On June 12, 2015, the German Parliament (Deutscher Bundestag) passed an Act to Improve the Security of Information Technology Systems ("IT-Security Act"). The new legislation requires operators of so-called critical infrastructure to meet minimum standards for IT security and to report significant IT security incidents to the Federal Office for Information Security ("BSI"). This is an important development for both German and non-German entities that provide critical infrastructure products and services in Germany, because the law applies to both and because it imposes a reporting obligation on such companies in the event of a security incident.

Background

The objective of the IT-Security Act is to improve the security of information and IT-systems in Germany by increasing the level of protection regarding the availability, integrity, confidentiality and authenticity of IT-infrastructure. In particular, providers of critical infrastructure (as defined below) will be required to implement and maintain appropriate minimum organizational and technical security standards in order to ensure the proper operation and permanent availability of that infrastructure. Furthermore, the IT-Security Act provides for a greater role for the BSI and recognizes its increased significance as central agency for IT security by expanding its advisory function. Additionally, the BSI will be equipped with the authority to test the security of IT products and systems currently on the market.

This IT-Security Act mirrors aspects of the so-called "NIST Framework"[1] in the United States and related Executive Orders issued by the Obama Administration, all of which focus on sound cybersecurity preparedness and risk mitigation strategies for 16 critical infrastructure sectors in the United States, as provided in Presidential Policy Directive 21 (PPD-21).[2]

The IT-Security Act at a glance

> What is "critical infrastructure"?

The IT-Security Act defines "critical infrastructure" based on (i) qualitative and (ii) quantitative criteria:

(i) Qualitative factors focus on whether the respective installations or facilities, or parts thereof, provide critical services that are essential for a large number of members of society. This includes installations and facilities in the sectors of Energy, Telecommunications and Information Technology, Transportation and Traffic, Health, Water and Agriculture, as well as Finance and Insurance. The critical infrastructure will be specified by an ordinance (Rechtsverordnung) to be adopted by the Federal Ministry of the Interior (Bundesinnenministerium) (the "Ordinance"). However, at this time the exact scope of the catalogue of critical infrastructure remains highly controversial.

(ii) Quantitative factors focus on whether, in the individual case, the breakdown or impairment of the respective installations or facilities, or parts thereof, would directly or indirectly have negative effects on the supply of a substantial number of users and would thus be relevant to society as a whole (an area of qualitative focus). It is expected that the Ordinance will set thresholds concerning this matter.

> For whom does the IT-Security Act apply?

The IT-Security Act provides for IT security obligations of operators of "critical infrastructure" in Germany, regardless of their organizational form. The act clearly applies to German-based companies. However, foreign companies based outside Germany will also be covered to the extent they provide critical infrastructure products or services in Germany. Moreover, both public and private companies will need to comply with the regulations.

> What is required from operators of critical infrastructure?

(i) Contact point (Kontaktstelle): Within six months from entry into force of the Ordinance, operators of critical infrastructure are obliged to set up a contact point within their organization. The operator has to notify and will be notified by the BSI via this contact point.

(ii) Organizational measures: Within two years from entry into force of the Ordinance, operators of critical infrastructure are obligated to implement adequate organizational and technical measures to protect the availability, integrity, confidentiality and authenticity of those IT systems, components or processes that are crucial for the functioning of the critical infrastructure.

(iii) Provision of evidence: Operators of critical infrastructure will be obliged to prove the implementation of the aforementioned security measures every two years by providing sufficient audit reports or certificates to the BSI.

(iv) Reporting obligations: Operators of critical infrastructure are obliged to notify the BSI via the aforementioned contact point without undue delay in case of disruptions or impairments that could lead to a breakdown or impairment of the critical infrastructure. In such cases, the operator may notify the BSI on an anonymous basis. The notification must contain information about the technical framework used to provide the critical infrastructure, the security measures implemented and the sector of the operator. Where the disruption actually causes a failure or impairment of the critical infrastructure, the notification has to include the operator's identity.

> Administrative Fines

Any violation of the aforementioned obligations may be classified as an administrative offense which can be punished with a fine of up to EUR 50,000. In case the operator of critical infrastructure refuses to remedy deficiencies determined by the BSI in spite of an enforceable order issued by the BSI, the fine could amount to up to EUR 100,000.

Next Steps

Although the date of adoption of the Ordinance is not yet determined, entities that might be regarded as operators of critical infrastructure would certainly be well-advised to address the technical and organizational implementation of the requirements of the IT-Security Act at an early stage, by setting up appropriate IT standards and compliance systems.

Companies operating in the affected business sectors should consider in particular the following points: Could the company qualify as an operator of critical infrastructure under the IT-Security Act? Do the organizational measures in place to protect the availability, integrity, confidentiality and authenticity of the respective IT systems meet the legal requirements, and does the technical environment comply with the state of the art prescribed by law? Is there a monitoring process in place to meet the periodic reporting obligation and the obligation to notify IT security incidents?

Footnotes

[1] See NIST Cybersecurity Framework, available at http://www.nist.gov/cyberframework/.
[2] PPD-21 identifies the following as critical infrastructure sectors: chemicals, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear, transportation, water and wastewater. See Department of Homeland Security, available at http://www.dhs.gov/critical-infrastructure-sector.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.