1 Legal framework

1.1 Does the law in your jurisdiction distinguish between 'cybersecurity', 'data protection' and 'cybercrime' (jointly referred to as 'cyber')? If so, how are they distinguished or defined?

German law distinguishes between 'cybersecurity', 'data protection' and 'cybercrime'.

'Cybersecurity' can generally be equated with the term 'security of information technology'. According to Section 2(2) of the Act on the Federal Office for Information Security, 'security of information technology' refers to compliance with certain security standards relating to the availability, integrity or confidentiality of information, by means of security precautions both:

  • in IT systems, components and processes; and
  • for the use of IT systems, components and processes.

The main objective of cybersecurity is to prevent data destruction, loss, alteration or unauthorised disclosure by implementing hardware and software solutions.

'Data protection' concerns the protection of information relating to an identified or identifiable natural person. While 'cybersecurity' can refer to any information, 'data protection' addresses only information that relates to an individual, which makes data protection part of the fundamental right of personality. Nevertheless, the processing of personal data requires a high level of cybersecurity. Accordingly, Article 32 of the General Data Protection Regulation (GDPR) requires controllers and processors to implement, taking into account the state of the art, technical and organisational measures that ensure a level of security appropriate to the risk of the processing of personal data.

'Cybercrime' refers to crimes that are committed through or directed against the Internet, data networks and IT systems. Currently, the most common cybercrimes involve the infection and manipulation of computer systems with malware – for example, in order to access and misuse personal data (eg, identity theft) or to encrypt users' data in order to extort 'ransom money' from them (ransomware).

1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?

Cybersecurity is primarily addressed in the Act on the Federal Office for Information Security (BSI) and its accompanying regulation, the Regulation on Critical Infrastructure, which set out specific provisions for facilities of vital importance to Germany whose failure may lead to significant supply shortages or endanger public safety (so-called 'critical infrastructure'). Numerous sector-specific regulations also impose IT security obligations on the respective companies.

Data protection is mainly regulated by the GDPR. For certain matters, the GDPR provides opening clauses through which member states can adopt specific national regulations. The most important national regulation is the Federal Data Protection Act. One of the most important opening clauses is Article 88 of the GDPR, which leaves it to member states to establish provisions for data processing in the employment context. Germany has made use of this opening clause by providing employment-related data protection requirements, in particular in Section 26 of the Federal Data Protection Act (parts of which are, however, likely not applicable because they conflict with the requirements of the GDPR).

As cybercrimes constitute criminal offences, the Criminal Code contains the key statutory provisions.

1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?

(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?

Essential services/critical infrastructure: Provisions that address cybersecurity in relation to essential services (so-called 'critical infrastructure') are set out in the Act on the BSI and the Regulation on Critical Infrastructure. For instance, under Section 8a of the Act on the BSI, operators of critical infrastructure are obliged to take appropriate technical and organisational measures in order to avoid disruptions to the availability, integrity, authenticity and confidentiality of their IT systems. Since the IT Security Act 2.0, these measures must explicitly include attack detection (intrusion detection) systems. Furthermore, operators of critical infrastructure must regularly audit their measures and demonstrate to the BSI, at least every two years, that they have taken appropriate measures to comply with these requirements. As a rule of thumb, an operator will fall under the obligations of the Act on the BSI if its facility serves at least 500,000 people, but the specific thresholds depend on the sector and the services provided.

The IT Security Act 2.0 expanded the scope of the Act on the BSI to include companies of special public interest, such as defence contractors and chemical manufacturers, which are now defined in Section 2(14) of the Act on the BSI. These companies must also implement adequate technical and organisational measures, although their obligations are less stringent than those of operators of critical infrastructure. Pursuant to Section 9b of the Act on the BSI, operators of critical infrastructure must also fulfil information and cooperation duties.

Telecommunications services: Providers of telecommunications services (internet access, email accounts, telephone networks) are subject to special data protection regulations, which are stipulated in Sections 9 to 13 and 19 to 24 of the Telecommunications and Telemedia Data Protection Act. These provisions aim to safeguard users' personal data, in particular their traffic and inventory data.

