Contributed By HEUKING
It is further worth noting that on 1 December 2023 a political agreement on the EU Cyber Resilience Act (CRA) was reached. Only the formal approval of the European Parliament and the Council is still pending. The CRA addresses the Internet of Things (IoT) and is the first ever EU-wide legislation that introduces mandatory cybersecurity requirements for software and connected hardware throughout their entire lifecycle. The proposed act directly impacts the manufacturers and retailers of any software and connected hardware, proposing various obligations upon them. The new obligations introduced in this act aim to ensure that cybersecurity is a key aspect in all design decisions that are made during a product development lifecycle.
Differences Between Data Breach Incidents and Cybersecurity Incidents
A data breach incident is one that results in a violation of statutory provisions regarding the protection of personal data. The aim of data protection laws, such as the GDPR, the BDSG or the data protection laws of the German federal states, is mainly to protect the general personal rights of the natural persons concerned.
In contrast to data protection, cybersecurity is about protecting data, regardless of whether it is personal or not. The term cybersecurity therefore also includes data which is not considered personal data.
Cybersecurity is about countering security risks and protecting data from, for example, manipulation, loss or unauthorised access and the measures that must be taken to protect the data against those risks.
Penalties
Infringements of the provisions set out in the German Data Protection Act and the GDPR with respect to cybersecurity are subject to administrative fines of up to EUR10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The TKG and EnWG provide for fines of up to EUR100,000, while the BSIG provides for fines of up to EUR50,000. (If operators of public telecommunications networks do not submit the mandatory security concept to the Federal Network Agency immediately after the start of network operation, they are threatened with a fine of up to EUR100,000 under the TKG. Violations of the notification obligation are punishable with fines of up to EUR50,000 under the TKG. For non-compliance and in the case of disregard of the reporting obligations, the EnWG provides for fines of up to EUR100,000 and the BSIG for fines of up to EUR50,000.)
The NIS2 Directive provides for fines of up to EUR10 million (essential entities)/EUR7 million (important entities) or up to 2% (essential entities)/1.4% (important entities) of the total worldwide annual turnover of the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.
The penalties provided for by the StGB range from a fine to a prison sentence of up to five years (for computer fraud).
The penalties provided for within the scope of the EU Cyber Resilience Act, are comparable to those of the GDPR and fines for non-compliance with basic safety requirements can amount to up to EUR15 million or 2.5% of the previous year’s worldwide group annual turnover, whichever is greater. For violations of other obligations, the limits are EUR10 million or 2% of the worldwide consolidated annual turnover of the previous year.
Data Protection Authorities
In addition to the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, BfDI), each federal state has data protection authorities. Each supervisory authority has powers of approval, advice, investigation and remedy. They conduct investigations into the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority. They may also initiate legal proceedings.
National Cyber Defence Centre (Nationales Cyber-Abwehrzentrum, or Cyber-AZ)
The Cyber-AZ was established to optimise operational co-operation between various authorities and to co-ordinate protection and defence measures.
The following authorities are currently represented in the Cyber-AZ: Federal Office for Information Security (BSI), Federal Criminal Police Office (BKA), Federal Police (BPol), Federal Office for the Protection of the Constitution (BfV), Federal Intelligence Service (BND), Federal Office for Military Counterintelligence (BAMAD), Federal Office of Civil Protection and Disaster Assistance (BBK), German Armed Forces (BW), Cyber Defense Bavaria, Hessen CyberCompetenceCenter (Hessen3C), Specialised Public Prosecutor’s Offices for Cybercrime from Bamberg and Cologne and Federal Financial Supervisory Authority (BaFin).
In the Cyber-AZ, details on cyber-attacks on information infrastructure is compiled, evaluated and consolidated. This allows all authorities to benefit from the shared knowledge.
German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI)
In 1991, Germany established the BSI. The office provides security advice to users and standards for public and private bodies. The guiding principle of the BSI is: “As the federal cybersecurity authority, the BSI shares information security in digitisation through prevention, detection and reaction for the state, economy and society.”
