The IT Security Act 2.0

Stefan Effenberger

IT Documentation Expert

Last updated: 1 December 2025

Reading time: 3 minutes


The key points in brief:

  • The IT Security Act 2.0 is a comprehensive reform from 2021 that strengthens the protection of critical infrastructures and defines new obligations for companies.
  • The expansion of the KRITIS circle, stricter reporting requirements and binding minimum standards raise the level of security, but also require structured action.
  • Companies must create transparency, document processes and continuously invest in modern security mechanisms to meet both legal requirements and real threats.

What is the IT Security Act 2.0?

The IT Security Act 2.0 (IT-SiG 2.0) represents the most comprehensive reform of German IT security law since the introduction of the first IT Security Act in 2015. It was adopted in May 2021 and aims to significantly increase the protection of critical digital infrastructures. In doing so, legislators are responding to the massively increased threat situation posed by ransomware, state-sponsored attacks and vulnerabilities in supply chains.

Changes introduced by the IT Security Act 2.0

The law brings a series of concrete and far-reaching innovations that affect companies, primarily critical infrastructure operators (KRITIS), but also new categories of companies.

1. Extension of the KRITIS definition and introduction of the UBI category

The IT Security Act 2.0 massively expands the number of companies subject to obligations. New additions include the so-called Companies in the Special Public Interest (UBI). These include:

  • Companies that produce particularly important products (e.g. defense industry)
  • Companies with economic significance
  • Operators of large supraregional infrastructures

For the first time, a large number of companies that were previously unregulated are now subject to obligations.

2. Significantly stricter reporting requirements

All KRITIS and UBI companies must immediately report security-related IT incidents to the BSI. This includes:

  • Successful cyber attacks
  • Serious security vulnerabilities
  • Disruptions that could lead to outages

3. Introduction of minimum technical standards

The BSI is authorized to impose mandatory security requirements and to define minimum standards. These range from network segmentation and update and patch processes to identity and authorization management.

4. Increased fines

The IT Security Act 2.0 provides for significantly higher fines, modelled on the logic of the GDPR. For violations, companies must reckon with penalties in the multi-digit million range.

5. Obligation to use trustworthy IT components

In future, manufacturers of certain IT components will have to guarantee their integrity. The state can prohibit the use of components if there are security concerns.

These regulations are intended to prevent attacks on critical infrastructures that are carried out via manipulated hardware or software.

A closer look at the significance of the IT Security Act 2.0

The IT Security Act 2.0 marks a decisive turning point in German IT security law because it was created as a direct response to the increasing digitization of almost all business processes. While the first version of the law was aimed primarily at the classic KRITIS sectors, version 2.0 also takes into account the growing dependence of many industries on complex IT systems, global supply chains and networked production environments. In doing so, the law acknowledges that IT security is no longer just a technical issue, but a central component of corporate resilience.

Why the IT Security Act 2.0 is necessary

Cyber attacks are constantly increasing, both in frequency and in professionalism. Ransomware, insider threats and supply chain attacks are part of everyday life for many IT departments today. The legal requirements are intended to force companies to implement security measures systematically instead of only reacting once damage has already occurred.

Implementation in practice: What companies need to consider

The requirements of IT-SiG 2.0 can be divided into three central fields of action:

1. Transparency about your own IT landscape

Companies must be able to prove which systems, applications and authorizations exist and how they are protected. Without complete transparency, security gaps are barely identifiable.

Practical problem: Many IT departments manage environments that have grown in an unstructured way over the years. Documentation is often out of date or only partially available.

2. Demonstrable security measures

The law requires measures that reflect the "state of the art." These include:

  • Patch and vulnerability management
  • Network segmentation
  • Authorization management and the least privilege principle
  • Regular review of the measures

3. Reporting and verification requirements

KRITIS companies must be able to demonstrate to the BSI which security measures have been implemented. In the event of incidents, they must report them promptly.

IT Security Act 2.0 summary: an opportunity for more security

The IT Security Act 2.0 raises IT security requirements in Germany to a new level. The expansion of the KRITIS circle, the introduction of the UBI category, stricter reporting requirements and binding minimum technical standards pose new challenges for companies, but at the same time raise the general level of security. In the long term, companies benefit from clearly defined processes, better security mechanisms and greater transparency across their own IT landscape. Anyone who takes a structured approach, defines responsibilities and continuously works to improve their own security measures is not only on the safe side legally, but also significantly reduces the risk of serious cyber attacks.

The next steps

If you want to reliably meet the requirements of IT Security Act 2.0 and professionally set up your IT security processes, now is the ideal time to take action. With Docusnap, you not only gain full transparency about your IT environment, but also get a tool that significantly relieves you of everyday IT work and creates the basis for secure, legally compliant decisions.
