IT Security Act 2.0: BMI draft bill

The powers of the Federal Office for Information Security (BSI) are to be expanded and reporting obligations for IT security incidents extended. The draft provides for fines modeled on the GDPR for violations of IT security obligations.

Photo credits: sdecoret - fotolia.com

At the end of March, the Federal Ministry of the Interior, Building and Community (BMI) introduced a draft bill for the “Second Act to Increase the Security of Information Technology Systems (IT Security Act 2.0)” for coordination by government departments. Following on from the IT Security Act, which entered into force in June 2015, and its amendment by the EU NIS Directive, the protection of information technology systems in public administration and the private sector is to be further improved.

For this purpose, the draft bill provides in particular for adaptations of the BSI Act, the Telemedia Act and the Telecommunications Act, as well as the introduction of new criminal offenses related to IT security. Some key aspects of the current draft are summarized below.

Expansion of IT security requirements and reporting obligations for security incidents

The obligations to comply with a minimum standard of IT security and to report IT security incidents are to be considerably extended. The draft bill defines additional KRITIS sectors and will also directly obligate suppliers of KRITIS operators by law in the future. The requirements for measures to protect information technology are also to be tightened, such as by requiring the use of systems to detect attacks.

New reporting obligation for providers of IT products

In addition, providers of IT products are also to be obligated to report to the BSI any significant malfunctions in their IT products that could lead to impairment of KRITIS systems or systems used for “infrastructures in the special public interest.” The draft further provides for new reporting obligations for manufacturers of “KRITIS core components.” An Ordinance will specify what those “KRITIS core components” are.

Additional powers of the BSI

The powers and tasks of BSI are to be expanded. The draft bill contains further powers of the BSI, such as the authority to check “publicly accessible information technology systems” for malware and security gaps, and provides for the introduction of an IT security label, the use of which the BSI may grant to providers of IT products. The IT security label is intended to provide consumers with relevant information on the security of an IT product.

Fines modeled on the GDPR

Finally, the framework for fines for breaches of IT security obligations is to be substantially increased. In particular, if companies fail to comply with enforceable BSI orders on IT security, the draft bill provides for fines of up to EUR 20,000,000.00 or 4% of the company’s annual revenue. Other infringements are still set to be punishable by a maximum fine of EUR 10,000,000.00 or 2% of the company's annual revenue.

Practical tip:

The BMI draft bill is at an early stage. Whether and in what form the draft will be submitted to formal legislative procedure will also largely depend on comments and statements by companies and industry associations. It is further unclear how the draft will fit into ENISA’s regulatory competence, as resolved by the Cybersecurity Act in March.