IT SECURITY ACT 2.0:

Implement the requirements in your company now in an uncomplicated way.

The grace period for KRITIS operators is over! 

01.05.2023 is a deadline that should be marked red in the calendar of all KRITIS operators. On this day, the transition period for companies to implement the requirements of the IT Security Act 2.0 (IT-SiG 2.0), including the deployment of an attack detection system, ended.

Companies that cannot prove this appropriately now risk severe economic damage in the millions - in the worst case, the very existence of the company. On the one hand, the costs caused by an attack on your IT are immense. On the other hand, there is the threat of hefty fines for non-compliance with the requirements of the IT Security Act 2.0.

The BSI provides some examples of the maximum fine range

However, implementing the requirements of IT-SiG 2.0 is about much more than "just" avoiding fines - even if these can be enormous.

The security and existence of your company is at stake.

That's why we're clarifying the most important questions about IT-SiG 2.0 for you here and showing you how you can implement the resulting requirements in your company in a straightforward manner.

In a nutshell: Answers to the most important questions about IT-SiG 2.0

IT-SiG 2.0 obliges all CRITIS operators to take "appropriate organizational and technical precautions to prevent disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes." The new Section 8a (1a) BSIG also explicitly mentions the use of attack detection systems (SzA, from the German Systeme zur Angriffserkennung).

In accordance with Section 8a (3) BSIG and Section 11 (1e) EnWG, the implemented measures are to be demonstrated using a six-stage implementation level model. The implementation levels range from level 0 (no requirements met) to level 5 (all requirements met).

The IT Security Act 2.0 defines what is meant by an attack detection system: processes, supported by technical tools and organizational integration, that serve to detect attacks on information technology systems.

To achieve this, the systems must continuously and automatically collect and evaluate parameters and characteristics from the operation of the systems. They must compare the processed data with information and patterns that may indicate attacks. In addition, they should be able to detect and prevent threats and take appropriate remediation measures when a disruption has occurred.

In terms of their functionality, attack detection systems thus have three main tasks:

  • Logging
  • Detection
  • Reaction
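An added example (not code from the page or from ProLog) that illustrates those three tasks in a minimal form: constructed SSH authentication log lines are collected into structured events, compared against a pattern that may indicate a brute-force login (several failures followed by a success from one source within a short window), and turned into a remediation action. The log format, the pattern and the threshold are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like sshd events); not real data.
SAMPLE_LOG = """\
2023-05-01T08:00:01 sshd[1]: Failed password for root from 10.0.0.5
2023-05-01T08:00:03 sshd[1]: Failed password for root from 10.0.0.5
2023-05-01T08:00:05 sshd[1]: Failed password for admin from 10.0.0.5
2023-05-01T08:00:07 sshd[1]: Failed password for admin from 10.0.0.5
2023-05-01T08:00:09 sshd[1]: Failed password for root from 10.0.0.5
2023-05-01T08:00:10 sshd[1]: Accepted password for root from 10.0.0.5
2023-05-01T08:05:00 sshd[1]: Failed password for bob from 10.0.0.9
2023-05-01T08:06:00 sshd[1]: Accepted password for bob from 10.0.0.9
"""

# Assumed line layout: <ISO timestamp> sshd[<pid>]: <Failed|Accepted> password for <user> from <src>
LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")


def collect(raw):
    """Task 1, logging: parse raw lines into structured events; unparseable lines are skipped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "outcome": outcome, "user": user, "src": src})
    return events


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Task 2, detection: compare events against one attack pattern (assumed here):
    at least `threshold` failed logins from a source within `window`, then a success."""
    failures = defaultdict(list)  # src -> timestamps of recent failures
    alerts = []
    for ev in events:
        src = ev["src"]
        recent = [t for t in failures[src] if ev["ts"] - t <= window]  # drop stale failures
        failures[src] = recent
        if ev["outcome"] == "Failed":
            failures[src].append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"ts": ev["ts"], "src": src, "user": ev["user"], "failures": len(recent)})
    return alerts


def react(alerts):
    """Task 3, reaction: derive a remediation action from the alerts (here: sources to block)."""
    return sorted({a["src"] for a in alerts})
```

Running `react(detect(collect(SAMPLE_LOG)))` on the constructed lines yields the single source that completed the failure-then-success pattern; the second source, with one failure, produces no alert.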

Every single company is exposed to the risks of a cybersecurity incident - regardless of the industry and the size of the company. It therefore makes sense for every company to implement the requirements of the IT Security Act 2.0 and the recommendations of the IT-Grundschutz.

However, only operators of critical infrastructures are currently legally obligated to

According to Section 2(10) of the BSIG, this includes facilities, installations or parts thereof belonging to the following sectors:

  • Energy
  • Information technology and telecommunications
  • Transportation and traffic
  • Health
  • Water
  • Nutrition
  • Finance and insurance
  • Municipal waste management

Critical infrastructures are further defined by Section 10 (1) BSIG. According to this, certain thresholds must be reached or exceeded for a CRITIS operator to be subject to the BSI's statutory notification and verification obligations. You can read the threshold values of the BSI Critical Infrastructure Ordinance here

If your company is not covered by the BSI Critical Infrastructure Ordinance (BSI-KritisV), we still strongly recommend that you invest in a secure IT infrastructure. We will be happy to advise you on this.

If your IT infrastructure is not adequately secured, your company becomes an easy target for attack and is exposed to unnecessarily high risks. A cyber attack can cause significant damage such as:

  • Failure of entire IT systems or production facilities
  • Financial losses due to downtime
  • Compromise of sensitive data
  • Blackmail and ransomware
  • Image damage

For CRITIS operators, these consequences can be even more drastic. In addition, they face fines of up to €20 million if they fail to comply with the requirements of the IT Security Act 2.0.

It is not uncommon for a cyber attack to lead to the insolvency of the affected company in the long term.

Since the requirements of IT-SiG 2.0 should already have been in place since 01.05.2023, there is an urgent need for action. You should act quickly, but in a well-considered way.

First, the status quo of your IT security measures should be compared with the legal requirements. Then, any gaps identified must be closed immediately. To do this, speak to the person responsible in your IT department.

Our IT security experts at C & C IT will be happy to provide you with comprehensive advice and support. With ProLog, they can deliver a fast and secure all-in-one solution to meet the requirements of the IT Security Act 2.0.

With ProLog, you can quickly and easily meet the BSI requirements.

ProLog is the perfect tool for data protection & data security - made in Germany. The all-in-one solution combines all technical and organizational measures required by the IT Security Act 2.0, enabling a level 4 implementation.

Because ProLog combines log management with SIEM functionalities in one package:

Detailed documentation in two stages

  • Protection needs and risk analysis
  • Creation of a logging concept

The ProLog software

ProLog agents collect log data on the applications assigned to them. They can be administered centrally from the software.

Reporting and alerting packages

Reports and alerts for regulatory compliance and to ensure internal compliance requirements.

Maintenance & Updates

ProLog customers receive support to ensure that all regular changes to the GDPR are integrated into the software in a timely manner.

Rely on the highest data, IT and audit security in your company.

We support you in meeting the requirements as quickly as possible.

Contact