
IT Security Act: Rules and Obligations from IT-SiG 2.0

The IT Security Act (IT-SiG) has been the central regulatory framework for cybersecurity in Germany since July 2015, requiring especially operators of critical infrastructure (KRITIS) to meet a defined minimum standard for IT security. With the implementation of IT-SiG 2.0 in May 2021, the BSI’s authority was expanded, fines were raised to up to €20 million, and new sectors were included. The EU NIS-2 Directive complements the IT-SiG, being transposed into national law via the NIS2UmsuCG (NIS2 Implementation and Cybersecurity Strengthening Act).


01

What is the IT Security Act – Short Explanation?

The IT Security Act is designed as an omnibus bill. This means that it amends and supplements several existing laws simultaneously—including the Federal Office for Information Security Act, the Energy Industry Act, the Telecommunications Act, and the Telemedia Act. This results in a comprehensive legal framework for information security in Germany.

The law addresses three target groups: operators of critical infrastructure (KRITIS) with particularly strict obligations, companies of special public interest (UBI/UNBÖFI) such as defense contractors or corporations of significant economic importance, and federal authorities and public administration.

Key Information on the IT-SiG
  • IT-SiG in effect since July 2015; IT-SiG 2.0 since May 2021

  • Central supervisory authority: BSI

  • Applicable to: KRITIS operators, UBI/UNBÖFI, and the federal administration

  • Fines: up to €2 million per violation, tenfold (€20 million) for legal persons via Section 30(2) OWiG; no turnover-based cap

  • In parallel: NIS-2 expands the requirements of the IT-SiG

02

What is the purpose of the IT Security Act?

The IT Security Act is a complex omnibus bill that addresses a wide range of issues and, in addition to the Federal Office for Information Security Act, amends and supplements the Energy Industry Act, the Telemedia Act, the Telecommunications Act, and other laws. Its goal is to make Germany’s IT systems and digital infrastructure among the most secure in the world. Three key protection objectives are at the heart of the legislation:

  1. Protecting critical infrastructure from failure, sabotage, and espionage

  2. Strengthening general cybersecurity in the economy and public administration

  3. Protecting citizens in the digital space

The IT Security Act is also intended to contribute to a general improvement in cybersecurity for companies, public authorities, and citizens across the country. In its current form, the Act serves as an important roadmap for cybersecurity in German society.


03

Who is subject to the IT Security Act?

The IT-SiG is primarily aimed at operators of critical infrastructure. According to the Federal Office for Information Security (BSI), operators of critical infrastructure include companies in the energy and water supply, healthcare, food, finance and insurance, IT and telecommunications, and transportation sectors.

 

With the IT-SiG 2.0, the following were added:

  • Municipal waste disposal as a new KRITIS sector

  • Companies of particular public interest (UBI/UNBÖFI) – e.g., defense contractors, companies of significant economic importance, and operators of upper-tier establishments under the Major Accidents Ordinance (Störfall-Verordnung)

  • Manufacturers and suppliers of critical components (particularly in the telecommunications sector)

 

You can find more information on requirements and solutions on our page about Critical Infrastructure (KRITIS).

04

What has changed with the IT Security Act 2.0?

The IT-SiG 2.0 came into effect in May 2021 and updated the list of requirements to reflect the current threat landscape. At its core, the IT-SiG 2.0 provides for an active protective role for the BSI on behalf of the state, the economy, and the public. The most significant changes concern, on the one hand, the expanded powers of the BSI and, on the other hand, stricter obligations for KRITIS operators, including significantly higher fines.

Expanded BSI Powers

The BSI is being restructured into a proactive cybersecurity agency that identifies and closes relevant security vulnerabilities in the systems of the business sector and society. To this end, the BSI is to monitor the internet for vulnerable or unsecured devices (IoT / IIoT / ICS) and notify affected companies and users.

  • Port scans to identify vulnerable systems on the German network

  • Authority to deploy security patches to proactively disrupt botnets and eliminate malware from compromised devices

  • Use of sinkhole servers to block communication between bots and C&C servers

  • Establishment of binding minimum standards for the federal administration

  • Introduction of a voluntary IT security label for consumer products

Stricter Requirements for KRITIS Operators

Since the IT-SiG 2.0 came into effect, KRITIS operators have been required to comply with a significantly more extensive set of obligations. These focus on technical protective measures, increased transparency toward the BSI, and stricter requirements for the use of critical components.

  • Use of systems for attack detection (intrusion detection) is mandatory; the obligation has applied since 1 May 2023 (Section 8a(1a) BSIG)

  • Expanded reporting requirements for IT security incidents

  • Declaration of guarantee for the use of critical components

  • Mandatory reporting for the initial use of critical components

Drastically Increased Fines

Under the IT Security Act 2.0, the fine framework was raised drastically. Serious violations can be punished with fines of up to €2 million per violation; for legal persons the reference to Section 30(2) OWiG multiplies this tenfold, giving a maximum of €20 million. The GDPR-style alternative of up to 4 percent of global annual turnover appeared in an early draft of the law but was not enacted. The previous penalty range capped at €100,000 per violation.

