On August 19, 2014, the German Federal Ministry of the Interior ("GMI") proposed a new bill to increase the security of IT systems (the "Draft Bill"). As contemplated in the White & Case Technology Newsflash of December 2013, this initiative stems from the current German Government’s Coalition Agreement, which outlined the digital agenda for the next four years.
The Draft Bill includes proposed amendments to several national laws relating to the security of IT systems, with the overarching goal of improving the protection of German citizens, companies and governmental institutions. It is intended to strike a reasonable balance between risk, protection requirements and accountability. The parties addressed by the Draft Bill will be responsible for comprehensively protecting their IT systems against a range of IT security risks, including cyber threats, cyber attacks, cyber espionage and other forms of cyber crime. At the same time, the powers of the German Federal Office for Information Security ("BSI"), Germany's federal IT security authority, are to be strengthened.
The overall objective of the Draft Bill is to establish Germany as a global leader in the field of IT security. The key elements of the Draft Bill are as follows:
IT Security Requirements
- Pursuant to the Draft Bill, the German Act on the Federal Office for Information Security ("BSIG") will be amended to broaden its scope to so-called critical infrastructure. Going forward, the BSIG will also apply to certain facilities, systems or parts thereof in the areas of energy, IT and telecommunication, transportation and traffic, health, water, food as well as finance and insurance, with details to be defined by way of a regulation to be issued by the GMI after consultation with the interested parties.
- Operators of critical infrastructure will be obligated to protect the IT systems, components and processes relevant to the functioning of such infrastructure by implementing state-of-the-art technical and organizational security measures within two years of the enactment of the GMI's regulation, and to report any security incident affecting such infrastructure to the BSI without delay.
- The Draft Bill also provides for similar amendments to the German Telemedia Act and the German Telecommunications Act, requiring commercial internet service providers and telecommunication providers to have in place appropriate, state-of-the-art technical and organizational measures to prevent unauthorized access to their telecommunication and data processing systems. In addition, internet service providers will be obliged to offer secure authentication procedures to their users, while telecommunication providers will be subject to extended notification obligations in relation to security incidents.
Extended BSI Authorities
- Pursuant to the Draft Bill, the BSI will become the focal point in Germany for IT security matters.
- As a consequence, the right of the BSI to issue public warnings about IT security risks and data breaches will be expanded.
- In addition, the right of the BSI to assess IT products, systems and services will be broadened. To this end, the BSI will be entitled to use all technical means available and, where necessary, to request support from third parties.
- Furthermore, the BSI will have the authority to set IT security standards for German federal authorities.
If the Draft Bill were passed in its present form, the IT security requirements for operators of critical infrastructure, as well as for internet service providers and telecommunication providers, would be substantially increased. Equally, the BSI's powers would be expanded and the BSI would have significant influence on the quality, adequacy and legitimacy of the pertinent security measures. While the German Government appears determined to push the Draft Bill through the legislative process, the affected industries are raising initial concerns about the burdens and costs associated with the initiative. Whatever the outcome, the Draft Bill will form the basis of the German Government's position in the upcoming discussions on the proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union (the proposed NIS Directive).