Dr. Frank Jungfleisch, Corporate Law; Sebastian Hoegl, Corporate Law

German Bundestag passes IT Security Act

On 12 June 2015, the German Bundestag passed the "Act to Enhance the Security of Information Technology Systems (IT Security Act)" (Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme – “IT Sicherheitsgesetz”). The new law will establish a framework for enhanced IT security and will also introduce a centralized reporting system at the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – “BSI”).

For the first time, the Act defines so-called "critical infrastructures". According to the legislator, these are areas which play an important role in public services. They include all institutions, facilities or parts thereof in the following sectors: energy, information technology and telecommunications, transport and traffic, health, water, food, as well as finance and insurance. However, the "critical infrastructures" shall be defined in more detail by a statutory order which is to be issued by the Federal Ministry of the Interior in agreement with the affected trade associations.

The Act will authorize the BSI to investigate potential risks autonomously. In addition, it compels operators of critical infrastructures to implement appropriate organizational and technical precautions to prevent malfunctions within two years at the latest after the above-mentioned regulation comes into effect. Furthermore, the operators of critical infrastructures will be obligated to keep contact lists available in order to exchange information with the BSI. They will also be obligated to report malfunctions to the BSI immediately.

In addition, the BSI will be authorized to warn the public about security gaps and malware, as well as in case of possible data loss or unauthorized access to data.

It must be noted that some regulations of the new IT Security Act do not apply to very small businesses (companies with fewer than 10 employees). Furthermore, the new Act initially only sets the framework, which will be further specified by the statutory order.

In the approval process for the IT Security Act, the regulations of the Telemedia Act (Telemediengesetz – “TMG”), which are relevant for all website operators, have also been amended. Website operators will have to secure their websites according to the state of the art in the future. Breaches of both the IT Security Act and the now legally standardized obligation of website operators may be fined.

The amendments will prompt companies to examine their own IT infrastructure and infrastructure security. Protection against malfunctions and external attacks is first of all in the company's own interest. The new regulations, however, show that the legislator also views this as an obligation of the companies. As a result, companies should keep an eye on the statutory orders which will be passed in the near future by the Federal Ministry of the Interior to specify the new law.
