ective on Network and Information Security (“NIS”).
They report that the key difference between the EU directive and the German law is "the reporting obligations under the proposed IT Security Law go further than those in the NIS Directive and the German proposal contains additional obligations in particular for telecommunications providers and providers of commercial information society services."
Commenting on the draft of the law published by The German Federal Ministry of the Interior, InsidePrivacy describes the main objectives of the new law as the following:
Improved IT security of companies: in particular, providers of
critical infrastructures will be required to implement and maintain
appropriate minimum organizational and technical security standards in
order to ensure the proper operation and permanent availability of those
infrastructures and to report significant IT security incidents.
Protecting citizens online: Increased security standards but also additional information obligations
Strengthening the Federal Office for Information Security (“BSI”):
The BSI shall act as the national information security authority and
centralized information hub with regard to any sort of cyber-attack or
other impairment of information systems of critical infrastructures. For
this purpose, the BSI will collect and analyze essential information in
relation to IT security and to inform operators of critical
infrastructures and competent authorities but can also provide
information about providers’ compliance with security requirements and
security incidents and liaise with third parties (such as providers) to
identify and warn affected users. The BSI will publish technical
guidelines on security measures. Among other things, the BSI will be
empowered to (i) investigate IT products, systems and services and to
disclose and publish its evaluation of the security of the investigated
products, systems and services; (ii) request from the providers of
critical infrastructures a copy of audit and certification results
prepared to prove compliance; (iii) request immediate removal of
Expanding the competences of the Federal Criminal Police
Office (BKA): the BKA will become competent for police tasks regarding
the prosecution of cybercrimes insofar as they are directed against the
security of Germany or certain vital facilities.
Protecting the IT security of the German Government and federal
administration: the BSI will obtain the power to issue mandatory
requirements for the IT of the federal state.
The Government must approve the measure before it is sent to the parliament for approval. To read more detail about the law -- its scope, its requirements for those in the private sector, among other things -- check out InsidePrivacy's detailed analysis.