The Legal Framework for Cyber Security – Current Developments

On 27 March 2019, the German Federal Ministry of the Interior, Building and Home Affairs (BMI) presented a draft bill on the IT Security Act 2.0. The proposed legislative amendment will have significant implications for companies. The draft provides for an expansion of the range of companies to which the IT Security Act 2.0 applies and plans to hold manufacturers of critical infrastructures accountable. Furthermore, the IT Security Act 2.0 provides for the German Federal Office for Information Security (BSI) to be equipped with extended powers and for the current provisions of cyber criminal law to be tightened up.

In 2015, with the creation of the IT Security Act 1.0, the German legislator took the first step towards counteracting the threat of cyber crime. Due to ongoing digitalization and the increasing networking of IT systems, the IT security situation in Germany has deteriorated over the past few years. In order to ensure protection against cyber attacks in the future, the German governing parties have therefore decided to develop the IT Security Act 1.0 further. On 27 March 2019, the BMI presented the draft bill for the IT Security Act 2.0 – with far-reaching changes.

Addressees are to be expanded

The IT Security Act 1.0 aims to protect IT infrastructures against cyber attacks in order to prevent supply bottlenecks for business, government and society. Primarily, it addresses operators of so-called critical infrastructures – companies in the energy, IT and telecommunications, transport and traffic, water, health, nutrition, and finance and insurance sectors which are of great importance for the functioning of society.

The IT Security Act 2.0 is intended to cover a further sector, namely waste disposal. Furthermore, the IT Security Act 2.0 shall apply to infrastructures of special public interest, such as the defence and security industry, the chemical and automobile manufacturing sectors, companies in the culture and media sector, and companies of considerable economic importance.

The draft bill redefines core components of critical infrastructures – IT products that serve the operation of critical infrastructures and which are developed or modified especially for this purpose. In the future, manufacturers of such core components will be obliged to submit a declaration of trustworthiness covering the entire supply chain. Otherwise, operators of critical infrastructures may no longer use their products. Additionally, the manufacturers of core components of critical infrastructures – as well as operators of critical infrastructures – must notify the BSI of disruptions related to their products that are caused by cyber attacks.

The so-called Ordinance on the Designation of Critical Infrastructures under the BSI Act defines thresholds and sets out whether a company within the above-mentioned sectors is to be classified as an operator of a critical infrastructure. If a company does not reach the threshold, the IT Security Act 1.0 does not apply. This is where the IT Security Act 2.0 comes in: the BSI may impose the obligations of the IT Security Act 2.0 on a company in justified individual cases where a disruption of that company's IT security could endanger society.

BSI provided with extensive powers

The bill further provides for the tasks and powers of the BSI to be expanded comprehensively. As a central certification and standardization body, the BSI will have more responsibility and further tasks, for example in the area of digital consumer protection.

Currently, the BSI is dependent on the BMI. This relationship of dependence gives rise to conflicts of interest: on the one hand, the BSI's task is to close IT security gaps; on the other hand, the BSI itself partly creates such gaps by participating in the development of state trojans. Therefore, the BSI shall become more independent and neutral. At the same time, it is to be provided with extensive warning and investigative powers as well as extensive authority to issue directives. In particular, the BSI shall be equipped with powers that enable offensive action against botnets, risks in the Internet of Things and the distribution of malware. The BSI shall, for example, be empowered to penetrate third-party IT systems in order to install patches or remove malware. Furthermore, it shall be authorised to direct providers to block or redirect data traffic in order to ward off and defend against cyber attacks.

Moreover, the IT Security Act 2.0 is intended to introduce an IT security label. The label aims to make it easier for consumers to assess the cyber security of IT products and services. In the future, manufacturers will be able to apply voluntarily for the IT security label for their products if they have implemented the "state of the art" of IT security as defined by the BSI in technical guidelines.

Tightening up of cyber criminal law and increase of fines

The IT Security Act 2.0 provides for cyber criminal law to be tightened up. Adjustments to substantive criminal law are intended to reflect the wrongfulness and danger of cyber crimes more appropriately. Gaps in criminal liability will be closed, and new qualifying criteria will be created for particularly serious cases of computer crime.

According to the IT Security Act 2.0, a larger number of offences can lead to a fine in the future. Besides this, the draft provides for a sharp increase in fines – comparable to the level of fines under the EU General Data Protection Regulation (GDPR). As under the GDPR, fines of up to a maximum of 20 million euros or up to 4 percent of total worldwide company turnover can then be imposed. The increase in fines is intended to ensure that companies devote more attention to the requirements of IT security.

IT security versus public security

The companies to which the IT Security Act 2.0 will apply will have to make considerable investments in order to comply with the legal requirements – unless other regulations already oblige them to maintain a high IT security standard. Companies should take into account that the expected security level is constantly evolving and rising.

Many initiatives of the IT Security Act 2.0 are useful, especially the IT security label, the reporting requirement and the innovations in the area of consumer protection. However, the planned fundamental reorientation of IT security policy in Germany, the comprehensive extension of the powers of the security authorities and the planned tightening up of cyber criminal law will probably be the subject of controversial debate – including from a constitutional point of view.