The draft for an IT Security Act 2.0 – does the end justify the means?

By Jan Pohle

Recently, the German Federal Ministry of the Interior introduced a draft bill for the planned IT Security Act 2.0 (IT-SiG 2.0), which amends the Act on the German Federal Office for Information Security (BSIG) (the draft is referenced here as BSIG-E). With this draft, the ministry is pursuing the goal of effectively averting threats to cyber and information security for the state, the economy and society, but also for citizens. To this end, the competences of the Federal Office for Information Security (BSI) are to be extended considerably. In addition, new consumer protection regulations and adaptations of German law are planned in the Criminal Code (StGB), the Code of Criminal Procedure (StPO), the Telecommunications Act (TKG), the Telemedia Act (TMG) and other legislation.

The BSIG already provides for comprehensive measures to make Germany’s IT infrastructures the most secure in the world. Critical infrastructures (KRITIS) and digital services (online marketplaces, search engines and cloud services) are particularly worthy of protection, but companies, administrations and private individuals also need strong protection in the context of their online activities. Driven by increasingly complex cyber attacks, such as the one on the Federal Foreign Office (2018) or the doxing of private data of members of the German Parliament (2019), as well as by the digitisation of everyday life and networking in the Internet of Things, IT security law is now to be adapted to technical developments.

Amendments to the BSIG

The competent authority for cyber security is the German Federal Office for Information Security (BSI), which is not only to receive more money and personnel, but whose competences will also be extended considerably. In the future, the authority will control government communication technology and its interfaces to third parties. Section 4a BSIG-E provides that the BSI may now also evaluate internal logging data of the IT systems of public authorities. The BSI may store such data for 18 months and does not have to pseudonymise it. This also affects data of citizens who communicate online with administrative authorities. According to the draft, the BSI may also collect and evaluate data from IT service providers that provide essential IT services for the German federal government, in order to avert dangers to the federal government’s communications technology.

Pursuant to Section 7a BSIG-E, the BSI may in the future examine information technology products and systems that are made available on the market, or are intended to be made available on the market, in order to fulfil its responsibilities pursuant to Section 3 (1) sentence 2 BSIG, and may also request all necessary information from manufacturers of such products and systems for this purpose. If a manufacturer fails to comply with the request for information, the BSI may inform the public. If a reasonable deadline for the manufacturer to respond expires without result, the BSI may publish the name of the manufacturer, the product or system concerned and the extent to which the manufacturer has failed to comply with its obligation to provide information.

In addition, Section 7b BSIG-E allows the BSI to implement measures for the detection and evaluation of malware, security gaps and other security risks in publicly accessible IT systems, including mobile and IoT-based devices. According to Section 7b BSIG-E, however, this is only permitted if facts justify the assumption that such IT systems are unprotected and that their security or functionality may be endangered as a result. In order to record and evaluate malware and other attack methods, the BSI may in the future use procedures pursuant to Section 7b (4) BSIG-E that simulate to an attacker that the attack was successful, and process the data necessary for this purpose.

Furthermore, the target group and the obligations under Sections 8a and 8b BSIG-E are extended. KRITIS core components may only be purchased from manufacturers who have made a declaration of their trustworthiness before the respective component is used for the first time. These requirements apply to the manufacturer’s entire supply chain. The waste management sector now also constitutes a “critical infrastructure” within the meaning of the BSIG. In addition, the new category “Infrastructures of special public interest” is introduced, which includes, among others, the infrastructures of certain listed stock corporations and of companies from the chemical, military, automobile, culture and media sectors.

According to Section 8h BSIG-E, the manufacturers of IT products must notify the BSI if significant disruptions affecting the availability, integrity, authenticity and confidentiality of their IT products occur or if their application could lead to a failure or to a significant impairment of the functionality of facilities pursuant to Section 2 para. 10 or para. 14 BSIG.

Moreover, consumer protection becomes an additional responsibility of the BSI according to the draft. With its expertise, the authority is to contribute to the protection of consumers against the dangers to IT security associated with digitisation by raising awareness as well as by providing advice and support. With the conception and allocation of so-called “IT security labels” (see Section 9a BSIG-E), consumers should be enabled to recognise whether an IT product meets current security standards. The label consists of two components: the manufacturer’s declaration and the BSI security information. The latter is intended to inform the consumer about security gaps or other security-relevant IT characteristics, while the manufacturer’s declaration assures that the product has certain IT security characteristics. Use of the IT security label is voluntary for the manufacturers of the products.

The catalogue of fines in Section 14 BSIG was also revised: the draft now contains more than twice as many offences. The determination of the amount of fines is modelled on the GDPR system. Certain infringements are punishable with fines of up to 20 million euros or up to four percent of the company’s total annual global turnover of the previous financial year.

Amendment of the TKG

In addition to further changes to the BSIG, notable amendments to the TKG imposing more obligations on providers are planned. Under Section 109a (1a) TKG-E, for example, providers must inform the Federal Criminal Police Office immediately if data stored by them has been unlawfully transmitted. Section 109b TKG-E also stipulates extensive reporting and deletion obligations on the part of the provider with regard to the unlawful disclosure or publication of unlawfully obtained data.

Conclusion

The actual consequences that implementation of the draft will have for the digital economy are difficult to predict, but are likely to be significant. The introduction of stricter provisions on fines is already increasing pressure on the operators of critical infrastructures and the manufacturers of the respective information technology systems addressed by the draft. In addition, extending the competences of the BSI is accompanied by conflicts in the area of the fundamental rights of both companies and consumers. Finally, companies are subject to reporting and deletion obligations. It is questionable whether the purposes and means are still in proportion to each other. In addition, the draft contains adaptations and additions to other laws that are at least problematic in terms of both legal doctrine and politics, in particular the amendment of substantive criminal law and criminal procedural law.