According to Section 165 of the Telecommunications Act, service providers must deploy and maintain state-of-the-art IT security measures, not only to protect personal data, but also to prevent unauthorised interference with IT infrastructure. Under Section 166 of the Telecommunications Act, providers of telecommunications services must also establish an adequate IT security concept and appoint a security officer. In case of security incidents, providers must immediately comply with specific reporting obligations which are set forth in Section 168 of the Telecommunications Act.

Telemedia services: Telemedia providers must fulfil certain IT security obligations under the Telecommunications and Telemedia Data Protection Act. A 'telemedia provider' is any company that determines the content and provision of an electronic information and communication service. Pursuant to Sections 19(1) and (4) of the act, telemedia providers must comply with certain IT security standards by implementing appropriate technical and organisational measures.

Energy suppliers: Energy suppliers that qualify as operators of critical infrastructure are subject to the Act on the BSI; in addition, they must comply with the sector-specific provisions of Section 11 of the Energy Industry Act. For instance, to ensure an adequate level of IT security, energy suppliers and operators of energy supply installations must implement:

  • an information security management system;
  • intrusion detection systems; and
  • a network structure plan with all IT components.

Operators of nuclear facilities: Due to their high-risk potential, operators of nuclear facilities are subject to increased IT security obligations, which are specifically regulated in the Atomic Energy Act. The mandatory licensing procedure ensures that operators can guarantee sufficient security standards from the commencement of operations. Furthermore, in accordance with Section 6 of the Atomic Energy Act, operators and processors of nuclear material must maintain precautions in line with the state of the art to ensure an appropriate level of IT security at all times.

Health sector: With the introduction of electronic patient records and digital health applications, the functioning of the healthcare system depends to an even greater extent on the availability of IT systems. Sector-specific security obligations can be found, among other places, in:

  • Book V of the Social Code;
  • the Digital Healthcare Act;
  • the Patient Data Protection Act; and
  • the Digital Healthcare Modernisation Act.

Banking: Although the provisions of the Act on the BSI also apply to the banking sector, an additional obligation to establish and maintain IT security is stipulated in Section 25a(1) of the Banking Act. Credit institutions (ie, companies that conduct banking business commercially or on a scale that requires a commercially organised business operation) must have in place an effective risk management system, which must include an appropriate contingency plan for IT systems. In addition, such companies must have appropriate technical and organisational measures in place. The scope of these measures is substantiated by the Federal Financial Supervisory Authority in its circulars "Minimum Requirements for Risk Management" (MaRisk) and "Banking Supervisory Requirements for IT" (BAIT). Under the MaRisk, credit institutions must also fulfil extensive requirements if they outsource IT functions to hosting or cloud providers.

Finance: Sector-specific IT security obligations apply, for instance, to:

  • payment and e-money institutions;
  • investment service providers;
  • electronic identification service providers; and
  • stock exchange carriers.

Insurance: As they play an essential role in the provision of pensions and healthcare, insurance companies may be classified as critical infrastructure (finance and insurance sector) within the meaning of the Act on the BSI, provided that the applicable thresholds are met. Where this is the case, they are subject to the general IT security provisions of the Act on the BSI. Additionally, the Insurance Supervision Act obliges insurance companies to comply with certain IT security standards, including the requirement to implement a general risk management system (Section 26). These obligations are specified in detail by the Federal Financial Supervisory Authority in its circular "Insurance Supervisory Requirements for IT" (VAIT).

(b) Certain types of information (personal data, health information, financial information, classified information)?

Personal data: The processing of personal data – including the lawfulness of processing, the duties of controllers and processors, and the rights of data subjects – is predominantly regulated by the GDPR. Key provisions of the GDPR include:

  • Article 6 (lawfulness of processing);
  • Article 12 (transparency and modalities for exercising data subject rights); and
  • Article 32 (security of data processing).

