Since July 2015, the German IT Security Law („IT-Sicherheitsgesetz“) as well as refining administrative decrees and handouts have been passed. The IT Security Law amended a number of existing laws and introduced IT Security and notification obligations, mostly for a number of so-called “Operators of Critical Infrastructure” providing services of general interest.
In addition, IT Security Obligations for providers of telemedia services, such as website operators, have been strengthened.
2. Requirements for Operators of Critical Infrastructure
2.1 Who is an Operator of Critical Infrastructure?
Most of the obligations deriving from the IT Security Law fall on operators from the following critical infrastructure sectors, whose facilities are of high importance because their outage or impairment would cause significant supply shortfalls or endanger public security:
- Energy: Operators of supply facilities in the sectors electricity, gas, fuel, heating oil, and district heating, to the extent that they supply more than 500,000 citizens
- Information Technology and Telecommunications: Operators of facilities in the sectors voice and data transmission, data storage and processing, to the extent that they serve more than 500,000 citizens
- Water: Operators of facilities in the sectors drinking water and waste water, to the extent that they supply more than 500,000 citizens
- Food: Operators of facilities in the sectors production, processing, and trade, to the extent that they supply more than 500,000 citizens
- Transport and Traffic; Health; Finance and Insurance: Specific scope still to be determined in a separate administrative decree
2.2 What obligations apply?
In particular, Operators of Critical Infrastructure will have to (a) implement state of the art technical and organizational measures and (b) notify the regulator in case of security incidents.
(a) Technical and Organizational Measures
- Operators of Critical Infrastructure must implement state of the art technical and organizational measures to prevent disturbances of any kind
- For the sectors Energy, Information Technology and Telecommunications, Water and Food, the respective measures must generally be implemented by May 2018 at the latest
- For the sectors Transport and Traffic, Health as well as Finance and Insurance, an administrative decree will specify which specific operators will be considered to provide “Critical Infrastructures”; from the date of such decree on (which is expected to be passed by the end of 2016), the operators have to implement the necessary measures within a time frame of two years
- Operators must demonstrate every two years that their security measures are state of the art
- Industry associations may develop industry-specific security standards; the responsible regulator can confirm that these standards are sufficient
(b) Notification Requirements
Operators of Critical Infrastructure must
- Designate a single point of contact for communication with the competent authorities by November 2016
- Notify the responsible regulator in case of significant incidents affecting the availability, integrity, authenticity or confidentiality of their IT systems, components and processes that could lead or have led to an outage or impairment of critical infrastructure; notifications can be submitted on an anonymized basis unless an outage or impairment has indeed occurred
(c) Obligations for specific energy and telecom providers
Pre-existing IT security standards already applied in highly regulated parts of the energy industry (e.g. operators of nuclear power plants) and the telecom industry. For those sectors, the IT Security Law adds further IT security requirements and notification obligations. In addition, operators of energy grids will have to implement an Information Security Management System (ISMS) consistent with ISO/IEC 27001.
(d) Enforcement
- Authorities can impose fines of up to 100,000 € if operators do not comply with binding orders to remedy deficiencies in their operations
- In other cases, such as failure to provide information on the implementation of security measures or failure to notify incidents, fines can be as high as 50,000 €
- In addition, other consequences such as damage claims may arise in case of non-compliance
3. Requirements for Operators of Telemedia Services
Operators of telemedia services, including all website operators, will now have to implement reasonable and state of the art security measures to prevent unauthorised access to their IT operations and to ensure that these IT operations are protected against attacks. For the time being, no notification requirements exist for them.
In July 2016, the Directive on Security of Network and Information Systems (“NIS Directive”) passed the European Parliament. By April 2018, the EU Member States will have to transpose the provisions of the NIS Directive into national law. As the obligations under the German IT Security Law and the NIS Directive are largely parallel (the former is in effect an early implementation of the latter), major amendments to the German IT Security Law are not likely to be necessary. However, in several respects changes to German law will be required. In particular, the scope of Operators of Critical Infrastructure in the IT Security Law does not entirely mirror the corresponding obligations of the NIS Directive. Furthermore, notification obligations will also have to be introduced for certain operators of telemedia services.