On 28 May 2021, the law on the Security of Information Technology Systems (IT Security Act 2.0), which includes cybersecurity regulation and a voluntary IT security label, entered into force. The Act expands the list of critical sectors and establishes a new category, companies in the special public interest, defined as companies that provide or manufacture products classified as essential based on the Foreign Trade and Payments Ordinance, have economic importance to Germany, or are operators of an upper-tier establishment based on the Hazardous Incident Ordinance. Companies in the special public interest are subject to the same security requirements as the providers of critical infrastructure, such as energy, health, information technology and telecommunications, transport and traffic, media and culture, water, finance and insurance, food, municipal waste disposal, state and administration. In particular, the providers must implement organisational, detective, and preventive technical measures to ensure the resilience of their systems. Furthermore, in cases of significant disruptions, the providers of critical infrastructure and companies in the special public interest are required to provide the data the Federal Office for Information Security requests. Finally, the IT Security Act 2.0 established a voluntary IT security label that providers can obtain if they are compliant with the security measures outlined in the Act. The providers have to apply for the label and can use it upon approval by the Federal Office for Information Security.