Protection of special categories of personal data: The GDPR sets out specific regulations for special categories of personal data. Pursuant to Article 9(1), this is data that reveals the data subject's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed to uniquely identify a natural person, data concerning health, and data concerning a person's sex life or sexual orientation. The processing of special categories of personal data is generally prohibited. Exceptions to this rule are set out in Article 9(2) of the GDPR.

Cybercrime: The provisions on cybercrime and personal data are supplemented by Section 42 of the Federal Data Protection Act. According to Section 42, for instance, knowingly and without authorisation transferring to a third party, or otherwise making accessible, personal data of a large number of data subjects that is not publicly accessible is punishable by imprisonment for up to three years or by a fine, if this is done on a commercial basis.

1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?

Data protection: According to Article 3(2) of the GDPR, the GDPR has extraterritorial reach under certain conditions. Its provisions apply to a controller or processor that is not established in the European Union where the respective processing activities relate to:

  • the offering of goods or services to data subjects in the European Union, irrespective of whether payment is required; or
  • the monitoring of data subjects' behaviour, insofar as that behaviour takes place within the European Union.

Cybersecurity: In order to implement the requirements of the Network and Information Security (NIS) Directive, in 2017 the legislature extended the powers of the BSI in a cross-border context. Among other things, it tasked the BSI with communicating IT disruptions to its counterparts in other EU member states. Providers of digital services – such as cloud providers, online marketplaces and search engines – that have no establishment in the European Union will generally be subject to the IT security requirements of German law when they direct their services to Germany.

Cybercrime: Criminal offences committed abroad fall within the reach of German criminal law within the limits of Section 5(7) of the Criminal Code. According to this provision, German criminal law applies to the violation of business or trade secrets of domestic establishments or enterprises. Accordingly, the secrecy provisions in Sections 201 to 204 of the Criminal Code (see question 1.6) have extraterritorial reach if they are breached to the detriment of establishments or enterprises that operate in Germany; so-called 'mailbox companies' are not protected under these provisions if they are targeted from abroad. This extraterritorial reach also extends, among other things, to the offences of fraud and computer fraud pursuant to Sections 263 and 263a of the Criminal Code, as long as the victim's financial loss has materialised through a violation of business or trade secrets.

1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?

European laws regulating cyber have effect in Germany: the GDPR applies directly, while the NIS Directive has been transposed into German law (see question 1.4). The same applies to Commission adequacy decisions under the GDPR, such as the decision on the EU-US Data Privacy Framework. Other than these, however, bilateral and multilateral instruments have no major impact in this regard.

1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?

'Cybercrime' encompasses a variety of different criminal offences, such as:

  • violation of the confidentiality of the spoken word (Section 201 of the Criminal Code);
  • data espionage (Section 202a of the Criminal Code);
  • interception of data, for example in phishing and man-in-the-middle scenarios (Section 202b of the Criminal Code);
  • data manipulation (Section 303a of the Criminal Code); and
  • computer sabotage (Section 303b of the Criminal Code).

Cybercrime that causes a financial loss to the victim (eg, phishing) can constitute fraud (Section 263 of the Criminal Code). The Criminal Code also provides for computer fraud (Section 263a of the Criminal Code), which occurs when the offender damages the (financial) property of another person by influencing the result of a data processing operation through:

  • the incorrect configuration of the computer program;
  • the use of incorrect or incomplete data;
  • the unauthorised use of data; or
  • the exercise of other unauthorised influence on the processing operation.

In addition to the provisions of the Criminal Code, individual codifications in other statutes address cybercrime. One example is Section 23 of the Act on the Protection of Trade Secrets, which criminalises the unlawful acquisition, use or disclosure of trade secrets. Furthermore, a legislative proposal provides for the unauthorised use of IT systems to be criminalised in a new Section 202e of the Criminal Code; this provision has not yet been enacted.

