IT Security Act 2.0: Requirements for Critical Infrastructure Operators
Introduction
Germany's IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0), which entered into force in May 2021, represents one of the most significant expansions of cybersecurity regulation in Europe. Building on the original IT Security Act of 2015, the 2.0 version substantially broadened the scope of entities subject to cybersecurity obligations, strengthened the powers of the Bundesamt für Sicherheit in der Informationstechnik (BSI), and introduced new requirements for systems for attack detection (Systeme zur Angriffserkennung). For operators of critical infrastructure (KRITIS) in the financial sector, including banks, insurance companies, stock exchanges, and payment service providers, the Act created obligations that directly affect how IT security is managed, monitored, and reported.
In 2026, the IT Security Act 2.0 exists alongside, and is being partially superseded by, the German implementation of the EU NIS2 Directive (Directive (EU) 2022/2555). The NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), which transposes NIS2 into German law, expands the scope of affected entities further and adjusts the obligations originally established by the IT Security Act 2.0. For financial institutions, understanding both the current IT Security Act 2.0 requirements and the incoming NIS2 adjustments is essential for maintaining compliance. This article provides that dual perspective.
What Is the IT Security Act 2.0?
The IT Security Act 2.0 (Zweites Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme) is not a standalone statute but an omnibus law that amends several existing laws, most importantly the BSI Act (BSI-Gesetz, BSIG). The BSIG, as amended by the IT Security Act 2.0, contains the operative requirements for KRITIS operators and other affected entities.
The Act designates the BSI as Germany's central authority for IT security and grants it expanded powers, including the authority to issue binding technical directives, conduct active vulnerability scanning of internet-facing systems, and order the remediation of security deficiencies. For KRITIS operators, the BSI serves as the primary point of contact for incident reporting and compliance verification.
KRITIS operators are defined through the BSI-Kritisverordnung (BSI-KritisV), which specifies threshold values for each KRITIS sector. In the financial sector, operators are classified as KRITIS if they exceed defined thresholds for transaction volumes, assets under management, or number of insured persons. The relevant sectors include banking, financial market infrastructure, and insurance.
The IT Security Act 2.0 also introduced a new category of "companies in the special public interest" (Unternehmen im besonderen öffentlichen Interesse, UBI), which includes defense contractors, companies of significant economic importance, and operators of hazardous facilities. While most financial institutions fall under the KRITIS category rather than UBI, some financial groups with defense-related subsidiaries may be affected by both.
Key Requirements
Minimum Security Standards (Section 8a BSIG)
KRITIS operators must implement appropriate organizational and technical precautions to protect the availability, integrity, authenticity, and confidentiality of their IT systems. These measures must reflect the "state of the art" (Stand der Technik) and be proportionate to the risk. Section 8a(1) BSIG requires that these measures be implemented by the operator and that compliance be demonstrated to the BSI every two years through audits, inspections, or certifications.
For financial institutions, the "state of the art" standard is defined in practice by reference to established frameworks. The BSI itself publishes technical guidelines (Technische Richtlinien) and IT-Grundschutz standards that provide detailed specifications. Industry-specific security standards (branchenspezifische Sicherheitsstandards, B3S) developed by sector associations and approved by the BSI can also be used to demonstrate compliance. The financial sector's B3S, developed by the Deutsche Kreditwirtschaft, aligns closely with MaRisk, BAIT, and ISO 27001, providing a bridge between KRITIS obligations and existing financial sector compliance frameworks.
Systems for Attack Detection (Section 8a(1a) BSIG)
One of the most significant additions made by the IT Security Act 2.0 is the requirement for KRITIS operators to implement systems for attack detection (Systeme zur Angriffserkennung). This requirement, codified in Section 8a(1a) BSIG, took effect on May 1, 2023.
The BSI published detailed guidance on what constitutes compliant attack detection systems in its "Orientierungshilfe zum Einsatz von Systemen zur Angriffserkennung" (February 2023). The guidance specifies that attack detection systems must cover three functional areas:
Logging and detection (Protokollierung und Detektion): Continuous collection and analysis of security-relevant log data from IT systems, networks, and applications. This includes the use of Security Information and Event Management (SIEM) systems or equivalent technologies.
Evaluation and correlation (Auswertung und Korrelation): Automated analysis of collected data to identify patterns indicative of cyberattacks. The BSI expects the use of threat intelligence, behavioral analysis, and anomaly detection capabilities.
Response and remediation (Reaktion und Behebung): Defined processes for responding to detected attacks, including incident response procedures, communication protocols, and remediation measures.
