Following the German Government’s adoption of a cybersecurity strategy back in February 2011, and only a couple of weeks after the publication of the European Commission’s CyberSecurity Strategy and proposal for a Directive on Network and Information Security (see InsidePrivacy EU Adopts CyberSecurity Strategy and Proposes Network and Information Security Directive, February 7, 2013), Germany has put forward its own proposal for a cybersecurity law.

On 5 March 2013, the German Interior Minister, Hans-Peter Friedrich, presented a draft IT Security Act, which would impose certain minimum IT security standards on operators of critical infrastructure as well as telecommunications and information society service providers. The measure would introduce mandatory reporting obligations.

The draft Act defines critical infrastructure as equipment, plants or parts thereof which are of high importance for the functioning of the community and whose failure or impairment would lead to a long-term supply shortfall or significant impairment of public safety. Infrastructure in the following sectors would be covered by the proposed Act (whereas IT and communications systems of the public administration have been excluded from the scope):

  • energy
  • IT
  • telecommunications
  • transport and traffic
  • health
  • water
  • food
  • finance
  • insurance.

The exact scope of application of the Act would be determined by secondary legislation, possibly based on criteria such as level of supply, effects of any failure or impairment on the population, rapidity, duration of the failure and market dominance.

In particular, operators of critical infrastructure in these sectors would be obliged to:

  • implement within two years appropriate organisational and technical safeguards and other measures – in accordance with the state of the art – to protect IT systems, components and processes which are essential for the functioning of critical infrastructure. There would be some room for self-regulation in this respect, as industry and associations could develop sector-specific standards to comply with the proposed minimum IT security standards, which could then be rubber-stamped by the regulator.
  • regularly (but at least every two years) carry out security audits and provide an overview of any security defects discovered through such audits to the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik (BSI));
  • inform the BSI without undue delay of any serious impairment of their IT systems, components and processes which could affect the proper functioning of critical infrastructure.

The BSI would act as a central point of contact, gather and analyse all relevant information, cooperate with other authorities and provide information to operators of critical infrastructure and the public as well as advice and support.

Telecommunications and information society service providers[1], which are also considered to play a key role with respect to cybersecurity, would be subject to additional obligations. To this end, new obligations would be introduced into existing sector-specific laws, obliging these providers to implement technical measures in accordance with the state of the art in order to protect telecommunications and data processing systems against unauthorised access.

Moreover, telecommunications providers would have to notify the sector-specific regulator, the Federal Network Agency (Bundesnetzagentur), without undue delay of any impairment (of which they become aware) regarding telecommunication networks and services, which could interfere with the availability of the services or allow unauthorised access to users’ telecommunications or data processing systems. The Federal Network Agency would in turn inform the BSI thereof. In addition, it is proposed that telecommunications providers inform affected users of any impairment originating from the users’ data processing systems and inform them about suitable, effective and accessible technical means to discover and remove any such impairment.

The draft Act still has to be approved by the German Government before it is submitted to the German Parliament.

[1] An information society service is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services and includes, for instance, online banking and online shopping.