On June 12, 2015, the German Parliament (Deutscher Bundestag) passed an Act to Improve the Security of Information Technology Systems ("IT-Security Act"). The new legislation requires operators of so-called critical infrastructure to meet minimum standards for IT security and to report significant IT security incidents to the Federal Office for Information Security ("BSI").
This is an important development for both German and non-German entities that provide critical infrastructure products and service in Germany (the law applies to both), and because it imposes a reporting obligation on such companies in the event of a security incident.
The objective of the IT-Security Act is to improve the security of information and IT-systems in Germany by increasing the level of protection regarding the availability, integrity, confidentiality and authenticity of IT-infrastructure. In particular, providers of critical infrastructure (as defined below) will be required to implement and maintain appropriate minimum organizational and technical security standards in order to ensure the proper operation and permanent availability of that infrastructure. Furthermore, the IT-Security Act provides for a greater role for the BSI and recognizes its increased significance as central agency for IT security by expanding its advisory function. Additionally, the BSI will be equipped with the authority to test the security of IT products and systems currently on the market.
This IT-Security Act mirrors aspects of the so-called "NIST Framework" in the United States and related Executive Orders issued by the Obama Administration, all of which focus on sound cybersecurity preparedness and risk mitigation strategies for 16 critical infrastructure sectors in the United States, as provided in Presidential Policy Directive 21 (PPD-21).
What is "critical infrastructure"?
The IT-Security Act defines "critical infrastructure" based on (i) qualitative and (ii) quantitative criteria:
(i) Qualitative factors focus on whether the respective installations or facilities or parts thereof provide critical services that are substantial for a bigger number of members of society. This includes installations and facilities in the sectors of Energy, Telecommunications and Information Technology, Transportation and Traffic, Health, Water and Agriculture, as well as Finance and Insurance. The critical infrastructure will be specified by an ordinance (Rechtsverordnung) to be adopted by the Federal Ministry of the Interior (Bundesinnenministerium) (the "Ordinance"). However, at this time the exact scope of the catalogue of critical infrastructure remains highly controversial.
(ii)Quantitative factors focus on whether in individual case the breakdown or the impairment of the respective installations or facilities, or parts thereof, directly or indirectly induce negative effects to the supply of a substantial number of users, thus relevant to society as a whole (an area of qualitative focus). It is expected that the Ordinance will set thresholds concerning this matter.
For whom does the IT-Security Act apply?
The IT-Security Act provides for IT security obligations of operators of "critical infrastructure" in Germany, regardless of their organizational form. The act clearly applies to German-based companies. However, foreign companies based outside Germany will also be covered to the extent they provide critical infrastructure products or services in Germany. Moreover, both public and private companies would need to comply with the regulations.
What is required from operators of critical infrastructure?
(i) Contact point (Kontaktstelle): Within six months from entry into force of the Ordinance, operators of critical infrastructure are obliged to set up a contact point within their organization. The operator has to notify and will be notified by the BSI via this contact point.
(ii)Organizational measures: Operators of critical infrastructure are obligated to implement adequate organizational and technical measures to protect the availability, integrity, confidentiality and authenticity of such IT systems, components or processes that are crucial for the functioning of the critical infrastructure within two years from entry into force of the Ordinance.
(iii)Providing of evidence: Operators of critical infrastructure will be obliged to prove the implementation of the aforementioned security measures every two years by providing sufficient audit reports or certificates to the BSI.
(iv) Reporting obligations: Operators of critical infrastructure are obliged to notify the BSI via the aforementioned contact point without undue delay in case of interference or impairment that could lead to breakdown or the impairment of the critical infrastructure. In such cases, the operator may notify the BSI on an anonymous basis. The notification must contain information about the technical framework used to provide the critical infrastructure, the security measures implemented and the sector of the operator. Where the impairment actually causes a failure or impairment of the critical infrastructure, such notification has to include the operator's identity.
Any violation of the aforementioned obligations may be classified as a administrative offense which can be punished with a fine of up to EUR 50,000. In case the operator of critical infrastructure refuses to remedy deficiencies determined by the BSI in spite of an enforceable order issued by the BSI, the fine could amount up to EUR 100,000
Although the specific date of the adoption of the Ordinance it is not yet determined, entities that might be regarded as critical infrastructure would be certainly well-advised to face the issues arising from the technical and organizational implementation of the requirements of the IT-Security Act at an early stage, by setting up respective IT-standards and compliance-systems.
Companies operating in the affected business sectors should consider in particular the following points: Does the company come into question as an operator of critical infrastructure according to the IT-Security Act? Do the organizational measures in place to protect the availability, integrity, confidentiality and authenticity of the respective IT system meet the legal requirements and does the technical environment comply with state-of-the-art technology prescribed by law? Is there a monitoring process in place to meet the periodical reporting and IT security incidents notification obligations?
 See NIST Cybersecurity Framework, available at http://www.nist.gov/cyberframework/.
 PPD-21 identifies the following as critical infrastructure sectors: chemicals, commercial facilities, communication, critical manufacturing, communications, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear, transportation, waste and wastewater. See Department of Homeland Security, available at https://www.dhs.gov/critical-infrastructure-sectors.
Orrick's Cybersecurity and Data Privacy Group is an interdisciplinary team with members in the U.S., Europe and Asia. We craft practical solutions across a host of risk management, consumer protection, brand protection, investigatory and litigation contexts. We leverage our relationships with leading privacy and security consultants, domestic and international law enforcement, government, academia and policy groups, so that our clients benefit from multi-angle solutions.
Orrick's Technology Companies Group is passionate about entrepreneurship and shaping the success of early ventures. Our technology-focused, full-service legal practice provides advice on tactical approaches to companies, from incubation to their strategic exit and future growth opportunities. Today's technology companies combine energy and innovation with a focus on long-term growth and success. Leveraging our global resources, including deep-rooted relationships with incubators, angel investors and venture capitalists, we provide critical insight into this rapidly evolving and increasingly competitive marketplace to more than 1,600 technology companies worldwide.