Implement the requirements in your company now in an uncomplicated way.

The grace period for KRITIS operators is over! 

01.05.2023 is a deadline that should be marked red in the calendar of all KRITIS operators. On this day, the transition period for companies to implement the requirements of the IT Security Act 2.0 (IT-SiG 2.0) and to implement an attack detection system ended.

Companies that cannot prove this appropriately now risk severe economic damage in the millions - in the worst case, the very existence of the company. On the one hand, the costs caused by an attack on your IT are immense. On the other hand, there is the threat of hefty fines for non-compliance with the requirements of the IT Security Act 2.0.

The BSI provides some examples of the maximum fine range

However, implementing the requirements of IT-SiG 2.0 is about much more than "just" avoiding fines - even if these can be enormous.

The security and existence of your company is at stake.

That's why we're clarifying the most important questions about IT-SiG 2.0 for you here and showing you how you can implement the resulting requirements in your company in a straightforward manner.

In a nutshell: Answers to the most important questions about IT-SiG 2.0

IT-SiG 2.0 obliges all CRITIS operators to take "appropriate organizational and technical precautions to prevent disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes." The new Section 8a (1a) BSIG also explicitly mentions the use of attack detection systems (SCC).

In accordance with Section 8a (3) BSIG and Section 11 (1e) EnWG, the implemented measures are to be demonstrated using a six-stage implementation level model. The implementation levels range from level 0 (no requirements met) to level 5 (all requirements met).

The IT Security Act 2.0 defines what is meant by an attack detection system. Accordingly, it refers to processes that are supported by technical tools and organizational integration and serve to detect attacks on information technology systems.

To achieve this, the systems must continuously and automatically collect and evaluate parameters and characteristics from the operation of the systems. They must compare the processed data with information and patterns that may indicate attacks. In addition, they should be able to detect and prevent threats and take appropriate remediation actions when a failure occurs.

In terms of their functionality, attack detection systems thus have three main tasks:

  • Logging
  • Detection
  • Reaction

Every single company is exposed to the risks of a cybersecurity incident - regardless of the industry and the size of the company. It therefore makes sense for every company to implement the requirements of the IT Security Act 2.0 and the recommendations of the IT-Grundschutz.

However, only operators of critical infrastructures are currently legally obligated to

According to Section 2(10) of the BSIG, this includes facilities, installations or parts thereof belonging to the following sectors:

  • Energy
  • Information technology and telecommunications
  • Transportation and traffic
  • Health
  • Water
  • Nutrition
  • Finance and insurance
  • Municipal waste management

Critical infrastructures are further defined by Section 10 (1) BSIG. According to this, certain thresholds must be reached or exceeded for a CRITIS operator to be subject to the BSI's statutory notification and verification obligations. You can read the threshold values of the BSI Critical Infrastructure Ordinance here

If your company is not covered by the BSI Criticality Ordinance, we still strongly recommend that you invest in a secure IT infrastructure. We will be happy to advise you on this.

If your IT infrastructure is not adequately secured, your company becomes an easy target for attack and is exposed to unnecessarily high risks. A cyber attack can cause significant damage such as:

  • Failure of entire IT systems or production facilities
  • Financial losses due to downtime
  • Compromise of sensitive data
  • Blackmail and ransomware
  • Image damage

For CRITIS operators, these consequences can be even more drastic. In addition, they face fines of up to €20 million if they fail to comply with the requirements of the IT Security Act 2.0.

It is not uncommon for a cyber attack to lead to the insolvency of the affected company in the long term.

Since the requirements from IT-SiG 2.0 should already have been implemented since 01.05.2023, there is an urgent need for action. You should act quickly, but well thought out.

First, the status quo of your IT security measures should be compared with the legal requirements. Then, any gaps identified must be closed immediately. To do this, speak to the person responsible in your IT department.

Our IT security experts at C & C IT will be happy to provide you with comprehensive advice and support. With ProLog, they can deliver a fast and secure all-in-one solution to meet the requirements of the IT Security Act 2.0.

With ProLog, you can quickly and easily meet the BSI requirements.

ProLog is the perfect tool for data protection & data security - made in Germany. The all-in-one solution combines all technical and organizational measures required by the IT Security Act 2.0, enabling a level 4 implementation.

Because ProLog combines log management with SIEM functionalities in one package:

Detailed documentation in two stages

  • Protection needs and risk analysis
  • Creation of a logging concept

The ProLog software

ProLog agents collect log data on the applications assigned to them. They can be administered centrally from the software.

Reporting and alerting packages

Reports and alerts for regulatory compliance and to ensure internal compliance requirements.

Maintenance & Updates

ProLog customers receive support to ensure that all regular changes to the GDPR are integrated into the software in a timely manner.

Rely on the highest data, IT and audit security in your company.

We support you in meeting the requirements as quickly as possible.