Our specialized lawyers advise you in the area of cyber security. We advise on the development or adaptation of IT security concepts and take over legal enforcement for our clients in cases of damage.

Our consulting approach

The primary goal of our legal advice in the area of cybersecurity is the creation or restoration of secure processes and procedures within the business area of our clients. Since the causes of a lack of security in the processing of data or in the IT security infrastructure can be manifold, our consulting approach also varies, but in any case is adapted to the specific needs of our clients. You benefit from our expertise in all relevant areas of IT and data protection law, from the implementation of a comprehensive information security or data protection management system to rapid intervention in the event of a cyber attack on your systems.

Our experts work together in fast-action task forces to ensure that your company quickly becomes operational again and remains so in the long term. Below, we provide an overview of the focus areas of our IT security law practice.

Please also visit our topic page on Data Protection & Data Security.

In recent years, the risk of companies falling victim to cyber attacks has increased dramatically. Should attackers succeed in penetrating internal systems, companies regularly find themselves exposed to considerable ransom demands, fines and/or significant loss of reputation. We support you in preventively identifying and remediating IT and data protection vulnerabilities in your infrastructure. If you become the victim of a cyber attack, we will help you with incident and emergency response through our network of technical IT security consultants. We will handle communication with investigative and regulatory authorities on your behalf and support you in preparing and executing internal and external communications regarding the incident.


Modern security standards require a variety of effective, synergistic measures to protect the IT infrastructure. An information security management system helps you to establish procedures and rules within your organization to permanently guarantee and continuously improve the security of the information you process. In order to organize and permanently guarantee compliance with the special requirements of processing personal data, a data protection management system should also be introduced and maintained.

We will be happy to advise you on introducing data protection and information security management systems and ensuring that they mesh. If you wish, we can also support you with certification.

In the aftermath of an IT security incident, claims may also be made against corporate bodies, such as acting board members or managing directors. If the preceding protective mechanisms have not been effective, cyber insurance should be taken out as a last resort to provide effective cover for the responsible parties. Taking out such insurance seems advisable especially because the damages incurred are usually not covered by D&O insurance. Overall, the scope of benefits of all insurance policies with regard to damage caused by IT security incidents should definitely be adapted to the respective company situation and the individual liability risk. Here, the legal expertise of our lawyers helps to identify which benefits should really be available.


The importance of data protection and data protection compliance is constantly increasing, and not only against the background of more and more reports of proceedings for fines and damages. For this reason, it is essential to ensure that the processing of personal data complies with data protection regulations. In practice, these requirements constantly present data controllers with new, complex tasks, mastering which can require an immense expenditure of time and money.

Our cross-location team of market-renowned and award-winning experts supports you in answering individual questions as well as in designing extensive processes in compliance with data protection regulations and minimizing the associated risks.

In the event of a cyber attack, the most important step is to act quickly. Every hour that business processes are interrupted causes further damage to the affected companies. Therefore, the necessary immediate measures should be initiated without delay and a crisis team should be formed to coordinate further action. We will help you implement a comprehensive emergency response plan and support you in developing a tailor-made concept to prepare you for an emergency.


In addition to general IT security requirements, operators of critical infrastructures must also comply with the provisions of the BSI Act. As a result, operators of critical infrastructures must take particular care to ensure that the critical infrastructures they operate are and remain functional. After all, the failure or disruption of a critical infrastructure has significant consequences for a large number of people.

The increased requirements for operators of critical infrastructures apply both to the elements, components and parts used and to the software used.

Every company is faced with the question of whether and to what extent it uses the support of external service providers to manage its IT infrastructure. The use of such managed services, which, in contrast to other types of IT outsourcing, involve regularly recurring services, can be worthwhile for companies since it saves their own resources. However, in the interest of both parties, the scope of the service to be provided should be clearly defined in advance and contractually agreed. Transparency about the acquired range of services is created by concluding a service level agreement, which contractually stipulates the services to be provided by the external company. Negotiating this contract requires a high level of consulting and negotiation competence in order to assert your interests optimally. We are happy to support you in this.


Cybersecurity is a C-level matter. Therefore, the appropriate consideration of IT security law requirements and compliance with data protection regulations is essential for companies, regardless of their size. Companies that fail to comply with these obligations and, under certain circumstances, also their executive bodies, face the threat of claims from contractual partners or liability to the company. Serious violations of such obligations can also result in severe fines.

With the help of our holistic consulting approach, you can assess and minimize your liability and litigation risks. Our lawyers specializing in IT security, corporate, insurance and compliance law will be happy to support you in implementing and enforcing appropriate measures, taking out D&O insurance and, if necessary, defending yourself in court against asserted claims.

Increasingly, cyber attacks are also occurring indirectly via external service providers. As with any cyber attack, there is also an enormous liability risk for the affected companies in the event of an indirect attack, i.e. an attack on another company within the supply chain. Especially in light of ever new national and European legal requirements, companies face a wide range of legal issues when using and distributing digital products and digital content. We advise you on the implementation of a strategy that interlinks different, synergetic measures to secure the supply chain.


