Mar 8, 2016

New legal ordinance expands on the IT Security Act

Operators of critical infrastructures have to upgrade to modern authentication solutions

Berlin, 8 March 2016. The German IT Security Act came into force in July 2015. In February of this year a draft legal ordinance was published which, for the first time, defines who is affected by the new law and must therefore report IT security incidents in future.

IT Security Act for operators of critical infrastructures

The IT Security Act is aimed at improving the security of both businesses and the federal administration as well as protecting citizens on the internet. In this respect, the ordinance includes IT security requirements for so-called critical infrastructures. These are facilities of key importance for the body politic, such as the systems used in the fields of energy provision, traffic, healthcare as well as banking and insurance. “Many IT attacks could be fended off using standard security measures”, explains Mark Rüdiger, Business Development Manager at OpenLimit SignCubes AG ( The operators of critical infrastructures are therefore obliged by the new law to report IT security incidents to the BSI (Federal Office for Information Security) and thereby make their own contribution towards IT security in Germany.

Strong authentication technologies necessary

Using the latest technologies, appropriate organizational and technical precautions must be taken to avoid disturbances in the availability, integrity, authenticity and confidentiality of the IT systems, components and processes, which are crucial for the functionality of the infrastructures operated. “According to the BSI, one can determine what the latest technological standards are at any time with reference to national or international standards such as DIN or ISO. In Germany, the BSI’s IT Baseline Protection Catalogs must be paid particular attention to here. One of these state-of-the-art solutions, for example, is the authentication technology truedentity (, which is based on the certified technology and infrastructure of the German ID card and is therefore based on a tried-and-tested data protection and security concept for digital identities”, adds Rüdiger.

For security-critical application fields, the IT Baseline Protection Catalogs recommend strong authentication, combining at least two authentication factors, such as password plus chip card or the use of biometric identification features. “One-factor authentication consisting of user name and password provides an enticing attack surface for identity theft. Even complicated passwords can be cracked using special programs and must therefore be considered insecure”, says the IT security expert. Regular media reports about large data theft scandals and network attacks underscore this statement.

Two-factor authentication for trust and protection

truedentity guarantees mutual unambiguous identification of user and service. The secure authentication technology can be used flexibly, thereby offering needs-oriented solutions with scalable security. Based on two- or multi-factor authentication, the unique identity of all persons or machines concerned is checked before communication takes place. For this purpose, an eID server, as an independent link between the concerned parties, verifies the genuine-ness of both sides, while user and service actively grant access to their secured data. The subsequent communication is encrypted and follows the BSI’s security standards for the German ID card. Abuse by way of stolen identities is therefore recognized and prevented before access to the data or system is obtained. Subsequent reporting of the attempted attack to the BSI meets the requirements of the new IT Security Act.

In addition to the ID card, truedentity also supports individually issued ID tokens of different designs (e.g. smart cards, USBs, soft tokens), while the actual electronic ID (the eID application) remains in compliance with BSI Technical Guideline 03127. Biometric methods can also be used, so that employee or company IDs can also form the basis for secure authentication processes.

Who is affected by the new reporting obligation?

“A total of seven industries and around 700 systems in Germany are affected by the IT Security Act and therefore by the new reporting obligation”, says the specialist from OpenLimit. “A figure of 500,000 is the rule of thumb: if more than 500,000 citizens are dependent on the service provision of a company from any of the fields of information technology, telecommunications, energy, food, finance or insurance, the system is subject to the reporting obligation and must meet the minimum IT security standards specified.” For a more precise definition, thresholds were determined for the respective sectors, calculated based on the consumption of 500,000 people. For energy providers for instance, this was calculated to be an annual power generation of more than 450 MW and for water works the provision of at least 21.9 million m³ per annum. The operators of security-critical systems still have almost two years to achieve compliance with the security guidelines based on the latest technological advances. “We recommend, however, that all companies, regardless of whether they are affected by the reporting obligation or not, not lose any time when it comes to the issue of IT security. The reports in the media are only the tip of the iceberg, and cyber-attacks represent a real and serious danger.”


About OpenLimit SignCubes
OpenLimit SignCubes AG ( was founded in 2002 and is a wholly-owned subsidiary of the publicly traded OpenLimit Holding AG. The company’s registered office is in Baar, Switzerland, with a subsidiary located in Berlin, Germany. The group currently employs more than 70 highly qualified staff.

OpenLimit stands for the secure electronic handshake. Our technologies enable people and machines globally to communicate without limits in ways that are secure, verifiable and identifiable. We develop base technologies and products in the following areas: legally secure signature methods, digital long-term archiving, secure data transmission and digital identities. Our technologies are an integral part of products from leading developers of IT applications and are used by businesses, authorities, institutions as well as private households. In order to achieve our mission of a secure electronic handshake, we enter into carefully selected strategic development and distribution partnerships.

New legal ordinance expands on the IT Security Act