German IT security law 2.0 – draft bill of March 2019

The German Federal Government is currently revising the IT security law of 2015. Recently a draft bill by the Federal Ministry of the Interior became public. It shows what kind of changes might be expected from the final reform: the law will apply to more business sectors and bring more regulation, expand the powers of the German Federal Office for Information security (BSI) and increase penalties both in criminal law as well as in administrative fines. The latter will be taken to the level of fines in the GDPR. It is thus advisable for all businesses concerned with IT security to study the new rules carefully.

1. Who is concerned by the new law?

The obligations contained in the current IT Security law will be extended to additional sectors:

• The regulated “critical infrastructures” (to date including the sectors energy, information technology and telecommunications, transportation and traffic, health, water, nutrition, and the finance and insurance sector) will be broadened to include installations of waste management that “are of high importance to the functioning of the community since their failure or impairment would result in material shortages of supply or dangers to public safety”.
• The draft bill introduces a new category of “infrastructures of particular public interest”. Included are certain businesses in the sectors of defence, stock exchange infrastructure, as well as companies engaging in culture and media that have major importance for the functioning of the democratic polity. The explanatory memorandum accompanying the draft bill also lists the sectors automotive and chemical industry, although these are not included in the actual draft bill. Businesses included in this category will be obliged to obey the same rules as those defined as “critical infrastructures”.
• A new category of businesses of “cyber criticality” is introduced. Included are businesses that are not regarded as “critical infrastructures” only due to the lack of their “standalone importance”, and businesses that operate infrastructure of communications or water supply that, at the same time, are interconnected with other infrastructure in a way that their outage would lead to the failure of critical infrastructure. On an individual case base, the BSI may decide that certain businesses falling into this category will have to obey the same rules as those businesses defined as “critical infrastructures”.

• manufacturers of information technology components for critical infrastructures (so called “KRITIS core components”) as well as manufacturers of other information technology components of relevance for critical infrastructures; and
• providers of telecommunications services and telemedia services.

2. Which obligations are stipulated in the draft law?

• Operators of critical infrastructures will be obliged to:
  

• Register with the BSI and designate a point of contact that is available for official inquiries at any time.
• Employ systems that are capable of detecting attacks on their IT infrastructure.
• Supply the BSI with any information necessary for the performance of its tasks.
  

• Manufacturers of information technology components and KRITIS core components will be obliged to report major disturbances in availability or integrity of their products to the BSI, where relevant to critical infrastructures or infrastructures of particular public interest.
• Manufacturers of KRITIS core components will further be obliged to bring up a certificate of reliability regarding their whole supply chain before being allowed to sell and distribute their components. Details on this certificate are to be determined by the German Federal Ministry of the Interior.
• Providers of telecommunications services and telemedia services will be obliged to

• Designate a point of contact in Germany for official inquiries.
• Organize their data processing operations in a way that ensures prompt replies upon requests for report, data provision and data deletion by the competent authorities.
• Report “data breaches“ in their systems to the German Federal Criminal Police Office.
• Report the use of their service for the unlawful distribution of unlawfully obtained data by third parties to the German Federal Criminal Police Offic, block the access to such data and, under certain circumstances, delete it later on.
• Be subject to administrative acts by the BSI regarding security related issues.

• Providers of telecommunications services will further be obliged to

• Employ systems that are capable of detecting attacks on IT infrastructure.
  In individual cases they might be ordered by the BSI to redirect traffic to command-and-control-servers of bot nets to government controlled servers (so called “sink holes”); as well as to remotely clean computer systems infested by malicious software.

• The expanded tasks and competences of the the German Federal Office for Information security (BSI) include:

• The screening of products available on the market, for malicious software and security vulnerabilities.
• The detection of security risks in publicly available IT infrastructure and systems (e.g. by executing port scans or setting up so called “honey pots”).
• The collection of information about security risks in IT products with the goal of warning manufacturers and the general public.
• The development of crisis response plans.
• Supporting the German Federal Constitutional Bodies, especially the parliament, in securing their IT infrastructure.
• The definition of minimum standards in IT security of the German Federal authorities.
• Extended tasks of customer protection: Warning on security vulnerabilities, malicious software and unauthorized data access as well as giving recommendations on counter measures.
• Development and introduction of IT security certification marks.
• Authorization to access data of contractors to the German Federal Authorities where necessary to protect the governmental IT infrastructure.

• Authorization to extended data processing and extended analysis of protocol data originating from communications infrastructure of the German Federal authorities for up to 18 months.

• Authorization to retrieve inventory data (data identifying certain users) from telecommunications providers with the goal of warning persons affected by attacks on IT systems or security vulnerabilities.

3. What are the changes in administrative fines and criminal law?

• The maximum amount of administrative fines for violations of the BSI act will be increased dramatically. Infringements will be subject to administrative fines of up to 20 Million Euros, or up to 4 % of the annual turnover. The list of fined violations will be extended according to the aforementioned new obligations.
• The draft bill also proposes several changes in criminal law relating to IT security:
  • „Unlawful use of IT systems“ as well as “Provision of services aiding the committal of crimes” will be introduced as new criminal offences.
  • The maximum range of sentences for numerous criminal offences relating to IT security will be raised to up to five year of prison. In certain cases (e.g., committing such crimes as part of a gang or in service of a foreign power; the deliberate disruption of critical infrastructure) the maximum sentence will be up to ten years of prison.
• Law enforcement agencies will be authorized to employ the instruments of lawful interception of communications, remote execution of search warrants on computer systems or the retrieval and analysis of communications data in certain cases of criminal offences relating to IT security. They will also be authorized to access user accounts of suspects of criminal offenses in telecommunications and telemedia services und use these accounts under the suspect’s identity to communicate with third parties. The suspect will be obliged to disclose its login details to the authorities.

 
Overall, the amendments proposed in the draft bill will significantly raise the importance of the IT security requirements in Germany. This will hold true in particular having the risen fines in mind.