The central concept of IT security law is that of the "state of the art". Not only in the area of critical infrastructures, but also for telemedia providers, the use of IT systems at credit institutions, the introduction of technical and organizational measures in the area of data protection, cyber insurance policies and much more, the interpretation of this term is of central importance and at the same time highly complex in legal terms.

The distinction from the "generally accepted rules of technology" or the "state of the art in science and technology" is also a legal requirement that should not be overlooked. Not least due to the technical expertise of our lawyers specializing in IT security law, we will be happy to advise you on the state of the art in all areas relevant to you.

Distinctions (selection)

Legal 500 Germany 2023

Legal 500 Germany 2022

FOCUS Top Wirtschaftskanzleien 2022

JUVE Handbook Commercial Law Firm 2021/2022

Legal 500 EMEA 2022

Chambers Global 2022

WWL Thought Leaders - Data 2022

Legal 500 EMEA 2020


Current Events (selection)

  • Rechtliche Hürden beim Umgang mit Cyber-Angriffen, Michael Kuska, LL.M., LL.M., and Manuel Poncza; Breidenbach & Frost Symposium Cyber Security in Public Transport, June 30, 2023, Cologne
  • Data Breach Management - An Overview from a Global Perspective, Michael Kuska, LL.M., LL.M., Nick Holland (Shoosmiths) and Jena Valdetero (Greenberg Traurig); Lexology Webinar, June 23, 2023
  • Cyber Resilience als Product Compliance-Anforderung, Manuel Poncza; 14. Europäische Druckgerätetage, Fürstenfeldbruck, June 20, 2023
  • Von Cloud bis Homeoffice – Rechtliche Aspekte einer sicheren IT, Michael Kuska, LL.M., LL.M., Deutsches Studierendenwerk e. V., June 20, 2023
  • NIS-2 Richtlinie, Michael Kuska, LL.M., LL.M., and Manuel Poncza; Cyber Insurance Conference, June 1, 2023, Borussia Park Mönchengladbach


  • AIR, CRA, DA und Co? Auswirkung der aktuellen EU-Gesetzgebung auf Robotics Geschäftsmodelle, Robotics: Eher "einfaches Gemüt" oder wirklich "Smart"?, Dr. Lutz M. Keppeler; Rittal, May 11, 2023, Haiger
  • Cyber Resilience Act - Und noch viel mehr?, Dr. Lutz M. Keppeler; ICT-Resilienz: "Nice-to-have zu Need-to-have?", April 26, 2023, Hürth
  • Cybercrime und IT-Sicherheitsrecht inklusive Ausblick auf den Cyber Resilience Act, Dr. Lutz M. Keppeler; Heuking Compliance Days, March 16, 2023, Düsseldorf
  • Der Entwurf des Cyber Resilience Act und dessen Konsequenzen für KMUs; Manuel Poncza; IHK Cologne, March 14, 2023


  • Cyberversicherung und der "Stand der Technik", Dr. Lutz M. Keppeler and Stefan Jöster; Messe Security Essen, September 21, 2022
  • Panel discussion on data protection and cyber security, 3. Deutor Cyber Security Best Practice Conference, Markus Lennartz and Dr. Lutz M. Keppeler, Stuttgart, June 30, 2022
  • Haftung für Cyberrisiken in der Kommune, 8. Kommunaler IT-Sicherheitskongress 2022, Stefan Jöster and Dr. Lutz M. Keppeler, Berlin, May 3, 2022
  • Haftung und Organisationsverschulden der Kommune bei Cyber Vorfall, Digital.Kommunal.Sicher - Informationssicherheit in der Kommunalverwaltung, Dr. Lutz M. Keppeler, February 15/17/23 and 14, 2022


  • Die Folgen eines Cyberangriffs, as part of the lecture series "Kurz mal Recht" of the IHK Hanau, November 25, 2021


  • Live online interview on cyber insurance, together with Dr. Stefan Jöster, conducted by Malwarebytes, September 11, 2020
  • Data protection and IT security law, presentation by Dr. Lutz M. Keppeler, webinar "Cyberrisiken und Datenschutz in Zeiten des Homeoffice", together with GOSSLER, GOBERT & WOLTERS ASSEKURANZ-MAKLER GMBH & CO. KG and Digitrace GmbH, August 28, 2020


  • BSI Basic Protection. New quasi-legal security standard?, lecture by Dr. Lutz M. Keppeler, International Insuralex Meeting "Cyber beyond borders", Frankfurt, November 29, 2019
  • Participation in the panel discussion "CYBER CRISIS MANAGEMENT", lecture by Dr. Lutz M. Keppeler, 2. Deutor Cyber Security Best Practice Conference 2019
  • Basic Data Protection Regulation and E-Privacy Regulation, lecture by Dr. Hans Markus Wulf, Handelskammer Hamburg, October 22, 2019
  • Cybersicherheit & Recht – Rechtliche und technische Anforderungen für Unternehmen, lecture by Dr. Hans Markus Wulf, WM Gruppe, 21. Compliance-Tagung, September 19, 2019