A purple and purple background with a white logo.
BlogSecurity

Understanding Germany's IT Security Act 2.0

Written by
Herman Errico
Reviewed by
No items found.

Accelerating security solutions for small businesses 

Tagore offers strategic services to small businesses. 

A partnership that can scale 

Tagore prioritized finding a managed compliance partner with an established product, dedicated support team, and rapid release rate.

Standing out from competitors

Tagore's partnership with Vanta enhances its strategic focus and deepens client value, creating differentiation in a competitive market.

The IT Security Act 2.0, which was passed by the German Bundestag and Bundesrat in spring 2021, came into effect at the end of May 2023. 

Due to the increased IT security obligations and higher fines, the numerous changes to the central German IT Security Act, specifically the Law on the Federal Office for Information Security (BSI-Gesetz), are particularly relevant for operators of critical infrastructures already covered by the BSI-Gesetz, as well as for companies in the municipal waste disposal sector, manufacturers of IT products used in critical infrastructures, and companies of special public interest. 

The IT Security Act 2.0 and the second KRITIS regulation have far-reaching consequences. While there was previously a transition period for implementing the new requirements, companies must now comply with the requirements of the Federal Act on the Security of Information Technology (BSIG) from the first working day on which they meet the threshold values of the second KRITIS regulation. 

This means that from the first day after the IT Security Act 2.0 and the second KRITIS regulation come into effect, potential operators of critical infrastructures must adhere to the requirements of the IT Security Act 2.0. Failure to comply with the requirements can result in significant fines of up to 20 million euros imposed by the Federal Office for Information Security (BSI).

This post will cover the scope and applicability of the Act, exploring the new definitions and audit and security requirements for both critical infrastructure operators and digital service providers. Additionally, we will explore the voluntary IT security label, the reporting requirements and new regime for the administrative fines associated with non-compliance to the new Act.

Additionally, this post aims at providing an overview of the requirements for both critical infrastructure operators and digital service providers so that organizations can be in a better position to understand what aspects they will need to prioritize as part of their security programme should their business be in scope for the new IT Security Act.

Should you require support in determining if this new law applied to you, feel free to engage with one of our experts at Vanta.

Scope and applicability

The IT Security Act 2.0 applies to operators of critical infrastructure (KRITIS-Betreiber), which includes sectors such as energy, information technology, telecommunications, transportation, healthcare, finance, water supply, waste management and more.

Operators are identified based on predefined criteria, such as their significance for the functioning of society and the potential consequences of IT security incidents.

Key terms and definitions

The Act identifies a number of definitions to support an easier application of the requirements including concepts such as information technology, security in information technology, federal communications technology, harmful software, security gaps, certification, protocol data, data traffic, IT products, systems for attack detection, critical infrastructures, digital services, provider of digital services, critical components, and companies in the special public interest.

These definitions aim to provide clarity and common understanding of the terms used within the context of the law. By clearly defining these terms, it helps ensure consistent interpretation and application of the law's provisions. The definitions cover various aspects of information technology, security, infrastructure, and services, providing a comprehensive framework for the implementation and enforcement of the law.

Overall, these definitions play a crucial role in establishing a common language and understanding for all stakeholders involved in the protection of critical infrastructures and the security of information technology. They lay the foundation for effective communication, compliance, and enforcement efforts, helping to safeguard the integrity, availability, and confidentiality of information and IT systems.

Audits and inspections

The BSI is empowered to conduct audits and inspections to verify compliance with the law's requirements. Audits may include reviewing documentation, conducting on-site inspections, and assessing the effectiveness of security measures implemented by operators. Non-compliance with the law can result in penalties, including fines.

Authority of the Federal Office

The Federal Office is responsible for gathering and evaluating information to prevent threats to information technology security. This includes identifying security gaps, malware, successful or attempted attacks, and the methods used. It promptly informs federal authorities about relevant information and facts related to IT security. Overall, Section 4 establishes the Federal Office as a central hub for information sharing and coordination among federal authorities, ensuring a proactive approach to information technology security and facilitating effective response measures.

