Now the time has come: the IT Security Act 2.0 will come into full effect on May 1st. This means that the transition period for the obligation to provide proof of attack detection for critical infrastructure (KRITIS) has expired. The law has been in force for two years, but only now in its tightened form. KRITIS suppliers now also have obligations, and may not yet be aware of them. Information from RADAR Cyber Security, Sophos and Rhebo.
Even a few days before the end of the transition period, there is still some ambiguity about what the IT Security Act 2.0 means in detail: Which requirements need to be implemented, which technologies are necessary, which measures have to be proven, and who needs to feel addressed at all?
Who is meant?
The IT Security Act 2.0 has been in force for two years; the transition period for the obligation to provide evidence of attack detection ends on May 1st. With this, the regulation reaches a new dimension. Firstly, the second version of the IT Security Act (IT-SiG for short) tightens the requirements considerably. Secondly, it significantly expands the group of facilities that count as critical infrastructure: The regulation applies not only to KRITIS operators themselves, but also to their suppliers. Thirdly, it now also covers companies of "particular public interest": Among others, armaments manufacturers and companies of "particular economic importance" must implement certain IT security measures. Fourthly, the state and regulatory authorities are given more powers: For example, the BSI can itself classify companies as KRITIS.
What is required?
In concrete terms, this means: KRITIS operators must have implemented systems and processes for attack detection by the deadline of May 1, 2023 at the latest; these are now explicitly part of the required technical and organizational security precautions. Examples include a "Security Information and Event Management" (SIEM) system or a "Security Operations Center" (SOC): With such a defense center, also known as a "Cyber Defense Center" (CDC), KRITIS operators can create a consistent security concept for their IT and OT infrastructure and put it into practice. Here, technologies and processes are combined with the know-how of the experts who are responsible for monitoring, analyzing and maintaining the information security of a company.
In addition, the companies of particular public interest addressed by the act are obliged to submit a self-declaration regularly: They must explain which IT security certifications have been carried out in the past two years and how they have secured their IT systems.
Legislative initiatives such as the IT Security Act 2.0 show that politicians have recognized the urgency of resilience in today's digital age. Companies still have a lot to do, even after May 1, 2023, according to Lothar Hänsler, Operations Officer at RADAR Cyber Security.
More on the topic from Sophos and Rhebo
IT Security Act 2.0: Implementation assistance for KRITIS organizations
IT Security Act 2.0: Operators of critical infrastructures (KRITIS) are legally obliged to take "reasonable organizational and technical precautions" to prevent cyber attacks. With the passing of the "IT Security Act 2.0" (ITSiG 2.0) in spring 2021, these obligations were tightened again.
From May 2023, the operators of critical infrastructures must implement these and, above all, have "attack detection systems" in place. Sophos, as an APT (Advanced Persistent Threat) response service provider officially qualified by the BSI, has therefore created a solution brief for KRITIS that helps companies and organizations to adapt their security measures to the new requirements in good time. 144 million new malicious programs…
ITSiG 2.0: System for attack detection becomes mandatory for KRITIS
On April 23, 2021, the Bundestag passed the revised IT Security Act (ITSiG 2.0). Under ITSiG 2.0, a system for detecting attacks is mandatory for KRITIS. Critical infrastructures have to set up a holistic system for attack detection within two years.
The supply chain becomes part of the IT Security Act. On April 23, 2021, the Bundestag passed the revised IT Security Act (ITSiG 2.0). In addition to extended powers for the Federal Office for Information Security (BSI), cyber security requirements are being tightened. Critical infrastructures such as energy and water suppliers, and now also waste disposal companies and large companies of economic importance, are affected by the amendment…