The Legislative Framework Governing Cybersecurity
The subject of cybersecurity has gained in importance within Germany and the European Union. There is a growing need to protect the digital market, and the IT systems of the players within it, against cybersecurity threats. In the last two years, 68% of enterprises have registered cybersecurity attacks against them. According to the President of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or BSI), the number of malware programs currently known in Germany (roughly 800 million) grows by about 390,000 each day. Consequently, European and German legislators have taken measures to strengthen cybersecurity, imposing a multitude of new obligations on EU Member States and enterprises. This briefing aims to provide an overview of the most relevant cybersecurity legislation and the requirements affected parties must meet.
The existing legislation regarding cybersecurity can be roughly divided into two categories: some legislative acts are directly aimed at the improvement of cybersecurity, notably the EU Cybersecurity Regulation recently adopted by the European Parliament. Other legislation, such as the General Data Protection Regulation (GDPR), touches upon questions of cybersecurity only incidentally.
Legislation directly aimed at the improvement of cybersecurity
Directive 2002/21/EC (Framework Directive), as amended by Directive 2009/140/EC, and Directive 2002/58/EC (ePrivacy Directive) – transposed into German law in the Telecommunications Act (Telekommunikationsgesetz or TKG) – are directed at operators of public telecommunications networks and providers of publicly available electronic communications services. With the transposition of Directive (EU) 2016/1148 (NIS Directive), the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik or BSIG) and the Energy Industry Act (Gesetz über die Elektrizitäts- und Gasversorgung or EnWG) were amended. These latter cybersecurity rules are directed at: the Federal Office for Information Security itself; operators of critical infrastructure (organizations and facilities of high importance to the functioning of the community, whose failure or impairment would lead to dramatic repercussions); and digital service providers (online marketplaces, online search engines and cloud computing services). Small providers are excluded from the scope of application of these laws.
These cybersecurity laws primarily set standards for minimum-security requirements and reporting obligations:
The above laws require the subjects concerned to put in place technical and organizational measures to protect their networks and IT systems against potential threats, in order to avoid security breaches or at least keep them to a minimum. References to EU directives and soft law specify the respective security requirements for certain industries.
Operators of public telecommunications networks and providers of publicly available electronic communications services must appoint a security officer and draw up a security concept based on the requirements set out in the Federal Network Agency’s security catalogue. This security concept must be submitted to the Federal Network Agency immediately after network operation has commenced. For digital service providers, the security standards are specified in the EU Commission’s Implementing Regulation (EU) 2018/151. Operators of energy supply networks must comply with a catalogue of security requirements set out by the Federal Network Agency. A corresponding catalogue exists for operators of power plants that also qualify as critical infrastructure. All other operators of critical infrastructure may propose industry-specific security standards to the BSI for evaluation and approval. They must provide proof of compliance with these security requirements at least every two years.
The reporting obligations that the aforementioned laws prescribe are of great importance in practice. Operators of public communications networks and providers of publicly available electronic communications services must immediately notify the Federal Network Agency and the BSI of significant impairments to their networks and services (Section 109(5) TKG). Operators of critical infrastructure must report to the BSI immediately, via their designated contact point, all disruptions that have caused system failures as well as all other significant disruptions that may lead to system failures in the future (Section 8b(4) BSIG). Furthermore, providers of digital services must immediately report to the BSI any incident that has a significant impact on the provision of a digital service they provide within the European Union.
Guidelines as to what qualifies as an incident of significant impact are set out in the BSIG. Factors may include the number of users and the geographical area affected, as well as the duration and the extent of the disruption.
In turn, the BSI must immediately inform the responsible state (Bundesland), supervisory authorities and the operators of critical infrastructure that a cybersecurity attack was attempted or took place, and about the security vulnerabilities they were made aware of.
Should operators of public telecommunications networks fail to submit a security concept to the Federal Network Agency immediately after network operation has commenced, the TKG provides for fines of up to EUR 100,000. Violations of the reporting obligations are punishable with fines of up to EUR 50,000. Under the Energy Industry Act, operators face penalties of up to EUR 100,000 for non-compliance with security standards and for failure to fulfil the reporting obligations. The BSIG provides for fines of up to EUR 50,000 for the corresponding breaches.
Other Laws That Contain Provisions on Cybersecurity
Provisions on cybersecurity may be found in several other laws. Regulation (EU) 2016/679 (GDPR) and the Federal Data Protection Act prescribe concrete measures to achieve a level of security appropriate to the risk involved in the processing of personal data. These measures include encryption and pseudonymisation. The controller must notify any personal data breach to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the rights and freedoms of the affected data subjects, they must be informed as well. For non-compliance with the security requirements and violations of the notification duties, the GDPR provides for fines of up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Under the Banking Act, financial institutions and the Federal Financial Supervisory Authority are obliged to take measures to ensure data protection and data security. According to the Act to Improve Enforcement of Law in Social Networks (Network Enforcement Act), providers of social networks that receive more than 100 complaints about illegal content within a calendar year must publish a report on their handling of complaints on their website and in the Federal Gazette. Failure to comply with this obligation can result in fines of up to EUR 5 million.
On 12 March 2019, the Cybersecurity Regulation (commonly referred to as the Cybersecurity Act) was adopted by the European Parliament, after political agreement had been reached between representatives of the European Parliament, the Council and the European Commission. The Regulation has yet to be formally adopted by the Council, and will enter into force 20 days after its publication in the Official Journal of the European Union. The purpose of this act is to strengthen the European Union Agency for Network and Information Security (ENISA) in terms of human and financial resources and to give it a permanent mandate. In addition, the Regulation introduces a European framework for the cybersecurity certification of IT products, processes and services. Security features of IT products and services will be verified by an independent body, allowing users to evaluate the trustworthiness of IT products and services on the market. The Regulation further aims for IT products and services to be built with “security by design”, meaning that security features are to be implemented at an early stage of technical design and development in order to prevent subsequent security vulnerabilities.
The wide range of legislation enacted has improved the detection and remediation of cybersecurity vulnerabilities. However, the high number of cybersecurity attacks shows a need to continuously adapt security standards to evolving risks. Furthermore, the fragmentation of cybersecurity regulation can be profoundly challenging for companies, which may have to go to great lengths to determine the legal framework applicable to them.
The coalition agreement between the Christian Democratic Union and the Social Democratic Party provides for an IT Security Act 2.0. In addition to the industries already covered, cybersecurity obligations are to be extended to developers and suppliers of IT products. Other suggestions for improvement have been less concrete: there have been discussions at the political level as to whether to expand the meaning of “critical infrastructure”. At the moment, critical infrastructure comprises only those operators that provide services of the highest importance to the functioning of the community; this applies to only 2,000 of the 3.5 million companies in Germany. It has therefore been suggested that the term “critical infrastructure” should also encompass operators providing services that are not of the highest, but still of high importance to the functioning of the community. Consumer protection in cyberspace could also be improved. In addition to the cybersecurity certification provided for in the Cybersecurity Regulation, a product liability regime for digital goods, under which the consumer benefits from a reversal of the burden of proof, could be introduced. Moreover, it cannot be ruled out that the fines for non-compliance with cybersecurity standards and violations of cybersecurity reporting obligations will be raised to GDPR levels.
In conclusion, the development of a regulatory framework to improve cybersecurity in public and private spaces is not yet complete.
Should you have any questions concerning the impact cybersecurity regulation may have on your company now or in the future, Dr. Roland M. Stein and Dr. Christopher Wolters are happy to provide assistance.