Germany's Draft Bill on IT Security 2.0 – Extended BSI Authorities, Stricter Penalties and New Obligations on Providers
On March 27, 2019, the German Federal Ministry of the Interior (GMI) proposed a new bill (the "Draft Bill") for a so-called IT Security Act 2.0 (IT-SiG 2.0). In an effort to take a front-runner role in Europe, Germany has enacted a comprehensive IT security law in 2015. In 2017, that law was slightly amended to bring it in line with Directive (EU) 2016/1148 concerning the security of network and information systems ("NIS Directive"). With the IT-SiG 2.0, the GMI now strives to even further increase IT security in the country1, bearing in mind that the NIS Directive principally permits EU Member States to adopt or maintain provisions with a view to achieving a higher level of security for network and information systems.2
Ensuring cyber and IT security is a core topic for all countries in the world. In its Draft Bill, the GMI emphasizes that cyberattacks are becoming increasingly sophisticated in terms of quality, and thus more dangerous. In particular, the dynamic character of the subject requires constant adaptation and further development of the established protection mechanisms. Numerous incidents, such as the ransomware WannaCry in May 2017, the detection of vulnerabilities in chips as in Meltdown and Spectre, and the attack on the German Federal Foreign Office in 2018, have highlighted the strong nexus between digitalization, cybersecurity and data protection. Cyberattacks, cyber espionage and cyber crimes continue to pose a major threat to state, businesses and society. Recent data leaks of social networks in early 2019 exemplify that also individual interests are affected. In addition, the increasing use of Internet of Things (IoT)3 devices aggravates the threat, as IoTs are regularly developed independently of security standards and can therefore be easily integrated into large computer networks infected by Trojans or other malware, so-called bot networks.
Main objective and structure
The new Draft Bill is intended to defend Germany's role as a lead nation in the field of IT security. To do so, the IT-SiG 2.0 aims to adapt to the aforementioned technical developments by closing legal loopholes and expanding the existing regulatory framework. As an omnibus bill, the overarching objective is to enhance IT security standards by amending several existing German laws,4 including: the primary statute governing cyber-security issues—the Act on the German Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik) (BSIG); the primary statute governing telecommunications providers and their services—the German Telecommunications Act (Telekommunikationsgesetz) (TKG); the primary statute governing online media, e-commerce and hosting provider liability—the German Telemedia Act (Telemediengesetz) (TMG); and the German Criminal Code (Strafgesetzbuch) (GCC).
Key elements of the Draft Bill
The contemplated amendments to the aforementioned statutes pursue five objectives, enumerated in an explanatory note of the Draft Bill:
Digital consumer protection
As part of a holistic approach, the Draft Bill introduces consumer protection as an additional task of the German Federal Office for Information Security (BSI), the national security agency in Germany, combined with its improvement in the area of IT security, in particular through the introduction of an IT security label.5 The voluntary IT security label (Freiwilliges IT-Sicherheitskennzeichen) is a new project, driven by GMI and BSI, and is intended to give consumers more transparency about security-relevant IT product characteristics.
Considerable extended BSI authorities
The Draft Bill aims to equip the BSI with new competences to act as a conformity assessment body in matters of IT security and extend their warning and investigation authorities,6 including:
- Extended screening of IT products such as, e.g., routers or SmartTVs in the form of technical investigations for the safety of products available on the market7
- Authorization to request inventory data information from telecommunications service providers in order to identify the victims of cyberattacks and offer effective support in the defense against such attacks8
- Detection and evaluation of cyber-infection attempts and security risks in IT infrastructures/systems, e.g,. by setting up so-called "active honeypots," or performing special non-invasive "port scans" and independent "sinkholes"9
- Authorization to develop necessary crisis response plans—stakeholders shall be involved in the preparation of such plans10
- Analysis and collection of information on security gaps, malware and other IT security risks11
- Extended data processing and evaluation of pseudonymized protocol data from communication infrastructures of the federal authorities in Germany. Such log data may be stored for a maximum of 18 months (up-to-date three months). However, access to such data older than three months is restricted as well as only permissible and technically possible if there are actual signs of an attack12 and
- Expanded monitoring and controlling of the communication technology and its components (including the technical infrastructures) of the federal authorities in Germany in order to identify dangers at an early stage.13 The BSI may also inspect and verify the interfaces of third parties` facilities that have interfaces to such communication technology.
