Upcoming Cyber Security Law in Germany is introducing severe fines

Four years after Germany adopted its first Cybersecurity Law – which Brussels subsequently followed with the EU NIS Directive – the German government is now revising the existing German rules. A draft law published last week proposes broadening the scope of the existing regulation and introducing GDPR-type fines for certain violations of the law. The draft is still at an early stage of the legislative process and subject to amendments by the various committees. However, its adoption is planned before the summer break and, if it comes into force as currently proposed, it will push cyber security even higher on the compliance agenda of companies doing business in Germany – comparable to the push we have seen since May 2018 with data protection under the GDPR.

Broadening the scope to IT product providers and adding sectors of specific public interest

The draft law proposes extending the scope of the law to manufacturers of ‘IT products’ for critical infrastructure companies, whereby ‘IT products’ cover software as well as hardware. Manufacturers and providers of IT products will be obliged to report IT security incidents concerning their IT products to the authorities where the incident leads to a considerable impairment of the critical infrastructure’s functioning. In addition, manufacturers and providers of IT products (including the full supply chain for such products) that have been specifically developed for use by a critical infrastructure will have to provide a declaration of trustworthiness to the customer; the Ministry of the Interior will detail the requirements for such a declaration.

The scope will further be extended to companies of specific public interest, such as certain media companies relevant to the formation of public opinion, certain companies regulated under the Frankfurt stock exchange rules (prime standard), to be specified by government regulation, and certain companies from the defence sector.

Fines comparable to GDPR

Currently, fines for non-compliance with cyber security measures are at a moderate level, ranging from EUR 50,000 to EUR 100,000, and the German IT Security Authority (BSI) applies a collaborative approach towards the companies concerned. With the proposed draft law this could change considerably. The suggested fines are:

  • up to 4 % of total worldwide turnover or EUR 20 million, whichever sum is higher, for non-compliance with an order of the BSI; and
  • up to 2 % of total worldwide turnover or EUR 10 million, whichever sum is higher, for any other non-compliance with a company’s obligations under the law, e.g. failure to implement IT security measures, to meet incident reporting obligations, or to meet registration obligations.

Enhanced power of BSI to review vulnerable systems

Among the numerous additional tasks that the draft law allocates to the BSI, the BSI may take measures to detect and analyse malware, security gaps and other security risks in publicly available IT systems and require the operators of such systems to adopt counter-measures. This is aimed at preventing botnets from spreading and at enhancing security within the IoT.