The German parliament, the Bundestag, has adopted the new IT Security Act. It requires operators of critical infrastructures to implement IT security measures and stipulates reporting obligations. Similarly, providers of telemedia services must implement state of the art security technology.
IT Security has become a predominant issue in German media and public opinion. Almost weekly, new IT vulnerabilities and criminal or espionage attacks against IT infrastructure are reported. Lately, even the Bundestag itself has been successfully hacked - allegedly by foreign intelligence services. In order to improve IT security in Germany, the German Bundestag has now adopted an IT Security Act ("Act").
The Act primarily addresses operators of critical infrastructures. These are infrastructures in the energy, IT/C, transportation, health, water, food and financial sectors, which are of high importance to society. The Act goes beyond what is presently required and imposes obligations to:
- implement IT security measures that comply with the state of the art;
- provide proof of the implemented measures to the Federal Office for Information Security at least once every two years (e.g., by providing proof of audits, including information about all vulnerabilities discovered during the audit);
- notify security breaches to the Federal Office for Information Security;
- proactively notify a contact person for IT security issues to the Federal Office for Information Security.
(Some of the obligations are subject to a grace period of up to two years commencing with the enactment of a specific ordinance.)
In addition, the Act requires telemedia service providers (regardless of them qualifying as critical infrastructure) to implement measures to prevent unauthorized access to the systems used to provide the services and to prevent violations of the protection of personal data. These measures shall account for the state of the art, whereas the obligation is limited to economically reasonable measures. The Act emphasizes the importance of strong encryption to achieve the desired level of protection.
Non-compliance with the provisions of the Act may, among other things, be subject to administrative fines of up to EUR 100,000.
Although the Act needs to be discussed in the Bundesrat, we do not expect significant changes before it becomes effective. Thus, businesses in the affected industries should monitor the development and review whether they need to take action to ensure timely compliance with the new requirements.