Revision of IT Security Act

 

Federal Minister of the Interior De Maizière today, August 19th, introduced in the Ministry a new draft IT Security Act already in discussion since 2013. The draft is part of the Digital Agenda of the Federal Government (BSI). It is the declared objective of the Federal Minister of the Interior De Maizière that the German IT system should be the most secure in the world.

 

1. Main points

• The draft affects all “Betreiber kritischer Infrastrukturen” (all infrastructures critical for operators). These will, in accordance with new Sec. 10 ss. 1 of the Act, be specified in a legal regulation by the Federal Ministry of the Interior through the Federal Agency for Security in IT. It previously heard representatives of industry associations affected, inter alia.
•  The draft provides an obligation of the companies to give notice of any attack on their digital systems. The notice should be issued directly to the Federal Agency for Security in IT, notification under a pseudonym is in principle sufficient. Naming is intended, however, to be necessary if the “critical infrastructure” is interrupted or destroyed.
• Companies should within two years set up security standards for their industries. Energy, IT and telecommunication, transport and traffic, health, water, food, finance and insurance are the concrete industries in discussion.
• An obligation to give notice of system disruptions, which could have significant consequences not only for data protection, is also provided for certain companies and institutions. Apart from banks, energy networks and hospitals, mainly administrative authorities and telecommunication networks are affected.
• Finally, the jurisdiction of the Federal Criminal Agency (BKA) is to be extended to many cyber-crimes for which so far the “Länder” had jurisdiction.

 

2. New surveillance

• The objective of strengthening the significance and jurisdiction of the BSI is evident in several places in the draft. The establishment of the BSI as a surveillance authority for the measures of business mentioned above is a pillar of this concept.
• The draft in this connection also provides an obligation on companies to send the BSI at least every two years a list of all security audits, tests and certifications including the security defects ascertained thereby. Together with the authority to demand the entire audit, testing and certification results, the BSI is also entitled in the case of security defects to demand the remedying thereof without delay.

 

3. Further legislative procedure

The draft IT Security Act is, since yesterday, in the consultative process between the ministries. The next step in the legislative procedure is then submission of an agreed draft.

 

4. EU Cyber Security Directive

The draft Cyber Security Directive introduced at the beginning of the year by the EU Commission, is also relevant in connection with the subject of IT security. The relevant committee of the EU Parliament is expected to agree at the beginning of November 2014 on the draft directive so that it can still be passed in this year. It remains to be seen whether and to what extent this directive makes further regulations other than those in the IT Security Act necessary.