On January 25, 2021, the German federal Cabinet introduced the draft for the new Cyber Security Act (“IT-Sicherheitsgesetz 2.0”) into the legislative process (Entwurf eines Zweiten Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme, Drucksache 19/26106 [draft of a second law to increase the security of information technology systems, document 19/26106]). The new German Cyber Security Act is intended to replace the old German Cyber Security Act of July 2015. The purpose of the law is to ensure cyber and information security, which is becoming more and more important with the increasing digitization of all areas of life and the growing importance of the "Internet of Things".
The German federal government's draft contains various new features. The changes, but also the criticism of the government draft, focus on the changes to the BSIG (German law on the Federal Office for Information Security), which significantly expand the competencies of the BSI (German Federal Office for Information Security).
The first IT security law was passed in July 2015. This dealt with changes to various laws, such as the German Federal Office for Information Security Act (“BSIG”), the German Telecommunications Act (“Telekommunikationsgesetz, TKG”) and the German Telemedia Act (“Telemediengesetz, TMG”). This should now be expanded and improved due to the growing risk from cyber attacks. This legislative process has been running for almost two years. A first draft was presented by the German Federal Ministry of the Interior, Building and Community in March 2019 and commented on by us at the time (you can find the article under this link). After the expansion of official powers was met with great criticism, a new draft was drawn up in May 2020. The main issue here was the discussion on the provision of the 5G Infrastructure by Huawei. The current bill is therefore already the third draft of a new German Cyber Security Act.
The new draft provides for changes in various laws. The BSIG, the TKG and the TMG, SGB X [10. German Social Security Statute Book] and the German Electricity and Gas Supply Act (“Gesetz über die Elektrizitäts- und Gasversorgung”) as well as the Außenwirtschaftsverordnung [German foreign trade regulation] are affected.
II. Important innovations in brief
- New definitions: The introduction of new areas of regulation also made it necessary to adapt the terminology used. There are new definitions of terms, for example, for “federal communications technology”, “logging data”, “IT products”, “attack detection systems” and “critical components”. The latter play a central role in many of the new regulations. In particular, these are components that are used in critical infrastructures. As the previous drafts provided for this central term to be filled out by means of non-legislative requirements that have yet to be created, a structuring is however already desired. The resulting legal security is to be welcomed.
- Inclusion of "companies in the special public interest": Up until now, the security requirements and intervention powers of the BSIG have primarily applied to the operators of critical infrastructures (the areas of energy, water, nutrition, transport, finance, insurance, health, telecommunications and information technology are covered). The amendment law is intended to extend these to a large extent to other companies whose functionality has a significant social interest. For this purpose, three categories have been developed, some of which have different requirements. For example, registration with the BSI, inter alia, does not necessarily have to take place within the third category. The first category includes, for example, companies in the arms industry and classified IT, the second includes companies that are of particular economic importance due to their high value creation, and the third includes companies that are subject to the regulation of the German Hazardous Incident Ordinance (“Störfallverordnung”) (cf. Section 2(14) BSIG-E). The question of when a company is of particular economic importance should be answered on the basis of economic indicators. In any case, the operators of such companies will have to face considerable additional work with the German Cyber Security Act.
- Attack detection systems: Operators of critical infrastructures must implement attack detection systems within one year of the law coming into force (Section 8a(1a) BSIG-E) and store the resulting data for at least four years. This obligation does not apply to companies in the special public interest.
- Obligations to provide evidence: In addition, the operators of companies in the special public interest must submit a self-declaration on IT security every two years, which gives details of the IT security measures taken (such as certification, security audits and other protective measures; cf. Section 8f BSIG-E). According to Section 8b(4a) BSIG-E, the BSI can also request the surrender of documentation required for remedy in the event of a malfunction. An extension of the already existing reporting obligation for malfunctions in Section 8b(4) BSIG, which has been planned in the meantime, has not been made part of the bill.
- Notification requirement when installing critical components: According to Section 9b BSIG-E, the installation of critical components for which certification is required must also be reported. These may only be used if there is a “guarantee declaration” from the manufacturer regarding the trustworthiness of the product. This is probably a consequence of the Huawei debate, although this regulation hardly restricts the products of foreign manufacturers. However, the BSI can also prohibit the use of critical components by operators of critical infrastructures.
