Lost in the jungle of guidelines: which IT requirements really matter

BSI Act and IT Security Act 1.0

In Germany, the BSI Act has formed the basis for the security of critical infrastructures (KRITIS) since 2009. It defines the tasks of the Federal Office for Information Security (BSI), which, among other things, acts as the central reporting office for IT security. KRITIS companies must also take appropriate security measures to protect their IT systems, report significant disruptions, and demonstrate compliance with these security measures.

The IT Security Act 1.0 was passed to increase KRITIS security. This supplements the BSI Act with the obligation to meet minimum requirements.

EU General Data Protection Regulation (GDPR/EU Regulation 2016/679)

The aim of the GDPR is to protect natural persons when their personal data is processed and to support the free movement of data. Security measures must be appropriate to the risk in question, and personal data must be protected by suitable technical and organizational measures (known as TOMs), such as encryption, pseudonymization, and ensuring the availability and resilience of systems.

Cybersecurity Act (EU Regulation 2019/881)

To improve transparency and trust in digital products and services, the Cybersecurity Act created an EU-wide framework for cybersecurity certification. Certification is risk-based and voluntary, and is valid in all EU member states.

IT Security Act 2.0

With the introduction of the IT Security Act 2.0, the obligations for KRITIS operators were expanded and the powers of the BSI were further strengthened. Since then, the BSI has been a national authority for cybersecurity certification. New additions include the implementation of an “attack detection system” (SzA) and higher fines for violations, as well as additional sectors in the KRITIS classification, e.g., waste management.

Digital Services Act/DSA (EU Regulation 2022/2065)

The Digital Services Act applies to all intermediary services that offer their services to users in the EU. These include, for example, online marketplaces and social networks. The DSA aims to ensure a secure digital single market, combat illegal content more effectively, and protect users' rights. In Germany, the DSA is supplemented by the national Digital Services Act (Digitale-Dienste-Gesetz).

Cyber Resilience Act/CRA/Cyber Resilience Regulation (EU Regulation 2024/2847)

The Cyber Resilience Act places obligations on all networked products with digital components for the first time. Manufacturers must keep security gaps closed throughout the entire product life cycle and report serious incidents to the European Union Agency for Cybersecurity (ENISA) within 24 hours. Products must now bear a CE mark confirming IT security. Failure to comply may result in heavy fines, product warnings, sales bans, or loss of the CE mark.

Digital Operational Resilience Act/DORA (EU Regulation 2022/2554)

DORA requires financial institutions such as banks, insurance companies, and investment firms to manage ICT risks, report security incidents quickly, and have their management of third-party providers reviewed.

NIS 2 Directive (EU Directive 2022/2555)

The NIS 2 Implementation and Cybersecurity Strengthening Act, which transposes the European NIS 2 Directive into German law, now includes significantly more companies in mandatory IT security measures.

The scope of application has been expanded to include several sectors. As a result, it is no longer limited to the KRITIS sector. Even “normal” companies with 50 or more employees or a turnover of €10 million or more are now subject to the requirements.

Affected companies are required to implement strict technical and organizational security measures to reduce risks, manage incidents, and improve information security. These include risk management, supply chain auditing, and compliance with ISO 27001-like standards.

Examples of such measures are risk analyses, incident management (incident response), supply chain security, use of cryptography, access controls and identity management, business continuity, and recovery.

To ensure that these measures are effective in an emergency, NIS 2 also requires companies to adhere to a strict reporting procedure. Once a security incident has been identified, it must be reported within 24 hours. Failure to comply with this requirement will result in heavy fines.

EU RCE Directive/CER Directive (EU Directive 2022/2557)

The KRITIS umbrella law is intended to supplement the NIS 2 Directive with the aspect of physical resilience and is targeted for the end of 2025/beginning of 2026. KRITIS operators are to carry out risk analyses, draw up resilience plans, and are obliged to report security incidents. This is to ensure that important services can be provided despite disruptions.

Conclusion

While national regulations such as the BSI Act and IT Security Acts 1.0 and 2.0 define obligations and responsibilities in Germany, especially for KRITIS, European regulations such as the GDPR, the Cybersecurity Act, DORA, the DSA, and the Cyber Resilience Act (CRA) ensure uniform standards and reporting requirements.

With NIS 2 and the KRITIS umbrella law, the scope of application will be significantly expanded in the future: not only large KRITIS companies, but also many medium-sized businesses are now required to implement comprehensive technical and organizational security measures in a verifiable manner.

The European and national IT security landscape is thus evolving toward a networked, risk-based security framework designed to promote transparency, prevention, and responsiveness. Those who invest early in information security, compliance, and cyber resilience are not only on the safe side legally, but are also simply better equipped to defend against digital attacks.

Our tip: Bring clarity to the legal jungle!

The requirements in the area of information security are complex. In addition to the existing regulations, the NIS 2 Implementation Act has now been added, bringing significantly expanded obligations, stricter liability rules, and considerably higher expectations for security levels. With our practical DTS Information Security Services, we support you in meeting legal requirements, placing your individual IT security strategy on a robust foundation, and, if necessary, preparing you optimally for upcoming audits or certifications.

In our NIS 2 introductory workshop, our experts show you how to implement NIS 2 efficiently, with best practices for prevention, detection, and response to security incidents. In our risk management workshop, we help you gain a deeper understanding of the necessary risk management measures. By identifying, evaluating, and controlling existing measures, we help you establish a risk management system that really works. In the information security management system (ISMS) workshop, we guide you through the process of setting up a powerful ISMS that is understandable and implementable, with practical ideas and effective strategies. And in the state-of-the-art workshop, we work with you to make your security status transparent, uncover optimization potential, and define modern security measures for the next level.

DTS Information Security