The German parliament, the Bundestag, has adopted the new IT Security Act. It requires operators of critical infrastructures to implement IT security measures and stipulates reporting obligations. Similarly, providers of tele-media services must implement state of the art security technology.

IT Security has become a predominant issue in German media and public opinion. Almost weekly, new IT vulnerabilities and criminal or espionage attacks against IT infrastructure are reported. Lately, even the Bundestag itself has been successfully hacked – allegedly by foreign intelligence services. In order to improve IT security in Germany, the German Bundestag has now adopted an IT Security Act (“Act”).

The Act primarily addresses operators of critical infrastructures. These are in-frastructures in the energy, IT/C, transportation, health, water, food and financial sector, which are of high importance for society. The Act goes beyond what is presently required and imposes obligations to:

  • implement IT security measures that comply with the state of the art;
  • provide proof of the implemented measures to the Federal Office for Infor-mation Security at least once every two years (e.g. by providing proof of au-dits, including information about all vulnerabilities discovered during the audit);
  •  notify security breaches to the Federal Office for Information Security;
  • proactively notify a contact person for IT security issues to the Federal Office for Information Security.

(Some of the obligations are subject to a grace period of up to two years com-mencing with the enactment of a specific ordinance.)

In addition, the Act requires telemedia service providers (regardless of them quali-fying as critical infrastructure) to implement measures to prevent unauthorized access to the systems used to provide the services and to prevent violations of the protection of personal data. These measures shall account for the state of the art, whereas the obligation is limited to economically reasonable measures. The Act emphasizes the importance of strong encryption to achieve the desired level of protection. Although the Act needs to be discussed in the Bundesrat, we do not expect signifi-cant changes before it becomes effective. Thus, businesses in the affected indus-tries should monitor the development and review whether they need to take action to ensure timely compliance with the new requirements.

Non-compliance with the provisions of the Act may, among other things, be subject to administrative fines of up to EUR 100,000.

Although the Act needs to be discussed in the Bundesrat, we do not expect signifi-cant changes before it becomes effective. Thus, businesses in the affected indus-tries should monitor the development and review whether they need to take action to ensure timely compliance with the new requirements.