The German Federal Council (Bundesrat) has approved the Act regarding Improved Security of Information Technology systems ("IT Security Act") on July 10, 2015 without seeing a need to defer it to the Reconciliation Committee (Vermittlungsschuss). Shortly before, on June 12, 2015, the German Parliament (Bundestag) had adopted the new law. Now, the IT Security Act only needs to be signed by the Federal President (Bundespräsident) and officially published in order to enter into force, which is merely a formal act and expected to happen soon.
The IT Security Act aims at better protection of the economy and the general public by improving cybersecurity standards. It obliges telecommunications and telemedia service providers as well as operators of so-called "Critical Infrastructures" to apply IT security minimum standards. In addition, operators of Critical Infrastructures have to notify the Federal Office for Security in the Information Technology ("BSI") of severe IT security breaches. The BSI will analyze the information received and will make it available to all operators of Critical Infrastructures, thereby enabling them to react as early as possible on new threats.
With this new legislation, Germany assumes the role of a front-runner in the cybersecurity field in Europe, even before the enactment of the EU Network and Information Security ("NIS") Directive (also often referred to as "Cybersecurity Directive"), and in the midst of heavy discussions regarding the enactment of the EU General Data Protection Regulation.
Criticism about the IT Security Act came from lobby organizations pointing, inter alia, to high costs and additional operational burdens for the operators of Critical Infrastructures, and presumably overlapping and not harmonized provisions in relation to the upcoming relevant pieces of EU legislation—the NIS Directive and the General Data Protection Regulation.
To Whom Does the IT Security Act Apply?
The obligations and requirements prescribed by the IT Security Act apply to telecommunications and telemedia service providers as well as operators of Critical Infrastructures. Critical Infrastructures are installations, facilities, or parts thereof that are (i) operated in the business segments of energy, information technology, telecommunications, logistics and traffic control, health, water, nutrition, and finance and insurance; and (ii) of central significance for the functioning of the general public, as their outage or impairment would cause sustainable shortage of supply or significant impediments to public safety.
Still outstanding is the final designation of the installations, facilities, or parts thereof that qualify as Critical Infrastructures under the IT Security Act. This is supposed to be done by the German Federal Ministry of Interior (Bundesinnenministerium) by adopting a "Regulation" (Rechtsverordnung). During the legislative process of adopting the Regulation, the affected operators as well as relevant trade organization will be consulted.
What Are the Obligations Imposed on Operators of Critical Infrastructures?
The IT Security Act basically applies two means in order to improve cybersecurity.
First, operators of Critical Infrastructures are obliged to apply appropriate organizational and technical measures in order to avoid breakdowns or impairments of their IT systems, components, or processes. The IT Security Act does not define such measures but merely states that the state of the art is supposed to be complied with in applying those measures. This is likely to mean that the operators can deviate from implementing state-of-the-art measures only if they have valid reasons to do so. An operator would, for example, not be obliged to implement an IT security-driven software update without having verified beforehand that the relevant software is, after the update, still fully compatible with the operator's systems. Trade organizations can define security standards for their industry and have them approved by the BSI. An even higher standard is imposed on providers of telecommunications or telemedia services; providers of telemedia services have to protect their systems to the extent this is "technically and economically feasible."
Second, the IT Security Act imposes information obligations. Operators of Critical Infrastructures have to notify the BSI promptly about all impairments of their IT systems, components, or processes that either resulted or could have resulted in a breakdown of such IT systems, components, or processes. The idea behind this obligation is to make the information available to all relevant operators and to enable them to use such information to protect themselves. Special points of contact are to be implemented by the operators to secure an effective communication. Unless impairments result in a breakdown, the relevant operator can inform the BSI without disclosing its identity. Providers of telecommunications services have corresponding information obligations vis-à-vis the German telecommunications regulator.
What Are the Fines for Noncompliance?
Noncompliance with the duties under the IT Security Act may result in fines up to €100,000. The IT Security Act does not contain a provision that aligns the legal consequences of a security breach with those of a data breach, although one incident will often be regarded as both. Therefore, both regimes will apply in parallel, e.g., in terms of notification obligations as well as possible fines to be imposed.
Interestingly, the NIS Directive, in its version adopted by the EU Parliament in March 2014, provides that when a security incident involves personal data, the sanctions foreseen will be consistent with those under the General Data Protection Regulation. In its version adopted by the EU Parliament in March 2014, the Regulation stipulates fines as high as €100 million or 5 percent of the worldwide revenues of an enterprise, whichever is higher. The EU Council and Commission, on the other hand, favor a proposal providing for fines of up to €1 million or, in case of an enterprise, 2 percent of the annual worldwide turnover.
When Will the IT Security Act Become Effective?
The IT Security Act will become effective on the date following its official publication. However, the obligations imposed on operators of Critical Infrastructures will not become effective until the Regulation defines "Critical Infrastructures." The obligation to install a point of contact will become effective six months after the adoption of the Regulation, and the obligation to implement new security measures will become effective two years after its adoption. However, should the NIS Directive be adopted sometime this year, as many expect, Germany will have to adjust the IT Security Act during the Directive's 18-month implementation period to comply with its requirements.