Regulatory Pressure For Cybersecurity Increases: Key Aspects of the German Federal Government’s Draft Bill for an IT Security Act 2.0 and Next Steps in the Legislative Process

By France Vehar and Jan Pohle

On 16 December 2020 the German Federal Government passed a draft bill for a ‘Second Bill To Increase The Security of Information Technology Systems’ (‘Entwurf eines Zweiten Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme’, “IT-SiG 2.0-E”). The IT-SiG 2.0 is now up for adoption by the German Bundestag. The German Federal Government seeks to have the law adopted by the end of this legislative period (i.e. in early autumn 2021).

Building on the first ‘Bill To Increase The Security of Information Technology Systems’ of 17 July 2015 (“IT-SiG”), the purpose of the IT-SiG 2.0-E is to implement measures to avert threats to cyber and information security for the state, the economy and society. While such goals are pivotal to pursue, the planned measures certainly have a significant impact on the operations of companies. In essence, the draft introduces more rights for the Federal Office for Information Security (‘Bundesamt für Sicherheit in der Informationstechnik’, “BSI”), and more obligations and the risk of higher administrative fines for so-called operators of critical infrastructures, companies of special public interest (‘Unternehmen im besonderen öffentlichen Interesse’) and manufacturers of critical components.

The IT-SiG 2.0-E sets out amendments to the Act on the Federal Office for Information Security (‘Gesetz über das Bundesamt für Sicherheit in der Informationstechnik’, “BSIG-E”) and respective changes in a few other laws (the German Telecommunications Act (‘Telekommunikationsgesetz’, “TKG”), the Law On Electricity And Gas Supply (‘Gesetz über die Elektrizitäts- und Gasversorgung’, “EnWG”), the Foreign Trade and Payments Regulation (‘Außenwirtschaftsverordnung’, “AWV”) and Volume X of the Social Insurance Code (‘Zehntes Buch Sozialgesetzbuch’, “SGB X”)).

This article sets out the key planned changes of the German Federal Government’s draft IT-SiG 2.0-E of 16 December 2020 to the current law and outlines the next steps in the legislative process, such as a decision on the requests for amendments to the IT-SiG 2.0-E filed by the German parties CDU/CSU and SPD on 20 April 2021, which is on the agenda of the German Bundestag on Friday 23 April 2021.

A. Key planned changes of the German Federal Government’s draft IT-SiG 2.0-E of 16 December 2020 to the current law

1. Significant extension of the powers of the BSI

Per the draft of 16 December 2020, the powers of the BSI will be significantly expanded. Some core aspects:

– Certification and recommendations: In the future, the BSI is to become the national cybersecurity certification authority in the sense of the EU Cybersecurity Act (EU Regulation No. 881/2019) (Section 3 (1) sentence 2 No. 5a BSIG-E). The authority is to issue recommendations for identification and authentication procedures, evaluate these procedures with regard to information security, and develop and publish the state of the art for security-related requirements for IT products (Section 3 (1) sentence 2 No. 19, 20 BSIG-E – Article 1 No. 2g IT-SiG 2.0-E).

– Reporting office: As the central unit for third-party reports, the BSI receives and evaluates information on security risks in information technology (Section 4b BSIG-E – Article 1 No. 3 IT-SiG 2.0-E).

– Consumer protection and consumer information in the field of information security: This is defined as a further responsibility of the BSI (Section 3 (1) sentence 2 No. 14a BSIG-E – Article 1 No. 2d IT-SiG 2.0-E). In addition to the existing power of the BSI to investigate IT products pursuant to the current Section 7a (1) BSIG, manufacturers will also be obliged to provide information about their products (Section 7a (2) BSIG-E – Article 1 No. 9 IT-SiG 2.0-E). The draft puts in place the preconditions for a uniform voluntary IT security label to visualize the IT security of a product (Section 9c BSIG-E – Article 1 No. 19 IT-SiG 2.0-E). While the details of the label’s requirements have yet to be decided, they are to be laid out in a specific regulation in the future (Section 10 (3) BSIG-E – Article 1 No. 20 IT-SiG 2.0-E).

– Query of stored data from telecommunications service providers to inform affected parties about security vulnerabilities and attacks: The BSI may request information on stored data pursuant to Sections 95 and 111 TKG from anyone providing telecommunications services commercially or contributing to the provision of such services. This applies if, in an individual case, there are facts giving rise to the conclusion that the security or functionality of the information technology systems of a critical infrastructure or a company of special public interest has been purposefully impaired in at least a specific manner and for a foreseeable period of time, and if the requested data is necessary for the BSI to fulfil its duties (Section 5c (1) BSIG-E – Article 1 No. 7 IT-SiG 2.0-E). As set out on page 75 of the explanatory memorandum to the draft bill, the goal of these provisions is to identify affected companies by their IP addresses in the event of cyberattacks and to allow for a warning.

– Minimum standards: Section 8 BSIG-E (Article 1 No. 11 IT-SiG 2.0-E) refers to minimum standards which the BSI determines in agreement with the ministries. These minimum standards seek to ensure a uniform level of protection throughout the federal administration (page 91 of the draft bill’s explanatory memorandum). In the future, the minimum standards are intended to apply not only to federal agencies, but also to third-party IT service providers to the extent that the latter provide IT services for the federal government’s communication technology. Furthermore, in the future, the BSI will not only provide advice to the relevant bodies, but will also be able to monitor compliance with significant minimum standards.

