IT Security Act I msg security advisors

You'd like to find out more about the range of services offered by the msg group? Then visit the websites of msg and its group companies.

Visit site

Current website

All msg websites
Range of services
Cybersecure Business Transformation
Governance & Compliance Excellence
Strategy & Organisation
Digital Trust
Service modules
Company
About us
Latest news
All news and topics
Career
Overview & Vacancies
Benefits

Message

Failed loading XML...

IT Security Act 2.0

Changes for operators of
critical infrastructures

A post by Deniz Wetz

IT Security Act 2.0: Changes for Operators of Critical Infrastructures

The IT Security Act (IT-Sicherheitsgesetz) of 2015 and, in particular, the associated amendments to the BSI Act have imposed requirements on operators of critical infrastructures (CRITIS). The IT Security Act 2.0 (also known as the Second IT Security Act) came into force on May 28, 2021 and includes enhancements relating to the protection of critical infrastructures. In addition, it strengthens the remit of the Federal Office for Information Security (BSI) as the federal cybersecurity authority. In addition to consumer protection, this includes inspection and monitoring powers in the federal administration and regulatory powers vis-à-vis telecommunications and telemedia providers. In addition, fines for violations will be increased.

Expansion of scope

The IT Security Act 2.0 will be expanded to include “companies in the special public interest”. These include companies that manufacture or develop goods in accordance with Section 60 (1) Numbers 1 and 3 of the Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung ), companies that are subject to the Major Accidents Ordinance (Störfall-Verordnung), and companies that are among the largest companies in Germany in terms of their domestic value added and are therefore of particular economic importance. The latter also include their suppliers. Economic indicators and characteristics are defined by legal ordinance in order to determine these. In addition, municipal waste disposal becomes another sector of the critical infrastructures.

Evidence in support of information security

Companies in the special public interest are required to submit a self-declaration on IT security to the BSI at least every two years. This must show which certifications, security audits or inspections exist in the area of IT security and how it is ensured that sensitive IT systems, components and processes are protected appropriately and according to the state-of-the-art. Companies that are subject to the Major Accidents Ordinance (Störfall-Verordnung) are exempt from this requirement, as this ordinance already stipulates corresponding obligations to provide evidence. Companies in the special public interest will not have the possibility of having industry-specific standards recognized by the BSI, as is the case with critical infrastructures.

Requirements for critical components

Operators of critical infrastructures must notify the Federal Ministry of the Interior, for Building and the Home Affairs (Bundesministerium des Innern, für Bau und Heimat (BMI)) of the use of critical components. These are IT products that are used in critical Infrastructures or are of high importance for the functioning of the community. Critical components can also be designated on the basis of a law. These may only be used if the manufacturer has issued a guarantee declaration to the operators of the critical infrastructure stating that they do not have technical features that are specifically suited to being misused against the critical infrastructure.

Use of systems for attack detection

In addition, as of May 2023 operators of critical infrastructures will be obligated to use systems for attack detection. These systems must be able to record and evaluate security-relevant events from ongoing operations in order to detect and respond to threats.

Release of security-related information

During a significant breach of information security, the BSI may, in agreement with the relevant competent federal supervisory authority, demand that the affected operators of critical infrastructures or companies in the special public interest hand over the information, including personal data, required to deal with the breach.

With the entry into force of the IT Security Act 2.0, the first step for companies is to determine whether they fall within the extended scope. A holistic IT security strategy must then define ways to meet information security requirements in the most efficient way possible and create synergies in improving information security.

Share this post

Author und contact

Deniz Wetz msg

Deniz Wetz
Lead IT Consultant

deniz.wetz@msg.group

How can we support you on the subject of security solutions?

We are looking forward to your message!

Contact us!

Please fill out the form and we will contact you as soon as possible.

The field is limited to only letters and a hyphen (-).

The field is limited to only letters.

The field is limited to only numbers.

The field is limited to only letters,numbers and hyphens (/:.,!?-).

With this form collected individual-related data are exclusively used for internal handling and will be not forwarded to third parties. Please consider our data privacy statement.

I agree with the data privacy statement of msg advisors.

Contact

msg industry advisors ag
Robert-Bürkle-Str. 1
85737 Ismaning

+49 89 96 10 11 300
+49 89 96 10 11 113

advisors@msg.group

News from the msg group

The msg group

msg is an independent international group of companies with autonomous regional companies and subsidiaries and over 10,000 employees.

The msg group is active in over 34 countries in the banking, insurance, automotive, food, life science & chemicals, public sector, telecommunications, travel & logistics and utilities sectors. msg also develops integrated software solutions and advises its clients in all aspects of information technology.

Imprint
Privacy

Search
Menu (EN)
- Range of services
- Company
- Career
  - Overview & Vacancies
  - Benefits

Cookie settings

The msg security advisors uses cookies to provide an optimal website experience that is tailored to your specific needs. These includes cookies that are necessary for ensuring the smooth operation and the security of our web pages, as well as those used for anonymous statistical purposes, to help us reach our commercial business goals, or to display personalized content. You have the right to choose which categories you wish to allow. Please note that your decisions may affect which page functions are available while using our site. Further information can be found in our data protection information.

Required

Statistics

Hide details

Required

Required cookies are used to ensure the smooth operation of our web pages and to make them user friendly. They also enable security-related functions. Furthermore, these types of cookies help us identify whether you would like to remain logged in under your profile, thereby allowing us to make our services available to you even faster the next time you visit our site.
Statistics

In order to ensure continuous improvement of our content, structure and our website in general, we record anonymized data for statistical purposes. With your consent, data on your user behavior will be transmitted anonymously to Google Analytics. We use these cookies, for example, to determine how many times a specific page is accessed or the effect of certain pages of our web presence; we then use that information to optimize our site.