The Berliner Verkehrsbetriebe (BVG) is in a dispute with the Federal Office for Information Security (BSI). At issue is whether the BVG counts as critical infrastructure (Kritis) for local passenger transport within the meaning of the BSI Act and the IT Security Act. If so, reporting and certification requirements apply. In addition, the public company would have to comply with minimum standards and maintain IT security concepts, for example.
According to the BSI law passed by the Bundestag in 2009, Kritis operators must take appropriate organizational and technical precautions according to the state of the art in order to avoid disruptions to their IT systems. However, the BVG does not want the authority to impose any rules on it, the “Tagesspiegel” writes. In October, the group brought an action against the requirements of the BSI at the Cologne Administrative Court.
BVG names different numbers of passengers
“It’s about the principle,” the newspaper quoted a BVG spokeswoman. In addition, the BVG wants to avoid fines. According to an ordinance issued under the BSI Act, transport companies are considered critical infrastructure if they transport at least 125 million passengers a year. On its website, the BVG writes that it carries over a billion passengers annually. According to the report, the company only reports 30 million passengers per year to the BSI. The spokeswoman explained the enormous difference by saying that the billion referred to “journeys”, not individual people.
The BSI is of the opinion that the BVG is not meeting its legal obligations. The company has only “voluntarily” and gradually provided information on four relevant control systems. This is not enough to prove systematic management of IT security.
With the IT Security Act 2.0, the Federal Government wants to extend reporting obligations to companies that are “of particular public interest” because their “failure or impairment could lead to considerable economic damage” or to a threat to public safety and order.