The BSI evaluates the maturity of attack detection systems on a scale from 0 to 5, with level 3 ("established") considered the minimum acceptable level. KRITIS operators must demonstrate their attack detection maturity during the biennial compliance audits under Section 8a(3) BSIG. BaFin-supervised institutions must address this requirement alongside their DORA incident detection obligations.
BSI Reporting Obligations (Section 8b BSIG)
KRITIS operators must report significant IT security incidents to the BSI without undue delay. Section 8b(4) BSIG defines the reporting triggers and timelines:
- Initial notification: Within 24 hours of becoming aware of a significant disruption. This is a preliminary report that must include the nature of the incident and initial impact assessment.
- Intermediate report: Within 72 hours, providing a more detailed assessment including the likely cause, affected systems, and measures taken.
- Final report: Within one month, providing a comprehensive post-incident analysis including root cause, full impact assessment, and lessons learned.
A "significant disruption" includes any IT security incident that could lead to a failure or significant impairment of the critical infrastructure being operated. The threshold is deliberately set low to ensure the BSI has early visibility into potential threats.
Additionally, KRITIS operators must register with the BSI and maintain a contact point for IT security matters that is reachable at all times (Section 8b(3) BSIG). They must also provide the BSI with information about their IT infrastructure when requested for the purpose of threat analysis and warning.
Biennial Compliance Verification (Section 8a(3) BSIG)
Every two years, KRITIS operators must demonstrate to the BSI that they comply with the requirements of Section 8a. This is done through audits conducted by BSI-approved auditors, through inspections, or through recognized certifications (such as ISO 27001 on the basis of IT-Grundschutz). The audit results, including any identified deficiencies, must be submitted to the BSI.
If the BSI identifies deficiencies, it can order the operator to remediate them within a specified timeframe (Section 8a(4) BSIG). Failure to remediate can result in administrative fines of up to EUR 2 million under Section 14 BSIG.
Critical Components and Trustworthiness Declarations (Section 9b BSIG)
The IT Security Act 2.0 introduced a new regime for critical components in KRITIS infrastructure. Under Section 9b BSIG, KRITIS operators must notify the Federal Ministry of the Interior (BMI) before deploying critical components from manufacturers that may pose security concerns. The BMI can prohibit the use of specific components if the manufacturer is deemed untrustworthy. This provision was primarily designed to address concerns about 5G network equipment but applies across all KRITIS sectors.
Relationship to NIS2 and Other Frameworks
The relationship between the IT Security Act 2.0 and NIS2 is one of evolution rather than replacement. The NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) transposes NIS2 into German law by further amending the BSIG and related legislation. The key changes from NIS2 include:
Expanded scope: NIS2 significantly broadens the entities subject to cybersecurity obligations beyond traditional KRITIS operators. The new categories of "essential entities" (wesentliche Einrichtungen) and "important entities" (wichtige Einrichtungen) capture a much larger number of organizations, including medium-sized enterprises in covered sectors.
Harmonized incident reporting: NIS2 Article 23 establishes EU-wide incident reporting timelines that align closely with the BSI reporting obligations already established by the IT Security Act 2.0, but with some adjustments to the specific notification windows.
Management liability: NIS2 Article 20 introduces personal liability for management bodies that fail to ensure compliance with cybersecurity requirements -- a significant escalation from the IT Security Act 2.0's approach.
Higher penalties: NIS2 increases maximum fines to EUR 10 million or 2% of global annual turnover for essential entities, substantially above the EUR 2 million maximum under the IT Security Act 2.0.
For financial institutions, DORA takes priority over NIS2 for digital operational resilience requirements (NIS2 Article 4 provides a lex specialis carve-out for entities covered by sector-specific legislation). However, the IT Security Act 2.0 / NIS2UmsuCG requirements remain relevant for aspects not covered by DORA, particularly the critical components regime under Section 9b BSIG and BSI-specific reporting obligations.
ISO 27001, particularly when implemented on the basis of BSI IT-Grundschutz, provides a recognized path to demonstrating compliance with the "state of the art" requirement under Section 8a BSIG. Many KRITIS operators use ISO 27001 certification as the foundation for their biennial compliance verification.
ENISA (the European Union Agency for Cybersecurity) publishes threat landscape reports and best practice guidance that inform the "state of the art" standard referenced in the IT Security Act 2.0. KRITIS operators should monitor ENISA publications as a source for evolving security expectations.
Compliance Automation with Matproof
The IT Security Act 2.0's requirements create a continuous compliance cycle: implement security measures, deploy attack detection systems, report incidents, and demonstrate compliance biennially. Each phase generates documentation requirements that compound over time. Two years of evidence must be available for each biennial audit, attack detection systems must produce continuous logs, and incident reports must be filed within strict timelines.
