German Law: critical infrastructures and cybersecurity

The frequency and the impact of incidents affecting information systems and services are continuously growing, because of the development of increasingly sophisticated methods.One of these methods consists in creating and using ‘botnets’, namely, the act of establishing remote control over a significant number of computers by infecting them with malicious software through targeted cyber-attacks. Once created, the infected network of computers that constitute the botnet can be activated without the computer users’ knowledge in order to launch a large-scale cyber-attack, which usually has the capacity to cause serious damage.

Cyber-attacks can be really critical to sensitive functions in both the private and public sector, with particular reference to the so-called “critical infrastructures”, namely, facilities and installations, the disruption or destruction of which could seriously affect essential economic and societal activities (e.g. transportation and traffic, IT and telecommunication, water and food, finance and insurance, healthcare).

The most relevant German regulation on the matter is contained in the IT Security Act, which came into effect on July 25, 2015.

The IT Security Act applies to websites operators and others considered as service providers according to the German Telemedia Act, telecommunication companies and operators of critical infrastructures, requiring them to implement security measures and to report security incidents to the Federal Office for information Security - “Bundesamt für Sicherheit in der Informationstechnik” (BSI).  This regulation applies to operators based in Germany, as well as, to foreign operators to the extent they provide infrastructures, products and services in Germany.

The IT Security Act is relevant in particular because of the regulation provided for the operators of critical infrastructures.

The IT Security Act provides a general definition of “critical infrastructures” and it empowers the Federal Ministry of the Interior to specify, in each sector, which operators could be deemed as a critical. At this purpose, the Ministry shall use branch-specific threshold values. The first ordinance, recently issued, covers the following sectors: energy, information technology and communications, water and food. The ordinance for the health, banking and insurance sectors is expected by the end of 2016 and the ordinance concerning the transport and traffic sector is expected by the beginning of 2017.

According to the IT Security Act and the ordinances, critical infrastructure operators must fulfill the following requirements.

First of all, companies shall adopt state-of-the-art technical and organizational measures to protect and ensure the availability, integrity, authenticity and confidentiality of their IT systems and services. IT Security Act does not define what is to be considered as state-of-the-art in each branch. The specification will be provided by the BSI, in cooperation with the representatives of the relevant sectors. Companies and industry associations may also propose branch-specific security standards.

Companies shall adopt the measures provided by the BSI within two years after the above mentioned ordinances has taken effect and they will be also required to demonstrate compliance to the BSI at least every two years (e.g. by security audits, examinations and certifications).

During the transition period, companies shall apply state-of-the-art measures, which are appropriate, technically feasible and commercially reasonable. In order to identify the “state-of-the-art measures”, companies can refer to national and international standards as well as to examples successfully proven in practice for the respective sector.

Within six months, after the above mentioned ordinances, companies shall also define an internal procedure in order to accomplish the reporting obligation to the BSI and they shall identify a person as a single point of contact with the authority. In case of incident, companies shall inform the BSI immediately, providing any relevant information on the disruption (e.g. the suspected or actual cause, the information technology and the facilities involved). The IT Security Act does not ask companies to report cybercrime attacks publicly but, in limited circumstances, the BSI could provide third parties with information on reported incidents.

In case of failure in implementing IT security measures, companies should pay fines up to EUR 100,000. Fines could be lesser in case of failure in complying with reporting obligations to the BSI.

The IT Security Act forestalled the European directive 2016/1140 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive).

The NIS Directive clarifies that Member States may adopt or maintain provisions with a view to achieving a higher level of security of network and information systems. Moreover, the analysis of the rules shows significant similarities between European and German regulation.

Hence, the Directive does not affect the validity of the IT Security Act, but the German legislator should be asked to adjust the current legislation where necessary. Responding effectively to the new challenges in the cyber security sector requires, in fact, a global approach at Union level, covering common minimum capacity building and planning requirements, exchange of information, cooperation and common security requirements for operators.

