News

Reporting obligations in Germany in the case of security incidents

16.10.2023

When a company is the victim of a cyber attack, one of the first urgent questions for its legal department is usually what reporting obligation must now be met. For some reporting obligations very short time limits apply, which the regulatory authorities take very seriously. This article provides an overview of reporting requirements to authorities in the event of an IT incident.

Depending on a company’s business, it may be subject to several concurrent reporting obligations. Cyber attacks frequently have international ramifications. This in turn can mean that a company also must fulfil additional reporting requirements abroad. Depending on the competent authority, it may be that an authority will inform other authorities as well, at least within Europe.

It can frequently be observed that companies lack an understanding of their contractual obligations to notify their contractual partners of a cyber breach. In particular, such reporting obligations are often “hidden” in confidentiality clauses. A processor for the purposes of data protection law also has an obligation to notify a controller of a data breach (Article 33(2) of the GDPR).

In addition, reporting obligations (Meldeobliegenheiten) to insurers must also be taken into account. Issuers of financial instruments must check whether the IT security incident also triggers an ad-hoc publicity obligation under the Market Abuse Regulation (MAR).

Statutory definition of an IT security incident

Different laws have different definitions of an IT security incident. The majority of these definitions have one thing in common, namely that the information security goals of confidentiality, integrity, authenticity and/or availability must have been compromised. In the case of some laws, a reporting obligation only arises when further preconditions are met.

Overview

(Klick here for the image version)

Legal source

Addressee(s) of the provision

Authority (English language where available)

Time limits

Article 33 of the General Data Protection Regulation, GDPR

Controller for the purposes of data protection law

Relevant data protection authority

Without undue delay and not later than 72 hours after having become aware of the personal data breach

Section 8b(4) of the German Federal Office for Information Security Act

Operators of critical infrastructure

Federal Office for Information Security 

Without undue delay

Section 8c (3) of the German Federal Office for Information Security Act

Digital service providers

Federal Office for Information Security

Without undue delay

Section 8f (7) and (8) of the German Federal Office for Information Security Act

Companies of special public interest

Federal Office for Information Security

Without undue delay (currently only mandatory for hazardous incidents occurring at companies of special public interest )

Section 168 of the German Telecommunications Act

Operators of public telecommunications networks or providers of publicly available telecommunications services

Federal Network Agency and Federal Office for Information Security

Without undue delay

Section 169 of the German Telecommunications Act

Providers of publicly available telecommunications services

Federal Network Agency and Federal Commissioner for Data Protection and Freedom of Information

Without undue delay

Section 11(1c) of the German Energy Industry Act

Operators of energy supply systems

Federal Office for Information Security

Without undue delay

Section 6 of the German Nuclear Safety Officer and Reporting Ordinance and section 44b of the German Atomic Energy Act

Various licence holders (such as nuclear power plant operators)

The Federal Office for Information Security and other nuclear regulatory authorities

Without undue delay

Section 24(1) no. 19 of the German Banking Act

Credit institutions

Federal Financial Supervisory Authority and German Central Bank

Without undue delay

Section 54 of the German Payment Services Oversight Act

Payment services providers

Federal Financial Supervisory Authority

Without undue delay 

Section 329 of the German Social Security Code (Book V)

Telematics infrastructure company (“Gematik”)

Providers of components and services as well as providers of applications

Gematik: Federal Office for Information Security

Provider: Gematik

Without undue delay

Commission Implementing Regulation (EU) 2019/1583

Operators, air carriers and entities

Federal Office for Information Security

Without undue delay

 

This news item is revised regularly. Current at: 4 January 2024.

Further detailed information can be found on the Noerr Cyber Risks Team’s webpages here.

Contact

Julian Monschke
Julian Monschke+49 69 971477179
Paul Vogel
Paul Vogel+49 89 28628542

Data Privacy
Data Tech and Telecoms
Digital Business
IT & Outsourcing
Liability & Insurance
Cyber Risks
Data Protection Litigation

Share

Show all

Insights

hand touching led wall screen
News

Data Compliance Governance

16.04.2024
compass with pulse
News

Data Act – Scope, Impact, Implementation

16.04.2024
telescopes with pulse
News

Digital Markets Act: European Commission opens investigations against Alphabet, Apple and Meta

28.03.2024
LED field Data Protection Litigation
News

Update on the Data Governance Act

12.03.2024
street view with pulse
News

European data protection authorities start coordinated investigation into right of access

11.03.2024
EU Flag with Pulse
News

Digital consumer protection: current case law and European legislation

04.03.2024
container storage port
News

Update Commercial 2024

01.03.2024
library
News

Judgment of the Cologne Administrative Court of 17 November 2023 – BNetzA Acted Unlawfully by Naming Company in Press Release

01.03.2024
compass with pulse
News

Data privacy pitfall: Cookie banners must allow a genuine choice

26.02.2024