On August 19, 2014, the German Federal Ministry of the Interior published a revised draft cybersecurity law (the “Draft Law”). An earlier version of the draft was published in March 2013. The Draft Law is intended to serve as a cornerstone of Germany’s recently announced digital agenda.
“Critical Infrastructure” and Security Requirements
The revised Draft Law will amend a number of laws and provisions relating to IT security. All companies subject to the Draft Law will be responsible for specifically protecting their IT systems against cyber attacks and cyber crime. According to the Draft Law, the Act on the German Federal Office for Information Security (“BSI”) will be amended to extend its scope to so-called “critical infrastructures.” “Critical infrastructures” are facilities of high importance for the functioning of the community; an outage or disruption of a critical infrastructure would lead to lasting supply shortfalls or significant public safety risks. According to the Draft Law’s definition, it will apply to companies in the following sectors: energy, information technology and telecommunications, transportation and traffic, health, water, food, and finance and insurance. A separate regulation will specify the criteria for determining which IT systems, components or processes are in scope.
Within two years of adoption of that regulation, all covered operators will be required to implement appropriate organizational and technical security measures to protect the IT systems, components or processes that are relevant for the functioning of the critical infrastructures. These measures must reflect the state of the art, and operators and industry associations may propose specific security standards. Further, operators of critical infrastructures will be obliged to undergo IT security audits or certifications at least every two years.
Powers of Federal Office for Information Security
In addition, the BSI will become the central notification body in Germany for IT security incidents. Depending on the type of incident, a report may be made without identifying the operator by name. The BSI will function as an advisory body for all cyber and IT security issues, and will refer operators to qualified third-party service providers. The BSI also may evaluate IT products, systems and services for these purposes.
Current Status and Next Steps
The Draft Law is currently in a coordination process involving several other ministries (e.g., economics, justice, transport). This process is expected to take up to three or four months. It can be assumed that Germany will take the discussions concerning the Draft Law to the European level in order to cement its leadership position in the pending discussions on the European Commission’s draft cybersecurity strategy.