On August 19, 2014, more than one year after the first draft bill of an IT Security Act, the German Federal Ministry of the Interior has published the new draft bill of the Act, aimed at boosting the security of information technology systems. The full title of the legislation is “Entwurf eines Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme“ (IT Sicherheitsgesetz) (“IT Security Act”). The new rules are still subject to change but look likely to come into force in early 2015.
In fact, the IT Security Act will not be an individual law, but will amend the Act on the Federal Office for Information Security, the Telecommunication Act, the Telemedia Act and the Act on the Federal Criminal Police Office as well as the Act on the German Federal Office of Information Security. The IT Security Act contains five central topics and provides for:
- IT security in companies (see A. below)
- Protection of individuals/citizens while using networks (see B. below)
- Securing federal IT (see C. below)
- Strengthening the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik “BSI”) (see C. below)
- Extension of competences of the Federal Criminal Police Office (Bundeskriminalamt “BKA”). (see C. below)
The aim behind the IT Security Act is to turn German IT systems and critical infrastructures into the safest systems in the world.
A. IT security in companies
Scope: which organisations are caught by the new rules?
Under the new IT Security Act, providers of critical infrastructures (“CI Providers”) shall implement an acknowledged standard of technical measures to secure their IT systems and inform authorities about certain attacks or IT incidents without undue delay. “Critical Infrastructures” will be defined by a separate regulation to be enacted once the IT Security Act is in place. According to the proposed amendment of the Act on the German Federal Office of Information Security critical infrastructures shall, however, include establishments, plants and parts of it in the sectors of energy, IT, transport and traffic, health, water, nutrition, finance and insurance. Provider of critical infrastructures considered to be micro, small and medium-sized enterprises in the meaning of Recommendation 2003/361/EC are excluded from the scope of the IT Security Act.
Expressly excluded from the term “critical infrastructures” are federal communication technologies that are used for internal communication between authorities and for communication towards third parties. This exclusion is subject to criticism of industry associations because the the IT Security Act does not apply to the biggest critical infrastructure in Germany.
Furthermore, currently there is a lot of criticism as the term “Critical Infrastructures” requires concrete definition. To date it is not fully clear which organisations are covered by the new rules.
- Security standards
CI Providers, except providers of public telecommunication networks or public telecommunication services, will be obliged to implement adequate organizational and technical precautions and other measures to protect the IT systems, their components and the processes that are mandatory to provide the critical infrastructure (“Security Measures”). Security Measures must be fully implemented two years after the IT Security Act comes into effect. CI Providers will be obliged to prove those Security Measures every two years by providing sufficient audit reports or certificates.
CI Providers in common sectors and their relevant sector associations may propose their own standards for Security Measures that substantiate the general Security Measures.
- Notification duties
CI Providers must designate at least 15 individuals as contact points for warning and alerting (Warn- und Alamierungskontakte). CI Providers are obliged to notify the BSI via those designated contacts without undue delay in case of interference or impairment that could lead to breakdown or the impairment of the critical infrastructure. In such cases, providers may notify the BSI on an anonymous basis. The notification must contain the technical framework of the CI Provider used to provide the critical infrastructure, the Security Measures implemented and the sector of the provider. In cases where the interference or impairment has already led to a breakdown or impairment, an anonymous notification is not permitted.
- Further obligations
Companies in the same sector may designate one common contact person managing the communication between CI Providers and the BSI.
Third parties may request information on Security Measures and on security incidents from the BSI unless CI Providers have legitimate interest in non-disclosure or if the disclosure of such information would impact material security interests of the general public. CI Providers have to consent in the disclosure of information with regard to actual breakdowns or impairments as well as on the result of the regular audits.
B. Protection of individuals/citizens while using networks
Protection of individuals/citizens is mainly aimed at telemedia and telecommunication providers. Telemedia providers and telecommunication providers shall implement an acknowledged standard of technical security measures.
Telecommunication providers are obliged to inform the Federal Network Agency (Bundesnetzagentur) in case of impairment of the telecommunication networks that could lead to significant security incidents, e.g. unauthorized access to users’ systems. The Federal Network Agency may request a detailed report in case of an actual incident from the providers. In case of an incident, the Federal Network Agency either may inform the public itself or oblige the provider to do so.
Providers are obliged to inform their customers about incidents on the providers’ data processing systems (e.g. malware and cyber-attacks) and provide them with information and, if applicable, software or applications to remove or combat such malware or cyber attacks.
In addition, Telemedia providers are permitted to process and use usage data, telecommunication providers may process and use inventory and traffic data to identify, limit or eliminate impairments.
C. Securing federal IT and strengthening federal authorities
BSI is entitled and obliged to determine minimum security requirements for federal authorities to secure federal IT networks. BSI is entitled to assess IT systems and services to and publish the results for the purpose of improving IT systems and services. BSI is no longer only entitled to inform the public on malware but also on the loss of data. The BKA is entitled to investigate in more kinds of cybercrime, such as espionage of data, computer fraud.
D. Olswang comment and outlook for the new act
The IT Security Act is a step in the right direction – creating high security standards where necessary, increasing protection for individuals and providing assistance for individuals to self-help with regard to security incidents. The opportunity to notify the BSI anonymously of security incidents leads to a fair balance between the reputation of providers and the protection of individuals and general public. However, as long as the term ‘critical infrastructures’ is not defined, it is not fully clear what companies are in the scope of the IT Security Act. Furthermore, the provider of the biggest critical infrastructure of all, the Federation, is excluded from this scope. Furthermore, the costs of implementation which providers will face are currently not easy to quantify. Industry associations assume costs of more than one billion Euros triggered by the implementation and maintenance of the technical and organizational measures under the IT Security Act.
In addition, there are privacy concerns with regard to the processing and use of usage data by telemedia providers and processing and use of inventory and traffic data by telecommunication providers. These companies are entitled to store a lot of information under the cloak of IT security and share this information with federal authorities, i.e. what was denied by the ECJ with regard to the Data Retention Directive.
The IT Security Act is now subject to interdepartmental coordination and will then be discussed with stakeholders of the relevant industries and stakeholders of society. A formal procedure with regard to the participation of stakeholders does not exist. Industry associations will likely request their members to provide feedback and raise issues so that the IT Security Act can be amended. According to a statement made previously by the German Federal Ministry of the Interior, the IT Security Act shall be enacted in early 2015. The content of the final draft will be eagerly awaited.
It is interesting to see that Germany is introducing its own legislation on cyber security ahead of the formal adoption of the EU Network and Information Security Directive, which is still to be agreed by the EU institutions and Member States. However, the EU Network and Information Security Directive and the IT Security Act cover similar topics. The IT Security Act can be seen as Germany’s position in further discussions about the EU Network and Information Security Directive. Next steps, and the final text of the Act, will be monitored with interest by Datonomy.