Matproof automates the evidence collection that underpins this compliance cycle. The platform connects to security infrastructure -- SIEM systems, firewalls, identity management systems, and cloud environments -- and continuously collects evidence mapped to BSIG requirements. When the biennial audit approaches, compliance teams have a structured evidence repository covering the entire audit period rather than a last-minute documentation scramble.
For the attack detection requirement under Section 8a(1a), Matproof monitors whether the three functional areas (logging, correlation, and response) are operating as expected and generates evidence of their maturity level. This directly supports the BSI's maturity assessment during compliance verification.
The platform's cross-framework mapping connects BSIG requirements to overlapping DORA and ISO 27001 controls. Evidence collected for the IT Security Act 2.0 biennial audit simultaneously satisfies DORA's ICT risk management evidence requirements and ISO 27001 audit documentation. All data remains within German data centers, meeting the BSI's own expectations for data sovereignty in critical infrastructure operations.
Implementation Roadmap
Phase 1 (Weeks 1-2): KRITIS Classification. Determine whether your institution meets the KRITIS threshold values defined in the BSI-KritisV for the financial sector. If you are classified as KRITIS, register with the BSI and establish the required 24/7 contact point. If you are newly in scope due to NIS2UmsuCG, understand the adjusted obligations.
Phase 2 (Weeks 3-6): Security Baseline Assessment. Assess your current security posture against Section 8a BSIG requirements, using the financial sector's B3S or BSI IT-Grundschutz as your reference framework. Identify gaps, particularly in the attack detection systems required by Section 8a(1a).
Phase 3 (Weeks 7-12): Attack Detection Deployment. If your attack detection systems do not meet the BSI's minimum maturity level 3, prioritize their enhancement. This typically involves deploying or upgrading SIEM capabilities, integrating threat intelligence feeds, and establishing formal incident response procedures. Document the implementation for the biennial audit.
Phase 4 (Weeks 13-16): Audit Preparation. Organize evidence from the past two-year period into the structure expected by BSI-approved auditors. Conduct a pre-audit review to identify any documentation gaps. Engage the audit firm early to align on scope and expectations.
Ongoing: Continuous Compliance. Maintain automated evidence collection, conduct regular testing of attack detection systems, and keep incident response procedures current. Monitor BSI publications for updates to technical guidelines and the NIS2UmsuCG implementation timeline.
FAQ
How do I determine if my financial institution is a KRITIS operator?
KRITIS classification is based on threshold values defined in the BSI-Kritisverordnung (BSI-KritisV). For the banking sector (Sektor Finanzwesen), the thresholds relate to transaction volumes, the number of accounts managed, or the value of assets under management. For insurance, the threshold relates to the number of insured persons. If your institution exceeds the applicable threshold, you are a KRITIS operator and must comply with Section 8a BSIG. The BSI provides guidance on applying the threshold values, and BaFin can clarify classification questions for supervised institutions.
What happens if we fail to report an IT security incident to the BSI?
Failure to report a significant IT security incident within the required timelines is an administrative offense under Section 14 BSIG. Fines can reach up to EUR 500,000 per violation. More importantly, unreported incidents can escalate if they affect other critical infrastructure operators, and the BSI may take a particularly critical view of an operator's overall compliance posture if reporting obligations are not met. With NIS2UmsuCG, penalties for reporting failures will increase substantially.
Does ISO 27001 certification satisfy the IT Security Act 2.0 requirements?
ISO 27001 certification, particularly when based on BSI IT-Grundschutz, is recognized as a strong foundation for demonstrating compliance with Section 8a BSIG. However, ISO 27001 alone may not cover all BSIG-specific requirements, particularly the attack detection systems requirement under Section 8a(1a) and the incident reporting obligations under Section 8b. KRITIS operators should use ISO 27001 as the foundation and supplement it with BSIG-specific measures.
How do the IT Security Act 2.0 and DORA interact for financial institutions?
For financial institutions supervised by BaFin, DORA takes priority for ICT risk management, incident reporting, and digital resilience testing. NIS2 Article 4 provides a lex specialis principle that gives DORA precedence where its requirements are at least as strict as NIS2. However, certain IT Security Act 2.0 requirements -- such as the critical components regime under Section 9b BSIG and BSI-specific cooperation obligations -- are not covered by DORA and continue to apply independently. Financial institutions must comply with both DORA and the remaining IT Security Act 2.0 / NIS2UmsuCG requirements.