 

 

Cybersecurity: the relevant European regulation

Network and information systems and services play a vital role in society. Their reliability and security are essential to economic and societal activities as well as to the functioning of the internal market.

However, the frequency and the impact of security incidents are continuously increasing and they represent the major threat to the functioning of information systems and services, as well as to the protection of the personal data.

Furthermore, the different approach of the Member State has led to fragmented regulations across the Union.

Responding effectively to the new challenges in the cyber security sector requires a global approach at Union level, covering common minimum capacity building and planning requirements, exchange of information, cooperation and common security requirements for operators.

In order to accomplish this purpose, the European Union issued, inter alias, the following acts:

- Directive 2013/40/EU of 12 august 2013, on attacks against information system.

- Directive 2016/1148 of 6 July 2016, concerning measures for a high common level of security of network and information systems across the Union.

- Regulation 2016/679 of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Directive 2013/40/EU of 12 august 2013, on attacks against information system

The objectives of this Directive are to approximate the criminal law of the Member States in the area of attacks against information systems by establishing minimum rules concerning the definition of criminal offences and the relevant sanctions and to improve cooperation between competent authorities, including the police and other specialised law enforcement services of the Member States, as well as the competent specialised Union agencies and bodies, such as Eurojust, Europol and its European Cyber Crime Centre, and the European Network and Information Security Agency (ENISA).

In fact, there is evidence of a tendency towards increasingly dangerous and recurrent large-scale attacks conducted against information systems which can often be critical to particular functions in the public or private sector. There is also a relevant number of “critical infrastructures” (infrastructures which are essential for the maintenance of vital societal functions like health, safety, security and transport), the disruption or destruction of which would have a significant cross-border impact.

Furthermore, it is really relevant the development of increasingly sophisticated methods, such as the creation and use of so-called ‘botnets’, namely, the act of establishing remote control over a significant number of computers by infecting them with malicious software through targeted cyber-attacks. Once created, the infected network of computers that constitute the botnet can be activated without the computer users’ knowledge in order to launch a large-scale cyber-attack, which usually has the capacity to cause serious damage.

Hence, the Directive aims to introduce criminal penalties for:  (i) illegal access to information systems, (ii) illegal system interference, (iii) illegal data interference, (iv) illegal interception.

In all cases, the criminal act must be committed intentionally. Instigating, aiding, abetting and attempting to commit any of the above offences will also be liable to punishment.

The Member States will have to make provision for such offences to be punished by effective, proportionate and dissuasive criminal penalties.

Where an offence is committed in the context of a criminal organisation and causes substantial loss or affects essential interests, this will be considered an aggravating circumstance. The same applies if an offence is committed using another person's identity and causes harm to this person.

The Directive also introduces the liability of 'legal persons' and sets out sanctions that may apply if they are found liable.

Each EU country will assume jurisdiction at minimum for offences committed on its territory or by one of its nationals outside its territory. Where several countries have jurisdiction over an offence, they must cooperate to decide which one will conduct proceedings against the author of said offence.

In order to fight cybercrime effectively, it is also necessary to increase the resilience of information systems by taking appropriate measures to protect them more effectively against cyber-attacks. Member States should take the necessary measures to protect their critical infrastructure from cyber-attacks, as part of which they should consider the protection of their information systems and associated data. Ensuring an adequate level of protection and security of information systems by legal persons, for example in connection with the provision of publicly available electronic communications services in accordance with existing Union legislation on privacy and electronic communication and data protection, forms an essential part of a comprehensive approach to effectively counteracting cybercrime. Appropriate levels of protection should be provided against reasonably identifiable threats and vulnerabilities in accordance with the state of the art for specific sectors and the specific data processing situations. The cost and burden of such protection should be proportionate to the likely damage a cyber-attack would cause to those affected. Member States are encouraged to provide for relevant measures incurring liabilities in the context of their national law in cases where a legal person has clearly not provided an appropriate level of protection against cyber-attacks.

