do not have any technical properties that could improperly affect the security, integrity, availability or functionality of the CRITIS. The BMI specifies the requirements for the warranty statement separately.
In addition, the BSI will in future have the authority to prohibit the use of critical components and, in individual cases, even the operation of the critical infrastructure itself if the manufacturer of the components has proven to be untrustworthy. Indirectly, the regulation of critical components thus also has a substantial impact on manufacturers of critical components.
IT security mark
To improve consumer information on IT product security, the IT Security Act 2.0 introduces a uniform IT security mark for product categories to be defined separately by the BSI.
Manufacturers or suppliers of products in these categories can apply to the BSI for approval to use the IT security mark. If the BSI grants the requested approval, the manufacturer can use the mark for the product by affixing the IT security mark to the product or publishing it electronically.
The label consists of an assurance from the manufacturer that the product meets certain IT security requirements (manufacturer's declaration) and information from the BSI about security-relevant IT properties of the product (security information). The label of the IT security mark refers to a website where the manufacturer's declaration and security information for the product can be accessed.
The IT security mark is voluntary. The IT security mark is not a prerequisite for the sale of products in Germany, nor does the IT Security Act 2.0 expressly provide for a legal effect of the IT security mark vis-à-vis consumers. Indirectly, the mark may nevertheless be binding, for example as part of the contractually owed quality of the product.