Regulatory Pressure For Cybersecurity Increases: Key Aspects of the German Federal Government’s Draft Bill for an IT Security Act 2.0 and Next Steps in the Legislative Process

By France Vehar and Jan Pohle

On 16 December 2020, the German Federal Government passed a draft bill for a ‘Second Bill To Increase The Security of Information Technology Systems’ (‘Entwurf eines Zweiten Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme’, “IT-SiG 2.0-E”). The IT-SiG 2.0 is now up for adoption by the German Bundestag. The German Federal Government seeks to have the law adopted by the end of this legislative period (i.e. in early autumn 2021).

Building on the first ‘Bill To Increase The Security of Information Technology Systems’ of 17 July 2015 (“IT-SiG”), the purpose of the IT-SiG 2.0-E is to implement proceedings to avert threats to cyber and information security for the state, the economy and society. While these goals are pivotal to pursue, the planned measures will certainly have a significant impact on the operations of companies. In essence, the draft introduces more rights for the Federal Office for Information Security (‘Bundesamt für Sicherheit in der Informationstechnik’, “BSI”), and more obligations and the risk of higher administrative fines for so-called operators of critical infrastructures, companies of special public interest (‘Unternehmen im besonderen öffentlichen Interesse’) and manufacturers of critical components.

The IT-SiG sets out amendments to the Act of the Federal Office for Information Security (‘Gesetz über das Bundesamt für Sicherheit in der Informationstechnik’, “BSIG-E”) and respective changes in a few other laws: the German Telecommunications Act (‘Telekommunikationsgesetz’, “TKG”), the Law On Electricity And Gas Supply (‘Gesetz über die Elektrizitäts- und Gasversorgung’, “EnWG”), the Foreign Trade and Payments Regulation (‘Außenwirtschaftsverordnung’, “AWV”) and Volume X of the Social Insurance Code (‘Zehnte Buch Sozialgesetzbuch’, “SGB X”).

This article sets out the key changes to the current law planned in the German Federal Government’s draft IT-SiG 2.0 of 16 December 2020 and outlines the next steps in the legal proceedings, such as a decision on the requests for amendments to the IT-SiG 2.0-E made by the German parties CDU/CSU and SPD on 20 April 2021, which is on the agenda of the German Bundestag on Friday 23 April 2021.