The frequency and the impact of incidents affecting information systems and services are growing steadily, driven by increasingly sophisticated attack methods. One of these methods is the creation and use of "botnets", that is, establishing remote control over a large number of computers by infecting them with malicious software through targeted cyber-attacks. Once created, the network of infected computers that constitutes the botnet can be activated without the knowledge of the computers' users in order to launch a large-scale cyber-attack, which usually has the capacity to cause serious damage.
Cyber-attacks can be critical for sensitive functions in both the private and the public sector, with particular reference to the so-called "critical infrastructures", namely facilities and installations whose disruption or destruction could seriously affect essential economic and societal activities (e.g. transportation and traffic, IT and telecommunications, water and food, finance and insurance, healthcare).
The most relevant German regulation on the matter is contained in the IT Security Act (IT-Sicherheitsgesetz), which came into effect on July 25, 2015.
The IT Security Act applies to website operators and others qualifying as service providers under the German Telemedia Act, to telecommunications companies and to operators of critical infrastructures, requiring them to implement security measures and to report security incidents to the Federal Office for Information Security ("Bundesamt für Sicherheit in der Informationstechnik", BSI). The Act applies to operators based in Germany as well as to foreign operators to the extent that they provide infrastructures, products and services in Germany.
The IT Security Act is relevant in particular because of the rules it lays down for the operators of critical infrastructures.
The IT Security Act provides a general definition of "critical infrastructures" and empowers the Federal Ministry of the Interior to specify, for each sector, which operators are to be deemed critical. For this purpose, the Ministry uses sector-specific threshold values laid down by ordinance. The first ordinance, recently issued, covers the following sectors: energy, information technology and telecommunications, water and food. The ordinance for the health, banking and insurance sectors is expected by the end of 2016, and the ordinance concerning the transport and traffic sector is expected by the beginning of 2017.
According to the IT Security Act and the ordinances, critical infrastructure operators must fulfil the following requirements.
First of all, operators must adopt state-of-the-art technical and organizational measures to protect and ensure the availability, integrity, authenticity and confidentiality of their IT systems and services. The IT Security Act does not define what is to be considered state of the art in each sector; this will be specified by the BSI in cooperation with the representatives of the relevant sectors. Companies and industry associations may also propose sector-specific security standards for recognition by the BSI.
Operators must implement the required measures within two years after the applicable ordinance has taken effect, and they must then demonstrate compliance to the BSI at least every two years (e.g. by means of security audits, examinations or certifications).
During the transition period, operators must apply state-of-the-art measures that are appropriate, technically feasible and commercially reasonable. In order to identify such "state-of-the-art measures", operators can refer to national and international standards as well as to practices proven successful in the respective sector.
Within six months after the applicable ordinance has taken effect, operators must also set up an internal procedure for fulfilling the reporting obligation towards the BSI and must designate a contact point as the single point of contact with the authority. In case of an incident, operators must inform the BSI immediately, providing all relevant information on the disruption (e.g. the suspected or actual cause, the information technology and the facilities involved). The IT Security Act does not require operators to report attacks publicly; in limited circumstances, however, the BSI may share information on reported incidents with third parties.
Failure to implement the required IT security measures may be punished with fines of up to EUR 100,000. Lower fines apply to breaches of the reporting obligations towards the BSI.
The IT Security Act anticipated the European Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive).
The NIS Directive clarifies that Member States may adopt or maintain provisions aimed at achieving a higher level of security of network and information systems than the Directive requires. Moreover, a comparison of the two sets of rules shows significant similarities between the European and the German regulation.
Hence, the Directive does not affect the validity of the IT Security Act, although the German legislator will have to adjust the current legislation where necessary when transposing it. Responding effectively to the new challenges in the cyber security sector does, in fact, require a common approach at Union level, covering minimum capacity-building and planning requirements, exchange of information, cooperation and common security requirements for operators.