IT security in Germany: a jungle of laws

Introduction

Our society is becoming increasingly interconnected and digital. At the same time, cyberattacks are constantly increasing and headlines about successful cyberattacks appear in the media on a daily basis. In its latest report on the state of IT security in Germany, the Federal Cyber Security Authority (BSI) notes an overall increase in cyberattacks, as well as an increase in the number of malware variants used. The European and German legislators have recognised this growing threat and passed a number of laws in recent years to counter it and protect the economy and the state from cyber criminals. However, this has also led to a veritable ‘regulation jungle’ of legal regulations on IT security in Germany.

Framework: European regulations regarding IT security

In 2016, the European Union adopted Directive (EU) 2016/1148 (NIS Directive), creating the first legal framework for IT security standards at EU level. It aims to ensure a high common level of security of network and information systems in the EU. To this end, it establishes benchmarks for security requirements and reporting obligations for operators of essential services and providers of digital services, which the EU member states specify further when implementing the Directive. A reform of the NIS Directive is currently in the legislative process.

Regulation (EU) 2019/881 (Cyber Security Act) from 2019 strengthens the European Union Agency for Cyber Security (ENISA) and gives it a permanent mandate while also introducing a uniform certification framework for the cyber security of information and communication technology. In addition, there are other regulations such as the ePrivacy Directive (last revised in 2009) as well as the Cyberattack Regulation (2019) and the Directive on Attacks against Information Systems (2013) that directly address cybersecurity.

Dedicated IT security laws and indirect requirements in Germany

At national level, the situation is even more complex. In 2015, the German legislator took a first step to counteract the threat of cybercrime with the IT Security Act. It amended various laws, in particular the Act on the Federal Cyber Security Authority (BSIG). The IT Security Act aims to protect IT infrastructures against cyberattacks in order to prevent supply bottlenecks for business, government and society in Germany. Primarily, it addresses operators of so-called critical infrastructures – companies which are part of selected sectors and which are of great importance for the functioning of German society.

Over the years, the German legislator adjusted the IT Security Act as part of the implementation of the NIS Directive, but has also revised it further independently of EU requirements. The most recent changes came into force in 2021. In particular, the scope of the BSIG was extended and is now aimed not only at operators of critical infrastructures and providers of digital services, but also at companies in the special public interest and manufacturers of critical IT components. The category of companies in the special public interest is rather broad and even includes suppliers to some extent. The catalogue of obligations differs between the addressees, with operators of critical infrastructures facing the highest regulatory impact. The determination of whether a company is an operator of critical infrastructure is carried out in three steps:

  • First, it must offer a service that is considered critical because of its importance. The critical services are specified in the Ordinance on the Identification of Critical Infrastructures (KritisVO) and are found in the sectors of energy, water, food, information technology and telecommunications, health, finance and insurance, transport and traffic, as well as municipal waste disposal.
  • Second, the operator must use a facility that is necessary for the provision of the critical service, such as hospitals in inpatient medical care for the health sector.
  • Third, a certain level of supply must be met as a quantitative approach. The threshold value is calculated on the basis of special formulas that are also defined in the KritisVO.

Operators are obliged to fulfil an appropriate level of IT security adapted to the so-called ‘state of the art’ – a term subject to interpretation. In order to meet these obligations, operators may apply industry-specific security standards. They describe information security procedures and measures by which an appropriate level of protection can be achieved. Operators must be able to provide documentation of compliance with the security obligations and report to the BSI in the event of significant disruptions to IT security. In this context, the obligation for manufacturers of critical IT components to issue a corresponding guarantee declaration to the operator should also be emphasised. Without such a declaration, the operator is not permitted to use the components. From May 2023, the IT security requirements also include the use of attack detection systems that continuously and automatically record and evaluate suitable parameters and characteristics from ongoing operations.

In addition to the BSIG, the IT Security Act also amends other sector-specific laws such as the Nuclear Act, Energy Industry Act or the Social Code with regard to their IT security requirements.

However, if a company is not an addressee of the IT Security Act, this does not mean that it is not equally obliged to implement IT security measures. This can be illustrated by the example of a hospital. According to KritisVO, a hospital is only to be classified as an operator of a critical infrastructure if it has more than 30,000 full inpatient cases per year. But, as a result of the Patient Data Protection Act enacted in October 2020 and the newly introduced s75c of Volume V of the Social Insurance Code, from 1 January 2022 all hospitals, regardless of thresholds, are now obliged to take appropriate organisational and technical precautions for IT security.

Such precautions are also required of telemedia providers under s19(4) TTDSG to prevent unauthorised access to the technical facilities and malfunctions. For consumer contracts concluded on or after 1 January 2022, due to the transposition of EU Directive (EU) 2019/771 and EU Directive (EU) 2019/770, the German Civil Code provides for update obligations of the trader in certain cases in order to preserve the conformity of the contract. These updates explicitly include IT security updates.

Even data protection law, especially the General Data Protection Regulation (GDPR), can result in IT security obligations, because in the event of a cyberattack there is often also a data breach subject to GDPR regulatory obligations. Article 32 of the GDPR sets minimum requirements for IT security based on the ‘state of the art’, implementation costs, nature, scope, circumstances and purposes of the processing, different likelihood of occurrence and severity of the risk. The same applies to Articles 24 and 25 GDPR. However, the regulations here have the protective purpose of ensuring that personal data are protected by IT.

Moreover, IT security obligations can also arise from general laws that do not originally relate to IT security. Rather, they arise indirectly, for example from due diligence obligations or due to the specific contract design. For instance, in the area of commercial and company law, some corporate bodies face due diligence obligations, which also include ensuring a level of IT security (s(2) Stock Corporation Act, s45 Limited Liability Companies Act). IT security measures can also represent performance obligations in contracts based on mutual (explicit or implicit) agreements, the non-fulfilment of which results in liability of the breaching party.

Conclusion

Cyber security law in Germany is complex. Companies can be subject to many preventive security obligations, depending on the nature of their business and their field of activity. In the event of a cyberattack, various additional regulations come into play. Companies must be aware of this interplay and know exactly which regulations affect them and which obligations they must comply with and implement. In light of advancing digitalisation, increasing regulatory advancements are noticeable. In the future, IT security is therefore likely to become even more regulated. The latest legislative decisions indicate that ‘security by design’ may become a basic requirement for products in the future.