Depending on the individual offence, the criminal penalties for the basic offences listed above range from fines to imprisonment for up to three years, with higher maximum sentences in qualified cases (eg, computer sabotage of critical infrastructure). Where government entities are targeted, there may be charges of treason (Section 94 of the Criminal Code), which carries imprisonment of not less than one year (and, in particularly serious cases, life imprisonment or imprisonment of not less than five years), or of disclosure of state secrets (Section 95 of the Criminal Code), which carries imprisonment of six months to five years. In the case of fraud and computer fraud, the penalties range from fines to imprisonment for up to five years – or, in particularly serious cases, six months to 10 years.

2 Enforcement

2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?

Data protection: There are 17 state data protection authorities (Bavaria has two) and one federal authority, the Federal Commissioner for Data Protection and Freedom of Information. Generally, the supervision of state public authorities and of the private sector falls within the responsibility of the individual state authorities, while the supervision of federal authorities and bodies (as well as of telecommunications and postal companies) falls within the responsibility of the federal commissioner. The data protection authorities have both:

  • investigative powers (eg, the power to order the provision of documents or to obtain information); and
  • corrective powers (eg, the power to issue warnings or to impose fines).

Generally, these measures can be taken against:

  • the data controller (ie, the person that determines the purposes and means of the data processing); and
  • the data processor (ie, the person that processes personal data on behalf of the controller).

In either case, the addressee may be a natural or legal person, a public authority, an agency or another body.

The measures that may be taken by the data protection authorities do not include criminal penalties; criminal offences are prosecuted by the public prosecutors' offices. Measures can also be taken against entities outside Germany, although the extraterritorial enforcement of orders may be difficult.

Cybersecurity generally falls under the competence of the Federal Office for Information Security (BSI). The BSI investigates IT security risks and develops preventive security measures. It can issue warnings, examine and certify IT products and services, and advise individuals and companies. Furthermore, it sets out the criteria under which operators of critical infrastructure must fulfil the IT security requirements of the Act on the BSI. The BSI has both:

  • investigative powers (eg, the power to order the provision of documents); and
  • corrective powers (eg, the power to impose fines).

The BSI can also – at least to some extent – take extraterritorial measures, although extraterritorial enforcement of the measures may be difficult in practice.

Cybercrimes are prosecuted by the public prosecutors' offices, and criminal penalties ranging from fines to imprisonment are imposed by the criminal courts. To some extent, prosecution is also possible at an extraterritorial level (see question 1.4).

2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?

Data protection: According to Article 77 of the General Data Protection Regulation (GDPR), a data subject has the right to lodge a complaint with a supervisory authority if he or she considers that the processing of his or her personal data infringes the GDPR – in particular, if the controller does not comply with the data subject's rights under Articles 12 and following of the GDPR. Furthermore, Article 78 of the GDPR grants the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning the data subject. Without prejudice to Article 77 of the GDPR, Article 79 grants the right to an effective judicial remedy against a controller or processor where the data subject considers that his or her rights under the GDPR have been infringed. Furthermore, the data subject can claim compensation for material or non-material damage under Article 82 of the GDPR and Section 823 of the Civil Code, and apply for an injunction under Section 1004 of the Civil Code. Under certain circumstances, the data subject can also file a criminal complaint (see questions 1.3(b) and 1.6).

Cybercrime: If a natural or legal person's rights protected under German criminal law are violated, that person can generally file a criminal complaint with the authorities. Cybercrimes that are sufficiently far reaching to affect the public interest may be prosecuted ex officio, without a criminal complaint, once the authorities become aware of them. For instance, cybercrime that results in a financial loss for the victim can constitute fraud, which is prosecuted without a formal complaint unless the loss is of minor value (a threshold that the courts generally set at around €50).

2.3 What defences are available to companies in response to governmental or private enforcement?

Generally speaking, companies can always challenge governmental enforcement actions. The remedies may be divided into administrative and judicial remedies. In the former case, the enforcement action is reviewed by the authority itself, such as the data protection authority or the BSI (so-called 'objection'). In the latter case, the enforcement action is reviewed by the courts. While judicial review of a governmental enforcement action is always possible, the availability of administrative review depends, among other things, on the executing authority.

