Deadline May 1, 2023
BSI presents current draft of guidance on the use of detection systems
Cyber criminals are increasingly targeting operators of critical infrastructures (KRITIS). In the worst case, public safety is at stake. The German legislator responded to this threat in 2021 with the IT Security Act 2.0, which added further measures to the existing Act of the Federal Office for Information Security (BSI). European legislators are following suit with a second EU Network and Information Security Directive (NIS2).
Furthermore, the definition of critical infrastructure has been expanded and now includes additional sectors. Companies of so-called “special public interest”, such as national defense manufacturers, waste management companies or organisations of particular economic importance, will now also have to implement certain IT security measures. More than 250 additional companies in Germany are affected.
IT Security Act 2.0:
Overview of new requirements
KRITIS operators must have implemented threat detection systems by May 1, 2023 at the latest.
KRITIS operators are obliged to notify the German Federal Ministry of the Interior about every initial use of critical components, for example, if the manufacturer is controlled by a third country or contradicts security policy goals of the German federal government, EU or NATO.
Critical operators and “companies of special public interest” will be required to submit a self-declaration on a regular basis. In it, they will have to present the certifications they have obtained in the area of IT security within the last two years and describe how their systems are secured.