In July 2015 Germany enacted the IT Security Act which aims to improve IT security in certain industry sectors to prevent breakdowns of critical infrastructure facilities (please see our previous newsflash for more details). With this piece of legislation Germany forestalled the EU Network and Security Directive (“NIS” or “Cybersecurity” Directive) which also requires minimum IT security requirements and a reporting scheme for security incidents. The operators of critical infrastructure to which the Act shall apply are still to be defined in ordinances for the relevant industry sectors.
On February 5, 2016, the Federal Ministry of the Interior now published a draft ordinance for determination of critical infrastructures in the energy, information technology and communications, water and food sectors (full text can be accessed here, available only in German). Infrastructure operators in these sectors should carefully assess the draft bill which is expected to be issued without material changes in the next months and follow the legislative procedure. Once the ordinance is enacted, they will have to comply with the reporting and IT security measure implementation obligations set out in the IT Security Act.
Background - Critical Infrastructures in the IT Security Act
The IT-Security Act requires operators of critical infrastructure in certain industry sectors (energy, information technology and telecommunications, transport and traffic, health,water, food, finance and insurance) to implement minimum IT security measures and introduces a reporting scheme for IT security incidents. The IT Security Act only contains a generic definition of the term ‘critical infrastructure’ and empowers the Federal Ministry of the Interior to specify critical infrastructures per sector in a separate ordinance. The draft ordinance which has now been published covers the sectors energy, information technology and communications, water and food and shall be revised after 4 years. Ordinances for the remaining sectors are expected by the end of 2016 (health, banking and insurance) and beginning of 2017 (transport and traffic).
What are Critical Infrastructures?
The draft ordinance follows the three-step methodology set out in the IT Security Act. It first defines, per sector, services that are critical and therefore require protection against IT security threats. Most of these services had already been mentioned in the Federal Government’s reasoning to the Draft IT Security Act. In a second step, it sets out facility categories that are necessary for the provision of these critical services. The ordinance defines ‘facilities’ as ‘operating plants and other stationary facilities or machinery, equipment and other stationary technical facilities which are required to provide the critical service’. Third, the ordinance contains threshold values for each critical service and facility category with the aim of ensuring that only infrastructure considered ‘critical’ for the provision of the service are covered. The calculation of the threshold values and the relevant factors differ per sector (and partly also per critical services), e.g. in the energy sector the threshold value for power generation relates to installed capacity, while for telecommunications networks it relates to the number of network participants.
The main critical services and facility categories per sector are:
Click here to view table.
The reasons to the draft bill contain additional explanations on the above services and facilities.
Next step - Check if your company is covered
Companies in the energy, information technology and communications, water and food sectors that provide any of the above critical services and operates a relevant facility should carefully review the IT Security Act and the draft ordinance, in particular the applicable threshold values and calculation models provided in the ordinance. In case the relevant threshold value is (likely or in the future will likely be) met, they should start taking the necessary precautions to comply with the new obligations under the IT Security Act.