Legal Framework – IT Security Becomes Mandatory
IT security is no longer just a voluntary extra – it is increasingly a legal obligation. Until now, mainly large companies and critical infrastructure operators have been regulated, but new requirements are expanding the circle – including to mid-sized companies in certain sectors. In this article, we provide a comprehensible overview of the most important laws, directives, and standards in cybersecurity that SMEs should know.
GDPR: Data Protection and IT Security Hand in Hand
The General Data Protection Regulation has been in force since 2018 and affects virtually all companies. What many don’t know: the GDPR explicitly requires “appropriate technical and organizational measures” in Article 32 to protect personal data. This effectively means IT security in line with the current state of the art.
For SMEs, this means: access controls, password controls, encryption, backup, and other IT security measures should be in place if you process, for example, customer data. In the event of a cyberattack with data exfiltration, you must notify the data protection authority and, if applicable, those affected within 72 hours.
If you fail to meet these obligations or the attack resulted from inadequate security precautions, significant penalties may follow. Authorities have already imposed fines in several cases for insufficient technical protective measures following cyberattacks. Data protection and IT security are therefore closely intertwined.
IT Security Act and Critical Infrastructure Regulations
The IT Security Act of 2015 (with Amendment 2.0 of 2021) is primarily aimed at operators of so-called critical infrastructure (KRITIS) – i.e., large companies from sectors such as energy, water, healthcare, or finance. Most SMEs do not fall under this.
However, there are indirect effects: if you are a supplier to a KRITIS operator, they may contractually require certain security standards from you to fulfill their own legal obligations. A mechanical engineering company that, for example, delivers control technology to a power grid operator may itself have to meet high security requirements.
In addition, IT-SiG 2.0 also targets companies of “special economic significance” – which can also include larger mid-sized companies. It is therefore worth checking whether you might belong to this group.
For SMEs in general, however, the IT security laws at least serve as guidance on what is currently considered the “state of the art” – the BSI sets the benchmarks in the form of the IT-Grundschutz catalogs.
NIS2 Directive: Extended Obligations for Many Companies
The new EU directive NIS2 (Network and Information Systems) represents a significant expansion. It comes into force gradually from 2024/25 and considerably widens the circle of companies required to comply with minimum cybersecurity standards.
According to expert estimates, around 30,000 companies in Germany will fall under NIS2 regulations – significantly more than previously covered by the IT Security Act. These include, for example:
- Larger mid-sized IT service providers
- Manufacturers of medical devices
- Certain food companies
- Waste management companies
- Parts of the public sector
“Important” companies with revenue of around €50 million or more in certain sectors are also included. The precise implementation into German law is still pending (a draft law is in preparation).
Those falling under NIS2 regulations will then be required to implement appropriate technical and organizational measures in line with the current state of the art and to report significant incidents to the BSI. There are also sanction possibilities, including personal liability of managers for serious failures.
For affected mid-sized companies, IT security thus definitively becomes a mandatory task at the highest level.
Industry Standards and Certifications
Independently of laws, industry-specific requirements are also emerging that are becoming effectively binding. Examples:
- Automotive industry: TISAX (Trusted Information Security Assessment Exchange) – a certification that automotive manufacturers often require from their suppliers
- Aviation: EN 9100 with IT security elements
- Financial sector: BAIT regulations (supervisory requirements for banking IT) from BaFin, which can also be relevant for service providers
For many SMEs, these certifications are a prerequisite for obtaining orders in certain industries at all. They represent “voluntary obligations” – not formally prescribed, but often economically essential.
Liability and Duty of Care of Management
Even without direct legal requirements: every managing director has a duty to ensure “proper organizational management.” In the digital age, this includes not ignoring IT risks.
If management neglects basic IT security measures and damage results, this can under certain circumstances be assessed as a breach of duty. Case law is developing further in this area.
At the latest with the NIS2 directive, the topic of compliance in IT security will gain in importance. It is therefore wise to document now that appropriate protective measures are being taken.
Practical Tip: Act Proactively Rather Than Reactively
Check whether your company might fall under new regulations such as NIS2. Orient yourself to proven standards (ISO 27001, BSI IT-Grundschutz) – even if they are voluntary, they signal “state of the art.”
Use checklists (e.g., from the BSI or Chamber of Commerce) for your IT security level and seek advice in good time: data protection officers, Chamber of Commerce events on NIS2, etc., can help you keep track.
It is better to implement measures step by step now than to have to hastily fulfill legal requirements under time pressure later, or to face legal consequences after an incident. Proactive IT security protects not only against hackers, but also against problems with the law.