On 25 July 2015, the new IT Security Act entered into force in Germany. The law aims to improve IT security in companies and public bodies, especially in the field of critical infrastructure, and to that end stipulates minimum security standards and reporting obligations for operators and providers of communication systems.

The law will affect institutions listed as “critical infrastructure” such as energy, information technology, telecommunications, transport and traffic, health, water, and food supply, as well as finance and insurance firms.
The new cyber-security law obliges firms and federal agencies to certify that they meet minimum cyber-security standards and to obtain Federal Office of Information Security (BSI) clearance. Operators of critical infrastructure will have to report significant security incidents and even suspected cyber-attacks to the BSI. The law gives companies two years to introduce cyber-security measures. Fines of 100,000 Euro for non-compliance will be enforced.

The BSI will also be expanded to become the international center for IT security. One of its new main tasks will be to evaluate the reports of possible cyber-violations in critical infrastructure. The Federal Intelligence Service (BND) will be allowed access to foreign data linked to malware signatures and malware traces.

It is important to note that the operators of critical infrastructure will also look toward suppliers and service providers when it comes to compliance with the new requirements. The new cyber-security law therefore affects many more market players than just the operators themselves.

It is thus advisable that all potentially affected parties assess to what extent they may be affected and what technical and organisational security measures need to be implemented.

Moreover, companies need to be mindful that this national cyber-security law is only one step. EU lawmakers are currently planning a new Network and Information Security Directive, which could bring some further cyber-security obligations.