Additional sectors, new categories and redefined KRITIS core components
The Draft Bill envisages extending the list of existing critical infrastructure sectors (KRITIS) (currently energy, water, information technology/telecommunications, food, health, finance/insurance and transportation/traffic) by including waste-management as an additional KRITIS sector.14
With regard to so-called KRITIS core components, the Draft Bill newly includes a definition that comprises "IT products for the operation of equipment or systems for voice and data transmission or for data storage and processing" if they are used in critical infrastructures and are not yet covered by the security catalogue pursuant to the TKG.15
In addition, the bill proposes to expand the BSIG to two new sets of entities: (i) "infrastructures of special public interest";16 and (ii) operators with "cyber-criticality". The definition of "infrastructures in the special public interest" covers companies in three different sectors: (i) defense; (ii) cultural and media sector;16 and (ii) "companies of considerable economic importance".17 The explanatory memorandum also mentions the automotive and chemical industry, however these sectors are not included in the Draft Bill itself. In the near future, a further concretization of such terms and scope are likely to take place through specific ordinances. Operators with "cyber-criticality" comprise companies without standalone importance,17 which are therefore not considered as "critical infrastructures,", as well as those operating in the water or information technology and telecommunications sectors, but where a disruption of their IT system, components or processes would lead to a failure or impairment of critical infrastructure due to their interconnection with other infrastructure.18
Additional obligations on manufacturers, providers and KRITIS operators
The Draft Bill newly stipulates that entities, falling under the category of "infrastructures of special public interest," will be obliged to comply with the same obligations of KRITIS operators19, notably certain organizational, technical and reporting obligations.20 On a case-by-case base, the BSI will be authorized to impose these obligations also on companies defined as "cyber-critical".21 Under Section 8a BSIG, for example, the Draft Bill now explicitly obliges KRITIS operators to install technical precautions in form of systems, capable of detecting attacks on their IT infrastructure.22 Furthermore, KRITIS operators will be obligated to register with the BSI and designate a contact point in order to ensure their constant availability.23
In addition, the Draft Bill contains new rules for manufacturers of IT products and manufacturers of the aforementioned KRITIS core components: Both will be obliged to report malfunctions to the BSI at short notice, as they often detect security gaps even before the customer is aware of them.24 However, since impairments of KRITIS core components have a significantly higher damage potential for KRITIS operations, the factual requirements for triggering such notification obligations are lower for their manufacturers than for those of other IT products.25 Moreover, the bill introduces a "declaration of trustworthiness" for manufacturers of KRITIS core components covering their entire supply chain.26 KRITIS operators shall be able to purchase KRITIS core components only from such manufactures. The declaration of trustworthiness is the government’s effort to shift the assessment from a purely technical level to a geostrategic level. The "minimum requirements" will be set up by the GMI.
With regard to the TKG, the amendments intend to impose extensive obligations on providers of telecommunications services to delete, report and provide inventory information in the event of cyber-security incidents, as they are attributed an important role in the dissemination of illegal data.27 Providers are obligated, for example, to immediately inform the German Federal Criminal Police Office (BKA) if data has been unlawfully transmitted, or disclosed to third parties28, and notify the BKA when determining that their service is being used to illegally pass on or publish illegally obtained data.29 Additionally, they shall block access to personal data or data containing business secrets in the event of unlawful collection or disclosure.30 The explanatory note attached to the bill points out that providers domiciled abroad, and who thus store data on servers abroad, should be obliged to set up a contact point for official enquiries in Germany when providing their services there.31 Those standards and obligations are partially mirrored in the amendments to the TMG32 for telemedia service providers.33
New criminal offenses and stricter penalties
While introducing new criminal offenses34 and stricter penalties for data protection-related offences35, the Draft Bill addresses the recent gaps with respect to computer-related crimes concerning criminal liability, and introduces new qualifications for computer-related offenses and investigative tools to fight cyber crime more effectively. Modeled on the GDPR, the Draft Bill also revises the catalogue of fines and significantly increases the level of potential penalties (including fines applicable to telecommunications service providers)36. Depending on the offense, fines can amount to up to €20 million or up to 4 percent (in less significant cases €10 million or up to 2 percent) of the company’s worldwide total annual turnover in the preceding business year, whichever is the higher.
