VCI position in a nutshell

IT Security Act

The German federal government wants to increase the cyber-resilience of German industry. For this purpose, the government adopted on 16 December 2020 the draft for the IT Security Act 2.0 (ITSiG 2.0). The VCI expressly welcomes this, however, the association still sees a need for better precision.

Already the 1st IT Security Act was intended to improve the security of information technology systems and contribute to the protection of critical infrastructures (KRITIS). Seven KRITIS sectors were defined for this purpose in 2015: energy, water, information technology and telecommunications, food, health, finance and insurance, as well as transport and traffic. The health sector includes production facilities for prescription medicines. The act obliges KRITIS operators to observe a defined minimum level of IT security, in order to prevent personal injury, protect the common good and minimise negative effects for everyone. Furthermore, IT-critical incidents must be reported to the Federal Office for Information Security (BSI).

More companies in the focus

In the future, the IT Security Act 2.0 is to also cover companies of particular public interest that rank among the major undertakings in this country because of their domestic value creation – so that they are of considerable importance to the German national economy. The calculation of domestic value creation is to be determined in a legal ordinance still to be enacted. The method is to be oriented to the report by the Monopolies Commission. If one takes the Commission's top 100 list as a basis, 17 of these would be chemical and pharmaceutical groups. This approach ignores that German chemical and pharmaceutical businesses are integrated in extensive international value chains. The act does not cover foreign suppliers, so that potential weak points might persist. Moreover, companies from all areas of the value chain can be of considerable importance to the German national economy.

In the future, the ITSiG 2.0 is to also comprise all companies which run an operating area of the upper class of the Major Incidents Ordinance (Störfallverordnung).

Major Incidents Ordinance forms the basis

The VCI welcomes that the ITSiG 2.0 now takes the Major Incidents Ordinance – and not, as originally planned, the Hazardous Substances Ordinance (Gefahrstoff-verordnung) – as the basis for its extended scope. The purpose of the Hazardous Substances Ordinance is to protect the general public from dangerous events related to industrial installations. This ensures a limitation to companies of particular relevance to public safety and order.

In addition, the circle of those subject to the act is brought in a much more precise form and thus safeguards legal clarity. The reference to the Major Incidents Ordinance also means that existing reporting obligations under this Ordinance will not have to be duplicated with regard to cyber security. In these companies, incident officers are in place and invariably work with the latest security technology. Therefore, it is advisable to resort to the incident reporting obligations, avoiding unnecessary bureaucracy.

Companies of considerable importance to the national economy are obliged to submit an IT security self-declaration. In principle, it is welcomed that the level of IT security is increased in this manner. Particularly the addressed larger businesses have their own IT departments with cyber security experts already working in this field. The BSI should actively support small and medium-sized enterprises in efforts to strengthen their cyber-resilience.


  • Provide more clarity
    Concrete and precise criteria for which companies with their value creation are of considerable importance to the national economy – and thus fall under the ITSiG 2.0 – should be defined already in the legal text and not as late as in a future legal ordinance.
  • Maintain the reference to the Major Incidents Ordinance
    The reference to the Major Incidents Ordinance brings more cyber security and better legal certainty. Furthermore, it prevents unnecessary bureaucracy. Therefore, this reference should be maintained in the further legislative procedure.
  • Strengthen cyber security
    IT security must have a central role in the digitalisation strategies of companies. Already today, the chemical industry is making great efforts which will become even more comprehensive in the future.

Click here to download PDF 150 Kb

For questions or suggestions, please feel free to contact us.


R. Stephan