IT Security Act (ITSiG)


The IT Security Act (IT-Sicherheitsgesetz, ITSiG) is a German law that aims to improve the IT security of companies, above all operators of critical infrastructures (KRITIS). It was first passed in 2015 and expanded in 2021 by the IT Security Act 2.0. Technically it is an amending act: its substantive rules live mainly in the BSI Act (BSIG), supplemented by sector laws such as the Energy Industry Act (EnWG) and the Telecommunications Act (TKG). The law responds to the increasing threat from cyberattacks and to the growing importance of IT security for national security and the economy.

Key Facts
  • The IT Security Act improves the IT security of companies, especially KRITIS operators.
  • Reporting obligations: KRITIS operators must report significant IT security incidents to the BSI.
  • Minimum standards: KRITIS operators must implement organisational and technical precautions according to the state of the art and prove this to the BSI at regular intervals.
  • Extended BSI powers: the BSI may proactively monitor IT security, including actively searching for vulnerabilities in publicly reachable systems.
  • IT security certifications and a voluntary IT security label for products and services are introduced.
  • The cost of the necessary IT security measures is a challenge, particularly for smaller operators.
  • Regular amendments to the law are necessary to keep pace with new threats.

Legal basis

1. IT Security Act of 2015 (ITSiG 1.0)
2. IT Security Act 2.0 of 2021 (ITSiG 2.0)
3. Amendments to various laws, in particular the BSI Act (BSIG)

Core elements of the IT Security Act

1. Reporting obligations: KRITIS operators must report significant IT security incidents to the Federal Office for Information Security (BSI) without undue delay.

2. Minimum standards: KRITIS operators must maintain appropriate organisational and technical precautions according to the state of the art and demonstrate compliance to the BSI, for example through audits or certifications. Sector-specific security standards (B3S) drawn up by industry associations and approved by the BSI can be used to show what is appropriate.

3. Expansion of the BSI's powers: the BSI receives extended powers to monitor and support IT security.

4. Certification: introduction of IT security certifications for certain products and services.

5. Provisions on fines: introduction of fines for violations of the provisions of the law.

Affected sectors (KRITIS)

1. Energy
2. Information technology and telecommunications
3. Transport and traffic
4. Health
5. Water
6. Food
7. Finance and insurance
8. State and administration

Whether a specific facility counts as a critical infrastructure under the BSIG is determined by the BSI-KritisV ordinance, which defines facility categories and supply thresholds per sector. Municipal waste disposal was added to the BSIG's list of sectors by the IT Security Act 2.0. State and administration is a sector of the national KRITIS strategy but is not among the sectors covered by the BSIG's definition of KRITIS operators.

Extensions due to the IT Security Act 2.0

1. Inclusion of companies of particular public interest (UBI, often written UNBÖFI), which are subject to reporting obligations and self-declarations without being KRITIS operators
2. Stronger regulation of critical components, notably in 5G networks: their deployment must be notified to the authorities, and use of components from untrustworthy manufacturers can be prohibited
3. Extension of the BSI's powers to proactively search for security vulnerabilities, including scanning publicly reachable systems of affected operators
4. Introduction of a voluntary IT security label for consumer products
5. Tightening of sanctions: substantially higher fines for violations, up to EUR 2 million per the BSIG and, via the reference to Section 30(2) OWiG, up to EUR 20 million for legal persons

Effects on companies

1. Increased compliance requirements: companies must adapt and document their IT security measures.
2. Investment in IT security: need for increased investment in security technologies and personnel.
3. Reporting processes: establishment of processes for detecting, assessing and reporting security incidents within the required deadlines.
4. Risk management: integration of IT security risks into company-wide risk management.
5. Certifications: the need to have certain IT products and services certified.

Challenges and criticism

1. Complexity: implementing the requirements can be particularly challenging for smaller companies.
2. Costs: the necessary investments in IT security can be considerable.
3. Data protection concerns: the extension of BSI powers is viewed critically in some cases.
4. International coordination: need for harmonisation with EU and international standards.
5. Technological development: the law must keep pace with rapid technological change.

Significance for the German IT market

1. Growth impetus: increasing demand for IT security products and services.
2. Promotion of innovation: incentives for the development of new security technologies.
3. Competitive advantage: high IT security standards can serve as a quality feature.
4. Need for specialists: increasing demand for IT security experts.

Future prospects

1. Continuous adaptation: regular revision of the law to respond to new threats.
2. European harmonisation: coordination with EU initiatives such as the Cybersecurity Act and, above all, the NIS 2 Directive, whose German implementation recasts the BSIG and extends the regime to far more companies than the KRITIS operators covered so far.
3. AI and automation: integration of AI-based security solutions into the regulatory framework.
4. Cross-sector cooperation: promoting the exchange of information between different sectors.

Conclusion

The IT Security Act represents an important step towards improving cyber security in Germany. It responds to the growing threats in the digital space and sets a binding framework for IT security measures, particularly for critical infrastructures. For companies, the law means increased requirements and investments on the one hand, but on the other hand offers opportunities for innovation and for strengthening their own competitive position. Continuously adapting the law to new technological developments and threat scenarios will remain a key challenge. Overall, the IT Security Act makes a significant contribution to strengthening the resilience of the German economy and society against cyber threats.