At present, the planned amendments are at an early stage of the legislative process and the publication in their final form is—at best—not expected before the end of this year. However, the Draft Bill contains a number of changes and points to significant consequences that are likely to result from the final legislative outcome. In the coming months, the bill is expected to be widely discussed in various committees, as stricter penalties along with a set of new obligations for KRITIS operators and telecommunications/telemedia service providers exert more pressure on both. As far as the economic aspects are concerned, it seems fair to assume that the proposed legal innovations will lead to considerable additional costs overall.
1 See Referentenentwurf des Bundesministeriums des Inneren – Entwurf eines Zweiten Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz 2.0 – IT-SiG 2.0), available at: http://intrapol.org/wp-content/uploads/2019/04/IT-Sicherheitsgesetz-2.0… (last accessed: July 2019).
2 Cf. Art. 3 of the NIS Directive.
3 IoT represents a comprehensive system interconnecting various physical objects or things to the internet.
4 The Draft Bill does not set forth a consolidated new legislation but merely makes line-edits to existing laws.
5 Cf. Draft Bill on new Sec. 9a BSIG.
6 Cf. Draft Bill on amended Sec. 3 BSIG.
7 Cf. Draft Bill on amended Sec. 7a BSIG.
8 Cf. Draft Bill on new Sec. 5d BSIG.
9 Cf. Draft Bill on new Sec. 7b BSIG; the detection of cyber threats is to become a major task of the BSI and marks the transition into an even more active role of the agency. The amended Sec. 109 TKG will therefore also oblige operators of telecommunications networks to implement means of attack detection.
10 Cf. Draft Bill on new Sec. 5c and amended Sec. 8b (2) BSIG.
11 Cf. Draft Bill on new Sec. 4b BSIG; the draft bill establishes the BSI as the main contact point for reports regarding cybersecurity threats and provides that anyone may report such threats.
12 Cf. Draft Bill on amended Sec. 5 (2) BSIG.
13 Cf. Draft Bill on new Sec. 4a BSIG.
14 Cf. Draft Bill on amended Sec. 2 (10) and (13) BSIG.
15 Cf. Draft Bill on amended Sec. 2 (13) No. 3 BSIG.
16 Cf. Draft Bill on amended Sec. 2 (14) BISG.
17 Cf. Draft Bill on amended Sec. 2 (14) BISG.
18 Cf. Draft Bill on new Sec. 8g BISG.
19 Cf. Draft Bill on amended Sec. 8a and 8b BISG.
20 Cf. Draft Bill on new Sec. 8f BISG.
21 Cf. Draft Bill on new Sec. 8g BISG.
22 Cf. Draft Bill on amended Sec. 8a (1a) BISG.
23 Cf. Draft Bill on amended Sec. 8b (3) BISG.
24 Cf. Draft Bill on new Sec. 8h BISG.
25 Explanatory note to the Draft Bill, p. 63; cf. Draft Bill on new Sec. 8h (1) and (2) BISG.
26 Cf. Draft Bill on amended Sec. 8a (6) BSIG.
27 Amendments of the TKG in Art. 2 of the Draft Bill.
28 Cf. Draft Bill on amended Sec. 109a (1a) TKG.
29 Cf. Draft Bill on amended Sec. 109b (1) TKG.
30 Cf. Draft Bill on amended Sec. 109b (2) TKG.
31 Explanatory note to the Draft Bill, p. 73.
32 Amendments of the TMG in Art. 3 of the Draft Bill.
33 Such as e.g. cf. Draft Bill on amended Sec. 15 and new Sec.15b TMG.
34 E.g., new offense under Sec. 202e of the GCC under which the owner of an information technology system may also be liable to prosecution for the unauthorized use of IT systems.
35 E.g., pursuant to the new Sec. 126a (4) No. 3 of the GCC the range of penalties for various offences relating to data security shall be increased to a maximum sentence of five years, including: Sec. 202a 3 of the GCC: data espionage, Sec. 202b3 of the GCC: phishing, Sec. 202c of the GCC: acts preparatory to data espionage and phishing, Sec. 202d of the GCC: dealing with illegally obtained data, Sec. 303a of the GCC: Data tempering and Sec. 303b 3 of the GCC: Computer sabotage.
36 Cf. Draft Bill on amended Sec.14 BSIG.
Alina Bauer (Research Associate, White & Case) co-authored this publication.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP