The Federal Government's new IT Security Act 2.0 is due to be heard in the Bundestag's Interior Affairs Committee on Monday.

The core of the law is, among other things, new access rights for the Federal Office for Information Security (BSI) and new reporting obligations for particularly relevant companies.

The role of the federal authorities is also to be strengthened in consumer protection.

Interior-policy politicians of the CDU are already celebrating the law, which the Federal Cabinet passed into the parliamentary legislative procedure at the end of December, as a great success. In an internal federal committee decision of the party, which is available to WELT, they urge its quick adoption.

They call for even more far-reaching measures for more security.

The requirements in the paper are "closely coordinated with Arne Schönbohm, President of the BSI", according to the text.

At the same time, however, the business community, of all groups, which is supposed to benefit from more IT security in German networks, is resisting the current version of the draft law, as are opposition politicians responsible for digital policy.

Various business associations hope to be able to push through changes.

BSI should get significantly more rights


“With the IT Security Act 2.0, the CDU wants to adapt the legal framework to the new threat situation.

It contains measures to better protect government networks and critical infrastructures and to strengthen consumer protection,” says the strategy paper.

"It is therefore of great importance that the law is passed in this legislative period."

From the point of view of the Union experts, the key point of the draft law is the future role of the BSI.

It is to be expanded as the “third pillar of a federally integrated cyber security architecture” and given significantly more rights.

In the future, the office itself is to actively search for security gaps in German networks, for example by using so-called port scans to identify and influence at-risk systems, or by operating so-called sinkholes, traps for hackers in the network. At least the former would be illegal for private security providers.

The authority is also to be authorized to issue instructions to operators of telecommunications networks in order to ward off attacks from the Internet.

In addition, the draft law significantly expands the group of companies that have to have their IT security measures approved by the BSI.


Previously, only operators of critical infrastructure were obliged to do so. Now “companies of particular public interest” are to submit a self-declaration on IT security to the BSI every two years and, in the event of an IT security leak, immediately alert the experts at the Federal Office.

Exactly which companies are included has not yet been clearly defined.

In addition, the Federal Office is to check and certify network hardware in German telecommunications networks for back doors and security gaps before they are used by companies.

At the federal level, the BSI is to be authorized to issue instructions to other authorities and to check their IT security - and to get almost 800 new jobs for all of this.

Invest even more in IT security in the future

“A robust defense against cyber attacks is a question of location for the economy.

It is particularly important for small and medium-sized companies to support them with protective measures against cyber attacks,” said CDU General Secretary Paul Ziemiak, explaining the request to WELT.

"We want a strong state when it comes to effectively protecting our SMEs against cyber attacks."


In addition to the draft law, at the initiative of BSI boss Schönbohm, the Union is calling for a so-called cyber quota for future public IT projects at federal level: "At least 20 percent of material resources should be used for federal IT projects for information security," according to the party experts' strategy paper.

"In the future we will invest even more in IT security," said Ziemiak.

The content of the law has been wrestled over since the beginning of 2019, and the Union’s security politicians now want to pass it before the end of the legislative period.

But in particular the trade associations, whose members, according to the Union experts, should benefit from the measures, are protesting against the new role of the BSI and the expanded obligations for companies.

The Federation of German Industry (BDI) sees the current draft as “in large parts in urgent need of revision” and fears “considerable additional burdens” for companies.

The IT association Bitkom describes a "great need for improvement"; its head, Achim Berg, fears that the BSI will be overwhelmed by the large-scale expansion of competencies.

Reporting requirements that offer added value

Eco, the association of network operators, goes even further: "The law in this form weakens general IT security considerably," says Eco board member Klaus Landefeld in an interview with WELT.

He sees the BSI as having a conflict of interest in the future: “On the one hand, companies are obliged to report security gaps to the BSI.

On the other hand, however, the office should keep any security gaps found secret if other security authorities or federal secret services so wish.” With this, the federal government is undermining the trust between companies and the office.

Landefeld also criticizes the envisaged obligation to certify supply chains for network hardware: “How should companies do that?

They get network cards in pallets, and then they should open them all and check them one by one?

Which software is running on it cannot be controlled anyway."

Furthermore, it has not yet been determined which companies count as being in the public interest at all and will therefore fall under the extended reporting and certification obligations toward the BSI in the future.

"But that should be well over 1000 - a lot more than before."

Manuel Höferlin (FDP), chairman of the Bundestag committee on the digital agenda, is similarly critical.

He fears that medium-sized companies will be overwhelmed by the new reporting obligations at the BSI: “We need reporting obligations that also offer companies added value.

That is why I call for a qualitative return channel instead of the current one-way street in the direction of the BSI,” Höferlin told WELT.

"In the case of medium-sized companies this means uncomplicated help, and in the case of larger companies it may be up-to-date images of the cyber threat situation."


Höferlin also sees the BSI in a quandary: "The Minister of the Interior, as the highest employer, wants to bunker knowledge about security gaps for the security authorities, while the BSI is supposed to take care of the country's IT security."

Overall, the business community and the opposition feel steamrolled by the federal government's current pressure to pass the law before the general election.

But whether the associations can still enforce their change requests in the upcoming hearings in the Bundestag is at least questionable in view of the Union's enthusiasm for the law.
