On December 16, 2020, the German Federal Government adopted a draft law that substantially amends several of Germany’s information technology laws (“IT laws”). The amendments aim to adapt the current legal framework to the increasing digitalization of products and services, the proliferation of IoT products, and the emergence of new cybersecurity threats. The draft law is expected to be passed by the German Parliament in the first quarter of 2021.

The draft law is called the “Second Act to Increase the Security of Information Technology Systems” or “IT Security Law 2.0” (Zweites Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme or IT-Sicherheitsgesetz 2.0). As the name indicates, this is the second amendment to Germany’s IT laws; the first was enacted in July 2015.

The draft law substantially amends the following three laws:

  • the Law on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik);
  • the Telecommunications Law (Telekommunikationsgesetz); and
  • the Electricity and Gas Supply Law (Gesetz über die Elektrizitäts- und Gasversorgung).

Objectives

The amendments proposed by the draft law are intended to:

  • strengthen the Federal Office for Information Security (“Federal Office”) – more concretely, to:
    • strengthen the Federal Office’s auditing and control powers over the IT systems and products used by the federal administration; and
    • grant the Federal Office the power to:
      • process log data generated by the federal administration’s IT systems and products, and deploy systems and procedures to detect security threats and inform those affected about these threats;
      • request log data from any entity providing, or participating in the provision of, telecommunication services to the federal administration, with certain exceptions; and
      • establish minimum security standards for IT systems and products used by the federal administration.
  • strengthen consumer protection in the area of IT security – more concretely, to grant the Federal Office the power to:
    • take measures to further consumer protection in the area of IT security, for example by warning consumers about security threats and issuing guidance on the actions consumers should take to prevent those threats; and
    • establish an IT security label to inform consumers about the IT security of products (N.B., the label does not attest the products’ data protection compliance).
  • strengthen the precautionary measures implemented by businesses – more concretely, to:
    • improve the overall level of security of IT systems and products put on the German market, by granting the Federal Office the power to:
      • examine IT products and systems made available on the market or intended to be made available on the market; and
      • order telecommunications service providers with more than 100,000 customers, and information society service providers, to take certain technical and organizational measures in order to protect their services against identified security vulnerabilities.
    • improve the overall level of security of the IT systems of critical operators:
      • require critical operators, such as operators of energy supply networks, to deploy systems and procedures to appropriately detect security threats, to identify and prevent threats on an ongoing basis, and to take appropriate remedial actions.
    • improve the overall level of security of the IT systems of companies that are not critical operators but whose activities are of particular public interest (N.B., these companies will be listed in a Government Ordinance):
      • apply to these companies the same obligations imposed on critical operators.
  • strengthen the German State’s protective function – more concretely, to:
    • require manufacturers of critical components to issue a warranty declaration guaranteeing that they take certain measures to secure those components; and
    • prohibit operators of critical infrastructures from using critical components that have not been evaluated and certified by an accredited certification body.

The draft law is part of the Federal Government’s objective of ensuring that German IT laws keep pace with the fast-developing IT landscape. It is in line with the EU’s recently published Cybersecurity Strategy, which seeks to increase the level of cyber resilience of all relevant sectors (see our earlier blog post on that strategy).

The team at Covington will continue to monitor developments in the cybersecurity space.