
KRITIS

The IT Security Act 2.0 extends the protection of critical infrastructures (KRITIS) to include municipal waste disposal and companies of particular public interest. It lowers the thresholds so that more organisations are obliged to increase their IT security, in particular those whose services reach more than 500,000 people.


The new IT Security Act 2.0

In a digitally networked world, a secure IT infrastructure is more important than ever. Companies classified as "critical infrastructures" (KRITIS) are considered particularly worthy of protection: if a KRITIS operator's services fail, the result can be long-term supply bottlenecks, and public safety can also be jeopardised.

Until recently, seven different sectors in Germany belonged to KRITIS, including, for example, the energy, water, food, telecommunications, healthcare and finance sectors. With the IT Security Act 2.0 (IT-SiG 2.0), the sector of municipal waste disposal and companies in the special public interest (UBI/UNBÖFI) have now been added.

By lowering the thresholds in the KRITIS Regulation, the IT-SiG 2.0 now requires significantly more organisations to take effective measures to increase their IT security. In principle, the aim is to cover all companies that supply more than 500,000 people with their services and products.

Target group

Companies that supply more than 500,000 people with their services and products and are active in the following sectors:

  • Energy
  • Water
  • Food and beverages
  • Telecommunications
  • Healthcare and finance
  • Municipal waste disposal
  • Companies in the special public interest (UBI/UNBÖFI)

The KRITIS Regulation 2021

The regulation on critical infrastructures (KRITIS) from the Federal Office for Information Security (BSI) supplements the IT Security Act, which has been in force since July 2015. Following the IT Security Act 2.0 in 2021, the government has now adopted BSI-KritisV 1.5 and brought it into force on 1 January. It specifies the provisions of the IT Security Act and defines thresholds, annexes and implementation requirements.

Companies whose figures lie close to these thresholds should check them at regular intervals for updates. The obligation to meet high IT security requirements must be fulfilled, and disruptions to IT systems must be reported directly to the BSI.

Deadlines due to the new KRITIS Regulation 1.5:

  • The new regulation came into force on 1 January 2022
  • New and old systems that exceed the (new) thresholds in 2021 must be registered by 1 April 2022 at the latest
  • Implementation of cyber security measures in accordance with Section 8a BSIG by 1 April 2022
  • Proof of implementation through KRITIS audits by 1 April 2024 at the latest

The KRITIS sector of municipal waste disposal and the UBI/UNBÖFI will be defined in a separate KRITIS Regulation 2.0 and a UBI Regulation in 2022.

New Requirements for KRITIS Operators

The BSI requires operators of critical infrastructure to meet certain requirements. Here is an overview of the measures to be implemented:

Companies must register with the BSI and designate a contact point immediately upon being identified as a KRITIS operator. The BSI may register operators as critical infrastructure on its own initiative and, in certain circumstances, request access to documents if they fail to comply with their registration obligation.

Under IT-SiG 2.0, intrusion detection systems (IDS; in the German text "Systeme zur Angriffserkennung", SzA) are now explicitly included among the technical and organisational security measures in KRITIS facilities. These systems must continuously and automatically collect and analyse appropriate parameters and characteristics from ongoing operations. They should be capable of continuously identifying and preventing threats and of providing for appropriate remedial measures in the event of incidents. This requirement can be met, for example, through a Security Operations Centre (SOC) or a Security Information and Event Management (SIEM) system.

The use of SzA will be mandatory from 1 May 2023 at the latest.

Operators of critical infrastructure and organisations of particular public interest are required, in the event of significant disruptions, to provide the BSI, upon request, with the information necessary to resolve the disruption.

Companies must report the use of critical components in certain sectors. The use of such components may be prohibited. According to Section 2 of the IT Security Act (IT-SiG), critical components are IT products whose failure would significantly impair the functioning of the system. These components are yet to be defined for the respective sectors.

Operators must compile an inventory of critical IT products in KRITIS facilities — including up-to-date information on manufacturers and product types. Until now, this requirement applied only to the telecommunications KRITIS sector.

The KRITIS protection objectives (availability, confidentiality, integrity and authenticity) must be defined on the basis of the operationally relevant components, incorporated into the risk assessment and taken into account throughout all processes. The impact on the operational capability of the critical infrastructure and the critical service should serve as a guide to the extent of the risk to the general public. 

If security measures are feasible and appropriate according to the current state of the art, the operator must implement them. As a general rule, transferring risks – for example, to insurance companies – is not possible and is no substitute for security measures. A purely business-oriented risk assessment is generally insufficient.

In accordance with Section 8a(3) of the Federal Information Security Act (BSIG), operators of critical infrastructure must demonstrate to the Federal Office for Information Security (BSI) every two years, through security audits, that they have implemented appropriate measures and are complying with technical standards.

How can compliance with state-of-the-art measures be demonstrated?

The implementation of an Information Security Management System (ISMS) is mandatory for operators of critical infrastructures in order to implement the new security standards. An ISMS not only covers the company's IT security but also helps to optimise company processes and structures so that disruptions and risks to information security are reduced.

KRITIS operators can fulfil the requirements of the BSI, for example, through certification in accordance with ISO 27001 supplemented by the KRITIS protection goals under Section 8a BSIG.

Another way of providing evidence is to use an industry-specific security standard (B3S) recognised by the BSI, or the BSI's guidance document, as the basis for the audit.


Brochure KRITIS and the new IT Security Act 2.0

In our brochure, we provide you with initial information and share our experiences with implementation and certification.



On the safe side with TÜV NORD

As a reliable partner organisation, we support you in implementing and maintaining a functioning information security management system. With certification from us, your company fulfils the requirements set out in the IT Security Act and can also prove this to the outside world with a corresponding certificate.
