The German Federal Ministry of the Interior recently published its revamped proposal for an “IT Security” Law. A similar proposal had already been adopted by the previous German Government in March last year (see InsidePrivacy, German Government Proposes Cybersecurity Law, March 22, 2014). However, that proposal ultimately failed to clear the legislative process in time before the federal elections in autumn 2013. The new proposal is based on the 2013 proposal, but certain changes have been made to address some of the concerns that had been voiced about the previous proposal.
The proposed IT Security Law pursues an objective similar to that of the proposed EU Directive on Network and Information Security (“NIS”) (see InsidePrivacy, European Parliament Votes to Ensure that the Proposed Network and Information Security Directive Focuses on Protecting Critical Infrastructure, March 15, 2014). In particular, the rules on security requirements and security incident notifications in both proposals are generally aligned. Nonetheless, the reporting obligations under the proposed IT Security Law go further than those in the NIS Directive, and the German proposal contains additional obligations, in particular for telecommunications providers and providers of commercial information society services (Telemedien). The German Government made it clear that the proposed IT Security Law will serve as a guideline for its position in the Council (which represents the EU member states’ governments) and in the pending negotiation of the NIS Directive at EU level.
Main objectives of the draft IT Security Law
The draft IT Security Law’s five main objectives are:
- Improved IT security of companies: in particular, providers of critical infrastructures will be required to implement and maintain appropriate minimum organizational and technical security standards in order to ensure the proper operation and permanent availability of those infrastructures and to report significant IT security incidents (for further detail, see below).
- Protecting citizens online: this will be achieved through the increased security standards but also additional information obligations vis-à-vis users/subscribers.
- Strengthening the Federal Office for Information Security (“BSI”): the BSI shall act as the national information security authority and centralized information hub with regard to any sort of cyber-attack or other impairment of information systems of critical infrastructures. For this purpose, the BSI will collect and analyze essential information in relation to IT security and inform operators of critical infrastructures and competent authorities; it can also provide information about providers’ compliance with security requirements and about security incidents, and liaise with third parties (such as providers) to identify and warn affected users. The BSI will publish technical guidelines on security measures. Among other things, the BSI will be empowered to (i) investigate IT products, systems and services and to disclose and publish its evaluation of the security of the investigated products, systems and services; (ii) request from the providers of critical infrastructures a copy of audit and certification results prepared to prove compliance; (iii) request immediate removal of security defects.
- Expanding the competences of the Federal Criminal Police Office (BKA): the BKA will become competent for police tasks regarding the prosecution of cybercrimes insofar as they are directed against the security of Germany or certain vital facilities.
- Protecting the IT security of the German Government and federal administration: the BSI will obtain the power to issue mandatory requirements for the IT of the federal state.
Scope of the draft IT Security Law
As in the previous draft, “critical infrastructure” is defined as equipment, plants or parts thereof which are of high importance for the functioning of the community and whose failure or impairment would lead to a lasting supply shortfall or significant impairment of public security. The communication technology of the German Government, Parliament and public administration at federal, state (Länder) and municipal level, as well as the culture and media sector, are excluded from the scope.
The exact scope of the Law’s application will be determined on the basis of qualitative and quantitative criteria by secondary legislation following a stakeholder consultation process. However, providers of critical infrastructures (except for micro enterprises) in the following industry sectors would generally be covered:
- energy
- IT and telecommunications (providers of public telecommunication networks and services are partly exempted insofar as they are or will be subject to similar obligations under sector-specific laws)
- transport and traffic
- health
- water
- food
- finance
- insurance
New obligations for the private sector
The draft IT Security Law introduces new obligations for operators of critical infrastructures generally and for telecommunications providers and providers of commercial information society services more specifically:
- Operators of critical infrastructure must:
  - implement minimum security standards after a transitional period of two years and prove that they satisfy the requirements at least every two years; operators and industry associations may propose sector-specific security standards;
  - designate a warning and alarm contact through which they can be reached by the BSI at any time;
  - promptly report to the BSI any impairment of their IT systems, components or processes which can or does lead to a failure or impairment of their critical infrastructures (examples include security gaps, malware, security attacks that have either been carried out, attempted or successfully fended off, as well as extraordinary and unexpected technical defects with an IT connection). Pseudonymous reporting would be permitted, unless the impairment results in a failure or impairment of the critical infrastructure.
- Telecommunications providers must:
  - in addition to already existing reporting obligations, notify the Federal Network Agency (which in turn will inform the BSI) in case of the impairment of telecommunications networks and services which can lead to significant security violations or unauthorized access to telecommunications and data processing systems of the end users;
  - inform affected subscribers/users if the providers become aware of impairments which originate from the users’ data processing systems (such as malware) and in addition provide information about appropriate, effective and accessible technical means allowing those subscribers/users to discover and remove such impairments.
- Commercial information society services (essentially content and host providers) must:
  - implement technical and organizational measures to generally protect the telecommunications and data processing systems against unauthorized access. According to the legislative reasoning, this aims to reduce so-called drive-by download attacks and malware, which could be achieved by regular software updates and security patches as well as contractual arrangements with third-party content providers;
  - offer a reasonably secure authentication procedure in case of personalized services.
Next steps
The draft IT Security Law first needs to be endorsed by the German Government before it can be presented to the Parliament for approval. The intra-ministerial consultation, which will require close coordination in particular with the three German Ministries of Economic Affairs, Justice and Traffic and Digital Infrastructure, is currently underway and expected to last three to four months. The Interior Minister also announced his intention to carry out an intensive stakeholder consultation on the draft Law.