Update August 2017
Since July 2015, the German IT Security Law („IT-Sicherheitsgesetz“) as well as refining administrative decrees and handouts have been passed. The IT Security Law amended a number of existing laws and introduced IT Security and notification obligations, mostly for a number of so-called “Operators of Critical Infrastructure” providing services of general interest.
In addition, IT Security Obligations for providers of telemedia services, such as website operators, have been strengthened.
In July 2016, the Directive on Security of Network and Information Systems (“NIS Directive”) passed the European Parliament. By April 2018, the EU Member States must transpose the provisions of the NIS Directive into national law. Consequently, Germany passed the NIS Directive Implementation Act (“NIS-Umsetzungsgesetz”) in April 2017.
2. Requirements for Operators of Critical Infrastructure
2.1 Who is an Operator of Critical Infrastructure?
Most of the obligations deriving from the IT Security Law fall on operators from the following critical infrastructure sectors, whose facilities are of high importance because their outage or impairment would cause significant supply shortfalls or endanger public security:
- Energy: Operators of supply facilities in the sectors electricity, gas, fuel, heating oil, and district heating, to the extent that more than 500,000 citizens are sustained
- Information Technology and Telecommunications: Operators of facilities in the sectors voice and data transmission, data storage and processing to the extent that more than 500,000 citizens are sustained
- Water: Operators of facilities in the sectors drinking water and waste water, to the extent that more than 500,000 citizens are sustained
- Food: Operators of facilities in the sectors production, processing, and trade, to the extent that more than 500,000 citizens are sustained
- Transport and traffic: Operators and Facilities in the sectors of aviation, rail transport, sea and inland navigation, road transport, public local transport, logistics, weather forecast and satellite navigation, to the extent that more than 500,000 citizens are sustained
- Health: Operators and Facilities in the sectors of inpatient care (hospitals), the supply of vital medical products, prescription drugs and blood and plasma concentrates, to the extent that more than 500,000 citizens are sustained, except for hospitals, where the threshold is only 30,000 citizens
- Finance and Insurance: Operators and Facilities in the sectors of cash supply, card-based payment transactions, conventional payment systems, clearing and settlement of securities and derivative transactions and insurance services, to the extent that more than 500,000 citizens are sustained
2.2 What obligations apply?
In particular, Operators of Critical Infrastructure will have to (a) implement state of the art technical and organizational measures and (b) notify the regulator in case of security incidents.
(a) Technical and Organizational Measures
- Operators of Critical Infrastructure must implement state of the art technical and organizational measures to prevent disturbances of any kind
- For the sectors Energy, Information Technology and Telecommunications, Water and Food, the respective measures must generally be implemented by May 2018 at the latest
- For the sectors Transport and Traffic, Health as well as Finance and Insurance, operators have to implement the necessary measures by June 2019
- Operators must demonstrate every two years that their security measures are state of the art
- Industry Associations may elaborate industry security standards; the responsible regulator can confirm that these standards are sufficient
(b) Notification Requirements
Operators of Critical Infrastructure must
- Designate single points of contact for communication with competent authorities
- Notify the responsible regulator in case of significant incidents affecting the availability, integrity, authenticity or confidentiality of their IT systems, components and processes that could lead or have led to an outage or impairment of critical infrastructure; notifications can be submitted on an anonymized basis unless an outage or impairment has indeed occurred
(c) Obligations for specific energy and telecom providers
In addition, IT security standards already existed in highly regulated parts of the energy industry (e.g. operators of nuclear power plants) and the telecom industry. For those sectors, the IT Security Law holds additional IT security requirements and notification obligations. Furthermore, operators of energy grids will have to implement an Information Security Management System (ISMS) consistent with ISO/IEC 27001.
(d) Enforcement
- Authorities can impose fines of up to 100,000 € if operators do not comply with binding orders to remedy their operations
- In other cases, such as failure to provide information on the implementation of security measures or failure to notify incidents, fines can be as high as 50,000 €
- In addition, other consequences such as damage claims may arise in case of non-compliance
3. Requirements for Operators of Telemedia Services
Operators of telemedia services, such as all website operators, now have to implement reasonable and state of the art security measures pursuant to the German Telemedia Act to prevent unauthorized access to their IT operations and to ensure that these IT operations are protected against attacks. For the time being, no notification requirements under the Telemedia Act exist, but notification requirements for providers of so-called “digital services” will become effective in May 2018. “Digital services” are online marketplaces, online search engines and cloud computing services.