On April 23, the Bundestag passed a second IT Security Act, which is intended to protect important infrastructure such as mobile phone and energy networks, among other things. One of the new features is that the Federal Ministry of the Interior can prohibit the use of security-relevant components if the manufacturer is controlled by the government of another country or has already been involved in dangerous activities. Previously, the focus was on a declaration of trustworthiness from the manufacturer itself.

The law expands the role of the Federal Office for Information Security (BSI), which is to take greater care of consumer cyber security. There will be IT security labels to help consumers find their way around.

Legal basis for exclusion of Huawei

The IT Security Act 2.0 is the result of a long discussion. It was also held against the backdrop of the question of whether the Chinese network equipment supplier Huawei should be allowed to participate in the expansion of the new 5G data network. The new version provides a broader legal basis for excluding Huawei.

The USA in particular accuses Huawei of having close ties to the Chinese government and has imposed tough sanctions on the company, citing a risk of espionage and sabotage. Huawei rejects the accusations.

"Security policy issues are now of central importance in the expansion of the 5G network," said the CDU/CSU parliamentary group's domestic policy spokesperson Mathias Middelberg. The responsible Union rapporteur Christoph Bernstiel emphasized that in addition to a technical review, there would also be a political review of the manufacturers. However, it is not a "Lex Huawei", as the same requirements apply to all. SPD rapporteur Sebastian Hartmann emphasized that Parliament had set clear criteria for this.

At the same time, the Greens' network expert Konstantin von Notz accused the government of having done too little for IT security over the years - and now, "in the last bend of the legislature", coming up with a draft that has been criticized by many experts. The law was passed with the votes of the governing coalition.

Criticism from Bitkom, approval from the BDI

The digital association Bitkom criticized the new security law as "a combination of technical certification machinery and political-regulatory arbitrariness with questionable added value for IT security". The Federation of German Industries (BDI), on the other hand, welcomed the law. It paves the way for the expansion of a secure 5G network in Germany.

BSI head Arne Schönbohm told the German Press Agency that the BSI is necessary as a strong federal cyber security authority to ensure that digitalization succeeds. "Advising, informing and warning will become increasingly important in the future." The new law would enable extensive improvements in all three of the BSI's major areas of responsibility.

Threat situation remains at a high level

On the one hand, the BSI's mandate to protect the federal administration will be strengthened by new audit and control powers. "I am particularly pleased that the BSI will become the independent and neutral advisory body for consumers on IT security issues at federal level." In addition, the scope of the BSI will be extended to companies that are of particular economic importance due to their high added value or whose failure due to an attack would have an impact on critical infrastructure. "This is the right and logical step, as the threat of cybercrime in Germany remains at a tense and high level."