When the public prosecutor's office has brought charges against a defendant for an alleged cybercrime, the defendant must appear before the court. The power to impose a criminal penalty rests with the court. In case of conviction, the defendant can appeal the decision to a higher court.

3 Landmark matters

3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?

In December 2019, 1&1 Telecom GmbH was fined €9.55 million for not complying with the General Data Protection Regulation (GDPR) provisions on the security of processing (Article 32 of the GDPR). Callers to 1&1's customer service department were able to obtain extensive information on other customers simply by giving those customers' names and dates of birth. According to the Federal Data Protection Authority, this constituted a violation of Article 32 of the GDPR, under which a company is obliged to implement appropriate technical and organisational measures to protect the processing of personal data. This infringement was not limited to a small proportion of customers, but posed a risk to the entire customer base. On appeal, the Bonn Regional Court reduced the fine to €900,000.

GDPR fines have also been imposed in other cases with less 'cyber' relevance. For example, on 30 October 2019 the Berlin Commissioner for Data Protection imposed a fine of around €14.5 million on Deutsche Wohnen SE for violations of the GDPR. The supervisory authority found that, between June 2017 and March 2019, the real estate company used an archive system that did not provide for the deletion of tenants' data once it was no longer required. In some cases, the company retained sensitive data (eg, salary statements, self-disclosure forms, extracts from employment contracts, health insurance and social security data), even though the data was no longer necessary for the purposes for which it was originally collected. Following an objection by Deutsche Wohnen, the Berlin Regional Court discontinued the fine proceedings by order of 18 February 2021 and declared the fine notice invalid on formal grounds. An appeal is pending.

On 1 October 2020, the Hamburg Commissioner for Data Protection imposed a fine of €35 million on H&M Hennes & Mauritz Online Shop AB & Co. KG for its monitoring and permanent storage of personal data of several hundred employees. This was found to constitute a serious violation of employee data protection through unlawful surveillance. The fine was the highest of its kind imposed in Germany at the time.

In addition, the Federal Office for Information Security (BSI) has recently become more active in enforcement measures, and has commenced administrative proceedings with respect to non-privacy-related cybersecurity measures against several companies.

3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?

The IT Security Act 2.0, which came into force on 28 May 2021, has significantly expanded the scope of the existing security laws and led to increased cybersecurity requirements for many companies. In addition, the BSI now has broader powers and responsibilities, and can conduct more in-depth investigations to identify security vulnerabilities. Fines for non-compliance have also been significantly increased: even non-privacy-related cybersecurity breaches are now subject to fines that resemble those under the GDPR in amount, as fines of up to €20 million can be imposed.

4 Proactive cyber compliance

4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.

Under Section 8a(2) of the Act on the Federal Office for Information Security (BSI), industry associations may propose sector-specific security standards, which the BSI can officially recognise as suitable for meeting the act's requirements (so-called 'B3S' standards). Such industry standards have been recognised for the water, food, IT and telecommunications, energy, health, transportation, finance and insurance sectors.

The BSI has also published its IT-Grundschutz guidance (IT baseline protection), which is aligned with the ISO 27001 requirements and gives an overview of security best practices; ISO 27001 certification on the basis of IT-Grundschutz is available.

4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.

With regard to cybersecurity, the BSI provides guidance on both maintaining IT security and complying with the cybersecurity regime, in particular the Act on the BSI.

With regard to data protection, the data protection authorities regularly issue statements in which they both comment on their legal view and advise on compliance with the data protection regulations.

4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?

Regardless of the legal form of a corporate entity, proactive cyber-compliance falls within the responsibility of corporate officers and directors. This follows from Section 91 of the Stock Corporation Act, which applies directly to stock corporations (see question 4.4) and is applied by analogy to other corporations. In essence, Section 91 obliges the management board to conduct diligent corporate management and organisation, including the establishment of a monitoring system for developments that could endanger the company's existence. This results in a duty to achieve and maintain an appropriate level of IT security. Corporate officers and directors may be in breach of this duty where they fail to comply with their duties as outlined in question 4.4.

