5 Things to know about the German Draft IT Security Act

On 12th June 2015, the German Parliament passed the IT Security Act. The Act is hailed by supporters as a breakthrough for cyber-security and demonized by opponents, who criticize the focus on large companies and the missing consumer focus.

  1. The IT Security Act introduces mandatory minimum standards for the IT security systems of critical infrastructures as well as the requirement to report significant IT security incidents.
  2. Critical infrastructures are installations and facilities in the sectors of energy, telecommunications, transportation and traffic, health, water and agriculture, as well as finance and insurance, that are important for the community and whose impairment would have adverse effects on supply or public safety.
  3. According to sources, approximately 2,000 companies will fall under the ‘critical infrastructure’ provisions – a separate ordinance will provide further specification.
  4. The Federal Office for Information Security (BSI) will be responsible for enforcing compliance with minimum standards – including the right to impose fines for non-compliance.
  5. The IT Security Act is in line with the EU Network and Information Security Directive (NIS), which is currently being negotiated between the EP and the Council.

For more information on what this means for your business, please contact Markus Weidling in our Berlin office on +49 30 28 88 29 17