– Investigation and supervision powers, the authority to issue orders: The BSI is authorized to take measures at the interfaces of publicly accessible IT systems to public telecommunication networks (‘port scans’) for the purpose of detecting security vulnerabilities and other security risks at federal institutions or at the companies specified in Section 2 (10), (11) and (14) BSIG-E. Also, in order to perform its duties, the BSI may use systems and procedures that simulate a successful attack to an attacker, so that the BSI can record and evaluate the use of malware or other methods of attack (‘honeypots’) (Section 7b (1), (4) BSIG-E – Article 1 No. 10 IT-SiG 2.0-E). Moreover, the BSI is authorized to issue certain orders to telecommunications and telemedia providers to avert specific threats to information security (Section 7c BSIG-E – Article 1 No. 10 IT-SiG 2.0-E).

2. Expansion of obligations affecting operators of critical infrastructures and companies of special public interest

a) Extension of obligations affecting operators of critical infrastructures

Operators of critical infrastructures and companies of special public interest (“CRITIS operators”) no longer only have to specify a contact point for the critical infrastructures they operate – as was previously the case in accordance with Section 8 BSIG. Now they must also register these critical infrastructures with the BSI (Section 8b (3) BSIG-E – Article 1 No. 13 IT-SiG 2.0-E).

In addition, Section 9b BSIG-E (Article 1 No. 19 IT-SiG 2.0-E) sets out that the use of critical components (‘kritische Komponenten’) – defined in more detail in Section 2 (13) BSIG-E (cf. Article 1 No. 1 lit. e) IT-SiG 2.0-E) – must be notified to the Federal Ministry of the Interior, Building and Community (‘Bundesministerium des Innern, für Bau und Heimat’, “BMI”) prior to their use. It also sets out that the notification must be accompanied by a declaration of the manufacturer regarding its trustworthiness vis-à-vis the operator of the critical infrastructure (‘Garantieerklärung’, “guarantee declaration”) that extends to the manufacturer’s entire supply chain. Section 9b BSIG-E further states that the BMI can prohibit the use of certain critical components if a manufacturer has proven to be untrustworthy. Section 9b (5) BSIG-E specifies the grounds on which a manufacturer’s lack of trustworthiness can be based. A certification requirement for critical components in telecommunications networks is also added to Section 109 TKG (Art. 2 No. 2 IT-SiG 2.0-E). The inclusion of critical components in the BSIG is mirrored by the inclusion of such elements in Section 55 AWV (pursuant to Article 4 IT-SiG 2.0-E), which regulates the cross-sector review of corporate acquisitions.

CRITIS operators will be obliged to implement intrusion detection systems and to demonstrate their use to the BSI (Section 8a (1a) BSIG-E – Article 1 No. 12 lit. b IT-SiG 2.0-E). The amendment of the list of critical infrastructures in Section 2 (10) sentence 1 No. 1 BSIG-E (Art. 1 No. 1 lit. d IT-SiG 2.0-E) extends this obligation to municipal waste disposal companies (‘Siedlungsabfallentsorgung’). Similarly, the addition of paragraphs 1d and 1e to Section 11 EnWG (Art. 3 IT-SiG 2.0-E) requires the operators of energy supply networks and energy plants which have been determined to be critical infrastructures by the Ordinance on the Designation of Critical Infrastructures under the BSIG (‘BSI-KritisV’) to deploy and demonstrate the use of corresponding systems.

b) Reporting obligations and self-declaration for companies of special public interest

Reporting obligations applying to operators of critical infrastructures will now also apply to companies of special public interest (Section 8f (5) BSIG-E – Article 1 No. 17 IT-SiG 2.0-E).

Such companies are defined in Section 2 (14) BSIG-E (Article 1 No. 1 (e) IT-SiG 2.0-E). These include, inter alia, companies in the arms industry and in the IT business for classified information, companies that are of particular economic importance due to their high added value, and companies subject to regulation under the German Major Accidents Ordinance (‘Störfallverordnung’, “StörfallV”). Section 8f (1) BSIG-E also requires these companies to submit a self-declaration on IT security in accordance with the requirements specified in that provision.

3. Increased administrative fines for offences

According to the current list of fines in Section 14 BSIG, the maximum fine for non-compliance with the requirements laid out in Section 14 BSIG-E amounts to 2 million euros. However, this can be increased to up to 20 million euros under certain circumstances. Section 14 BSIG-E now contains a reference to Section 30 (2) sentence 3 of the German law on regulatory offences (‘Ordnungswidrigkeitengesetz’, “OWiG”), increasing the regular maximum fine tenfold to 20 million euros if the fine is directed against legal persons or associations of persons in the sense of Section 30 (1) OWiG.

B. Way forward

In the event the German Bundestag adopts the IT-SiG 2.0-E, companies will face higher operational and commercial risks. In particular, the risk of high administrative fines will increase the pressure on operators of critical infrastructures, companies of special public interest and manufacturers of critical components.

However, heavy discussion of the German Federal Government’s draft is currently under way. Given the Federal Government’s goal of finalizing the IT-SiG 2.0 before the end of the legislative period in late summer, the regulation and the substantial discussion around it in the coming weeks and months should be watched closely.

Firstly, the IT-SiG 2.0 is now up for adoption by the German Bundestag. After a first hearing on 28 January 2021, the draft was referred to the lead committee on Home Affairs (‘Ausschuss für Inneres und Heimat’). In a first hearing, the participants welcomed the plan for an IT-SiG 2.0 in principle, but found the present version completely inadequate. On 20 April 2021 the German parties CDU/CSU and SPD filed a motion for amendments to the draft. These amendments are on the agenda of the German Bundestag for Friday 26 April 2021.

Also, the German Bundesrat has been asked to provide its statement on the draft of 16 December 2020. Since the IT-SiG 2.0 also touches on the competencies of the German states, some criticism may also be raised by the German Bundesrat.

We will keep you updated on the future developments.