05


How are IT-SiG 2.0 and NIS-2 related?

The EU-wide NIS 2 Directive builds on the national IT Security Act and broadens it considerably. In Germany it is transposed by the NIS2UmsuCG, which amends the BSI Act rather than replacing it. The NIS 2 Directive aims to ensure a high common level of cybersecurity across the EU and to strengthen the resilience of critical sectors. It expands the scope to many more sectors and entities, tightens security requirements, and introduces stricter enforcement measures and management liability. Because NIS 2 is the broader of the two regimes, an organization that is NIS 2-compliant already meets most of the IT-SiG 2.0 requirements, whereas IT-SiG 2.0 compliance alone does not establish NIS 2 compliance.

Comparison: IT-SiG 2.0 vs. NIS-2 / NIS2UmsuCG

Scope
  • IT-SiG 2.0: critical infrastructure (KRITIS) + UBI/UNBÖFI in Germany
  • NIS-2 / NIS2UmsuCG: expanded to an estimated 30,000 organizations in Germany alone

Sectors
  • IT-SiG 2.0: 8 sectors
  • NIS-2 / NIS2UmsuCG: 18 sectors

Reporting obligations
  • IT-SiG 2.0: report significant IT disruptions to the BSI without undue delay
  • NIS-2 / NIS2UmsuCG: multi-stage – early warning within 24 hours, incident notification within 72 hours, final report within one month

Board responsibility
  • IT-SiG 2.0: responsibility of the operator
  • NIS-2 / NIS2UmsuCG: personal liability of the management body, which must approve and oversee the security measures

Fines
  • IT-SiG 2.0: up to €2 million per violation, tenfold (€20 million) for legal persons via Section 30(2) OWiG; no turnover-based cap
  • NIS-2 / NIS2UmsuCG: up to €10 million or 2% of global annual turnover for essential entities, €7 million or 1.4% for important entities, whichever amount is higher

    06

    What specific obligations do companies have?

    The key requirements of the IT Security Act for affected organizations:

     

    • State of the art: Implement appropriate technical and organizational measures

    • Intrusion detection systems: Deployment and ongoing maintenance

    • Risk analyses and business continuity plans

    • Designate a point of contact at the BSI and ensure they remain reachable

    • Mandatory reporting of significant IT disruptions – the law requires KRITIS operators, for example, to report significant IT disruptions to the BSI

    • Obligation to provide evidence every two years in accordance with Section 8a(3) BSIG (the BSI Act as amended by the IT Security Act)

    • Secure the supply chain – the operator remains responsible for outsourced parts of its critical infrastructure and must pass the requirements on to its downstream service providers

     

    Any company that counts KRITIS operators among its customers is affected indirectly: an operator cannot outsource its responsibility under the IT Security Act, so it has to contractually require state-of-the-art protective measures from its downstream service providers and verify that they are in place. In practice, a hosting provider, for example, must be able to demonstrate to its KRITIS customers that its systems are protected to the state of the art and that the security mechanisms are audited regularly.


    07

    Conclusion: IT security is shifting from a luxury to a necessity

    The IT Security Act remains the legal foundation of cybersecurity in Germany – even after the NIS 2 implementation takes effect. With the IT-SiG 2.0, the requirements for KRITIS operators have been significantly tightened, the BSI’s powers have been expanded, and fines have been raised to GDPR levels. The parallel implementation of the NIS 2 Directive via the NIS2UmsuCG supplements this framework with EU-wide uniform standards and significantly expands the scope of obligated companies.

     

    For affected organizations, this means that IT security is no longer optional but a measurable obligation. Those who invest early in appropriate protective measures – such as DDoS mitigation from a BSI-qualified provider, a WAF, and systems for attack detection – not only meet regulatory requirements but also strengthen their own resilience against an escalating threat landscape.

    FAQ – Frequently Asked Questions About the IT Security Act

    Since when has the IT Security Act been in force?

    The German IT Security Act (IT-SiG) has been in force since July 2015. The revised and significantly expanded version, IT-SiG 2.0, came into force in May 2021.

    About the author

    Stefan Bordel

    Senior Editor


    Stefan Bordel has been working as Editor and Technical Writer at Myra Security since 2020. He is responsible for the strategic development and editorial management of all content formats – from website content and specialist publications to whitepapers, social media communication, and technical documentation. In this role, he combines solid expertise from IT journalism with in-depth technical understanding in the field of cybersecurity. As a long-time Linux enthusiast, he closely follows developments in the IT industry both professionally and personally.