IT-Sicherheitsgesetz 2.0 is Germany’s strengthened cybersecurity law designed to protect critical infrastructure and other high impact organizations. The law expands earlier requirements and introduces stricter obligations around risk management, incident reporting, and security governance.
CyberArrow helps organizations implement IT-Sicherheitsgesetz 2.0 and stay audit ready without manual spreadsheets or fragmented compliance efforts.
IT-Sicherheitsgesetz 2.0 is a German cybersecurity law that strengthens security requirements for critical infrastructure operators and companies of special public interest. It defines legal obligations for managing cybersecurity risks, implementing appropriate technical and organizational measures, and reporting security incidents to the German Federal Office for Information Security.
IT-Sicherheitsgesetz 2.0 is not a certifiable standard. Organizations do not receive a formal certificate for compliance. Instead, affected entities are required to implement the law’s requirements and be able to demonstrate compliance during regulatory audits, inspections, and supervisory reviews.
Once IT-Sicherheitsgesetz 2.0 requirements are implemented, organizations must maintain continuous compliance readiness and retain documentation and evidence to support ongoing regulatory oversight.
There are no special prerequisites to start. CyberArrow Customer Success guides organizations through the full compliance journey, including applicability assessment, control implementation, documentation, evidence collection, and regulatory readiness.
CyberArrow is a technology first GRC platform that automates control management, risk assessments, documentation, and evidence tracking for IT-Sicherheitsgesetz 2.0. The platform also supports policy management, task assignments, reporting, and audit preparation to reduce manual effort and compliance pressure.
CyberArrow can be used by critical infrastructure operators, companies of special public interest, and regulated organizations operating in Germany and across the European Union.
Say good-bye to manual spreadsheets and identifying security controls across multiple systems, CyberArrow automatically gathers evidence. CyberArrow supports 80+ integrations and comes packed with auditor pre-approved document templates.
CyberArrow continuously monitors your security posture by integrating with your technologies and processes. Security control KPI assessments and reporting is automated so you can put your time where it’s needed.
CyberArrow automatically manages your risk assessments. You can also upload your manual spreadsheets and take advantage of CyberArrow’s powerful reporting dashboards. The solution comes pre-mapped with 300+ risks and mitigations across IT-Sicherheitsgesetz 2.0 and other standards.
By eliminating the hundreds of hours of manual effort that were previously required to maintain your Compliance reports and certifications, you can now spend more time on other daily tasks.
No. IT-Sicherheitsgesetz 2.0 is a legal requirement, not a certifiable standard. Organizations do not receive a certificate. They must demonstrate compliance during regulatory audits and supervisory reviews.
Organizations prove compliance through documented policies, risk assessments, implemented controls, incident records, and audit evidence. Regulators may request this information during inspections.
The law applies to critical infrastructure operators, companies of special public interest, and certain organizations with high relevance to public security or economic stability in Germany.
Many organizations use ISO 27001 or BSI IT-Grundschutz to structure their security programs. These frameworks help implement controls and maintain evidence that supports compliance with IT-Sicherheitsgesetz 2.0.
Compliance should be reviewed on an ongoing basis. Organizations must be ready to demonstrate compliance at any time during audits, inspections, or regulatory inquiries.