Germany: Introduced Second Law to increase the security of Information Technology Systems (IT Security Act 2.0) including cybersecurity regulation and voluntary IT security label

Description

On 1 January 2021, the Second Law to increase the Security of Information Technology Systems (IT Security Act 2.0), including cybersecurity regulation and a voluntary IT security label, was introduced in the German Parliament. The Act would expand the list of critical sectors and establish a new regulated category of service providers, companies in the special public interest, defined as companies that provide or manufacture products classified as essential based on the Foreign Trade and Payments Ordinance, have economic importance to Germany, or are operators of an upper-tier establishment based on the Hazardous Incident Ordinance. Companies in the special public interest are subject to the same security requirements as the providers of critical infrastructure, such as energy, health, information technology and telecommunications, transport and traffic, media and culture, water, finance and insurance, food, municipal waste disposal, state and administration. In particular, the providers must implement organisational, detective, and preventive technical measures to ensure the resilience of their systems. Furthermore, in cases of significant disruptions, the providers of critical infrastructure and companies in the special public interest are required to provide the data the Federal Office for Information Security requests. Finally, the IT Security Act 2.0 established a voluntary IT security label that providers can obtain if they are compliant with the security measures outlined in the Act. The providers have to apply for the label and can use it upon approval by the Federal Office for Information Security.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: infrastructure provider: internet and telecom services, technological consumer goods, software provider: other software, infrastructure provider: network hardware and equipment
Implementation Level: national
Government Branch: legislature
Government Body: parliament

Complete timeline of this policy change

2021-01-01
under deliberation

On 1 January 2021, the Security of Information Technology Systems (IT Security Act 2.0) including c…

2021-05-07
adopted

On 7 May 2021, the Security of Information Technology Systems (IT Security Act 2.0) including cyber…

2021-05-28
in force

On 28 May 2021, the Security of Information Technology Systems (IT Security Act 2.0) including cybe…