On June 30, 2017, amendments to the BSI Act to enhance the security standard of network and information systems entered into force. In the future, providers of “digital services” in Germany will be obligated to protect their systems and to report security incidents to the BSI.

With the amendment of the law, Germany is transposing the EU Directive concerning measures for a high common level of security of network and information systems (NIS Directive) into national law. For this purpose, the transposition act primarily modifies provisions of the BSI Act and of the Telecommunications Act.

What are the new duties?

As of May 10, 2018, not only operators of critical infrastructure but, for the first time, also providers of “digital services” will be obligated to take measures to protect the network and information systems that they use. Additionally, security incidents must be reported to the BSI without undue delay if they may have a significant impact on the provision of the digital service.

Who is affected?

“Digital services” include online search engines, online marketplaces, and cloud computing services. The security and reporting requirements apply to providers of digital services that have their main establishment in Germany, have a designated representative in Germany, or operate network and information systems in Germany to provide digital services.

Outlook

The EU Commission is currently developing specific security requirements for the protection of the IT systems used by digital service providers, as well as criteria for reporting security incidents. Initial results are expected for August 2017.

In Germany, the BSI is responsible for enforcing the obligations under the BSI Act. If a provider of digital services fails to meet the new requirements, fines of up to EUR 50,000.00 may be imposed.