Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

Where personal data is concerned, the security standards of the General Data Protection Regulation (GDPR) apply, namely article 5(1)(f) in conjunction with article 32. The GDPR uses the state of the art as its benchmark for the standard of security to be offered, while also taking into account the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks to natural persons. Although the GDPR provides some examples of measures (eg, encryption), the security requirements under the GDPR are moving targets that will vary widely depending on the type and amount of data processed.

Operators of critical infrastructure are required to take appropriate organisational and technical precautions to avoid disruptions to the availability, integrity, authenticity and confidentiality of their IT systems, components and processes. These companies are required, pursuant to section 8a of the Act on the Federal Office for Information Security (BSIG), to implement state-of-the-art of technology. Importantly, the duty of care of these companies is significantly increased, as the precise measures to be taken are not just weighed against the effects for the company, but the effects of the failure or a disruption of the relevant critical infrastructure. Additionally, branch-specific standards can be developed by individual industry associations, which may then be accepted as adequate by the Federal Office for Information Security (BSI) (section 8a(2) of the BSIG). Compliance with the security requirements of section 8a(1) of the BSIG must be evidenced by the operator of the critical infrastructure every two years at a minimum, which can be done by means of audits and certifications.

Digital service providers have to take appropriate technical and organisational measures to cope with the risks to the security of the network and IT systems that they use for the provision of the digital services in the European Union by virtue of section 8c of the BSIG. They must take measures to keep the effects of security breaches on digital services rendered within the European Union to a minimum.

Generally, companies are obliged by virtue of sections 91 and 93 of the Stock Corporation Act to take appropriate measures to ensure cybersecurity compliance and to prevent risks that would jeopardise their continued existence. The obligations that fall on large corporations will be different in their scope to those that fall on small and medium-sized enterprises. In general, the obligations that arise for companies are organisational and require the establishment of early warning systems, as well as obligations to monitor and carefully lead the company. Though technical measures play a pivotal role in the fulfilment of compliance obligations, the regulations governing companies are not very prescriptive of how this must be carried out. Company boards have a duty of care, but the specifics of this duty are not clearly delineated and are heavily dependent on factors in individual cases, such as the type and sensitivity of the data in question, as well as its importance to the particular company. Directors are awarded a rather large margin of discretion in determining precisely which technical measures to implement.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Pursuant to article 33(5) of the GDPR, controllers are required to document any breaches of data protection and the documentation must be made available to supervisory authorities when requested. The GDPR does not provide a specific time limit or form for storage of the documentation.

The BSIG also imposes an obligation to document cyberattacks, but similarly does not provide a specific time limit or form for storage of documentation.

Documentation should be retained for a long period of time to enable proper investigation by supervisory authorities and the BSI. The time limits on storage of personal data stipulated by the GDPR should be adhered to when this documentation contains personal data.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

If a company is considered to be active in the field of critical infrastructure, it is under a heightened obligation to notify the BSI pursuant to section 8b of the BSIG. It must notify the BSI without delay of any breaches that have compromised the availability, authenticity, integrity and confidentiality of its IT systems, components or processes that have led, or could lead, to an outage of the critical infrastructure it provides. The same applies to digital service providers by virtue of section 8c of the BSIG.

If personal data is affected by the breach, then the competent supervisory authority must be informed within 72 hours of the breach in accordance with article 33 of the GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where there is a high risk to the rights and freedoms of natural persons, the data subject must be informed of the personal data breach without undue delay, pursuant to article 34 of the GDPR. ‘High risk’ has been interpreted broadly, with the result that cybersecurity breaches will frequently give rise to a requirement to notify the data subject, unless the company has taken steps in advance to mitigate this risk (the GDPR mentions encryption of personal data as an example of mitigation).

Time frames

What is the timeline for reporting to the authorities?

If an organisation has an obligation under the GDPR to notify supervisory authorities of a breach of cybersecurity, the notification must be made without delay – at the latest, this should be within 72 hours of becoming aware of the breach.

Notifications to the BSI by operators of critical infrastructure and digital service providers must be reported without delay.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

European data protection law regulates the conditions under which breaches must be communicated to data subjects in article 34 of the GDPR. The controller must notify a personal data breach to data subjects without undue delay when the breach is likely to result in a high risk to the rights and freedoms of data subjects. The controller may be exempt from the obligation to notify if the risk of harm is remote, if it has taken steps to minimise the risk of harm or if the notification would require disproportionate effort (such as a public notice of the breach). This obligation is mirrored in national law by section 109a(1) of the Telecommunications Act.

Regarding operators of critical infrastructure and digital service providers, there is no general obligation on organisations to report threats to customers or the industry. The obligation on the operator or provider is to notify the BSI of the relevant breach. However, the BSI is entitled in its own right to issue public warnings and recommendations regarding, for example, malware and cybersecurity vulnerabilities, in particular products or systems.

Companies subject to disclosure requirements must consider ad hoc announcements after cybersecurity incidents in accordance with the Securities Trading Act.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

14 January 2021.