To fight cybercrime better, the Directive also calls for greater international cooperation between judicial and law enforcement authorities.

To this end, EU countries must: (i) have an operational national point of contact, (ii) use the existing network of 24/7 contact points (iii) respond to urgent requests for help within 8 hours to indicate whether and when a response may be provided, (iv) collect statistical data on cybercrime.

This Directive has been implemented by national laws across the Union.

Directive 2016/1148 of 6 July 2016, concerning measures for a high common level of security of network  and information systems across the Union.

The Directive requires minimum IT security requirements and a reporting scheme for security incidents to digital service providers as well as operators of essential services, so called “critical infrastructures”.

Within the meaning of the Directive, digital services are: (i) online marketplace; (ii) online search engine; (iii) cloud computing services. The Directive does not apply to: (i) undertakings providing public communication networks or publicly available electronic communication services, within the meaning of Directive 2002/21/EU, which are subject to the specific security and integrity requirements laid down in that Directive; (ii) trust service providers within the meaning of Regulation 910/2014/EU which are subject to the security requirements laid down in that Regulation.

Digital service providers should identify and take appropriate and proportionate technical and organisational measures to ensure the security of network and information systems which they use in the context of offering their services within the Union, as well as to prevent and minimise the impact of incidents affecting their systems.

Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed, and shall take into account the following elements: (i) the security of systems and facilities; (ii) incident handling; (iii) business continuity management; (iv) monitoring, auditing and testing; (v) compliance with international standards. They also should notify the competent authority without undue delay of any incident having a substantial impact on the provision of a service. In order to determine whether the impact of an incident is substantial, the following parameters in particular shall be taken into account: (i) the number of users affected by the incident, in particular users relying on the service for the provision of their own services; (ii) the duration of the incident; (iii) the geographical spread with regard to the area affected by the incident; (iv) the extent of the disruption of the functioning of the service; (v) the extent of the impact on economic and societal activities.

For the purposes of the Directive, a digital service provider should be deemed to be under the jurisdiction of the Member State in which it has its main establishment, namely, the head office. If the digital service provider is not established in the Union but offers services within the Union, should designate a representative in the Union.

Operators of critical infrastructure are subject to rules slightly different. Each Member State will determine which operators in their jurisdiction could be considered as critical infrastructures. The criteria for the identification should be as follows: (i) an entity provides a service which is essential for the maintenance of critical societal and/or economic activities; (ii) the provision of that service depends on network and information systems; and (iii) an incident would have significant disruptive effects on the provision of that service.In order to establish if an incident could have significant disruptive effects, the Member States should take into account the following factors: (i) the number of users relying on the service provided by the entity concerned; (ii) the dependency of other sectors referred to in Annex II on the service provided by that entity; (iii) the impact that incidents could have, in terms of degree and duration, on economic and societal activities or public safety; (iv) the market share of that entity; (v) the geographic spread with regard to the area that could be affected by an incident; (vi) the importance of the entity for maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service. It is also possible that some entities provide both essential and non-essential services. Therefore, the operators should be subject to the specify security requirements only with respect to those services which are deemed to be essential. Furthermore, for the purpose of the identification process, when an entity provides an essential service in two or more Member state, those Member States should engage in bilateral or multilaterals discussions with each other. The Directive underlines the importance of an international cooperation within the Union, considering that services and incidents could have cross-border impact.In order to facilitate cross-border cooperation and communication, each Member State should designate a national single point of contact responsible for coordinating issues related to the security of network and information systems and cross-border cooperation at Union level. EU countries will have 21 months from the date the directive comes into force to implement the new EU legislation into national laws, and have a further six months to identify the operators of critical infrastructures.

Regulation 2016/679 of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. Furthermore, technological developments and globalisation have brought new challenges for the protection of personal data. Hence, those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement. In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States.

With particular reference to the security of personal data, the Directive provides that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk, including as appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. This Regulation shall apply from 28 May 2018.