
IT-Sicherheitsgesetz 2.0 (Germany)

5 min read · Reviewed by: Cenedril Editorial

After a long growth phase a logistics group is classified as a “company in special public interest” (UBI). Management first learns of this through a letter from the BSI with a deadline of a few weeks — the self-declaration, IT security concept and contact point have to be documented in parallel with day-to-day operations. Improvisation here leads to fines and subsequent regulatory orders.

The IT Security Act 2.0 is an amending act that primarily extended the BSIG (Act on the Federal Office for Information Security). It entered into force on 28 May 2021 and is the most comprehensive expansion of German cybersecurity supervision so far — from the introduction of the UBI category, to mandatory attack-detection systems, to the component ban. With the NIS2 transposition, parts of the IT-SiG 2.0 logic are being carried forward and in places replaced.

Who is affected?

The IT-SiG 2.0 takes effect through the changes to the BSIG. In scope:

  • KRITIS operators (Sections 8a, 8b BSIG) — nine sectors with thresholds under the BSI KRITIS Regulation. Extended catalogue of duties including attack-detection systems.
  • Companies in special public interest — UBI (Section 8f BSIG) — newly introduced by the IT-SiG 2.0. Three groups:
    • UBI-1: Manufacturers or developers of goods under the Foreign Trade Ordinance Annex AL Part I Section A (armaments).
    • UBI-2: Top value creators of the German economy by federal criteria.
    • UBI-3: Operators of facilities in the upper tier of the Major Accidents Ordinance.
  • Federal authorities — extended BSI powers in the areas of telemedia advice and detection of security flaws.
  • Manufacturers of IT-critical components — prohibition and trustworthiness requirements (Section 9b BSIG).

What does the law require?

The main changes introduced by the IT-SiG 2.0 in overview:

  • Attack-detection systems (Section 8a(1a) BSIG) — since 1 May 2023 KRITIS operators must deploy SIEM/IDS/SOAR solutions that continuously monitor critical IT components and alert on anomalies. Implementation becomes part of the two-year evidence.
  • UBI duties (Section 8f BSIG) — self-declaration on the state of IT security, reporting obligation for significant disruptions, registration with the BSI, contact point.
  • Prohibition of critical components (Section 9b BSIG) — the Federal Ministry of the Interior (BMI) can prohibit the use of critical components where the manufacturer is not trustworthy. This applies in particular to 5G networks, cloud components and security products.
  • Manufacturer trustworthiness declaration (Section 9b(3) BSIG) — obligation of the manufacturer towards the KRITIS operator.
  • Extended BSI ordering powers — proactive detection of vulnerabilities in publicly reachable systems (Section 7b), prohibition of network and device configurations, ordering of protective measures.
  • Extended fine provisions (Section 14 BSIG) — higher range, clearer offences, multiplier in the event of non-compliance with orders.
  • Consumer protection (Section 9c BSIG) — IT security label for manufacturers, voluntary on consumer products.

In practice

Set up attack detection as a programme. A single SIEM tool is not enough to satisfy the requirement — what is needed are clear use cases, regular analysis, defined escalation and a lessons-learned loop. The BSI has published a guidance document that serves as a yardstick. For the evidence under Section 8a BSIG, effectiveness must be demonstrable.

Actively check UBI status. The UBI classification is partly made by the BSI, partly by self-declaration. An organisation that manufactures armaments, operates a Major Accidents facility or counts among Germany’s top value creators should check the duties under Section 8f BSIG on its own initiative — a missed self-declaration is subject to fines.

Build component prohibition into procurement. For critical components, a manufacturer’s guarantee declaration must be in place. The BMI can subsequently prohibit use — the procurement process should assess this risk and, for strategic components, negotiate exit clauses.

Mapping to ISO 27001

The IT-SiG 2.0 strengthens the ISO controls around incidents, detection and suppliers in particular. An organisation running a certified ISMS with a B3S extension covers a large share of the IT-SiG 2.0 duties.

Directly relevant controls: see the list under “ISO 27001 Controls Covered” below.

Typical audit findings

  • Attack-detection system does not cover the critical IT — SIEM monitors office IT, OT areas remain blind.
  • Use cases for attack detection are missing — the SIEM platform is installed but generates hardly any actionable alerts because use cases are undefined.
  • UBI self-declaration missing — the company meets the criteria but has filed no declaration with the BSI.
  • Trustworthiness declarations for critical components incomplete — the manufacturer has delivered but never issued the guarantee declaration under Section 9b BSIG.
  • BSI orders not embedded in a process — an order is handled via general mail instead of being escalated immediately.
  • Fine risk underestimated — management does not know that IT-SiG 2.0 breaches carry fines of up to EUR 2 million.

ISO 27001 Controls Covered

  • A.5.7 Threat intelligence
  • A.5.19 Information security in supplier relationships
  • A.5.20 Addressing information security within supplier agreements
  • A.5.21 Managing information security in the ICT supply chain
  • A.5.23 Information security for use of cloud services
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.26 Response to information security incidents
  • A.5.30 ICT readiness for business continuity
  • A.5.36 Compliance with policies, rules and standards for information security
  • A.8.7 Protection against malware
  • A.8.8 Management of technical vulnerabilities
  • A.8.16 Monitoring activities

Frequently asked questions

What did the IT Security Act 2.0 actually change?

The IT-SiG 2.0 structurally extended the BSIG: new category of companies in special public interest (UBI), mandatory attack-detection systems for KRITIS operators, extended ordering powers of the BSI, higher fines of up to EUR 2 million, prohibition of critical components from untrustworthy manufacturers. The scope of cybersecurity supervision was substantially widened as a result.

Am I a UBI under Section 8f BSIG?

UBIs are companies that are among the largest value creators of the German economy (top list by federal criteria), manufacture armaments, or are classified as operators under the Major Accidents Ordinance. Self-classification is up to the company; the BSI can review it. UBIs have reduced duties compared with KRITIS operators: minimum IT security, reporting obligation and registration.

How does the duty to run attack-detection systems work?

Since May 2023, KRITIS operators must deploy SIEM or comparable systems that continuously monitor the IT critical for the function, detect anomalies and enable analysis. Implementation must be documented and included in the two-year evidence under Section 8a BSIG. BSI recommendations and the industry-specific B3S standards concretise the requirements.