New IT Security Act Intensifies Duties Of Providers

On June 12, 2015, the German Parliament passed the IT Security Act (IT-Sicherheitsgesetz). The law provides, inter alia, that operators of so-called critical infrastructure must meet a minimum level of IT security, install protection tools to ensure the security and notify the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – “BSI”) of incidents regarding IT security.

Within the last minutes of the Parliament’s Friday session, three main new aspects were added to the existing Act of the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – “BSIG”).

The first amendment refers to the obligation to eliminate safety deficiencies. Non-compliance with this obligation entails the risk of a fine of up to 100,000 EUR being imposed on the telecommunications providers (added as section 14 to the BSIG). The risk of a fine of up to 50,000 EUR occurs due to non-compliance with the duty to transfer certification and audit results of organizational measures taken to implement a minimum security standard to the BSI. Besides that, the IT Security Act also obligates producers of hardware and software to cooperate in eliminating security vulnerabilities. The third main amendment to the Act contains requirement for review after four years. This requirement entails that certain provisions of the Act are to be reviewed by an expert whom the Parliament will appoint (article 10 IT Security Act).

On one hand, the law emphasizes the duties of telecommunication service providers. On the other hand, however, it strengthens the institution of the Federal Office for Information Security by expanding its rights.

Germany’s Federal Minister of the Interior, Thomas de Maizière, presented his ideas for an IT Security Act to the public for the first time in August 2014. Shortly after, in November, the Sony Pictures cyber-attack paralyzed the company’s computer systems and resulted in the leak of several unreleased films. This attack – albeit in the United States and not in Germany – emphasized the need to defend institutions and companies against cyber-attacks. Moreover, just this past weekend, the German authorities were shaken by a cyber-attack on the Parliament itself. However, de Maizière was criticized for his approach due to his concentration on the rights of the information security authorities, thereby neglecting data protection issues. Critics claimed the Draft Act was very vague about the definition of a critical infrastructure. Furthermore, they pointed out that the Act lacked consideration of technical measures and focused only on legal matters.

It is unlikely that critical views of the IT Security Act will decrease in the near future. In fact, thousands of telecommunications companies – if not more – are to report cyber-attacks, constituting a major administrative effort. Additionally the new IT Security Act might be obsolete soon, after a European law on IT safety is concluded.