In the wake of ever-increasing cyber-security threats, Germany has passed legislation requiring more than 2,000 essential service providers to implement new minimum information security standards. The law applies to institutions designated as "critical infrastructure," including transportation, health care, water utilities and telecommunications providers, as well as finance and insurance firms. It gives these companies two years to introduce the required cyber-security measures; those that fail to do so face fines of up to €100,000 ($111,000).
The Bundesrat-approved IT security law obliges firms and federal agencies to certify compliance with minimum cyber-security standards and to obtain clearance from the Federal Office for Information Security (BSI). The companies must also notify the BSI of suspected cyber-attacks on their systems. The new rules further oblige telecommunications providers to warn customers when their connection has been abused, for example as part of a botnet, and to retain traffic data for up to six months for investigative purposes, a retention requirement that potentially conflicts with privacy rights.
The BSI will also be expanded into the central authority for IT security. Its main task will be to evaluate reports of suspected cyber-attacks on critical infrastructure. The Federal Intelligence Service (BND) will be allowed to access foreign data relating to malware signatures and malware traces. In addition, the Federal Office for the Protection of the Constitution (BfV) will assist the BSI in assessing the potential impact of cyber-attacks on the availability of critical infrastructure facilities, while the Federal Criminal Police Office (BKA) will be responsible for investigating cyber-crimes such as data espionage, interception and manipulation.