Other federal authorities are required to inform the Federal Office without delay if they become aware of significant information related to IT security. However, there are exceptions for information that is confidential or protected by constitutional status. The Federal Office has the authority to monitor the security of federal communications technology and can request information, access data processing systems, and examine devices used for federal communications technology.

Additionally, the Federal Office serves as the general registration office for security in information technology. It receives information from third parties about security risks and evaluates this information. The reported information is used to inform the public, federal authorities, operators of critical infrastructures, and companies in the public interest. However, the disclosure of reported information may be limited if it contains trade secrets or business secrets.

Section 7a of the Act establishes the authority of the Federal Office to examine the security of information technology products and systems. The Federal Office can request manufacturers to provide necessary information for the examination, including technical details. The obtained information is promptly shared with relevant supervisory authorities, and the findings may be shared and published if necessary for fulfilling the Federal Office's tasks. Non-compliance by manufacturers with information requests can result in public disclosure of the non-compliance, including the manufacturer's name and details of the affected product or system. However, manufacturers are given an opportunity to comment before any disclosure occurs. This section ensures that information technology products and systems undergo rigorous security examinations, promotes information sharing, and holds manufacturers accountable for complying with security requirements.

In summary, Section 7a grants the Federal Office the power to examine the security of information technology products and systems. It requires manufacturers to provide necessary information for the examination and mandates the prompt sharing of findings with relevant authorities. The section also establishes the possibility of public disclosure in cases of non-compliance by manufacturers. By enforcing stringent security examinations and promoting transparency, this section contributes to enhancing the overall security of information technology systems.

Requirements for operators of critical infrastructures

Under the legislation, operators of critical infrastructures are required to implement appropriate measures to protect the security of their information technology systems. These measures should prevent disruptions and ensure the availability, integrity, authenticity, and confidentiality of the systems. 

Operators must use systems for attack detection and develop incident response plans. They can propose industry-specific security standards, which will be assessed by the Federal Office. Compliance with the requirements must be demonstrated every two years through security audits, reviews, or certifications. The Federal Office has the authority to review compliance and may involve independent third parties. Operators must provide access and support during these reviews. The Federal Office can define requirements for security audits and certifications in consultation with industry representatives. Additionally, The operators must ensure that they can be reached at any time via the contact point named or specified by the Federal Office

The operators of critical infrastructures shall appropriately prove compliance with the requirements at least every two years. This evidence may be provided by means of security audits, reviews or certifications. The operators shall provide the Federal Office with the results of the audits, reviews or certifications performed including any security deficiencies identified. The Federal Office may request the provision of the documentation on which the assessment was based. In the event of security deficiencies, the Federal Office may request remedy of the security deficiencies.

Special requirements for providers of digital services

Section 8c of the legislation introduces special requirements for providers of digital services. These providers are obligated to implement suitable technical and organizational measures to manage risks to the security of their network and information systems used for providing services within the European Union. These measures aim to prevent or minimize the effects of security incidents. The detailed requirements for these measures are defined by implementing acts of the Commission.

Providers of digital services must immediately report any security incidents that materially affect the provision of their services within the European Union to the Federal Office. The determination of material effect and the content of the reports are specified by implementing acts of the Commission. If the provider lacks sufficient access to the necessary information to evaluate the impact of the incident, the reporting obligation does not apply. In cases where the reported security incidents affect another EU Member State, the Federal Office informs the competent authority of that Member State.

If there are indications that a provider of digital services is not meeting the requirements, the Federal Office can request certain measures from the provider. These measures may include transferring information for security evaluation, providing evidence of security measures taken, and rectifying any non-compliance. The Federal Office cooperates with the competent authority of another EU Member State if the provider is based there, in fulfilling these tasks and requesting measures if necessary.

