by Sükrü ilkel Birakoglu, Senior Director
The German IT Security Act 2.0 passed by the German parliament and Federal Council in the spring of 2021 comes into force in May 2023. With the IT Security Act 2.0, the first act to increase the security of information technology systems was updated to increase cyber and information security against the backdrop of increasingly frequent and complex cyber-attacks and the continued digitalisation of everyday life.
What is the BSI act?
Because of the tightened IT security obligations and increased penalties, the numerous amendments to Germany’s central IT security law – the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSI-Gesetz), “BSI Act“) – are relevant not only for the operators of critical infrastructure already covered by the BSI Act, but also for companies active in the area of municipal waste disposal, manufacturers of IT products used in critical infrastructures, and companies in the special public interest.
KRITIS and NIS2
The NIS2 directive (Network and Information Systems Directive) is a European Union regulation that aims to improve the security of critical infrastructure networks and systems. It requires organizations in the KRITIS sector to take appropriate security measures to protect against cyber threats and to report significant incidents to the relevant authorities. The directive also establishes a framework for cooperation and information sharing between member states to enhance the overall security of the EU’s critical infrastructure.
What is included?
All areas of critical infrastructure (KRITIS) are included. The IT Security Act 2.0 adds the waste management sector to the group of potential operators of critical infrastructure alongside the energy, information technology and telecommunications, transport and traffic, health, water, food, and finance and insurance sectors.
Companies of special public interest
These are now also subject to the BSI Act (BSIG). However, such companies are not considered operators of critical infrastructure but are bound by their own additional obligations (see below). Companies of special public interest are, e.g.:
- Defense contractors (Sec. 1 (14) no. 1 IT Security Act 2.0, Sec. 60 (1) nos. 1 and 3 Foreign Trade and Payments Ordinance);
- Chemical companies (Sec. 1 (14) no. 3 IT Security Act 2.0, Sec. 1 (2) Major Accidents Ordinance); and
- Germany’s largest companies (Sec. 1 (14) no. 2 IT Security Act 2.0).
The IT-Security Act 2.0 imposes several obligations on operators of critical infrastructure. Among other things, operators must:
- Provide for minimum security standards for critical infrastructures (e.g., the use of intrusion detection systems in accordance with Sec. 8a IT Security Act 2.0);
- Comply with security requirements for critical components and
- Comply with information obligations and reporting requirements vis-à-vis the Federal Office for Information Security (in the following “BSI”) (e.g., list all IT products that are important for the functionality of critical infrastructures, report malfunctions).
As can be seen from the IT Security Act 2.0, companies which are operators of critical infrastructures must have intrusion detection systems for their IT systems. SAP systems, which in many cases are the backbone of all business processes of operators of critical infrastructures, are no exception to this rule.
What is the impact?
IT Security Act 2.0 and the Second KRITIS-Ordinance may have far-reaching consequences in some cases. Whereas previously there was a transition period for implementing new requirements, now companies must comply with the requirements of the BSIG from the first working day on which they reach the thresholds of the Second KRITIS-Ordinance. This means that from the first day after the IT Security Act 2.0 and the Second KRITIS-Ordinance come into force, potential operators of critical infrastructure must comply with the requirements of the IT-Security Act 2.0. If the requirements are not complied with, significant fines of up to 20 million Euros may be imposed by the BSI.
Therefore, companies must now verify whether they fall within the scope of the IT Security Act 2.0 and the Second KRITIS-Ordinance. If this is the case, these companies must make sure that they seek counsel about the steps they must undertake and have intrusion detection systems implemented to monitor their IT systems, including SAP or other ERP systems.