CRITIS & German IT Security Act 2.0
Intrusion detection is mandatory

Critical infrastructures and companies operating in the special public interest will be legally obliged to deploy an intrusion detection system such as Cybersense Deception as of 1 May 2023.

Increased danger, increased IT security

Ransomware campaigns and insider threats pose an increasing danger to companies and organizations. Legislators have now responded: The "Second Act to Increase the Security of Information Technology Systems" (IT Security Act 2.0) not only grants the Federal Office for Information Security (BSI) further powers, but has also increased the requirements for cyber security:

In § 8a (1a), operators of both critical infrastructures and companies in the special public interest are legally obliged to implement an intrusion detection system. Choose a system that suits you. With Cybersense Deception, you acquire a solution for advanced and pragmatic intrusion detection as a Managed Service.

Requirements for intrusion detection systems according to the German IT Security Act 2.0 and BSI (Federal Cyber Security Authority)

  • Continuous and automatic recording and evaluation of appropriate parameters and characteristics from ongoing operations.
  • Identification and prevention of ongoing threats
  • Appropriate measures for the mitigation of security incidents
Area
BSI-ID
Requirement
Governance
77-79, 81-82
Processes and responsibilities for security incidents
Systems and evaluation
80, 90-94
Systems and methods for systematic evaluation
Tests and vulnerabilities
95-96
Regular penetration tests and handling of vulnerabilities

Thus, the focus is also shifting to operational technologies (OT), i.e. technologies for remote control, process control and network control, which are differentiated from corporate IT.

Cybersense Deception meets the specific requirements of CRITIS operators

To ensure the high stability of IT systems, you want to avoid the installation of additional software, such as additional agents. Similarly, changes on your servers and security solutions that require cloud data storage are unacceptable. For you, these options combined with false alerts are simply out of the question. Cybersense Deception provides the solution.

Implement an effective intrusion detection system – with zero impact on your existing IT and OT systems.

Discover Cybersense Deception now!

What is CRITIS?

CRITIS is the abbreviation for critical infrastructure. These are facilities, organisations, plants and systems that are of high importance to the community, and whose failure would have serious consequences for society and national order. For this reason, CRITIS operators – as well as companies operating in the special public interest – are legally obliged to meet minimum IT security requirements. These are stipulated in the German IT Security Act 2.0, and compliance is monitored by the BSI as the Federal Cyber Security Authority.

Critical infrastructure sectors

  • Information Technology
  • Telecommunications
  • Water
  • Energy
  • Transport and traffic management
  • Food
  • Public administration
  • Media and culture
  • Finance and insurance
  • Healthcare
  • Waste management (since May 2021)

What companies operate in the special public interest?

The German IT Security Act 2.0 stipulates that companies of economic importance must also take precautions to avoid disruptions to their IT systems. These mainly include the following:

  • Arms manufacturers
  • Aerospace companies
  • Manufacturers of IT products for processing classified government information
  • Companies that are economically significant due to their size
  • Operators in high-level areas as defined by the Major Accidents Ordinance (Störfall-Verordnung), e.g. chemical companies.

While these companies do not have to meet as many requirements as CRITIS institutions, they are also obliged to take a proactive approach to cyber security.

New requirements of the German IT Security Act 2.0

Companies operating in the special public interest must also submit a self-declaration of their IT security. This describes the security certifications of the previous two years as well as any IT security audits or checks carried out – including the audit framework and areas of application. It also provides information on how IT systems, components and processes that require special protection are secured in accordance with the state of the art.

In addition to the above-mentioned self-declaration, operators and companies must designate a point of contact that can be reached during business hours, as well as report any disruptions to availability, integrity, authenticity and confidentiality. In this way, the Federal Government aims to ensure that IT security in Germany is raised to a higher level.

Do you have any questions? Would you like a demo?
We look forward to hearing from you.

Your contact partner
Sebastian Struwe

Contact us now