According to the legislation, the requirement to use attack detection systems will apply from 1 May 2023.
Operators regulated in accordance with the BSI Act have to provide the BSI with evidence in accordance with Section 8a (3) of the BSI Act every two years. Evidence provided to the BSI from 1 May 2023 onwards also has to contain information on the implementation of paragraph 1a (i.e. regarding the use of attack detection systems).
Operators of energy supply grids and energy facilities that are classed as critical infrastructure in accordance with statutory regulations as per Section 10 (1) of the BSI Act must – in accordance with Section 11 (1e) of the EnWG – provide the Federal Office for Information Security with evidence of their compliance with the requirements under Section 11 (1d) on 1 May 2023 for the first time and then every two years thereafter.
More specific requirements are currently being drawn up by the BSI and will be published in the form of an orientation guide.
The suitability of industry-specific security standards (B3S) is declared for two years at regular intervals. Until the provision of the orientation guide and for B3S that do not contain sufficient information regarding the requirements under Section 8a (1) of the BSI Act, the BSI is unable to assess suitability for the implementation of Section 8a (1a) of the BSI Act. As such, the declaration of suitability is restricted to Section 8a (1) of the BSI Act and excludes paragraph 1a. In that case, operators of critical infrastructure have to apply their own suitable technical and organisational measures (e.g. based on other standards) and provide evidence for these measures, as is otherwise the case when no B3S exists.
The IT Security Act 2.0 defines attack detection systems as 'processes that are used for detecting attacks on information technology systems and are supported by technical tools and organisational integration'.
As defined in Section 8a (1a) of the BSI Act, the attack detection systems used must automatically scan and evaluate appropriate parameters and characteristics during live operations on an ongoing basis. They should be capable of continuously identifying and avoiding threats and arranging suitable safeguards to rectify any disruptions.
The term 'attack detection systems' refers to a wide range of technical and organisational safeguards that serve to detect attacks. The BSI will publish an orientation guide on the definition, which will provide general and cross-sectoral descriptions of what can be classed as an intrusion detection system. The BSI is also planning to draw up requisite specific definitions of 'state-of-the-art technology' in cooperation with operators.
From 1 May 2023, operators of critical infrastructure will be required – with the entry into force of the IT Security Act 2.0 – to use state-of-the-art attack detection systems and provide corresponding evidence to the BSI. This means that, in addition to the evidence to be presented to the Federal Network Agency regarding the implementation of the IT Security Catalogue, further evidence must be provided to the BSI.
For the provision of evidence, the BSI will publish suitable forms in line with the established method for providing evidence in the context of Section 8a (3) and (1) of the BSI Act.
Section 8a (1a) modifies the requirements set out in Section 8a (1) of the BSI Act. Accordingly, evidence for Section 8a (1) and for Section 8a (1a) can be submitted together to the BSI. Documents that are submitted to the BSI after 1 May 2023 and that do not provide evidence for the appropriate use of attack detection systems within the context of paragraph 1a will not be regarded as complete within the meaning of Section 8a (3) of the BSI Act under the new legal framework.