IT Security Act 2.0 – What Will Change for Businesses

While implementation of the NIS Directive is underway in the European Union, German lawmakers have been working on the next challenge for operators of critical infrastructure: the IT Security Act 2.0.

The Act on Enhancing the Security of Information Technology Systems, also known as the IT Security Act, has been in effect since July 2015. With this legislation, the German regulator also meets the requirements of the European NIS Directive. The purpose of the law is to make the IT systems and digital infrastructures of operators of critical infrastructure (KRITIS) in Germany more secure in order to ensure sustainable availability and security. A noble endeavor, yet one that is also urgently needed in light of the rapidly increasing digitization of everyday processes.

Since then, IT security management systems have been implemented not only in federal administrations but, above all, in infrastructure operators such as electricity and water utilities, financial institutions, and hospitals, in order to demonstrate compliance with the law by the deadline of June 30, 2019, at the latest.

Now, the scope of the German IT Security Act is to be expanded and its obligations supplemented. In May 2020, the German Federal Ministry of the Interior, Building, and Community (BMI) published a new draft that further revises the March 2019 draft. Nevertheless, the draft of the IT Security Act 2.0 remains highly controversial among experts.

I discussed exactly what companies can expect from the IT Security Act 2.0 (IT-SiG 2.0) and which changes experts view so critically with Erik Rusek, Senior Manager and expert on IT security management at PwC Austria.

Mr. Rusek, the IT Security Act is set to be revised again after just five years. Was “IT-SiG 1.0” flawed, or why is there a need for an IT-SiG 2.0?

IT-SiG 1.0 was the first step in the right direction. Since then, areas in need of improvement have been identified and incorporated into IT-SiG 2.0. These include, among other things, expanding the scope of affected companies and sectors, requiring a declaration of trustworthiness for the use of IT systems relevant to critical infrastructure, and expanding the authorities’ powers.

A key objective and significant innovation is the so-called holistic approach, which focuses not on individual components but on the entirety of an organization’s interconnected components.

The planned reporting requirement for the use of critical components is controversial: under it, operators of critical infrastructure must report these components to the Federal Ministry of the Interior, Building, and Community.

In addition, penalties have been significantly increased to underscore the importance of the matter.

A holistic approach to IT security makes sense for companies, government agencies, and citizens alike. What changes can be expected in IT-SiG 2.0 based on the current draft from May 2020?

There are a number of changes: For instance, the aforementioned holistic approach enables a more comprehensive assessment and extends coverage to networked systems that may have vulnerabilities capable of impacting the operation of critical infrastructure.

Another change is the requirement for a declaration of trustworthiness from manufacturers of components used in the operation of critical infrastructure. These components must meet minimum standards set by the Federal Office for Information Security (BSI). If a manufacturer of a critical component is not deemed trustworthy, the Federal Ministry may prohibit the use of components from that manufacturer under certain circumstances, such as to safeguard national security interests.

Furthermore, the current draft law specifically calls for the introduction of systems and processes to detect and handle attacks or attempted attacks, such as a Security Incident & Event Management (SIEM) solution. Until now, such detection systems were only required implicitly.

The BSI’s responsibilities are also being expanded. For example, consumer protection in the area of information security is defined as an additional task for the BSI. The BSI will also introduce the IT security label to make the IT security of products visible and will collaborate more closely with security authorities.

This sounds very much like significantly more companies will need to give serious thought to information security management. Which industries will the future IT-SiG 2.0 particularly affect?

The sectors remain largely the same, with waste management being defined as a new critical sector. Specifically, according to the current draft, the law applies to energy, water, information technology and telecommunications, food, health, finance and insurance, transport and traffic, as well as the new sector of waste management.

Another new feature is the definition of infrastructures of particular public interest, such as defense contractors.

Specifically, it will only be possible to say exactly which sectors and organizations are included once the IT-SiG is finalized. Until then, changes may still be made as the draft is revised.

And what are the risks if a company cannot demonstrate compliance with the IT-SiG 2.0?

Regarding fines for violations, the framework is based on the GDPR and sets maximum penalties of 20 million euros or four percent of the global annual turnover achieved in the previous fiscal year—whichever amount is higher.

The amount of individual fines will, of course, be determined on a case-by-case basis and depending on the severity of the violation. It therefore remains to be seen how high the fines will actually be.

What about regulatory requirements for IT security in Austria?

In Austria, the European NIS Directive (Network and Information Security) has been implemented through the Network and Information Security Act (NISG) and the Network and Information Security Regulation (NISV). The NISG governs the general implementation of the EU Directive. The NISV specifies the sector-specific obligations of individual KRITIS organizations.

Should we expect changes here as well?

In principle, future adaptations and updates cannot be ruled out. The regulation, which governs the obligations of individual operators of critical infrastructure depending on their sector, entered into force in July 2019. The focus is therefore initially on the implementation of the measures by the individual KRITIS organizations.

Doesn’t this clearly make IT security an issue for CEOs and supervisory boards?

Definitely! Due to increasing connectivity and digitalization, as well as the constant rise in cybercrime, IT security is an essential component of every organization. Security incidents, encryption trojans, and data breaches in the recent past have shown that IT security is a challenge that all organizations must face and that must be addressed at the highest management level. Ultimately, this responsibility falls to top management.

Last but not least, the most important question: When will the law be enacted, and what recommendations do you have for those subject to IT-SiG 2.0 regarding when and how they should address the issue of IT security?

The current version is a preliminary draft. It is not yet possible to say with certainty exactly when the final version will ultimately come into effect.

Regardless, all organizations in the potentially affected sectors should already be familiarizing themselves with the contents of the draft, as it already defines requirements for the respective security strategies and sets clear objectives. Any organization that begins implementing these requirements now—such as the requirement for detecting attack attempts—will not only create significant added value for its own cybersecurity but also gain a head start in terms of the IT-SiG 2.0 implementation deadline.

Thank you very much, Mr. Rusek, for the insightful interview on this very important topic!

(The interview was conducted by Dr. Jana Beez, Business Coach at DATAREALITY VENTURES)

Akarion also offers a module for Information Security Management (ISMS) in the Akarion GRC Cloud to enable the maintenance of tamper-proof evidence of compliance with legal requirements.

With the Akarion GRC Cloud, business processes, assets, and information assets can be intuitively defined while taking client segregation into account, and corresponding risks and protection requirements can be established. This allows you to create a protection requirement and risk analysis tailored to your company or organization and to implement any necessary measures. As a result, you will have evidence of compliance with legal requirements, such as those specified by the IT Security Act for Critical Infrastructure.

In addition, with Akarion’s ISMS, you can also individually document compliance with other regulations, such as BSI standards and ISO 27001, and store the complete documentation history in a tamper-proof and thus audit-proof manner. You can create evidence quickly and easily, for example in the form of a report on information security management.

We would be happy to introduce you to our ISMS in the Akarion GRC Cloud and support you with our technology in implementing your information security management system: Please get in touch with us!
