IT-Security Regulatory Update | January 2023

Focus: IT-Grundschutz-Compendium 2023, risks and trends in 2023

← IT-Security Regulatory Update | December 2022 New names for the ADWEKO product portfolio →

Highlight from January 2023

Publication of the IT-Grundschutz Compendium 2023

The BSI has published its IT-Grundschutz-Compendium in the 2023 edition. Familiarize yourself with the adjustments using the BSI change document!

“Stay up to date with our monthly regulatory update on IT Security Management!”

IT-Grundschutz Compendium Edition 2023

Every year, the BSI publishes an updated version of the IT-Grundschutz-Compendium. 2023 is no exception, and so Edition 2023 was published at the beginning of February.

In the course of the update, the BSI has made the following changes:

Ten new modules have been added in five layers of the compendium. Among other things, these deal with IT operations (OPS.1.1.1) and outsourcing (OPS.2.3 and OPS.3.2), in which two existing building blocks have been replaced by the newly added ones.
21 building modules of the 2022 edition have been extensively adapted. This applies, for example, to the crypto concept (CON.1) and data protection (CON.2), but also to the Active Directory (APP.2.2) and modules relating to premises and infrastructure (INF.1, INF.2 and INF.10).
A structural revision took place for all modules.
Furthermore, linguistic adjustments were implemented.

In addition to the modules themselves, the BSI has revised the cross-reference tables. These now only include direct hazards that directly affect the target object.

Laptop with lock symbol on screen on world map as background with networks to different countries

As usual, the BSI provides the IT-Grundschutz-Compendium in various formats:

The complete IT-Grundschutz-Compendium in the edition 2023 here;
the individual modules of the compendium here;
the structure of the compendium here;
the version in Word here; and
the version in xml here.

In addition, BSI has developed the following supporting materials:

A change document that lists and describes all changes made, here; and
the revised cross reference tables here.

Source: Federal Office for Information Security – BSI, bsi.bund.de

Focus risks in 2023 from BaFin’s perspective

At this year’s press reception, BaFin’s president outlined some of the risks that will be of particular concern to the authority in 2023. The six focus risks include IT risks, particularly in the context of cyberattacks.

The report sheds light on the fact that the likelihood of disruptions in the IT operations of finance service providers continues to increase. Although a large number of these are triggered internally, this is no reason to give the all-clear; intentionally caused IT incidents have the potential to cause very high damages. Moreover, this risk does not only affect individual institutions. The increasing number of outsourcing arrangements and the growing interconnectedness of institutions among themselves as well as with outsourcing companies, again both with each other and with their subcontractors, are exacerbating this risk. An IT incident at one institution or service provider along the outsourcing chain has the potential to directly or indirectly impact various other financial institutions. The consequences may therefore be felt in large and/or significant parts of the financial system.

Furthermore, one of the trends presented also pays off in terms of IT risk: digitization. And especially the lack of the same. Many institutions operate on outdated IT infrastructures, making them much more vulnerable to IT security incidents, disruptions and failures.

To counter this development and mitigate the growing risk, BaFin is planning close monitoring of multi-client service providers as well as additional audit procedures. Further, it will closely oversee the implementation of DORA’s requirements.

The BaFin press release on the press reception and the focus risks for 2023 can be found here.

Source: © German Federal Financial Supervisory Authority / www.bafin.de

Cyber resilience as a trend for 2023

In addition to BaFin, the EU Commission is also dealing with issues that will be particularly relevant in 2023. In the EU-wide context, the European elections in 2025 are already being considered. Furthermore, ESG and climate-related topics are also a trend that will accompany us in 2023.

Additionally cyber resilience to be particularly relevant. The report approaches the topic through the heat map as well as the cybersecurity of Critical Infrastructures before moving on to the increasing operational resilience of the EU. However, it also looks at the risks to private households that the Cyber Resilience Act is intended to address. In addition, the focus is shifting to the supply chain and high-risk service providers along the supply chain.

Finally, the Commission addresses the skill gap in the cybersecurity sector and addresses various measures to close it.

You can find the analysis of the EU Commission here on their website.

Source: European Commission – ec.europa.eu

The IT-Grundschutz-Compendium in the 2023 edition brings with it some new content and adjustments. As an orientation document in a multitude of topics around IT security, the reading is worthwhile in any case.

The focus topics and risks shared by BaFin and the EU Commission also show the continuing relevance of IT security.

We at ADWEKO are happy to assist you with our expertise in the orientation and implementation of specifications relating to IT security.

The current regulatory developments can be found here.

BaFin and Bundesbank publish speech on supervisory briefing 2023
ESAs publish program for technical discussion around DORA
EIOPA deals with supervisory convergence

BSI publishes recommendation on the use of products with digital elements in UP KRITIS
BSI publishes English version of IT-Grundschutz Compendium 2022
EBA publishes Risk Dashboard with data from Q3 2022
FSB publishes feedback on cyber incident reporting consultation
ENISA provides insight into “Awareness Raising in a Box”.
CEP analyzes Cyber Resilience Act

BfDI deals with cookies
EU Parliament addresses its data protection policy
ENISA publishes report on the practical use of the GDPR in the context of data exchange

Bundesrat committees do not recommend suspension of supply chain due diligence law

BaFin publishes user manual for MVP portal
EIOPA publishes Consumer Trends Report 2022
EBA launches stress test 2023
European Parliament considers progress on banking union
BaFin publishes FAQ on reporting payment security incidents

Cookie	Duration	Description
cookielawinfo-checkbox-analytics		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional		The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary		This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy		The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.