German Bundestag adopts IT Security Act 2.0 – update for companies

Background

On 7 May 2021 the German Bundesrat (upper house of the German parliament) endorsed [1] the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0 – "IT-SiG 2.0"), which the German Bundestag had adopted on 23 April 2021. Our initial blog on this subject (for a shortened version in English click here) outlined the content of the draft IT-SiG 2.0. This draft law as amended on 25 January 2021 (Bundestag printed paper (BT-Drucksache) 19/26106) has now passed through the Bundestag with the amendments proposed by the Committee on Internal Affairs and Community (BT-Drucksache 19/28844). 

We have set out below the key amendments to the IT-SiG 2.0 with the most practical relevance that have been adopted by the Bundestag.

Powers of the BSI

• The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – "BSI") has now been assigned the task of establishing binding minimum standards for IT security in consultation with the departments. [1]

• The BSI's powers to receive information on IT vulnerabilities and to notify affected IT manufacturers are expanded, and it is also clarified that the BSI is not entitled to refuse to accept information.[²]

Data protection

• The IT-SiG 2.0 simplifies the data protection requirements that apply to the BSI with regard to the processing of log data.

• Under sec. 5 para. 1 sentence 1 no. 1, para. 2 of the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – "BSIG"), which applies unchanged, the Federal Office may, in order to avert threats to federal communication technology, collect and analyse in an automated manner log data generated during the operation of federal communication technology, to the extent that this is necessary to identify, mitigate or remedy faults or defects in federal communication technology or attacks on federal information technology. The IT-SiG 2.0 extends the time limit for storing log data prescribed in the (still) current version of sec. 5 para. 2 BSIG beyond the period required for automated analysis from a maximum of three months to a maximum of 18 months.[3]

• However, the new law essentially retains the restriction that such a storage of data is permitted only if there are actual indications that, if a suspicion pursuant to sec. 5 para. 3 sentence 2 BSIG is confirmed, the data in question could be required in order to avert threats posed by the malicious program found or in order to identify and protect against other malicious programs.

Product-related rules

• The amendment of the IT-SiG 2.0 clarifies that the BSI is responsible for describing instead of authoring technical guidelines for IT security and that it should involve the key players (manufacturers, developers, business) in this process, while taking into account the international standards and norms.[4]

• Changes to the IT security mark (IT-Sicherheitskennzeichen) itself were not made in comparison with the version of the IT-SiG 2.0 dated 25 January 2021.[5] The IT security mark therefore still consists of two components: 1) the manufacturer's declaration and 2) updatable product safety information that can be called up on the BSI's website (via a link or QR code as an electronic product insert leaflet).

• However, in connection with the IT security mark, the IT-SiG 2.0  now provides more specifically for the BSI to determine, by way of a legal regulation, which norms, standards or IT security specifications the manufacturer is to comply with for a given product category in order to meet the IT security requirements that are expected to be the subject of the manufacturer's declaration.[6] If no such legal regulation exists, the manufacturer must adhere to the requirements in the Technical Guideline published by the BSI for the category in question.[7]

Inclusion of companies from the supply chain of the newly introduced "companies of particular public interest" category

• The government draft of the IT-SiG 2.0 had already created a new category of companies requiring special protection – so-called "companies of particular public interest". These include, for instance, companies in the defence industry and others with particular significance for the German economy. The Federal Interior Minister, Horst Seehofer, under whose remit the new law falls, cited German automotive manufacturers as an example during the debate on the draft.

• These companies are to be subject to a similar regime of protection and obligations as critical infrastructures; this regime consists, among other things, of registration, a voluntary declaration every two years, including IT certifications, audits and safeguards as well as the reporting of disruptions, and the disclosure of related information, without undue delay.

• In addition, firms from the supply chain of these companies of particular public interest are now to be included for the first time.[8] Such companies in the supply chain are also to be deemed companies of particular public interest if "as suppliers, they are of material significance to such companies due to their unique selling points". According to the reasons given by the Committee on Internal Affairs, which is responsible for this amendment, those suppliers are to be included that "have an influence on value creation at the largest companies, for example because any failure to supply their products or to provide their services could also prevent value creation at the largest companies". [9]

• As a result, particularly successful and important suppliers of the companies that are of most significance to the German economy will, in future, have to meet and document much stricter IT security requirements and to report to the BSI.

Critical components

• One of the main reforms under the IT-SiG 2.0 is that the BMI can prohibit the use of so-called critical components "if the use is expected to undermine public order or security in the Federal Republic of Germany". [10] In particular, it is important to examine whether a manufacturer of critical components is controlled by the government of another country or already is/has been involved in activities that adversely affect public order or security in the Federal Republic of Germany or another EU member state. [11] This reform takes into account one of the core requirements of the EU 5G Toolbox[12] adopted by the European Commission regarding the handling of 5G cybersecurity risks. [13]

• Furthermore, the IT-SiG 2.0 defines in more detail the requirements of the so-called guarantee declaration that manufacturers of critical components are to be obliged to issue to the BSI.[14]

• The BMI now also has more time to assess whether to potentially prohibit the first-time use of critical components (ex ante prohibition) The draft law as amended on 23 April 2021 provides for two months or the option of an additional four-month extension if "the assessment poses particular difficulties of a factual or legal nature".[15]

Outlook

Contrary to the recommendation of the responsible Committee for Internal Affairs, the Bundesrat adopted the bill and did not call on a Mediation Committee. In the next step, therefore, the law will be executed, i.e. signed, and promulgated in the Federal Law Gazette (Bundesgesetzblatt). Nonetheless, further changes in the law governing IT security are on the cards: for example, the new Cybersecurity Strategy for the EU[17] is expected to be implemented shortly, in particular in the form of a Directive on measures for a high common level of cybersecurity across the EU[18] and a new Directive on the resilience of critical entities[19].

Authored by Nicole Böck, Martin Strauch, David Bamberg, and Jakob Theurer.