On July 25, 2015, the long awaited and controversially discussed IT-Security Act (ITSA) came into force. The new law which is part of the Government’s ‘Digital Agenda’ aims to improve IT security in Germany and requires operators of critical infrastructure to implement minimum IT security measures and introduces a reporting scheme for IT security incidents. It further obliges providers of commercial telemedia services to implement state of the art security measures to prevent unauthorized access and to protect personal data. Providers of publicly available telecommunications services or networks and energy network operators are subjected to additional obligations through amendments of the respective sector legislation.

Who is affected by the ITSA?
The new law primarily applies to operators of critical infrastructure in the energy, IT, telecommunications, transport and traffic, health, water, food, finance and insurance sectors. Whether an entity operates a ‘critical infrastructure’ is determined based on qualitative and quantitative criteria. A critical infrastructure is any facility, installation or part thereof which is of great importance to the public (qualitative element) because a breakdown or impairment thereof would result in significant supply shortages for a significant number of users (quantitative element). The actual scope of this definition is still to be further specified by the Federal Ministry of the Interior in a separate ordinance which shall provide additional guidance on the qualitative element and is also expected to contain thresholds for the assessment of the quantitative element. Irrespective of this upcoming definition, providers of publicly available telecommunications services or networks as well as license holders under the Atomic Energy Act and operators of power supply networks and energy facilities are already subjected to obligations that will be applicable to operators of critical infrastructures.

The ITSA applies to both private and public entities based in Germany but also to foreign entities to the extent they provide infrastructure in Germany. It will further be relevant to all suppliers and contractors of operators of critical infrastructure as operators are expected to pass-through their obligations under the new law in contractual agreements to their suppliers and contractors. The new security requirements for telemedia services will apply to any provider of commercial telemedia services.

New requirements under the ITSA
  • Operators of critical infrastructure, except for providers of publicly available  telecommunication services or networks to which the relevant obligations already apply under the Telecommunications Act, are obliged to implement adequate technical and organisational measures to protect and safeguard the availability, integrity, authenticity and confidentiality of their IT systems. These measures have to be state of the art, must be fully implemented within two years following enactment of the ordinance and then demonstrated to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - BSI) every two years.
     
  • Within six months following enactment of the ordinance operators of critical infrastructure have to appoint a contact within their organisation for ongoing communications with the BSI in the planned notification scheme.
     
  • Operators of critical infrastructure further have to notify the BSI of any security incidents regarding their IT systems, components or processes that could lead to a failure or impairment of the critical infrastructure. Such notifications shall be made through the appointed contact but may be submitted anonymously where such incident did not result in any actual impairment or failure of the IT systems.
     
  • In addition to existing obligations, providers of publicly available telecommunications services or networks now also have to notify the Federal Network Agency without undue delay of any security incident which may lead to unauthorized access to user systems or a disruption of availability (no actual impairment required). Providers of publicly available telecommunication services are further obliged to notify users of known disruptions rooting from users’ IT systems and to provide users, where adequate, with information on appropriate, effective and accessible technical measures to detect and remedy such disruption. The above obligations are introduced through amendments to the Telecommunications Act by the ITSA.
     
  • Providers of commercial telemedia services, irrespective of any critical infrastructure requirement, are obliged to take state of the art, technically possible and commercially reasonable measures to prevent unauthorized access to the technical systems used for their service and to protect these systems against data protection violations and (external) disturbances.

Violations of these requirements may result in fines of up to EUR 50.000 for telemedia service providers and telecommunications providers and up to EUR 100.000 for operators of critical infrastructure.

Relation to data protection obligation

The obligations under the ITSA will apply in addition to existing requirements, e.g. the obligations to take technical and organisational measures and to report data breaches under the Federal Data Protection Act. It still remains unclear how these requirements correlate, in particular if and to what extent the new exceed existing requirements, but it will in any case be necessary to match any existing measures and procedures against the new legal framework.

Outlook
The ITSA imposes many new, and partly far reaching, obligations on operators of critical infrastructure, telemedia service and telecommunications providers that require careful planning, yet timely implementation. In the assessment when and how to implement the new requirements it is necessary to also observe the current developments in the European Union, namely the Network and Information Security Directive as well as the General Data Protection Regulation. Both pieces of legislation contain similar and related requirements regarding IT security and a coordinated implementation, taking into account existing and proposed future requirements, may considerably limit work and (financial) efforts to comply with all requirements in this complex regulatory framework. In addition, telecommunications providers have to continue to comply with EU Regulation No. 611/2013 on the notification of personal data breaches.

Authors