Security in information technology in companies in the special public interest

This section of the IT Security law imposes obligations on companies in the special public interest regarding IT security. Here are the key points:

  1. Companies must submit a self-declaration on IT security to the Federal Office, providing information about certifications, security audits, or protection measures implemented in the last two years.
  2. The Federal Office can provide guidance on organizational and technical precautions based on the self-declaration.
  3. Companies have specific deadlines for submitting self-declarations based on their classification.
  4. Companies must register with the Federal Office and provide contact information.
  5. Optional registration is available for companies not falling under the first two categories.
  6. Companies must promptly report disruptions that affect the availability, integrity, authenticity, and confidentiality of their IT systems.
  7. By November 1, 2021, companies falling under a different category must report disruptions as per the Major Incidents Ordinance.
  8. The Federal Office can verify a company's status by requesting information on domestic added value or confirmation from an auditing firm.
  9. These provisions ensure that companies in the special public interest comply with IT security requirements through self-declarations, reporting of disruptions, and registration with the Federal Office.

Critical components prohibitions

Under Section 9b of the legislation, the use of critical components in critical infrastructures is subject to certain prohibitions and requirements. Here are the key points:

  • Notification Requirement: Operators of critical infrastructures must notify the Federal Ministry of the Interior, Building and Community in advance about the planned deployment of a critical component, specifying the component and its intended use. This requirement does not apply if the operator has already reported the use of another critical component of the same type and use that has not been prohibited.

  • Prohibition and Orders: The Ministry, in consultation with relevant departments and the Federal Foreign Office, has the authority to prohibit the deployment of a critical component or issue orders to the operator if the deployment could compromise public order or security in Germany. Factors considered include the manufacturer's control by a foreign government, involvement in activities impacting security, and alignment with security policy goals.

  • Guarantee Declaration: Critical components can only be used if the manufacturer provides a guarantee declaration to the operator. This declaration demonstrates that the component does not have features that could be exploited for malicious purposes. The Federal Ministry, in agreement with relevant departments and the Federal Foreign Office, sets the minimum requirements for the guarantee declaration.

  • Prohibition of Continued Use: If indications of manufacturer untrustworthiness arise, such as violations of obligations or technical risks, the Ministry can prohibit the continued use of the critical component or issue orders to the operator. In severe cases, a prohibition may be issued.

  • Impact on Other Components: If the further use of a critical component is prohibited, the Ministry can also prohibit the planned use of other components of the same type and manufacturer, as well as the continued use of existing components, with a reasonable compliance period provided.

Voluntary IT security label

The legislation introduces a voluntary IT security label to inform consumers about product security. The label consists of a manufacturer's declaration and security information provided by the Federal Office. Manufacturers must meet specific IT security requirements and obtain approval. The label is attached to the product or published online, directing consumers to access relevant information. The Federal Office ensures compliance and can take action if discrepancies or security gaps are identified.

Reporting obligations

Section 13 of the legislation outlines reporting obligations of the Federal Office. The office must inform the Federal Ministry of the Interior about its activities, which are used to inform the public about IT security risks through an annual report. 

The Federal Office also shares information with the Commission regarding critical infrastructure operators, sectors, and services, while ensuring confidentiality. Consultations are initiated with other EU Member States regarding critical services in shared sectors. 

Additionally, the Federal Office submits a summary report to the cooperation group on reported security incidents, measures taken, and anonymized data. Operators are obligated to report significant IT security incidents to the BSI. The law specifies the types of incidents that need to be reported, including incidents that could have a significant impact on critical infrastructure or public safety. Reporting timelines and procedures are defined to ensure prompt communication and response to incidents.

Fines for administrative offenses

Section 14 of the legislation outlines regulations on fines for administrative offenses. It specifies various actions that are considered offenses, including failure to comply with precautionary measures, violation of enforceable orders, failure to provide required information or reports, and non-compliance with registration or documentation requirements. 

The fines for these offenses range from up to EUR 50,000 to up to EUR 2 million, depending on the specific violation and intentionality. Negligent acts are also considered offenses. Violations related to ENISA and cybersecurity certification can result in fines of up to EUR 1 million or up to EUR 2 million, depending on the offense.