4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?

Managing the company and complying with legal obligations, including proactive cyber-compliance, fall within the responsibility of the management board. No special cyber-regulations are explicitly directed at listed entities. However, general provisions stipulated in the Stock Corporation Act specify the general scope of the management board's duties. These provisions may be used to determine the scope of its obligations regarding IT security and cyber-compliance.

The duty to establish and maintain IT security derives from Sections 76 and 91 of the Stock Corporation Act. In practice, one member of the management board is often assigned responsibility for IT compliance and is monitored by his or her fellow board members. Proactive cyber-compliance requires the establishment of an IT risk management system that proactively monitors and detects IT security risks that could endanger the company's existence (see Sections 91 and 93 of the Stock Corporation Act).

The duty to manage the company, stipulated in Section 76 of the Stock Corporation Act, imposes further cyber-compliance obligations, including:

  • the duty to act in accordance with the general legal system (particularly with regard to the use of IT systems);
  • monitoring obligations (in order to identify IT security risks as early as possible); and
  • the obligation to exercise due diligence (which requires appropriate responses to identified IT security risks in order to prevent damage to the company).

The implementation of specific measures ensuring compliance with these duties is generally at the discretion of the management board.

4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?

Companies are generally free to share details of actual or potential cybersecurity threats with industry peers and other stakeholders, subject to the GDPR where the shared information contains personal data; there is no general obligation to do so. However, once a cybersecurity threat has materialised, affected companies must share details with the BSI and/or the data protection authorities under the various cyber-statutes (see question 5).

5 Cyber-incident response

5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?

Article 33 of the General Data Protection Regulation (GDPR) imposes a mandatory notification requirement in the case of a personal data breach. A 'personal data breach' is defined in Article 4(12) of the GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Pursuant to Article 33(1) of the GDPR, the controller must generally notify the supervisory authority within 72 hours of becoming aware of the breach. This notification requirement applies to all personal data (regardless of its sensitivity), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Additionally, Article 34 of the GDPR ("Communication of a personal data breach to the data subject") requires affected data subjects to be notified where the breach is likely to result in a high risk to their rights and freedoms. In this case, the controller is obliged to communicate the personal data breach to the data subject without undue delay.

Furthermore, notification requirements exist for operators of critical infrastructure, companies of special public interest and other regulated entities. These must notify the competent regulator (often the Federal Office for Information Security) of disruptions to the availability, integrity, authenticity and/or confidentiality of their IT systems that have led, or may lead, to a failure or significant impairment of the functionality of the respective infrastructure.

So-called 'providers of digital services', such as cloud providers, must report security incidents which have a significant impact on their services; and telecommunications service providers must report impairments of telecommunications networks that have or may have led to significant security breaches, as well as privacy violations.

5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?

Personal data breach: In case of a personal data breach, Article 33(1) of the GDPR stipulates that the controller must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it. If the notification is not made within 72 hours, it must be accompanied by reasons for the delay.

The information to be provided is set out in Article 33(3) of the GDPR and includes:

  • a description of the nature of the personal data breach, including the categories and approximate number of data subjects concerned;
  • details of the likely consequences of the personal data breach; and
  • the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Additionally, the controller must communicate the personal data breach to affected data subjects without undue delay if the breach is likely to present a significant risk to their rights and freedoms. This communication must describe in clear and plain language the nature of the breach and at least:

  • the name and contact details of the relevant data protection officer or contact point;
  • the likely consequences of the data breach; and
  • the measures taken or proposed by the controller to address the breach and/or mitigate its effects.

In theory, the controller should notify every affected data subject individually. Where this involves disproportionate effort, however, the controller may consider group notifications.

