Under Section 14 of the BSI Act, new fines have been added for cases including:
A failure to provide evidence in accordance with Section 8a(3)(1) or a failure to provide this evidence on time
In breach of Section 8b(3)(4), a failure to ensure that a point of contact can be reached
Instances in which the BSI – in breach of Section 8a(4)(2) (review by the BSI) or Section 8b(3a) (information obligation in the event of non-registration) – is not granted access to a room, is not provided with a document in a timely manner (or at all), is not provided with information, is provided with incorrect or late information, or is not provided with support in a timely manner (or at all).
Following IT-SiG 2.0, the scope for fines has been increased to four levels ranging from EUR 100,000 to EUR 20 million (for cases against legal entities) depending on the circumstances.
Examples of maximum fines:
A failure to comply with an order from the BSI regarding the rectification of a security deficiency: up to EUR 20 million
A failure to provide evidence: up to EUR 10 million
A failure to implement safeguards in accordance with Section 8a(1) of the BSI Act: up to EUR 10 million
Failure to register: up to EUR 500,000
Failure to report disruptions: up to EUR 500,000
Unavailability of the point of contact: up to EUR 100,000