The legal regulation of IT security for the CRITIS sector is multi-layered and has been pushed forward intensively in Europe, especially since 2015, when the first IT Security Act came into force in Germany. In the meantime, however, IT security regulation covers far more than just the CRITIS sector: providers of digital services (cloud computing, online marketplaces, online search engines), for example, are also covered by the EU NIS Directive, and regulations for Industry 4.0 processes, IoT and consumer protection measures beyond the B2B sector are increasingly being adopted. The basis for legislative and regulatory action in IT security is primarily formed by strategy papers that provide an outlook on how things will develop in the near future.
In Germany, for example, a new national cyber security strategy is currently being drafted, which will restructure the version in force since 2016. The document is expected to be adopted in the spring of 2021. With a view to protecting critical infrastructures, it will focus on ensuring digital sovereignty, making IT security measurable, usability, security by design, and further promotion of public-private partnerships (PPP), and it will take into account not only the operators of critical infrastructures, as in the past, but also the manufacturers and suppliers of hardware and software.
The renewal of the national cyber security strategy is accompanied by the draft of a new IT Security Act 2.0, which revises the existing version of the Act from 2015. On the one hand, this involves expanding the group of institutions addressed by the Act, and on the other, significantly expanding the powers of the BSI as the national authority for cybersecurity. Among other things, "municipal waste disposal" is to be added to the critical infrastructure sectors, and "companies in the special public interest" are to be brought within the scope of the Act. In this context, it will probably be particularly interesting to see which of the so-called "largest companies by value added" will be included. These companies will also have to meet special IT security requirements comparable to those for critical infrastructures. Considerable public attention was also attracted by a proposed regulation under which manufacturers of critical core components with a control function in critical infrastructures would have to prove that their product is cyber-secure across the entire supply chain.
New decisions are also currently being taken at European level with regard to cybersecurity. On December 16, 2020, the EU Commission presented its new cyber security strategy, "The EU's Cybersecurity Strategy for the Digital Decade," which aims to create a crisis-proof and digital Europe. The fields of action in the new strategy include, among other things: the expansion of the existing critical infrastructure sectors to include, among others, public administration and space; the development and establishment of an "EU Cyber Shield" with the aim of supra-regional monitoring and data analysis; the development of an "ultra-secure communications network" and associated 5G security; the creation of a Joint Cyber Unit ("JCU") as a common focal point for private and governmental entities in the areas of law enforcement and defense related to IT security; and the development of a Union-wide deterrence strategy with countermeasures in response to attacks in the digital space. This includes a "diplomatic toolbox" to provide a politically unified response to proven cyberattacks. Issues of digital sovereignty and supply chain protection are also addressed, here with a view to cloud, processor technologies, secure connectivity and 6G networks. Last but not least, a new European center of excellence on cybersecurity will be established, based in Bucharest, Romania.

Together with the new EU cybersecurity strategy, the draft EU NIS 2 Directive was also presented (Proposal for a Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148). The current draft version of the NIS 2 Directive primarily provides for the recasting and expansion of the scope of the existing regulations, e.g., to include public administration and space as new sectors, and district heating/district cooling and hydrogen as subsectors.
According to the draft directive, the obligation to take IT security measures is to be based on whether a facility is classified as "essential" or as "important". In general, the EU wants to create more obligations not only for companies and operators, but also, and in particular, for the member states, which will be obliged to implement NIS 2. These include obligations to identify and verify infrastructures and to report them to the EU Commission, increased requirements for national cybersecurity strategies, proactive scanning of network and information systems by member state CSIRTs, and intensified information exchange and cooperation between member state authorities, such as in "EU-CyCLONe" for defense against large-scale cybersecurity incidents. ENISA is also to create a register in which security vulnerabilities of ICT products and services can be entered. It will also be interesting to see how the EU Commission positions itself on the issue of encryption: the conflict between secure data storage and communication on the one hand and the possibility of government institutions effectively gaining access to digitally stored information for the purposes of security and law enforcement on the other has not yet been resolved in an appropriate legal or technical manner.