
The Second Act on Increasing the Security of IT Systems (German IT Security Act 2.0 [IT-Sicherheitsgesetz 2.0]) entered into force on 28 May 2021, and its last major obligation, the duty to deploy attack detection systems, has applied since 1 May 2023. The Act gives the BSI new powers and strengthens its role as the federal cyber security authority. It also brings new IT security challenges for mid-market companies.

  • The IT Security Act (IT-SiG) imposes increased requirements on mid-market companies
  • Mid-market companies are obliged to report cyber-attacks to the BSI immediately
  • Whether a company provides a critical service no longer depends on its size
  • An ISO/IEC 27001 certificate on its own is no longer sufficient to avoid liability

What does the IT Security Act (IT-SiG) regulate?

The objective of the Second IT Security Act is to improve IT security in businesses and public administration. It is designed to increase the security of Germany's information technology systems and digital infrastructure. Operators of critical infrastructure must meet higher security requirements, and telecommunications providers are even obliged to warn their customers when their connections are being misused.

The Federal Office for Information Security (BSI) acts as the central reporting office for IT security, gathers information and monitors compliance with the Act. It publishes information on security gaps and on new attack patterns, and sees itself as a digital consumer protection body.

What new features are there and what do mid-market companies now have to take note of?

IT-SiG 2.0 has been in force since 28 May 2021. Its main new feature is that more businesses are required to comply with the Act than before: its scope has been expanded to include businesses in the new KRITIS sector of municipal waste management and the new category of companies of special public interest (‘UBI/UNBÖFI’).

A major innovation for these companies is the duty to introduce systems and processes for detecting digital attacks (attack detection systems, typically implemented with a SIEM and a SOC). This obligation has applied since 1 May 2023.

Their reporting obligations have also been expanded. They are now required to report to the Federal Office for Information Security (BSI) when an attack on IT security takes place. When a significant disruption occurs, a large amount of information must be reported, which now includes personal data. Companies covered by the Act must register directly with the BSI and designate a contact point within the company. The BSI is also authorised to designate operators of critical infrastructure itself if they fail to register.

For mid-market companies, this means there are now more ways to infringe IT-SiG 2.0, and if an infringement occurs, they must expect higher penalties as well. The threshold values above which a company counts as operating a critical installation have been reduced, and the list of installations in question has been expanded. Further information is available from the BSI.

What is the KRITIS Regulation (KRITIS-V)?

The BSI KRITIS Regulation serves to determine which installations count as critical infrastructure under the BSI Act (BSIG). It sets threshold values for installations in the KRITIS sectors. The national KRITIS definition distinguishes ten sectors; note that two of them, media and culture as well as state and administration, are not regulated by the BSI Act, so the Regulation's thresholds apply only to the remaining sectors.

These are:

  • Energy
  • Health
  • IT and telecommunications
  • Transport and traffic
  • Media and culture
  • Water
  • Finance and insurance
  • Waste management
  • Food
  • State and administration

The threshold values in the BSI KRITIS Regulation refer exclusively to installations (e.g. a sewer system) used to perform a critical service (in this example, the disposal of waste water).

Which companies are affected by the IT Security Act?

A company is affected if it provides a critical service in one of the KRITIS sectors and operates the installation used for this in full or in part. An ISO/IEC 27001 certificate on its own is not sufficient: the BSI Act requires information security to be implemented according to the state of the art, and proof of this, based on audits, examinations or certifications by a qualified auditing body such as an audit firm, has to be submitted to the BSI every two years.

Organisational and technical information security is to be implemented according to the ‘state of the art’ by applying the industry-specific security standard (B3S) for the respective sector. If the operators of a sector have not proposed a B3S, or the BSI has not reviewed it and found it suitable, the requirements published by the BSI must be fulfilled instead.

Why do mid-market companies have to think about this now?

The size of a company is irrelevant to whether it is affected, which means that mid-market companies are frequently affected as well. What counts is solely the relationship to the installations and their associated threshold values. An affected company counts as an operator, with all the duties that entails, even if it is only partially involved in operating such an installation.

The use of third-party service providers by affected companies also plays a major role in this assessment. Under IT-SiG 2.0, the determination of whether the Act applies to a business, and the registration of that business, may also be undertaken by the federal government, represented by the BSI.

How Grant Thornton can help mid-market companies specifically

Grant Thornton can assist your company in analysing whether you fall under the KRITIS audit obligation. This assessment includes:

  • Analysing threats,
  • Identifying vulnerabilities, and
  • Determining the resulting risks to the performance of the critical service.

We also offer:

  • A maturity level analysis to identify vulnerabilities, and
  • Organisational, process and technical measures derived from it to safeguard the protection goals of the critical service.

We will put your company on the path to continual monitoring, with reporting all the way up to the responsible management and supervisory bodies.

Grant Thornton will be glad to assist your information security officer and help your company draft and update its security policy.