Germany: BMI adopts draft of IT Security Act 2.0
The German Federal Ministry of Interior, Building and Community ('BMI') announced, on 16 December 2020, that the Cabinet of Germany had adopted the draft of a Second Act to Increase the Security of Information Technology Systems ('IT Security Act 2.0'). In particular, the BMI highlighted that the IT Security Act 2.0 regulates, among other things, the protection of the federal administration, critical infrastructures companies in the special public interest, and consumer protection.
Moreover, the BMI outlined that the Federal Office for Information Security ('BSI') is authorised to exercise control and audit powers regarding the federal administration and will be involved at an early stage in major federal digitization projects. In addition, the IT Security Act 2.0 extends the duration of the storage of log data for the purpose of defending against threats to federal communications technology to 12 months. Furthermore, the BMI noted that logging data are now included in the BSI Act and the BSI is authorized to process this data in order to avert threats to federal communications technology, as well as ordering measures against telecommunications and telemedia companies in the event of certain dangers to information security.
Furthermore, the IT Security Act 2.0 stipulates that the BSI will be tasked with regulating consumers and that the basis for a uniform IT security label will be introduced to make security functions, especially for products in the consumer sector. In addition, the BMI noted that the BSI will be authorised to request inventory data information from providers of telecommunications services to protect and notify those affected, and that, the BMI will oblige manufacturers to provide information about their products.
The BMI noted that the IT Security Act 2.0 requires operators of critical infrastructures to use systems with cyberattack detection, including, new requirements for operators of energy supply networks and systems following reforms in the energy industry. Finally, the BMI stated that the reporting obligations that already apply to operators of critical infrastructures will in future, also apply to companies that are relevant to public interest, such as companies in the armaments industry and classified IT, companies that are of particular economic importance, and companies that are subject to regulation by the Major Accidents Ordinance.
You can read the press release, only available in German, here.