DAC Beachcroft in collaboration with Luther Rechtsanwaltsgesellschaft – Frankfurt am Main, Germany

What does this cover?

We reported on this development back in August and below is a detailed analysis of the Act provide by German lawyer Christian Hufen.

On July 25 2015, the German IT-Security Act (the Act) came into force. The new statutory law aims to improve the overall IT security in Germany and particularly requires operators of critical infrastructure to implement minimum IT security measures and introduces a specific reporting scheme for IT security incidents. The Act further directly obliges providers of commercial telemedia services to implement state of the art security measures to prevent unauthorized access and to protect personal data. Providers of publicly available telecommunications services or networks and energy network operators are subject to additional obligations through amendments of the respective sector legislation.

The Act primarily affects so called operators of critical infrastructure in the energy, IT, telecommunications, transport and traffic, health, water, food, finance and insurance sectors. Whether an entity operates a 'critical infrastructure' in accordance with the Act is determined based on qualitative and quantitative criteria, whereas a critical infrastructure shall be any facility, installation or part thereof which is of great importance to the public (qualitative element) and a breakdown or impairment thereof would result in significant supply shortages for a significant number of users (quantitative element). However, the actual scope is still to be further specified by the Federal Ministry of the Interior in a separate ordinance.

Moreover, all suppliers and contractors of operators of a critical infrastructure (still to be defined) are likely to be affected by the new law as well, as the operators concerned will oblige their suppliers and contractors accordingly.  In any case, regardless of a critical infrastructure, one’s product portfolio should therefore carefully and comprehensively be assessed in order to determine whether or not the company could be deemed as a respective supplier/contractor for operators of critical infrastructure.

Furthermore, the new security requirements for telemedia services will apply to any provider of commercial telemedia services (e.g. blogs, apps, online shops, etc.). According to the explanatory memorandum (Gesetzesbegründung) to the Act, this shall particularly apply to fee-based and ad-supported services. However, solely the 'non-commercial' provision of telemedia shall not be affected.

Operators of critical infrastructure are obliged:

  • to implement adequate technical and organizational measures to protect and safeguard the availability, integrity, authenticity and confidentiality of their IT systems. These measures have to be state of the art, must be fully implemented within two years following enactment of the ordinance and then regularly be presented to the Federal Office for Information Security every two years; and  
  • appoint a contact within their organization for ongoing communications with the BSI, within six months following enactment of the ordinance.   
  • The BSI has to be notified about any security incidents regarding the IT system, which could lead to a failure or impairment of the critical infrastructure. Such notifications shall be made through the appointed contact but may be submitted anonymously where such incident did not result in any actual impairment or failure of the IT systems.   
  • In addition to existing obligations, providers of publicly available telecommunications services or networks now also have to notify the Federal Network Agency without undue delay of any security incident which may lead to unauthorized access to user systems or a disruption of availability. Providers of publicly available telecommunication services are further obliged to notify users of known disruptions rooting from users’ IT systems and to provide users, where adequate, with information on appropriate, effective and accessible technical measures to detect and remedy such disruption.  

Providers of commercial telemedia services, irrespective of any critical infrastructure requirement, are obliged to take state of the art, technically possible and commercially reasonable measures to prevent unauthorized access to the technical systems used for their service and to protect these systems against data protection violations and (external) disturbances. Unfortunately, the Act's explanatory memorandum does not specify which exact measures are to be taken by the respective service providers. However, according to the newly implemented provision within the German Telemedia Act (see section 13 para 7), 'approved encryption procedures' could represent appropriate measures to protect the technical systems, which, under consideration of the explanatory memorandum should at least comply with the current technical guidelines of the BSI in order to be deemed as state of the art measures. Also, the explanatory memorandum states that the 'installation of security patches' without further specifying any reaction times or further possible measures could prevent unauthorized access to the technical systems. Furthermore, organizational measures must be taken. This shall include, for example, to contractually oblige contractors (such as advertising or hosting providers) to take corresponding protective measures.

Violations of these requirements may result in fines of up to EUR 50,000 for telemedia service providers and tele-communications providers and up to EUR 100,000 for operators of critical infrastructure.

What action could be taken to manage risks that may arise from this development?

Companies should ensure they are compliant with the new laws in Germany and seek advice on implementation where necessary.

Submitted by Christian Hufen, Solicitor in the IP/IT law department of Luther Rechtsanwaltsgesellschaft – Frankfurt am Main, Germany