German Federal Cabinet adopts strategy for cybersecurity 2021

Hogan Lovells
Contact

Hogan Lovells

On 8 September 2021, the Federal Cabinet adopted the new strategy for cybersecurity 2021 presented by the Federal Ministry of the Interior, Building and Community (Bundesministerium des Inneren, für Bau und Heimat, BMI). The new strategy for cybersecurity replaces the 2016 German strategy for cybersecurity and describes the fundamental orientation of the Federal Government's cybersecurity policy for the next five years. It is the goal of the new strategy for cybersecurity to enable citizens to continue using digital technologies securely, freely and in a self-determined manner. The aim is to strengthen the digital sovereignty of the state, the economy, science and society, in particular through a high level of cybersecurity, i.e. the "abilities and possibilities of individuals and institutions to exercise their role(s) in the digital world independently, self-determinedly and securely".

In addition to the fields of action, the new strategy for cybersecurity provides for the first time for concrete guidelines, measures and goals by means of which, according to BMI, the challenges and risks of a digitalized world with technologies such as artificial intelligence and networked devices are to be mastered. BMI declares cybersecurity to be a task for society as a whole. The addressees of the new strategy for cybersecurity are in equal measure the state, the economy, science and society.[1]

Fields of Action and Guidelines of the new Strategy for Cybersecurity

The strategy for cybersecurity 2021 will at first retain the four fields of action of the strategy for cybersecurity 2016:

  • According to field of action 1, the strategy for cybersecurity 2021 sets itself the goal of increasing the "cybersecurity competence" of society. For example, the user-friendliness of IT security solutions is to be improved, digital consumer protection services are to be expanded, electronic identities and electronic communication are to be better protected. AI has a dual role to play here: on the one hand, AI is to be used as a tool to contribute to IT security; on the other hand, AI itself is also to be protected by specific IT security requirements.[2]
  • In addition, field of action 2 provides for the strengthening of the National Cybersecurity Council, which is to be achieved by the improvement of cooperation between the state, business, science and civil society in the area of cybersecurity, as well as the strengthening of the German digital economy and the protection of German companies.[3]
  • Moreover, field of action 3 aims to expand the federal government's legislative competence to avert danger and the cooperation between the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and the federal states. Law enforcement in cyberspace is also to be intensified and access by the security authorities to encrypted communications is to be created. Telecommunications and telemedia law is to be adapted to technological progress.[4]
  • The strategy for cybersecurity 2021 also provides with field of action 4 for Germany to actively participate in the further development of applicable strategies and regulation (such as EU’s Cybersecurity Strategy for the Digital Decade or the directive concerning network and information systems, in order to achieve a high standard of cybersecurity across the European Union by introducing and implementing agreed minimum standards.[5] Germany also intends to advocate for the continuous further development of cybersecurity policy at NATO level.[6]

It is new that a total of four guidelines flank the four fields of action of the strategy for cybersecurity, which in turn are for the first time defined by 44 strategic goals. These guidelines are:

  • Establish cybersecurity as a joint task of the state, business, science and society;
  • Strengthening the digital sovereignty of the state, the economy, science and society;
  • Shape digitisation securely and
  • make goals measurable and transparent.[7]

The 13 strategic goals of the second field of action are among the most interesting for companies. These include goals such as "Further improve the protection of critical infrastructures"[8], "Protecting companies in Germany"[9], "Cybersecurity certification"[10] and "Promote research and development of resilient, secure IT products, services and systems for the internal EU market".[11].

The IT security of products plays an important role in this. By increasing the IT security of products and creating products to increase their IT security, the BMI aims for strengthening the following economic sectors and their supply chains: Mobility and automotive industry, energy industry, smart home or IoT and smart cities, industry 4.0, healthcare, finance and the IT security industry with the fields of biometrics, long-term security and quantum technology.[12]

In order to evaluate the achievement of the defined strategic goals within the fields of action and to make the implementation of the strategy for cybersecurity 2021 continuously traceable and verifiable through operational measures, the new strategy for cybersecurity also includes for the first time specific measurability criteria. Based on these evaluation criteria, the various departments responsible for implementation report to BMI on the progress made in achieving the strategic goals.[13]

For example, a decline in the number of private individuals affected by cyber attacks or the reach of the BSI's information services for consumers will serve as an indicator of success in implementing the goal of promoting digital skills among all users. The Federal Ministry of the Interior wants to see whether the goal of protecting companies in Germany is being achieved by the concrete demand for support programmes for the IT security of SMEs, by whether the number of users of the BSI's support services is increasing, and by the fact that the "Economic Protection Initiative" is establishing projects for the holistic protection of the value chain against the outflow of know-how and information.[14]

Outlook

After BMI had already published a draft of the strategy for cybersecurity in June 2021, the inclusion of "digital sovereignty" as a guideline[15] and the planned improvement of cooperation between the state, business and civil society[16] were expressly welcomed by interest groups. On the other hand, the planned expansion of German security authorities' access to encrypted communication [17] and a possible weakening of security technologies in favour of state intervention possibilities[18] as well as the expansion of surveillance powers at the expense of IT security, especially from the point of view that foreign intelligence services and cyber criminals could exploit security gaps, were criticised.[19]

Whether and how the strategic goals of the strategy for cybersecurity 2021 can be achieved in the coming years, despite or precisely because of the scope for action granted to the ministries, remains to be seen. In order to ensure an active exchange between government and industry in the meantime, the strategy for cybersecurity 2021 refers, among other things, to initiatives such as the "Initiative IT-Sicherheit in der Wirtschaft" (IT Security Initiative in the Economy) of the Federal Ministry for Economic Affairs and Energy (Bundesministerium für Wirtschaft und Energie, BMWi), the Alliance for Cybersecurity (ACS) or the "Cyber Alliance with Industry" launched by BMI and the Federation of German Industries (Bundesverband der Deutschen Industrie, BDI).[20] We will continue to keep you up-to-date on current developments.

[4] Cybersicherheitsstrategie für Deutschland 2021, Kapitel 8.3.14 ff. (S. 111 ff.).

[15] Stellungnahme des Verbands der Elektrotechnik, Elektronik und Informationstechnik e.V. (VDE), https://www.vde.com/resource/blob/2070148/e0b59657872bb4226331c49c0cd 89cb2/stellungnahme-cyber-sicherheitsstrategie-2021---download-data.pdf, S. 1.

[18] Stellungnahme der Gesellschaft für Informatik e.V. (GI), https://gi.de/fileadmin /GI/Allgemein/PDF/2021-06-16_GI-StN_CSS_2021.pdf.

[19] Pressemitteilung des Forums InformatikerInnen für Frieden und gesellschaftliche Verantwortung e.V. zu einem gemeinsamen offenen Brief von knapp 40 Verbänden an die Bundesregierung.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising

Written by:

Hogan Lovells
Contact
more
less

Hogan Lovells on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.