IT Security Act 2.0 – more appearance than substance?

For three years now, the Federal Government has been discussing a new IT Security Act. In December 2020, a draft of an IT Security Act 2.0 was finally passed by the Cabinet and subsequently introduced into the parliamentary procedure. Whether the new draft will be approved, however, is more than questionable, as its contents have repeatedly been subject to sharp criticism.


Progress so far

The first IT Security Act was passed in 2015. The aim of the law was to improve IT security in companies and public administration and to protect citizens on the internet. The law provided for comprehensive changes to the previously applicable regulations on IT security, in particular the strengthening of the Federal Office for Information Security (BSI) and new obligations for the operators of critical infrastructures (KRITIS). In 2016, the European initiative to improve the IT security standard followed in the form of the so-called NIS Directive. It was the first project on IT security at European level. As it is a Directive, it had to be transposed into national law, which was achieved in Germany by the NIS Implementation Act of 2017.

For three years now, the IT Security Act 2.0 has been under discussion; it is intended to modernise the security measures already taken. In July 2020, a first draft was leaked. In addition to new powers for the BSI, the framework for fines was also to be aligned with the General Data Protection Regulation (GDPR). In December, the Federal Ministry of the Interior (BMI) then published a second draft, which was approved by the Cabinet. The second draft retains some points of the first draft but abandons many of its original approaches.


Overview of essential changes

1. Extension of the powers of the BSI

The focus of the IT Security Act 2.0 is the BSI. In addition to making already existing authorisations more concrete, the new draft law is to establish the BSI as an independent advisory, standardisation and certification body.

In addition, the authority’s powers will be expanded. The BSI will now be able to take active action against cyber attacks. This also includes the power to aggressively penetrate third-party IT systems, which is why some refer to the BSI, with the new powers under the IT Security Act 2.0, as a “hacker authority”. In this respect, the provisions of the first draft bill remain in place for the time being.

2. Expansion of the KRITIS concept

In addition to the previously known KRITIS sectors, municipal waste management is now to be included. Furthermore, “public interest entities” are not to be KRITIS in the strict sense, but they are to be treated as such. These are enterprises that manufacture or develop goods pursuant to section 60, paragraph 1, nos. 1 and 3 of the Foreign Trade and Payments Ordinance (AWV) – i.e. essentially armaments –, are among the largest enterprises in Germany in terms of their domestic value added, or are operators of an upper-tier establishment within the meaning of the Hazardous Incident Ordinance (Störfall-Verordnung, StöV) or are deemed equivalent to such pursuant to section 1, paragraph 2 of the StöV (Section 2 para. 14 BSIG-E). The aforementioned companies are thus subject to the same obligations as an original KRITIS company.

In addition to the companies already mentioned, manufacturers of so-called critical components are also to be held accountable. Critical components are IT products that are used in critical infrastructures and are of high importance for the functioning of the community (Section 2 para. 13 BSIG-E). Before such a component may be installed, the manufacturer must submit a guarantee declaration and the use of the component must be notified to the BMI. Among other things, the guarantee declaration must state how the manufacturer ensures that the critical component will not be misused for espionage purposes. The Federal Ministry of the Interior may prohibit the use of critical components.

The obligations of KRITIS operators are also expanded. According to Section 8a para. 1a BSIG-E, they must deploy systems for attack detection. In addition, there is to be an obligation pursuant to Section 8a para. 3 sentence 1 BSIG-E to provide evidence of compliance with the requirements of paragraphs 1 and 1a. Finally, a registration obligation for KRITIS operators will be established (Section 8b para. 3 BSIG-E).

3. Consumer protection

Consumer protection is also to be strengthened. This goal is to be achieved by means of an IT security label, which will be affixed to the IT product or its packaging. Through the IT security label, the consumer can access the information on the security features of a product that the BSI has provided. The IT security label is not obligatory; companies may apply for it voluntarily.

4. Adjustment of the fine scale

The first draft of the IT Security Act 2.0 still contained an alignment of the fines with the fine framework of the GDPR. This raised the maximum fine from 100,000 EUR to a maximum of 20 million EUR or 4% of worldwide annual turnover. A quite similar adjustment is also included in the current draft. The new catalogue of fines in Section 14 para. 5 BSIG-E provides for a maximum amount of EUR 2 million, which, however, increases to EUR 20 million if – as is likely to be the case in the vast majority of instances – the fine is imposed on a legal person or association of persons.


Criticism

The new draft IT Security Act has been strongly criticised from all sides. At the association hearing in March this year, representatives of important economic sectors criticised the new draft. For example, they said, consumer protection has fared badly, as a voluntary IT security label would not lead to increased IT security of products: products that do not meet the standard would simply not apply for a label.

The short decision-making period regarding critical components was also questioned in many quarters. The BMI is to be empowered to prohibit the use of critical components, but the decision period is only one month. Whether this is enough time for a thorough evaluation is questionable. Finally, the confusing structure of authorities around the BSI, which the new law would not improve, was criticised at the hearing.

It is also striking that the originally planned tightening of criminal law with regard to cybercrime has been dropped.

It remains to be seen whether the draft will be adopted by Parliament. Despite the partial weakening of the regulations compared to the first draft, it would represent a further step towards strengthening IT security in Germany.