Status
In Force
IT Security Act 2.0 (BSI-Gesetz / BSIG Amendment)
Also known as: IT-SiG 2.0 (Germany)
Germany's expanded IT security law strengthening the Federal Office for Information Security (BSI). Extends KRITIS (critical infrastructure) obligations to additional sectors, introduces mandatory use of attack detection systems, and grants BSI new investigative powers.
Jurisdiction
Germany
Regulator
—
Effective
5/28/2021
Sector
Critical infrastructure, Energy, Water, Finance, Healthcare, Transport, Digital infrastructure
Full Text / Summary
Germany's IT Security Act 2.0 (Zweites Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme), effective May 28, 2021, significantly expands the BSI Act (BSIG) and strengthens Germany's cybersecurity framework. Key additions include: expanded scope of critical infrastructure (KRITIS) to include waste management and large enterprises of special public interest (UBI); mandatory use of attack detection systems (Angriffserkennung) for KRITIS operators; BSI authority to issue security certifications and prohibit use of components from untrustworthy manufacturers; mandatory registration of KRITIS operators with BSI; consumer device security requirements; and enhanced BSI investigative powers. The Act introduces the concept of "Unternehmen im besonderen öffentlichen Interesse" (UBI) — companies of special public interest including defense contractors, companies in the top 1,000 by revenue, and hazardous materials operators — who face new reporting and security obligations. The Act also implements the EU NIS Directive and prepares Germany for NIS2 implementation. Fines for non-compliance can reach EUR 20 million.