On March 20, 2015, the revised bill to increase the security of IT systems (the "Draft Bill")[1] was first read in the German Bundestag. As contemplated in the White & Case Technology Newsflash of August 2014,[2] the overarching goal of the Draft Bill is to improve the protection of German citizens, companies and governmental institutions against a variety of IT security risks. In particular, the Draft Bill obligates operators of critical infrastructure to notify about security incidents and to comply with minimal IT standards. It is important that the affected industries are mindful of these developments.

Changes during the Draft process

Since August 2014, during the draft process, among other minor changes these are two notable major changes which have been made to date:

  • First, after significant criticism and discussion by a range of stakeholders,[3] the proposed addition to section 15 of the German Telemedia Act that would have allowed the retention of data (Vorratsdatenspeicherung) "via the backdoor,” i.e. through the service providers, is no longer included in the Draft Bill.[4]
  • Second, the obligation of telecommunication providers to inform users in cases of security incidents that shall be added in the German Telecommunications Act will now only arise if the relevant user was already known to the provider.[5]


In spite of the aforementioned changes, the Draft Bill has been subject to various criticisms by IT and data protection experts as well as the Internet economy. Among other, things the consistency of parts of the Draft Bill with the German Constitution (Grundgesetz) has been questioned, particularly with respect to the principle of privacy of telecommunications (Fernmeldegeheimnis, Article 10 Grundgesetz)[6]. Others[7] see the danger of varying regulations in the European Union and therefore demand to avoid conflicts with European regulations, in particular with the proposed directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union (the "Proposed EC Directive").[8]


It remains to be seen if and how the criticism will further influence the legislative process in Germany. What has, during the first reading of the Draft Bill in the German Bundestag, once again become obvious is that the German legislator considers itself as a trendsetter in the fight against IT security risks and is not willing to wait for statutory provisions set forth by the European Union. In fact, the Draft Bill — in whatever form enacted — may have, one way or the other, an impact on the ongoing and future discussions regarding the Proposed EC Directive. The affected industries are therefore well advised to also keep an eye on these developments.