IT Security Act 2.0
One year after the German Ministry of the Interior, Building and Community (BMI) published its first draft of the “IT Security Act 2.0” for discussion with other government departments in Germany, the BMI’s revised draft bill has recently been leaked on the internet.
The revised draft contains several modifications and provides further regulatory detail. The key objectives of the IT Security Act 2.0, however, remain unchanged: expanding mandatory IT security obligations in Germany, and equipping the BSI with additional powers to this end. In this article, I give a brief summary of some of the most significant aspects of the redraft.
A short recap to give context: Under the current BSI Act (BSIG), operators of critical infrastructures (KRITIS) must establish and demonstrate a minimum standard of IT security, report IT security incidents, and cooperate with the BSI as required. To a somewhat lesser degree, the BSIG also puts providers of digital services under certain IT security obligations.
According to the BMI’s revised draft of the IT Security Act 2.0, the scope of the IT security obligations under the BSIG and the responsibilities of the BSI are to be broadened in several ways:
Critical Infrastructures (KRITIS)
- The IT security obligations for operators of KRITIS will be tightened. For instance, the draft provides that KRITIS have to implement state-of-the-art systems to detect attacks on their IT, and must provide the BSI with a list of all hardware and software products relevant to the functioning of the KRITIS at hand.
- Operators of KRITIS will also be given additional rights to process personal data in order to improve their IT security, e.g. by verifying the trustworthiness of their employees.
Infrastructures in the special public interest
- The revised draft envisages operators of ‘infrastructures in the special public interest’ as new norm addressees of the BSIG. This includes regulated companies in the defense sector, regulated companies in the area of hazardous materials, and other companies that are of special public interest. The BSI is to provide further criteria for such companies.
- According to the revised draft bill, operators of infrastructure in the special public interest will be put under the obligation to report certain IT security incidents to the BSI. Certain operators will also have to provide the BSI with an IT security concept.
- Through the revised draft of the IT Security Act 2.0, provisions related to “critical components” will be introduced in the BSIG, which adds a new layer to the concept of IT security regulation. The term describes software and hardware products that are used by KRITIS and whose lack of availability, authenticity, or confidentiality could lead to an outage or to disruptions of the proper functioning of the KRITIS.
- Critical components that are subject to mandatory certification may only be used by KRITIS if the software/hardware manufacturer concerned has provided a ‘declaration of trustworthiness’, which must also cover the entire supply chain of the manufacturer. The details of such a declaration are yet to be defined by the BSI.
Additional Powers of the BSI
- The BSI will be entitled to prohibit the use of critical components from manufacturers that are not considered trustworthy, e.g. where the manufacturer has violated its declaration of trustworthiness or implemented a backdoor in its product.
- The revised draft also emphasizes the BSI’s authority to examine “publicly accessible information technology systems” for malware and security gaps, and to demand any information from the manufacturers it deems necessary for this purpose. The BSI will be entitled to forward any information received from manufacturers to other government authorities.
- The fines for breaches of the IT security obligations will be substantially increased. The revised draft bill provides for fines of up to EUR 20,000,000.00 or 4% of the company’s annual revenue. Other infringements are still set to be punishable by a maximum fine of EUR 10,000,000.00 or 2% of the company’s annual revenue.
When and in what form the BMI’s revised draft will be submitted to the formal legislative procedure remains open. Timing and next steps will largely depend on the comments and statements by companies and industry associations that are collected over the summer. In any case, the revised draft is not expected to be discussed in the German Parliament before fall/winter 2020 at the earliest.