At the end of last year, the German government published an updated version of the draft IT-Security Act. The latest version is expected to become the final law without major changes – although it is still unclear exactly when it will take effect. This post looks at the latest changes.
I reported on the original bill in my September post here. In general, the revised draft IT-Security Act is similar in scope to the first draft (obligations on notification, security measures, and so on). However, there are many clarifications and changes in the detailed wording that are worth noting.
In particular, the new version of the draft bill is stricter on data protection issues.
Key changes to the draft include the following:
- Providers of critical infrastructures must implement adequate organisational and technical precautions and other measures to protect their IT systems.
- In a significant change to the former draft bill, the obligations on notification and implementation of adequate measures will no longer apply to sectors that are already bound by equivalent or higher security obligations by law, e.g. providers of telecommunication networks, providers of energy networks and providers of nuclear facilities under the German Atomic Energy Act. However, the new IT Security Act will implement duties on other critical infrastructure providers equivalent to those already imposed by the German Energy Act and the German Atomic Energy Act. So, in practice this distinction is academic, since all CI providers will be subject to the same standards.
- Telemedia providers only need to implement those security measures that are economically reasonable.
- Telecommunication providers must have their security concept reviewed by the competent authority (Federal Network Agency) on a two-yearly basis.
- Personal data that is obtained due to actions taken on the basis of the IT-Security Act may not be processed and used for any other purpose.
- The draft of the IT-Security Act allows the assessment of IT products, IT systems or IT services by the German Federal Office for Information Security. This could be done by using reverse-engineering. The results of such an assessment shall only be used for the purposes of IT security, e.g. provision of recommendations. The German Federal Office for Information Security may engage third parties for the assessment unless the manufacturer has legitimate interests against such an engagement. The German Federal Office for Information Security may publish the results of the assessment, but has to give the manufacturer the opportunity to state its views. It will be interesting to see whether the authority will publish many of these assessments.
At the time of writing, the IT-Security Act is still going through the legislative process. The German parliament starts the legislative process on 20 March 2015 which is expected to last until mid-2015 – after which the law will come into force immediately. The updated text of the Bill is available, in German only, here: http://dip21.bundestag.de/dip21/btd/18/040/1804096.pdf.