Thursday 4 September 2014

Germany Considering New Cybersecurity Law

The German Government is considering a new cybersecurity law meant to strengthen existing protections with new minimum security standards for companies to follow.  About the law, InsidePrivacy (privacy analysis by Covington & Burling LLP) notes its resemblance to efforts across the EU, following much of the EU Directive on Network and Information Security (“NIS”)
law similar to this effort had been considered in Germany last spring without success.

They report that the key difference between the EU directive and the German law is "the reporting obligations under the proposed IT Security Law go further than those in the NIS Directive and the German proposal contains additional obligations in particular for telecommunications providers and providers of commercial information society services."

Commenting on the draft of the law published by The German Federal Ministry of the Interior, InsidePrivacy describes the main objectives of the new law as the following:
  1. Improved IT security of companies: in particular, providers of critical infrastructures will be required to implement and maintain appropriate minimum organizational and technical security standards in order to ensure the proper operation and permanent availability of those infrastructures and to report significant IT security incidents.

  2. Protecting citizens online: Increased security standards but also additional information obligations vis-à-vis users/subscribers.

  3. Strengthening the Federal Office for Information Security (“BSI”): The BSI shall act as the national information security authority and centralized information hub with regard to any sort of cyber-attack or other impairment of information systems of critical infrastructures. For this purpose, the BSI will collect and analyze essential information in relation to IT security and to inform operators of critical infrastructures and competent authorities but can also provide information about providers’ compliance with security requirements and security incidents and liaise with third parties (such as providers) to identify and warn affected users. The BSI will publish technical guidelines on security measures.  Among other things, the BSI will be empowered to (i) investigate IT products, systems and services and to disclose and publish its evaluation of the security of the investigated products, systems and services; (ii) request from the providers of critical infrastructures a copy of audit and certification results prepared to prove compliance; (iii) request immediate removal of security defects.

  4. Expanding the competences of the Federal Criminal Police Office (BKA): the BKA will become competent for police tasks regarding the prosecution of cybercrimes insofar as they are directed against the security of Germany or certain vital facilities.

  5. Protecting the IT security of the German Government and federal administration: the BSI will obtain the power to issue mandatory requirements for the IT of the federal state.

The Government must approve the measure before it is sent to the parliament for approval.  To read more detail about the law -- its scope, its requirements for those in the private sector, among other things -- check out InsidePrivacy's detailed analysis.