IT Security Act (ITSiG)
The IT Security Act (ITSiG) is a German law that aims to improve the IT security of companies, especially operators of critical infrastructures (KRITIS). It was first passed in 2015 and expanded in 2021 with the IT Security Act 2.0. The law is a response to the increasing threats posed by cyberattacks and the growing importance of IT security for national security and the economy.
Legal basis
1. IT Security Act of 2015 (ITSiG 1.0)
2. IT Security Act 2.0 of 2021 (ITSiG 2.0)
3. Amendments to various laws, in particular the BSI Act (BSIG)
Core elements of the IT Security Act
1. Reporting obligations: KRITIS operators must report significant IT security incidents to the Federal Office for Information Security (BSI).
2. Minimum standards: Definition of minimum standards for IT security in critical infrastructures.
3. Extension of the BSI's powers: The BSI is given extended powers to monitor and support IT security.
4. Certification: Introduction of IT security certifications for certain products and services.
5. Fines: Introduction of fines for breaches of the law.
Affected sectors (KRITIS)
1. Energy
2. Information technology and telecommunications
3. Transportation and traffic
4. Health
5. Water
6. Food
7. Finance and insurance
8. Government and administration
Extensions due to the IT Security Act 2.0
1. Inclusion of companies in the special public interest (UNBÖFI)
2. Stronger regulation of 5G networks
3. Extension of the BSI's powers to proactively search for security vulnerabilities
4. Introduction of an IT security label for consumer products
5. Tightening of criminal provisions for cyber attacks
Effects on companies
1. Increased compliance requirements: Companies must adapt and document their IT security measures.
2. Investment in IT security: Need for increased investment in security technologies and personnel.
3. Reporting processes: Establishment of processes for detecting and reporting security incidents.
4. Risk management: Integration of IT security risks into company-wide risk management.
5. Certifications: Need to have certain IT products and services certified.
Challenges and criticism
1. Complexity: Implementing the requirements can be challenging, especially for smaller companies.
2. Costs: The necessary investments in IT security can be considerable.
3. Data protection concerns: The extension of BSI powers is sometimes viewed critically.
4. International coordination: Need for harmonization with EU and international standards.
5. Technological development: The law must keep pace with rapid technological development.
Significance for the German IT market
1. Growth impetus: Increasing demand for IT security products and services.
2. Promotion of innovation: Incentives for the development of new security technologies.
3. Competitive advantage: High IT security standards can serve as a quality feature.
4. Need for skilled workers: Increasing demand for IT security experts.
Future prospects
1. Continuous adaptation: Regular revision of the law to adapt to new threats.
2. European harmonization: Coordination with EU initiatives such as the Cybersecurity Act.
3. AI and automation: Integration of AI-based security solutions into the regulatory framework.
4. Cross-sector cooperation: Promoting the exchange of information between different sectors.
Conclusion
The IT Security Act represents an important step towards improving cyber security in Germany. It responds to the growing threats in the digital space and sets a binding framework for IT security measures, particularly for critical infrastructures. For companies, the law means increased requirements and investments on the one hand, but also offers opportunities for innovation and strengthening their own competitive position on the other. Continuously adapting the law to new technological developments and threat scenarios will remain a key challenge. Overall, the IT Security Act makes a significant contribution to strengthening the resilience of the German economy and society against cyber threats.