Which companies are affected and what measures do they have to take now?
With the German IT Security Act 2.0, most of which came into force on 28 May 2021, the new category of companies in the special public interest was introduced in addition to critical infrastructures and digital service providers. Who falls under this category and what obligations this entails has now been specified in the general FAQ (currently only available in German) which were published by the Federal Office for Information Security (“BSI”) last week. This article summarises the main aspects of the clarifications made by the BSI and highlights the current points for action.
Who falls under the category of companies in the special public interest?
Companies in the special public interest are companies that are not operators of critical infrastructures (operators of critical infrastructures are already subject to extensive obligations under the BSI Act - see our article from May 2021) and that
- No. 1 - manufacture or develop goods pursuant to Section 60 para. 1 nos. 1 and 3 of the German Foreign Trade and Payments Ordinance (Außenwirtschaftsverordnung (AWV)). According to the FAQ of the BSI, this includes companies that are active in the field of weapons, ammunition and armaments, or in the field of products with IT security functions for the processing of classified state information or components of such products that are essential for the IT security function (hereinafter "CSPI 1").
- No. 2 - in terms of their domestic value-added, are among the largest companies in Germany and are therefore of considerable economic importance for the Federal Republic of Germany, or which are of essential significance to such companies as suppliers because of their unique selling propositions. The BSI has clarified in the FAQ that the first group comprises the largest companies in Germany measured by domestic value-added; the exact economic indicators for identifying them are still to be defined by ordinance. Once this ordinance has been issued and the group of affected companies in this category has been established, the Federal Ministry of the Interior can determine in a further ordinance which unique selling propositions are decisive in establishing that suppliers are of essential importance to these companies and therefore also fall under the provisions of the BSI Act (hereinafter "CSPI 2").
- No. 3 - are operators of an upper-tier establishment within the meaning of the Hazardous Incident Ordinance (Störfall-Verordnung) or are equivalent to such operators pursuant to Section 1 para. 2 of the Hazardous Incident Ordinance. According to the BSI, these are companies that operate an area in which hazardous substances are present in quantities that reach or exceed the quantity thresholds specified in column 5 of the list of substances in Annex I of the Hazardous Incident Ordinance (hereinafter "CSPI 3").
Which IT security obligations apply to companies in the special public interest?
The obligations of companies in the special public interest differ depending on the category to which a company belongs. The obligations imposed on companies subject to regulation under the Hazardous Incident Ordinance (Section 2 para. 14 sentence 1 no. 3 BSI Act, CSPI 3) are less extensive than those imposed on the other two categories: companies whose business activities fall under Section 60 para. 1 nos. 1 and 3 AWV (Section 2 para. 14 sentence 1 no. 1 BSI Act, CSPI 1), and companies which, based on their domestic value-added, are among the largest companies in Germany and are therefore of considerable economic importance for the Federal Republic of Germany, or which are of essential significance to such companies as suppliers because of their unique selling propositions (Section 2 para. 14 sentence 1 no. 2 BSI Act, CSPI 2).
In a nutshell, companies falling under the CSPI 1 and CSPI 2 categories are subject to the following obligations:
- Obligation to submit a self-declaration on IT security to the BSI. On the basis of such a self-declaration, the BSI can provide guidance on appropriate organisational and technical measures for compliance with the state of the art;
- Obligation to register with the BSI and designate a contact point that can be reached during normal business hours (this needs to be done at the same time as the submission of the first self-declaration on IT security); and
- Obligation to report certain disruptions to the BSI without delay (this obligation applies from the time when there is an obligation to submit the self-declaration on IT security).
Companies in the CSPI 3 category, on the other hand, are only required to report certain security incidents without delay. Registration with the BSI and designation of a contact point that can be reached during normal business hours are voluntary, and there is no obligation to submit a self-declaration on IT security.
What are the possible consequences of violating the above-mentioned IT security obligations?
Violations of the obligations for companies in the special public interest are subject to a fine. Fines of up to 500,000 EUR may be imposed
- in the event of failure to register or failure to register in due time (Section 14 para. 2 no. 5 BSI Act);
- in the event of failure to designate a contact point or failure to do so in due time (Section 14 para. 2 no. 5 BSI Act);
- if the self-declaration pursuant to Section 8f para. 1 BSI Act is not submitted at all, not submitted correctly, not submitted in full or not submitted in due time (Section 14 para. 2 no. 9 BSI Act);
- if a notification is not submitted to the BSI, is not submitted correctly, is incomplete or is not submitted in due time (Section 14 para. 2 no. 7 BSI Act).
In summary: What measures do companies in the special public interest have to take now?
The current need for action varies according to the category of a company in the special public interest:
- CSPI 1: There is currently an urgent need for action on the part of manufacturers and developers of goods within the meaning of Section 60 AWV (including defence manufacturers and manufacturers of IT products for the processing of classified state information), because the necessary preparations – depending on which certifications are already available and which still need to be obtained – may be cumbersome. In addition to registering, these companies must submit a self-declaration on IT security to the BSI by 1 May 2023, in which they must provide, among other things, certain information on the certifications, security audits and checks carried out in the area of IT security.
- CSPI 3: There is also an urgent need for action for companies that are subject to regulation under the Hazardous Incident Ordinance, as such companies must report certain incidents to the BSI from 1 November 2021. For companies that could potentially fall into this category, the first step – if not already taken – is therefore to ascertain as quickly as possible whether or not they fall within the scope of this obligation. If a company is covered by the CSPI 3 category, the next step, against the backdrop of increased fines, is to establish by 1 November 2021 which incidents are notifiable and what the deadline and content requirements of a notification are, and to integrate these requirements into the company's operational and internal processes. Only in this way will the affected company be able to make timely, correct and complete notifications in accordance with the requirements of the BSI Act.
- CSPI 2: Companies of considerable economic importance, and their suppliers of essential significance because of their unique selling propositions, should closely follow current developments in connection with the enactment of the corresponding ordinance (which, as in the case of critical infrastructures, will determine who specifically falls under this category). This is important in order to have enough time to check whether the respective company falls under the CSPI 2 category, to prepare comprehensively for the submission of a self-declaration on IT security and to register with the BSI in due time.
Irrespective of the obligations under the BSI Act, the related ordinances and the applicable deadlines, the BSI recommends, in view of the current tense IT security situation, that every company continuously improves and raises its own IT security level.