Legal Framework Conditions – IT Security Becomes Mandatory

Authors: Philipp Frisch, CEO

IT security is no longer just a voluntary choice, but increasingly a legal obligation. Previously, mainly large companies and critical infrastructures were regulated, but new regulations are expanding the circle – also to medium-sized companies in certain sectors. In this article, we provide an understandable overview of the most important laws, directives and standards for cybersecurity that SMEs should know.

GDPR: Data Protection and IT Security Hand in Hand

The General Data Protection Regulation has been in effect since 2018 and affects practically all companies. What many don't know: the GDPR explicitly requires in Article 32 "appropriate technical and organizational measures" to protect personal data. In practice, this means IT security at the state of the art.

For SMEs, this means: if you process customer data, for example, you should implement logical access controls, physical entry controls, encryption, backups and other IT security measures. In the event of an attack that results in a personal data breach, you must notify the data protection authority within 72 hours and, where necessary, the affected individuals.

If you don't comply with these obligations, or if the attack was the result of inadequate security precautions, substantial fines may follow. Authorities have already imposed fines in several cases for insufficient technical protective measures after cyberattacks. Data protection and IT security are thus closely interlinked.

IT Security Act and KRITIS Regulation

The IT Security Act of 2015 (with version 2.0 from 2021) is primarily aimed at operators of so-called Critical Infrastructures (KRITIS) – i.e., large companies from sectors like energy, water, health or finance. Most SMEs don't fall under this.

However, there are indirect effects: if you are a supplier to a KRITIS operator, it may require certain security standards from you in contracts in order to fulfill its own legal obligations. A mechanical engineering firm that supplies control technology to a power grid operator may itself have to meet high security requirements.

Furthermore, IT-SiG 2.0 also covers companies of "particular economic importance" – larger medium-sized companies could fall under this. It is therefore worth checking whether you might belong to this circle.

For SMEs in general, however, the IT security laws serve at least as orientation for what currently counts as "state of the art" – the BSI defines this in the form of the IT-Grundschutz catalogs.

NIS2 Directive: Extended Obligations for Many Companies

The new EU directive NIS2 (Network and Information Systems) represents a significant expansion. It comes into effect gradually from 2024/25 and considerably expands the circle of companies that must comply with cybersecurity minimum standards.

According to expert estimates, about 30,000 companies in Germany will fall under the NIS2 regulations – significantly more than previously under the IT Security Act. These include, for example:

  • Larger medium-sized IT service providers
  • Medical device manufacturers
  • Certain food companies
  • Waste disposal companies
  • Parts of the public sector

Companies classified as "important" entities, from roughly 50 million euros in turnover in certain sectors, also count. The exact implementation into German law is still pending (draft law in progress).

Companies that fall under the NIS2 regulations must then implement appropriate technical and organizational measures according to the state of the art and report significant incidents to the BSI. Sanctions are also provided for, including personal liability of executives in cases of gross negligence.

For affected medium-sized companies, IT security thus finally becomes a mandatory task at the highest level.

Industry Standards and Certifications

Independent of laws, industry-specific requirements also arise that are de facto binding. Examples:

  • Automotive industry: TISAX (Trusted Information Security Assessment Exchange) – a certification that automotive manufacturers often require from their suppliers
  • Aviation: EN 9100 with IT security elements
  • Financial sector: BAIT rules (Banking Supervisory Requirements for IT) from BaFin, which can also be relevant for service providers

For many SMEs, these certifications are prerequisites to even receive orders in certain industries. They are "voluntary obligations" – formally not prescribed, but often economically indispensable.

Liability and Duty of Care of Management

Even without direct legal requirements, every managing director has a duty of "proper business organization." In the digital age, this includes not ignoring IT risks.

If management neglects basic IT security measures and damage results, this can sometimes be considered a breach of duty. Case law is developing further here.

At the latest with the NIS2 directive, the topic of compliance in IT security will gain importance. It is therefore wise to ensure now, in a demonstrable way, that appropriate protective measures are in place.

Practice Tip: Act Proactively Instead of Reactively

Check whether your company could fall under new regulations like NIS2. Orient yourself to proven standards (ISO 27001, BSI IT-Grundschutz) – even if they're voluntary, they signal "state of the art."

Use checklists (e.g., from the BSI or the Chamber of Commerce) to assess your IT security level, and get advice early: data protection officers, Chamber of Commerce events on NIS2, etc., can help you keep track.

It is better to implement measures step by step now than to scramble to meet legal requirements at short notice later, or to face legal consequences after an incident. Forward-thinking IT security protects not only against hackers but also against problems with the law.