Article 34(3) of the GDPR stipulates exceptions from the communication requirement. These apply if, among other things:

  • technical and organisational measures have been applied to the personal data which render it unintelligible to unauthorised persons (eg, encryption); or
  • the controller has taken steps to ensure that an originally high risk is no longer likely to materialise.

Several additional notification requirements apply to providers of critical infrastructure and similarly exposed providers in various industries (see question 5.1). Notification in these cases must be provided as soon as is reasonably possible.

5.3 What steps are companies legally required to take in response to cyber incidents?

Apart from complying with the duties outlined in questions 5.1 and 5.2, the company must analyse the risks that led to the materialisation of the cyber incident. Depending on the results of this risk assessment, the company must take steps to mitigate such risks and take all additional measures that are necessary to prevent further damage.

5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?

The legal duties of corporate officers and directors with respect to cyber-incident response are similar to those discussed in question 4.3. Corporate officers and directors must diligently manage and organise the company. This duty requires compliance with relevant laws and consequently also with notification obligations relating to cyber incidents. The aforementioned duties also entail a requirement to:

  • identify the risks that led to a respective cyber incident;
  • mitigate those risks through appropriate measures; and
  • take measures to mitigate the incident's possible adverse effects.

5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?

Yes, some companies maintain cyber-incident insurance policies, although as yet this is still relatively uncommon in Germany as compared to other countries. Due to the rise in cyber-incidents, however, companies are becoming increasingly aware of the need to adequately insure against these risks.

6 Trends and predictions

6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

At the European level, various new cybersecurity laws have been passed, such as the Digital Operational Resilience Act (DORA), the NIS2 Directive and the Critical Entities Resilience (CER) Directive. These new laws will require amendments to German cybersecurity laws. Draft bills for the German NIS2 implementation act and the CER implementation act have been published, but they are not likely to apply before October 2024 (NIS2) or January 2026 (CER).

7 Tips and traps

7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?

Failure to invest and organisational obstacles: Medium-sized companies and so-called 'hidden champions' (larger but relatively unknown companies which are market leaders in their industry) play an important role in the German economy. Nevertheless, many of these companies do not invest sufficiently in their IT security infrastructure, which can put both themselves and – due to their economic importance – the German economy as a whole at greater risk. Furthermore, in order to implement IT security software, employment law principles and provisions must be taken into account. Many companies have works councils, which must be consulted and involved in this implementation.

Private use of employers' IT infrastructure: Some employers allow their staff to use their IT infrastructure (eg, computers, email accounts, mobile phones, internet access) for private purposes. However, the prevailing legal opinion qualifies such employers as telecommunications service providers; as such, they are bound by the principles on the secrecy of telecommunications. This would preclude the employer from accessing employee data – in particular, data in business email accounts. As employers depend on such access for their ordinary business operations, this could lead to a severe legal conflict with their obligations under the General Data Protection Regulation (GDPR). In order to avoid such conflicts, employers in Germany should consider whether to prohibit the private use of company IT infrastructure and the storage of company data in private accounts in their policies. If such policies nonetheless allow for private use or private accounts, additional measures should be taken to ensure that the employer can access relevant data as needed.

Clash between privacy rights and cybersecurity: According to Article 32 of the GDPR, the data controller and processor must implement appropriate technical and organisational measures to protect personal data that ensure a level of security appropriate to the risk (ie, the sensitivity and volume of the personal data processed). Several IT security solutions are state of the art, such as endpoint detection and response, data loss prevention and security information and event management solutions. However, some functions of these tools allow employers to directly or indirectly monitor their employees. Detailed insight into system and user behaviour (eg, tracking visited websites, sent and received emails, or partially private data on devices) can constitute a grave infringement of employee privacy. For this reason, the German data protection authorities recommend implementing security software that allows the scope of data processing to be adjusted from the administration panel. If employers want to introduce such a solution, they should implement technical and organisational measures to minimise the risks. This could be achieved by limiting access to the administration panel or by pseudonymising personal data. In any case, the employer should consider whether the implementation of a solution might require a data protection impact assessment pursuant to Article 35 of the GDPR.
