New challenges for the digitization of Germany: what the IT Security Act 2.0 and the new KRITIS-Ordinance entail
Expanded group of addressees, additional obligations and impact on supply chains – an overview
Many companies that were previously not covered by the BSIG are soon required to comply with new and stricter requirements – without a grace period. The changes are presented here.
The effective date of the IT Security Act 2.0 is one step closer. With the resolution passed by the Federal Council (Bundesrat) on 7 May 2021, there are no longer any significant obstacles to the implementation of the amendments to the Federal Security Act (Bundessicherheitsgesetz, in the following “BSIG”); essentially, only the signature of the Federal President is missing. In addition, on 27 April 2021, the Federal Ministry of the Interior, for Building and Home Affairs (in the following “BMI”) published the consultation version of the “Second Ordinance Amending the BSI-Kritis-Ordinance” (in the following “Second KRITIS-Ordinance”) and sought comments from affected associations, specialist groups and the scientific community until 17 May 2021.
Expansion of the Target Group by the IT Security Act 2.0
The IT Security Act 2.0 adds the waste management sector to the group of potential operators of critical infrastructure alongside the energy, information technology and telecommunications, transport and traffic, health, water, food, and finance and insurance sectors.
Companies of special public interest are now also subject to the BSIG. However, such companies are not considered operators of critical infrastructure but are bound by their own additional obligations (see below). Companies of special public interest are, e.g.:
- Defense contractors (Sec. 1 (14) no. 1 IT Security Act 2.0, Sec. 60 (1) nos. 1 and 3 Foreign Trade and Payments Ordinance);
- Chemical companies (Sec. 1 (14) no. 3 IT Security Act 2.0, Sec. 1 (2) Major Accidents Ordinance); and
- Germany’s largest companies (Sec. 1 (14) no. 2 IT Security Act 2.0).
It is still unclear which economic indicators will be used to determine the largest companies. The BMI will define these key figures in a separate ordinance. Nevertheless, the largest listed companies in Germany should expect to fall within the scope of the IT Security Act 2.0.
Additional Expansion of the Target Group by the Second KRITIS-Ordinance
In addition, it is expected that the adaptation of the KRITIS-Ordinance will significantly expand the application of the BSIG. Generally, a company is only considered an operator of critical infrastructure if a facility of the company falls within the definition of a facility according to the KRITIS-Ordinance and reaches the thresholds provided for in the Annexes to the KRITIS-Ordinance. The Second KRITIS-Ordinance provides for the following:
- According to Sec. 1 no. 1 of the draft, not only business premises or machines and devices are to be considered as a “facility”, but also “software and IT-services that are necessary for the provision of a critical service”.
- The individual numerical thresholds for the facilities have been significantly lowered. As a result, considerably more companies will meet the threshold and will be considered operators of critical infrastructure in the future.
According to reports, the Second KRITIS-Ordinance will increase the number of operators of critical infrastructure from around 1,600 to approx. 1,870. This number will further increase in the course of another, foreseeable amendment of the KRITIS-Ordinance, as the Second KRITIS-Ordinance does not currently contain an annex for the waste management sector.
Expansion of Obligations for Companies
The IT Security Act 2.0 imposes a number of obligations on operators of critical infrastructure. Among other things, operators must:
- provide for minimum security standards for critical infrastructures (e.g., the use of intrusion detection systems in accordance with Sec. 8a IT Security Act 2.0);
- comply with security requirements for critical components (see below); and
- comply with information obligations and reporting requirements vis-à-vis the Federal Office for Information Security (in the following “BSI”) (e.g., list all IT products that are important for the functionality of critical infrastructures, report malfunctions).
The companies of special public interest also have to:
- register with the BSI and appoint a contact person for the BSI; and
- submit a self-declaration to the BSI regarding certifications, security audits and checks, and the safeguarding of IT systems, components and processes requiring special protection at least every two years as from the promulgation of the IT Security Act 2.0.
Supply chain comes into focus
A key amendment is the focus on critical components. Critical components are IT products that are
- used in critical infrastructures;
- important for the functionality of the community (as they ensure availability, integrity, authenticity and confidentiality of the critical infrastructures); and
- either designated as critical components by law or implement a critical function of a company.
Critical components may only be deployed if the BMI has been notified in advance, certification of the component is available, and the component manufacturer has provided a declaration of guarantee. The declaration of guarantee covers the manufacturer’s entire supply chain. Finally, the BMI can refuse both the initial use and the further use of critical components by an operator of critical infrastructure if public safety and order are likely to be impaired. Impairment is deemed to exist if, e.g., the government of a third country controls the manufacturer or the manufacturer does not comply with the obligation to provide a declaration of guarantee.
No more grace period: Time is pressing for implementation
For companies, the interaction of the IT Security Act 2.0 and the Second KRITIS-Ordinance may have far-reaching consequences in some cases. Whereas previously there was a transition period for implementing new requirements, companies must now comply with the requirements of the BSIG from the first working day on which they reach the thresholds of the Second KRITIS-Ordinance. This means that from the first day after the IT Security Act 2.0 and the Second KRITIS-Ordinance come into force, potential operators of critical infrastructure must comply with the requirements of the IT Security Act 2.0. If the requirements are not complied with, significant fines of up to 20 million euros may be imposed by the BSI.
Therefore, companies must now verify whether they fall within the scope of the IT Security Act 2.0 and the Second KRITIS-Ordinance. Expert advice and, if necessary, legal counsel should be sought in this regard.