(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Essential services/critical infrastructure: Provisions that address cybersecurity in relation to essential services (so-called ‘critical infrastructure’) are set out in the Act on the BSI and the Regulation for Critical Infrastructure. For instance, under Section 8a of the Act on the BSI, operators of critical infrastructure are obliged to take appropriate technical and organisational measures to avoid disruptions to the availability, integrity, authenticity and confidentiality of their IT systems. These measures must explicitly include intrusion detection systems. Furthermore, operators of critical infrastructure must regularly audit their measures and demonstrate to the BSI, at least every two years, that the measures they have taken comply with these requirements. As a rule of thumb, an operator will fall under the obligations of the Act on the BSI if its facility serves 500,000 or more people, but the specific thresholds depend on the sector and the services provided.
The IT Security Act 2.0 expanded the scope of application to companies of special public interest, such as defence and chemical manufacturers, which are now defined in Section 2(14) of the Act on the BSI. These companies must also implement adequate technical and organisational measures, although their obligations are less stringent than those of operators of critical infrastructure. Pursuant to Section 9b of the Act on the BSI, operators of critical infrastructure must also fulfil information and cooperation duties in relation to the use of critical components.
Telecommunications services: Providers of telecommunications services (internet access, email accounts, telephone networks) are subject to special data protection rules, which are set out in Sections 9 to 13 and 19 to 24 of the Telecommunications and Telemedia Data Protection Act. These provisions aim to safeguard users’ personal data, in particular their traffic and inventory data.
According to Section 165 of the Telecommunications Act, service providers must deploy and maintain state-of-the-art IT security measures, not only to protect personal data but also to prevent unauthorised interference with their IT infrastructure. Under Section 166 of the Telecommunications Act, providers of telecommunications services must also establish an adequate IT security concept and appoint a security officer. In the event of a security incident, providers must without delay comply with the specific reporting obligations set out in Section 168 of the Telecommunications Act.
Telemedia services: Telemedia providers must fulfil certain IT security obligations under the Telecommunications and Telemedia Data Protection Act. A ‘telemedia provider’ is any company that determines the content and provision of an electronic information and communication service. Pursuant to Sections 19(1) and (4) of the act, telemedia providers must meet certain IT security standards by implementing appropriate technical and organisational measures.
Energy suppliers: While energy suppliers, as operators of critical infrastructure, are also subject to the Act on the BSI, they may additionally have to comply with sector-specific provisions under Section 11 of the Energy Industry Act. For instance, to ensure an adequate level of IT security, energy suppliers and operators of energy supply installations must implement:
- an information security management system;
- intrusion detection systems; and
- a network structure plan with all IT components.
Operators of nuclear facilities: Because of their high risk potential, operators of nuclear facilities are subject to increased IT security obligations, which are specifically regulated in the Atomic Energy Act. The mandatory licensing procedure ensures that operators can guarantee sufficient security standards from the commencement of operations. Furthermore, in accordance with Section 6 of the Atomic Energy Act, operators and processors of nuclear material must apply the state of the art to ensure an appropriate level of IT security at all times.
Health sector: With the introduction of electronic identity documents and digital health applications, the functioning of the healthcare system depends to an even greater extent on the availability of IT systems. Sector-specific security obligations can be found, inter alia, in:
- the Social Code;
- the Digital Healthcare Act;
- the Patient Data Protection Act; and
- the Digital Healthcare Modernisation Act.
Banking: Although the provisions of the Act on the BSI also apply to the banking sector, an additional obligation to establish and maintain IT security is stipulated in Section 25a(1) of the Banking Act. Credit institutions (ie, companies that conduct banking business commercially or on a scale that requires a commercially organised business operation) must have in place an effective risk management system, which must include an appropriate emergency plan for IT systems. In addition, such companies must have appropriate technical and organisational measures in place. The scope of these measures is specified by the Federal Financial Supervisory Authority in its circulars “Minimum Requirements for Risk Management” (MaRisk) and “Banking Supervisory Requirements for IT” (BAIT). Under the MaRisk, credit institutions must also fulfil extensive requirements if they outsource IT services, including IT security, to hosting or cloud providers.
Finance: Sector-specific IT security obligations apply, for example, to:
- payment and e-money institutions;
- investment service providers;
- electronic identification service providers; and
- stock exchange operators.
Insurance: As they play an essential role in the provision of pensions and healthcare, insurance companies are classified as critical infrastructure within the meaning of the Act on the BSI. As a result, they are subject to the general IT security provisions of the Act on the BSI. Additionally, the Insurance Supervision Act obliges such companies to comply with certain IT security standards, including the requirement to implement a general risk management system (Section 26). These obligations are specified in detail by the Federal Financial Supervisory Authority in its circular “Insurance Supervisory Requirements for IT” (VAIT).
(b) Certain types of information (personal data, health information, financial information, classified information)?
Personal data: The processing of personal data – including the lawfulness of processing, the duties of controllers and processors, and the rights of data subjects – is governed predominantly by the GDPR. Key provisions of the GDPR include:
- Article 6 (lawfulness of processing);
- Article 12 (transparent information and the modalities for exercising data subject rights); and
- Article 32 (security of data processing).
Protection of special categories of personal data: The GDPR sets out specific rules for special categories of personal data. Pursuant to Article 9(1), this is data that reveals the data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a person’s sex life or sexual orientation. The processing of special categories of personal data is prohibited in principle. Exceptions to this rule are set out in Article 9(2) of the GDPR.
Cybercrime: The criminal-law provisions on cybercrime are supplemented, as regards personal data, by Section 42 of the Federal Data Protection Act. Under Section 42, for instance, the unauthorised transfer to, or provision of access for, third parties of personal data concerning a large number of data subjects that is not publicly accessible is punishable by imprisonment for up to three years or by a fine, if this is done on a commercial basis.