IT Security Act 2.0
  • United Kingdom
  • Technology, Media and Telecoms - General


At the end of March, the German Federal Ministry of the Interior, Building and Community (BMI) submitted a draft bill for the "Second Act to Increase the Security of Information Technology Systems (IT Security Act 2.0)" to the vote of the ministries. Following on from the IT Security Act, which came into force in June 2015, and its amendment by the EU NIS Directive, the protection of IT systems in public administration and the private sector is to be further improved.

To this end, the draft bill provides, in particular, for new criminal offences relating to IT security. The essential aspects of the current draft are summarized below.

First, the obligations to comply with a minimum standard of IT security and to report IT security incidents are to be considerably extended. For this purpose, the draft bill defines further critical infrastructure sectors and, in future, will also directly obligate suppliers of critical infrastructure operators by law. At the same time, the requirements for measures to protect information technology are to be tightened, for example by requiring the use of systems for attack detection.

In addition, manufacturers of IT products are to be obliged to report to the BSI any significant malfunctions in their IT products that could impair critical infrastructure systems or systems used for "infrastructures in the special public interest". The draft also provides for new reporting obligations for manufacturers of so-called "critical infrastructure core components". What counts as a "critical infrastructure core component" is to be specified by statutory order.

The competencies and tasks of the Federal Office for Information Security (BSI) are to be further expanded. The draft bill grants the BSI additional powers, for example to check "publicly accessible information technology systems" for malware and security gaps, and provides for the introduction of an IT security label, which the BSI may authorize manufacturers of IT products to use. The IT security label is intended to provide consumers with relevant information on the security of an IT product.

Finally, the framework for fines for breaches of IT security obligations is to be substantially increased. In particular, if companies fail to comply with enforceable BSI orders on IT security, the draft bill provides for fines of up to EUR 20,000,000.00 or 4% of the company's annual turnover. Other infringements are to remain punishable by a maximum fine of EUR 10,000,000.00 or 2% of the company's annual turnover.

The BMI's draft bill is at an early stage. Whether and in what form the draft will be submitted to a formal legislative procedure will also depend to a large extent on comments and statements by companies and industry associations.