Legal basis

German legislation

IT Security Acts of 2015 and 2021

The legal basis for Critical Infrastructures and their operators is the Federal Office for Information Security Act (BSI-Act, BSIG). The definition of Critical Infrastructures is concretised by §§ 1 - 7 of the Regulation on the Designation of Critical Infrastructures pursuant to the BSIG (BSI Critical Infrastructure Regulation, BSI Kritis Regulation, BSI-KritisV). The BSI Kritis Regulation describes the individual sectors in more detail and specifies the threshold values used to determine whether an operator operates a Critical Infrastructure.

In 2015, the Law on Increasing the Security of Information Technology Systems (First IT Security Law) amended the BSI-Act as well as other laws such as the Energy Industry Act, the Atomic Energy Act, the Telemedia Act and the Telecommunications Act.

On 7 May 2021, the Bundesrat approved the Second Act to Increase the Security of Information Technology Systems (IT Security Act 2.0), subsequent to this law being passed in the Bundestag on 23 April 2021. It gives the BSI new competences that will significantly strengthen its work as the federal cyber security authority.

The Federal Government has thus contributed to increasing the cyber-resilience of Germany's digital infrastructures and IT systems in critical sectors such as electricity and water supply, finance or food, where a failure or impairment in the supply of services would have dramatic consequences for the economy, state and society in Germany. The availability and security of IT systems therefore play a central role in such critical infrastructures.

The goals of the IT Security Act are also to improve IT security at companies and in the federal administration as well as to better protect citizens on the internet. Individual regulations of the IT Security Act therefore also apply to operators of commercial websites, who must meet higher requirements for their IT systems. To achieve these goals, the tasks and powers of the Federal Office for Information Security have been expanded.

Telecommunications companies will also be more strongly regulated in the future. They will be obliged to warn their customers if they detect misuse of a customer connection. In addition, where possible, they are obliged to share potential solutions with those affected. The competent regulatory/supervisory authority in these cases is the Federal Network Agency (Bundesnetzagentur).

Further development of the BSI Kritis Regulation

On 3 May 2016, the first part of the BSI Kritis Regulation for the implementation of the IT Security Act came into force. Companies from the energy, information technology and telecommunications, water and food sectors were affected.

The first amendment to the BSI Kritis Regulation, which came into force on 30 June 2017, added the sectors of finance and insurance, health, and transport and traffic.

The second amendment to the BSI Kritis Regulation has been in force since 1 January 2022 and primarily implements changes based on the evaluation of the BSI Kritis Regulation. This version is therefore sometimes also referred to as "BSI-KritisV 1.5". A further amendment to the BSI-KritisV, which will also contain the changes from the IT Security Act 2.0, is expected to be published in 2022.

Regulation at the European level

To strengthen cyber security at the European level, the EU Network and Information Security Directive (NIS Directive) was published in the Official Journal of the European Union in July 2016. With the IT Security Act, which came into force in 2015, many of the directive's requirements were already fulfilled in the Federal Republic of Germany, so that the NIS Directive Implementation Act could be published in June 2017.

In December 2020, the European Commission presented a draft amendment to the NIS Directive. This amendment ("NIS 2.0") is intended in particular to take into account the intensified cyber threat situation and the advancing digitalisation of recent years. NIS 2.0 is currently expected to be adopted in 2023.