On March 5, 2013, the German Federal Ministry of the Interior published proposed amendments (in German) to the German Federal Office for Information Security Law. These proposed amendments are significant because they establish a new duty to notify the German Federal Office for Information Security in the event of a cybersecurity breach.
The proposed amendments apply only to operators of critical infrastructure in the energy, IT and telecommunications, transport and traffic, health, water, food, finance and insurance sectors. These operators, which will be specifically identified in secondary legislation, would be required to immediately inform the German Federal Office for Information Security in the event their IT systems, components or processes suffer a significant adverse impact caused by a cybersecurity breach.
Other proposed amendments to the German Federal Office for Information Security Law seek to embed IT security obligations into German online privacy and telecommunications laws.
The German proposal is similar to the notification requirement described in the European Commission’s cybersecurity strategy and draft network and information security directive. At this stage, the German federal government still needs to agree to the proposal before it is sent on to the German Parliament for further discussion and an eventual vote.