Germany's Draft Bill on IT Security


[co-author: Mathias Bogusch]

On August 19, 2014, the German Federal Ministry of the Interior ("GMI") proposed a new bill to increase the security of IT systems (the "Draft Bill").[1] As contemplated in the White & Case Technology Newsflash of December 2013[2], this initiative stems from the current German Government’s Coalition Agreement[3], which outlined the digital agenda for the next four years.

Main Goals
The Draft Bill includes proposed amendments to several national laws relating to the security of IT systems, with an overarching goal of improving the protection of German citizens, companies and governmental institutions. It is intended to strike a reasonable balance between risk, protection requirements and accountability. The Draft Bill's addressees will be responsible for comprehensively protecting their IT systems against a variety of IT security risks, including cyber threats, cyber attacks, cyber spying and other forms of cyber crime. At the same time, it is envisaged that the powers of the German Federal Office for Information Security ("BSI"), the national security agency in Germany, will be strengthened.

The overall objective of the Draft Bill is to establish Germany as a global leader in the field of IT security. The key elements of the Draft Bill are as follows:

IT Security Requirements

  • Pursuant to the Draft Bill, the German Act on the Federal Office for Information Security ("BSIG")[4] will be amended to broaden its scope to so-called critical infrastructure. Going forward, the BSIG will also apply to certain facilities, systems or parts thereof in the areas of energy, IT and telecommunication, transportation and traffic, health, water, food as well as finance and insurance[5], with details to be defined by way of a regulation to be issued by the GMI after consultation with the interested parties[6].
  • Operators of critical infrastructure will be obligated to ensure the protection of IT systems, components and processes relevant for the functioning of such infrastructure by implementing state-of-the-art technical and organizational security measures within a period of two years following the enactment of GMI's regulation, and to report immediately any incident related to the security of such infrastructure to the BSI[7].
  • The Draft Bill also provides for similar amendments to the German Telemedia Act[8] and the German Telecommunications Act[9], requiring commercial internet service providers and telecommunication providers to also have in place appropriate, state-of-the-art technical and organizational measures to prevent unauthorized access to telecommunication and data processing systems[10]. In addition, internet service providers will be obliged to offer secure authentication procedures to their users[11], while telecommunication providers will be subject to extended notification obligations in relation to security incidents[12].

Extended BSI Authorities

  • Pursuant to the Draft Bill, the BSI will become the focal point in Germany for IT security matters[13].
  • As a consequence, the right of the BSI to issue public warnings about IT security risks and data breaches will be expanded[14].
  • In addition, the right of the BSI to assess IT products, systems and services will be broadened. To this end, the BSI will be entitled to use all technical means and request support by third parties (if necessary)[15]. 
  • Furthermore, the BSI will have authority to set standards for IT security within German federal authorities[16].

Conclusion
If the Draft Bill were to be passed in its present form, the IT security requirements for operators of critical infrastructure, as well as for internet service providers and telecommunication providers, would be substantially increased. Equally, the BSI's powers would be expanded and the BSI would have significant influence on the quality, adequacy and legitimacy of the pertinent security measures. While the German Government seems determined to push the Draft Bill through the legislative process, the affected industries are raising initial concerns about the burdens and costs associated with the initiative. Whatever the outcome, the Draft Bill will form the basis of the German Government's position in upcoming discussions on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union[17].

[1] - See Referentenentwurf des Bundesministeriums des Inneren – Entwurf eines Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz), available at: http://www.bmi.bund.de/SharedDocs/Downloads/DE/Gesetzestexte/Entwuerfe/Entwurf_IT-Sicherheitsgesetz.pdf?__blob=publicationFile (last accessed: August 2014).
[2] - See http://www.whitecase.com/articles-12162013/ (last accessed: August 2014).
[3] - See Deutschlands Zukunft gestalten – Koalitionsvertrag zwischen CDU, CSU und SPD – 18. Legislaturperiode, available at: https://www.cdu.de/sites/default/files/media/dokumente/koalitionsvertrag.pdf (last accessed: August 2014).
[4] - Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSI-Gesetz – BSIG).
[5] - Cf. Draft Bill on new Sec. 2 (10) BSIG.
[6] - Cf. Draft Bill on new Sec. 10 (1) BSIG.
[7] - Cf. Draft Bill on new Sec. 8a (1) and 8b (4) BSIG.
[8] - Cf. Draft Bill on amended Sec. 13 and 15 German Telemedia Act.
[9] - Cf. Draft Bill on new/amended Sec. 100, 109 and 190a German Telecommunications Act.
[10] - Cf. Draft Bill on amended Sec. 13 German Telemedia Act and (amended) Sec. 109 (2) German Telecommunications Act.
[11] - Cf. Draft Bill on amended Sec. 13 German Telemedia Act.
[12] - Cf. Draft Bill on amended Sec. 109 (5) and new Sec. 109 (4) German Telecommunications Act.
[13] - Cf. Draft Bill on new Sec. 8a and 8b BSIG.
[14] - Cf. Draft Bill on amended Sec. 7 BSIG.
[15] - Cf. Draft Bill on new Sec. 7a BSIG.
[16] - Cf. the amendments of the Draft Bill to Sec. 8 BSIG.
[17] - See http://eeas.europa.eu/policies/eu-cyber-security/cybsec_directive_en.pdf (last accessed: August 2014).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White & Case LLP | Attorney Advertising