- Development of a uniform IT security label: The prerequisites for a national IT security label are being created, which, however, should remain voluntary. The requirement can then be specified in a technical guideline (TG). Otherwise, they are based on industry-specific IT security guidelines. This is not the certification under the EU Cyber Security Act, for which the BSI will also be responsible in the future. Whether such a national certification makes sense alongside the CSA certification is quite controversial. In addition, it remains difficult for consumers to identify a safe product if the labeling is voluntary.
- Adaptation of the catalog of fines: With reference to Section 30(2) of the German Administrative Offences Act (“OWiG”), fines of up to EUR 20 million are now possible. However, unlike the GDPR, there is no link to the annual turnover of a company. This is a national initiative, the impact of which on European legislation remains to be seen.
- Strengthening the BSI: Beyond the points stated above, the strengthening of the BSI is also noticeable. A number of new areas of responsibility are being assigned to this body, so that the role of the BSI increasingly approaches that of a supreme federal authority:
- a) Consumer protection, namely "advising and warning consumers" in IT security issues (Section 3 No. 14 a BSIG-E).
- b) General reporting office for reporting IT security risks (Section 4b BSIG-E). The aim is to set up a voluntary anonymous reporting platform for IT security incidents. The fact that the BSI is not required to share the knowledge gained with third parties or the companies has been criticized. This was also criticized in the first parliamentary debate on January 28, 2021: Since there is no obligation to report any security gaps found, these could be kept open for intelligence services. However, if the gaps are not closed, it will make it harder to improve cybersecurity. Here, the passing on of information is generally intended and also possible.
- c) Port scans: The BSI is authorized to detect security gaps at the interfaces between information technology systems and public telecommunications networks (to search for open ports). This does not entitle the BSI to carry out Red Teaming activities and penetration tests, but port scans are possible without prior notice to the extent that there is a reasonable assumption that security gaps exist or security precautions are insufficient (Section 7b BSIG-E). This regulation was criticized as a so-called "hacking paragraph".
- d) Control of federal communications technology and the evaluation and storage of internal authority log data: The fact that the BSI is allowed to store the metadata of the inquiries of authorities for up to twelve months has also been criticized.
- e) Assessment of security in information technology by investigating IT products and systems intended for market distribution (Section 7a BSIG-E) or by querying inventory data from providers of telecommunications services.
- f) Advice, information and warning of the public regarding questions of information security: The BSI issues warnings of security gaps in information technology products and services, warnings of malware and warnings in the event of the loss of or unauthorized access to data, and provides information on security-relevant IT properties of the products.
After the legislative process had dragged on for almost two years, many are now expecting a comparatively quick conclusion, which, however, can hardly be expected before spring this year. The reason for this is that the new German Cyber Security Act is an object of the current coalition agreement. However, this also means that extensive changes to the law are no longer to be expected, despite the criticism that has often been expressed.
The fact that the current draft of the German Cyber Security Act, unlike the previous drafts, provides more legal clarity, as there are significantly fewer blanket references to sub-statutory legal acts in which important details are still to be regulated, is to be welcomed. It is also to be welcomed that there have not been any changes to the German Criminal Code (“StGB”) and German Criminal Procedure Code (“”STPO"), which, for example, could have included the possibility of the compulsory issuance of access data to user accounts by the suspect. For most companies, there will be no major implementation effort after the German Cyber Security Act comes into force. Only for companies in the special public interest and, in some cases, for operators of critical infrastructures, implementation will involve adjustments, some of which will be substantial.
Nevertheless, there are significant points of criticism. These include the fact that the new law was drafted without the measures from the 2015 law ever being evaluated. The comparatively short public debate is also a matter of criticism, after the federal government had allowed itself so much time for this law. In addition, the national IT security label harbors the risk that consumers have a sense of “false security” when using such products.
The biggest point of criticism, however, is probably the ambiguity between the declared objective of consumer protection and the strengthening of IT security on the one hand, and, on the other, the fact that the BSI does not have to report security gaps.
further reports which may be of interest to you