Germany rolls out IT Security Act
Germany's controversial IT Security Act (ITSG) came into effect on July 25, 2015. The new act seeks to increase protections for German citizens, companies and government institutions that may be vulnerable to a range of IT security risks. The act requires critical infrastructure operators to implement state-of-the-art security measures and to report security incidents to a national agency, the Federal Office for Information Security (BSI). It also provides new obligations for commercial telemedia service providers.
On August 20, 2014, the German Federal Ministry of the Interior proposed a new bill to increase the security of IT systems in the country by amending several national laws and increasing the power of the BSI (for details, see "Germany's Draft Bill on IT Security" in our August 2014 Technology Newsflash). During the legislative process, a number of stakeholders argued that the bill conflicted with the German Constitution and undermined a European Union proposal on network and security regulations. A March 2015 revision removed portions of the bill that would have subjected telecommunications providers to retain user data "through the backdoor" and strengthened aspects of the bill that required providers to notify users when they are subject to security incidents (for details, see "Update: Germany's Draft Bill on IT Security" in our April 2015 Technology Newsflash). The bill passed the Bundestag on June 12, 2015 and came into force on July 25, 2015.
Who is affected?
The ITSG applies primarily to critical infrastructure, which is defined as facilities and installations (or parts thereof) in sectors whose interruption could seriously affect public utility or safety. The relevant sectors include energy, IT, telecommunications, transportation, traffic, healthcare, water, food, finance and insurance. The ITSG authorizes the Federal Ministry of the Interior to determine by way of ordinance (Rechtsverordnung) which services within these sectors are deemed to be critical, considering their respective importance and the required supply levels. Independent of such ordinance, certain players, such as telecommunications providers are directly subjected to the new requirements due to an amendment of the pertinent sector-specific legislation.
The ITSG applies to private and public infrastructure operators in Germany, regardless of their organizational form. Thus, non-German companies that provide critical infrastructure in Germany are subject to the ITSG, as well.
New requirements in a nutshell
Critical infrastructure operators must fulfill the following requirements:
- Implement state-of-the-art technical and organizational measures to protect and ensure the availability, integrity, authenticity and confidentiality of their IT infrastructure. The range and scope of these measures will be set out by the BSI, in cooperation with representatives from the relevant sectors.On a regular basis, critical infrastructure operators have to provide evidence (e.g., audits or certificates) to the BSI that the aforementioned measures were implemented.
- Report security incidents to the BSI related to IT systems that have ,or may have, an impact on critical infrastructure; reports may be submitted anonymously, as long as the incident has not already resulted in impairment or failure.
- Identify a contact person who is available at all times to serve as a single point of contact to the BSI and notification of such contact to the BSI.
In addition, telecommunications providers are now required to notify the Federal Network Agency (Bundesnetzagentur) of any impairment of their networks or services that lead, or may lead, to considerable security breaches, including incidents that may result in unauthorized access to users' telecommunications or data processing systems. If the incident is IT-related, the Federal Network Agency has to inform the BSI accordingly. Furthermore, telecommunications providers must inform users about any incidents they become aware of that originate from the users' system, and must highlight suitable steps that users can take to identify and remove what is causing the incident from their systems.
Meanwhile, regardless of whether they operate critical infrastructure, telemedia providers must apply state-of-the-art measures (e.g., encryption) that are technically feasible and commercially reasonable to prevent unauthorized access to the technical systems used for their services and secure their systems against data protection breaches and other incidents, including outside attacks.
Breaches of these regulations may result in fines up to €100,000.
Critical infrastructure operators have to fulfill their obligations within two years after the above-mentioned ordinance comes into force. After that, they will have to demonstrate compliance to the BSI at least every two years. The relevant contact person who will serve as the single point of contact for BSI must be named within six months after the ordinance comes into force. Such transition period does not apply for telecommunications and telemedia providers, which are obliged with immediate effect.
The changes implemented by the ITSG aim at making infrastructure safer and providing advantages for users. However, while further details are yet to be defined, the required measures may prove very burdensome for critical infrastructures operators and telecommunications and telemedia providers. The BSI has been empowered to a high degree, but it remains to be seen how well it will perform as the central authority for infrastructure security. Also yet to be determined is whether BSI will succeed in cooperating with different sectors to establish workable standards for reaching the goals set out in the ITSG.
 - Cf. Art. 11 ITSG, German Federal Law Gazette 2015, part I, No. 31, p. 1324, available at: http://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&start=//*%255B@attr_id='bgbl115s1324.pdf'%255D#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl115s1324.pdf%27%5D__1439313195257 (last accessed: August 2015).
 - Cf. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52013PC0048 (last accessed: August 2015).
 - Cf. Definition in Sec. 2 para. 10 German Central Security Agency Act (BSIG).
 - Cf. Sec. 10 para. 1 BSIG.
 - Cf. Sec. 109, 109a German Telecommunications Act (TKG).
 - Not applicable to critical infrastructure operators that are deemed small businesses or are already subject to comparable obligations under sector-specific legislation, cf. Sec. 8c BSIG.
 - Cf. Sec. 8a para. 1 BSIG.
 - Cf. Sec. 8a para. 2 BSIG.
 - Cf. Sec. 8a para. 3 BSIG.
 - Cf. Sec. 8b para. 4 BSIG.
 - Cf. Sec. 8b para. 3 BSIG.
 - Cf. Sec. 109 para. 5 TKG.
 - Cf. Sec. 109a para. 4 TKG.
 - Cf. Sec. 13 para. 7 TMG.
 - Cf. Sec. 14 para. 2 BSIG
 - Cf. Sec. 8a para. 1, 3 BSIG.
 - Cf. Sec. 8b para. 3 BSIG.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2015 White & Case LLP