Country: Germany

Survey Answer:

Yes, please see below our overview of the most relevant German regulations:
Act to Enhance the Security of Information Technology Systems (Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme, Sicherheitsgesetz; IT Security Act)
• The IT Security Act came into force on 25 July 2015, even before the European Directive on Security of Network and Information Systems (NIS Directive) entered into force.
• The provisions of the IT Security Act amend a number of existing laws by incorporating new IT security and notification obligations. The amendments mainly concern provisions of the Act on the Federal Office for Information Technology (BSI Act - BSIG), but also the German Atomic Energy Act (AtG), the Energy Industry Law (EnWG), the Telecommunication Act (TKG) and the Telemedia Act (TMG).
Act on the Federal Office for Information Technology (BSI Act - BSIG)
• BSIG came into effect on 20 Aug 2009 and was last amended on 23 Jun 2017.
• BSIG sets out the tasks of the Federal Office for Information Security (BSI) as a superior federal authority for the security of information technology (for more details of its tasks and measures, please see under 1.3 below).
• Sec 2 (10) BSIG defines the regulated sectors of critical infrastructure (CRITIS), such as energy, information technology and telecommunications, transportation and transport, health, water, nutrition, finance and insurance. Since “critical infrastructures” are defined as facilities of high importance to the functioning of the community, some provisions of the BSIG do not apply to “microenterprises” (companies with fewer than 10 employees) within the meaning of Sec 8d BSIG.
• According to Sec. 8a (1) and (2) BSIG, operators of critical infrastructure are obliged to implement state-of-the-art technical and organizational measures to protect and ensure the availability, integrity, authenticity and confidentiality of their IT infrastructure. The range and scope of these measures will be determined in ordinances by the BSI, in cooperation with representatives from the relevant sectors.
• As set out in Sec. 8a (3) to (5) BSIG, the BSI has the power to verify the implementation of IT security measures through compliance checks (e.g. audits, reviews and certifications).
• Moreover, operators of critical infrastructure shall designate a contact person who is available at all times to serve as a single point of contact for the BSI (Sec. 8b (3) BSIG).
• Operators shall report to the BSI security incidents affecting IT systems that have, or may have, an impact on the critical infrastructure (Sec. 8b (4) BSIG).
• Pursuant to Sec. 10 (1) BSIG, the Federal Ministry of the Interior has the power to issue ordinances which define in more detail which companies fall under the provisions of the BSIG. The first of these ordinances was the Regulation on the Identification of Critical Infrastructure (BSI-KritisV-I). A second ordinance was announced at the beginning of 2017 (KRITIS-VO-II) (both are discussed in more detail below).
The Regulation on the Identification of Critical Infrastructure (BSI-KritisV-I, Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSIG) and the amending regulation (BSI-KritisV-II)
• BSI-KritisV-I entered into force on 3 May 2016.
• BSI-KritisV-I governs which service providers qualify as operators of critical infrastructure and are therefore subject to supervision under the BSIG (for details of the scope and content of the BSIG, please see above).
• In the Regulation Amending the German Regulation on the Identification of Critical Infrastructure (Änderungsverordnung zur BSI-Kritis-Verordnung, BSI-KritisV-II), which was announced on 21 June 2017, the Federal Ministry of the Interior specified in greater detail the criteria according to which financial sector companies qualify as operators of critical infrastructure.
Transposition of the NIS Directive in Germany
• As part of the EU cybersecurity strategy, the European Commission proposed the EU Network and Information Security Directive (EU) 2016/1148 (NIS Directive).
• Since the German IT Security Act came into effect before the NIS Directive passed the European Parliament, it was necessary to transpose the obligations of the NIS Directive into German law. However, since the IT Security Act and the NIS Directive are largely aligned, major amendments to German law were not necessary. Notably, the scope of operators of critical infrastructure did not fully mirror the corresponding obligations of the NIS Directive; this was addressed by the BSI-KritisV-II (for details of the BSI-KritisV-I and BSI-KritisV-II see above).

Provided By:
Prof. Peter Bräutigam, Noerr LLP, Munich