Update: Germany's Draft Bill on IT Security

White & Case Technology Newsflash

On March 20, 2015, the revised bill to increase the security of IT systems (the "Draft Bill")[1] had its first reading in the German Bundestag. As contemplated in the White & Case Technology Newsflash of August 2014,[2] the overarching goal of the Draft Bill is to improve the protection of German citizens, companies and governmental institutions against a variety of IT security risks. In particular, the Draft Bill obligates operators of critical infrastructure to report security incidents and to comply with minimum IT standards. It is important that the affected industries are mindful of these developments.

Changes during the Draft process
Since August 2014, in addition to other minor changes, two notable major changes have been made during the drafting process to date:

First, after significant criticism and discussion by a range of stakeholders,[3] the proposed addition to section 15 of the German Telemedia Act that would have allowed the retention of data (Vorratsdatenspeicherung) "via the backdoor," i.e. through the service providers, is no longer included in the Draft Bill.[4]

Second, the obligation of telecommunication providers to inform users in cases of security incidents, which is to be added to the German Telecommunications Act, will now only arise if the relevant user was already known to the provider.[5]

In spite of the aforementioned changes, the Draft Bill has been subject to various criticisms by IT and data protection experts as well as the Internet economy. Among other things, the consistency of parts of the Draft Bill with the German Constitution (Grundgesetz) has been questioned, particularly with respect to the principle of privacy of telecommunications (Fernmeldegeheimnis, Article 10 Grundgesetz).[6] Others[7] see the danger of varying regulations in the European Union and therefore demand that conflicts with European regulations be avoided, in particular with the proposed directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union (the "Proposed EC Directive").[8]

It remains to be seen if and how the criticism will further influence the legislative process in Germany. What became obvious once again during the first reading of the Draft Bill in the German Bundestag is that the German legislator considers itself a trendsetter in the fight against IT security risks and is not willing to wait for statutory provisions set forth by the European Union. In fact, the Draft Bill, in whatever form enacted, may have, one way or the other, an impact on the ongoing and future discussions regarding the Proposed EC Directive. The affected industries are therefore well advised to also keep an eye on these developments.


[1] - Cf. Gesetzesentwurf der Bundesregierung zum IT-Sicherheitsgesetz, available at: (last accessed: 27 March 2015).
[2] - Cf. Update: Germany's Draft Bill on IT Security, August 2014.
[3] - Cf. (last accessed: 27 March 2015).
[4] - Cf. Article 4 of the Draft Bill.
[5] - Cf. Draft Bill on new Sec. 109a, para. 4 German Telecommunications Act.
[6] - Cf. Stellungnahme des FIfF zum IT-Sicherheitsgesetz der Bundesregierung vom 17.12.2014, available at; cf. also press release of the Cyber-Sicherheitsrat Deutschland e.V., available at (last accessed: 27 March 2015).
[7] - Cf. Positionspapier zum Kabinettsentwurf für ein Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz) des Verbands der deutschen Internetwirtschaft, available at (last accessed: 27 March 2015).
[8] - Cf. (last accessed: 27 March 2015).


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2015 White & Case LLP