On 20 August 2014, the German Federal Ministry of the Interior presented a draft legislation that introduces mandatory IT and cyber security measures designed to ensure the protection of IT systems. The Draft IT Security Act (the “Draft Act”) is part of the Federal Government’s “Digital Agenda 2014-2017”, and provides for binding minimum IT security standards for “critical infrastructures”. The draft legislation defines “critical infrastructures” as installations and facilities in the sectors of Energy, Telecommunications and Information Technology, Transportation and Traffic, Health, Water and Agriculture, as well as Finance and Insurance that are important for the community and the failure or impairment of which would cause serious shortages of supply or a significant disturbance of public safety. Pursuant to the Draft Act, the German Act on the Federal Office for Information Security will be amended to broaden its scope to include the so-called “critical infrastructures”. The actual scope of installations and facilities covered, however, is to be determined in a separate ordinance. Objectives of the draft IT Security Act The Draft Act proposes to introduce amendments to several laws relating to the security of telecommunications and IT systems with the main objective of improv-ing the protection of German citizens, companies and governmental institutions. The Draft Act covers providers of publicly-available telecommunications services; providers of telemedia services; and operators of both public telecommunication networks and “critical infrastructures”. These providers are obligated to protect their IT systems against IT security risks, including cyber threats, cyber attacks, cyber espionage and other forms of cyber crime. The Draft Act also aims to strengthen and expand the powers of the national cyber security agency, the Federal Office for Information Security (“BSI”). IT Security Obligations The Draft Act provides for IT security obligations of telecommunications and telemedia companies as well as operators of “critical infrastructures”. 1. In addition to already applicable obligations:
- Providers of publicly-available telecommunications services and operators of public telecommunication networks are obligated to notify the Federal Network Agency, without undue delay, of any security incident of which they become aware of and which may lead to unlawful access to user systems or disrupts its availability (this is in addition to existing notification obligations in cases of a personal data breach or security breach);
- Providers of publicly-available telecommunication services are obligated to notify users of known disruptions caused by the users’ data processing systems and to provide users with information on appropriate, effective and accessible technical measures to detect and remedy such disruptions;
- Telemedia service providers are obligated to provide secure authorization methods for personalized telemedia services and, where technically feasible and reasonable, take measures to ensure that unlawful access to data processing and telecommunication system is prevented;
- Telecommunications and telemedia providers shall be entitled to use their customers’ data to protect their customers and to resolve disruptions.
Undertakings involved in the provision of telecommunications surveillance measures or equipment will be subject to investment control under the German Foreign Trade and Payments Act. 2. Operators of “critical infrastructures” will be obligated to implement adequate organizational and technical measures to protect such IT systems, components or processes that are crucial for the functioning of the critical infrastructure within two years from entry into force of the ordinance. The draft Act foresees that operators of critical infrastructures or their industry associations shall be entitled to propose security standards for their respective sectors. Once approved by the BSI, these standards will specify the obligations of operators of critical infrastructures, but will not prevent operators from implementing different and more stringent standards. 3. Furthermore, the Draft Act subjects operators of “critical infrastructures” to notification obligations regarding impairment of their IT systems, components or processes that could lead to a failure or impairment of the critical infrastructure. Where the impairment actually causes a failure or impairment of the critical infrastructure, the operator has to notify the BSI via an intermediary [so called “Warn- und Alamierungskontakt”], which has to be appointed by the operator. Such notification has to include the operator’s identity. In all other cases, the operators may file an anonymous notification via the intermediary. Additional Powers for the Federal Office for Information Security The Draft Act proposes to strengthen the powers of the Federal BSI, which will be in charge of registering and monitoring IT security of the operators of critical infrastructures. The BSI will have expanded powers to issue public warnings regarding IT security risks and the authority to set IT security standards for Federal authorities. Outlook The Draft Act takes into account some of the main issues that have already been raised in the consultation of an earlier draft that was tabled in 2013, including the right of operators of “critical infrastructures” not to disclose their identity when notifying incidents that do not directly cause a failure or impairment of the critical infrastructure in order to limit reputational damage. However, the Draft Act does not reflect the request of several industry associations to define the term “critical infrastructures” in the Draft Act and not in a separate governmental ordinance to be issued for this purpose. The Draft Act will serve as guidance for the German Government to structure their position in the forthcoming discussions around the proposal for a “Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union” (COM (2013) 48 final). The proposed Directive is expected to be debated in the European Parliament in November 2014. By Prof. Dr. Joachim Scherer, LL.M., Caroline Heinickel, LL.M. and Dr. Holger Lutz, LL.M.* *Prof. Dr. Joachim Scherer and Dr. Holger Lutz are Partners, Caroline Heinickel is a counsel in Baker & McKenzie’s Franfurt am Main office.