The countdown is on: By May 1, 2023, operators of critical infrastructures (CRITIS) must have implemented enhanced security measures for their IT. This is the requirement of the IT Security Act 2.0, which came into force in May 2021 and significantly expands the provisions of the original IT Security Act (IT-SiG) of 2015. The aim is to increase the IT security of critical infrastructures in the face of rapidly increasing cyber attacks and ever-advancing digitalization.
What obligations does the IT Security Act 2.0 define?
Because critical infrastructures play an essential role for the common good in Germany, they are subject to special IT security requirements. For this reason, critical infrastructures are required to report significant disruptions to their IT to the Federal Office for Information Security (BSI) if these could have a negative impact on the availability of critical services.
The IT Security Act 2.0 stipulates that operators of critical infrastructures must keep their IT systems at the current state of the art in order to prevent disruptions to those systems. The state of the art is defined by the BSI, and compliance can be demonstrated via security audits, tests and certifications such as ISO 27001. Critical infrastructure operators must register with the BSI and designate a point of contact who coordinates communication between the operator and the BSI.
In addition, critical infrastructures must implement cyber-attack detection systems based on algorithms that use log data to identify attacks on computers, servers or networks, ideally in real time. Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) tools are suitable solutions for meeting the legal requirements regarding attack detection.
Furthermore, the IT Security Act 2.0 demands that a company's ability to operate be restored as quickly and effectively as possible after an attack on its IT systems. To ensure this, operators must design so-called disaster recovery scenarios. These include response plans and preventive measures that are applied in the event of a massive supply disruption. With the help of predefined recovery processes, the critical infrastructure can resume delivering its essential service to society as quickly as possible after a failure.
What does IT-SiG 2.0 mean for SAP systems?
SAP systems are very often part of critical infrastructures and must be protected accordingly. The SIEM solution of choice for SAP landscapes is SAP Enterprise Threat Detection (ETD). With it, companies gain real-time insights into critical actions and conspicuous processes within their SAP system landscape. As a result, they are able to detect, analyze, and neutralize cyber attacks on SAP applications early on, before serious damage is done.
In addition, operators of critical infrastructures are required to take preventive measures that make an attack on SAP systems as difficult as possible. These include, for example, automated identity management, tailored authorization management, and a clear role concept. Authentication and encryption are also on the agenda: here, for example, a significantly higher level of protection can be achieved with multi-factor authentication (MFA).
Who are the operators of critical infrastructures?
In Germany, critical infrastructures are defined as organizations or facilities that are of vital importance to the state and whose failure or impairment would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences for the economy, society and the state. Therefore, the availability and security of IT systems in the area of critical infrastructure play a decisive role.
According to the IT Security Act 2.0, companies from the following sectors are considered to require lasting protection:
- State and administration
- IT and telecommunications
- Transport and traffic
- Media and culture
- Finance and insurance
- Waste management (newly added in IT-SiG 2.0)
What happens if IT security obligations are breached?
Companies that violate the IT Security Act 2.0 face severe sanctions in the form of fines. Compared to the IT Security Act, the rules on fines have been completely revised and the amounts payable have been significantly increased. Depending on the exact facts of the case, there are four different levels, ranging from 100,000 euros (for failure to contact the point of contact) to 2 million euros (for violation of a BSI order to remedy a security defect). Under certain conditions, fines can even rise to 20 million euros or 4% of the company’s global turnover.
Who else the IT Security Act 2.0 affects
In addition to critical infrastructure operators, the IT Security Act 2.0 also introduces the category of “companies of special public interest.” It covers companies from certain industries or of a certain size that are not part of the critical infrastructure but nevertheless have a special relevance: companies in the defense industry, companies of particular economic importance, and companies that are subject to the Major Accidents Ordinance (Störfall-Verordnung, StöV). They must prove to the BSI every two years that their IT security is state of the art.
Other companies and organizations that are neither critical infrastructure nor “companies of special public interest” can use and implement the standards defined in the IT Security Act 2.0 on a voluntary basis.
Conclusion: More obligations for better protection
By tightening up the IT Security Act, legislators are ensuring that the IT systems of critical infrastructures function reliably and that the security of supply to the population is guaranteed in the long term. CRITIS operators must fulfill numerous new and far-reaching obligations. Fully complying with the extended provisions of the IT Security Act 2.0 requires not only careful planning, but also prompt implementation in view of the May 1, 2023 deadline.