Access Review Stage Content / Functionality
Across all stages
  • Easily create and save a new access review at a point in time
  • View detailed audit evidence of historical access reviews
Setup access review procedures
  • Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews
  • Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems
  • Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta.
  • Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS)
  • Upload access files from non-integrated systems
  • View and select systems in-scope for the review
Review, approve, and deny user access
  • Select the appropriate systems reviewer and due date
  • Get automatic notifications and reminders to systems reviewer of deadlines
  • Automatic flagging of “risky” employee accounts that have been terminated or switched departments
  • Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section
  • Track progress of individual systems access reviews and see accounts that need to be removed or have access modified
  • Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners
  • Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests
  • Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access
  • Focused view of accounts flagged for access changes for easy tracking and management
  • Automated evidence of remediation completion displayed for integrated systems
  • Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results
  • Auditor can log into Vanta to see history of all completed access reviews
  • Internals can see status of reviews in progress and also historical review detail
Logo of incident.io
Incident.io
Logo of Lumos
Lumos
Icepanel logo on a white background.
IcePanel
Epsilon Logo
Epsilon3
The logo for supabase.
Supabase
EasyLLama Logo
EasyLlama
Qualifi Logo
Qualifi
Logo of toku
Toku
FEATURED VANTA RESOURCE

The ultimate guide to scaling your compliance program

Learn how to scale, manage, and optimize alongside your business goals.

DOWNLOAD FOR FREE

Table of contents

No titles!

Share this article

Share this article

Related Resources

No items found.

Related Resources

Security
Blog
Laying the groundwork: Building security foundations at the partial stage

Learn how partial-stage companies build security foundations to advance toward risk-informed maturity.

Security
Blog
How Synthesia Became One of Europe’s Fastest-growing AI Companies | Frameworks for Growth

Hear from Steffen Tjerrild on what it takes to scale an AI company.

Security
Blog
How to implement CPS 234: A 7-step compliance guide

Learn who needs CPS 234 and how the framework affects your organisation.

Security
Blog
Why measuring your security maturity matters (And how we do it at Vanta)

At Vanta, we’ve developed a practical and structured approach to tracking our own maturity using NIST CSF 2.0.

Vanta’s Cybersecurity Maturity Assessment Template cover image
Security
Guide / Report
Vanta’s Cybersecurity Maturity Assessment Template

Evaluate and improve your security posture with Vanta’s Cybersecurity Maturity Assessment Template—based on the NIST CSF 2.0. Track controls, score maturity levels, and build a scalable, resilient security program.

Amjad Masad interview cover
Security
Blog
Amjad Masad of Replit: 10x’ing in a Year and Building the Future of Code | Frameworks for Growth

Amjad breaks down how Replit handled early competition, carved out space as one of the first AI-native dev platforms, and sustained momentum in a crowded, fast-moving market.

Security
Blog
Bret Taylor of Sierra: How to sell to Enterprise Companies as an AI Startup

In this episode of Frameworks for Growth, Vanta CEO Christina Cacioppo sits down with Bret Taylor, Co-founder and CEO of Sierra, to discuss the evolution of technology, from the early days of cloud at Salesforce, to enterprise-ready AI companies.

Security
Blog
Building the Team at Anthropic: Daniela Amodei on Hiring 10x AI Engineers | Frameworks for Growth

Whether you're a founder, operator, or investor, this episode offers actionable startup advice and insight from one of the most influential voices in tech.

Template: Business Continuity Plan cover image
Security
Guide / Report
Template: Business Continuity Plan

Vanta’s Business Continuity Plan Template is designed to help you build a robust, audit-ready business continuity plan with confidence.

Security
Blog
Garry Tan of YC: Why the next unicorns are built by AI | Frameworks for Growth

Whether you're a founder, operator, or investor, this episode offers actionable startup advice and insight from one of the most influential voices in tech.

Security
Blog
5 must-haves in your first security hire + [Job posting Template]

Not sure what you should be looking for when you’re hiring your first cybersecurity professional? Get started with these criteria.

Template: First-security Hire Job Posting cover image
Security
Guide / Report
Template: First-security Hire Job Posting

Use this template to hire your first security lead with key qualifications, skills, and experience needed to scale your security program.

Get compliant and build trust—fast

Request a demo
G2 Badge 2025 - Best Software | Top 50 Governance, Risk, & Compliance ProductsG2 Badge 2025 - Best Software | Top 50 Security ProductsG2 Badge 2025 - Best Software | Top 100 Best Software Products