Federal Criminal Police (Bundeskriminalamt, or BKA)
As the central office of the German police, the BKA assumes responsibility for co-ordinating tasks in the area of cybercrime, provides information and tools, and is the hub for international co-operation. Furthermore, the BKA conducts investigations in the area of cybercrime within the scope of its responsibilities: for example, if federal authorities, institutions or security-sensitive units of vital institutions are affected, the BKA is usually in charge of the investigations.
Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz, or BfV)
The BfV monitors and analyses the activities of foreign governments and states, directed against Germany, and supports threatened agencies and victims of cyber-attacks.
UP KRITIS
The UP KRITIS is a public-private co-operation between operators of critical infrastructure, their associations and the responsible government agencies. The central objective of UP KRITIS is to maintain the supply of critical infrastructure in Germany. UP KRITIS is a cross-sector co-operation platform for IT security between operators of critical infrastructure and their supervisory authorities. The BSI provides all participants in the UP KRITIS with information and warnings on IT security. In addition, the operators and authorities in the working groups exchange information about new challenges in the area of IT security in critical infrastructure and possible solutions for these, as well as developing recommendations for this purpose. The UP KRITIS working groups are also used to develop industry-specific security standards. These serve as guidelines for implementing the legal requirements of the BSIG.
Economic Protection Initiative (Initiative Wirtschaftsschutz)
The Economic Protection Initiative has established itself as an umbrella organisation for a holistic economic protection model against digital or non-digital attacks – supported by all relevant state and economic players. In this alliance, the leading business associations as well as the security associations work together effectively with the security authorities, for the defence against concrete threats, especially from industrial espionage and white-collar crime.
German Competence Centre Against Cyber Crime (G4C)
The G4C is an independent, operational association and its members include various companies (especially banks). The BKA and BSI are co-operative partners of the G4C. It develops assistance, methods and recommendations for prevention of cybercrime based on the exchange of information about cybercrime phenomena.
Central Office for Information Technology in the Security Sector (Zentrale Stelle für Informationstechnik im Sicherheitsbereich, or ZITiS)
The Central Office for Information Technology in the Security Sector is an unincorporated federal agency under the authority of the Federal Ministry of the Interior and Community. ZITiS is responsible for supporting and advising federal authorities with security tasks, in relation to information technology capabilities. For this purpose, the central office develops and researches methods and tools.
Computer Emergency Response Team for Federal Authorities (CERT-Bund)
The CERT-Bund is the central contact point for preventative and reactive measures in the event of security-relevant incidents in computer systems. It serves as a warning and information service for authorities and private internet users. It provides information about security leaks in software, provides a weakness indication (green/yellow/red) for commonly used software and lists present and past security holes.
Digital Cluster Bonn
The Digital Cluster Bonn is a voluntary coalition of six German Federal Authorities: Federal Financial Supervisory Authority (BaFin), Federal Office of Justice (BfJ), Federal Office for Information Security (BSI), Federal Commissioner for Data Protection and Freedom of Information (BfDI), Federal Cartel Office (BKartA) and Federal Network Agency (BNetzA). The aim of the Cluster is to strengthen co-operation in the digital sector by facilitating an exchange of information and experience. A key focus of the initiative is the field of regulation and supervision.
The supervisory data protection authorities have powers of investigation and remedy. They conduct investigations on the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority. They may also initiate legal proceedings.
They may use the following methods for their investigation purposes:
In general, data protection authorities tend to visit larger companies or those companies whose processing operations are likely to result in a high risk to the rights and freedoms of data subjects. Small and medium-sized enterprises are usually only marginally controlled by the authorities so as not to overburden them financially and in terms of personnel.
Companies that have received fines can file objections and take legal action.
Differences Between Personal Data Security Incidents and Other Cybersecurity Events
In the event of a personal data security incident, companies/institutions must report the incident to the competent authority (see 1.2 Regulators). This is the essential difference from a security event. In principle, a personal data security incident is always also a cybersecurity event, whereas a cybersecurity event is not necessarily a personal data security incident.
Each federal state has its own data protection authorities and its own data protection laws, which do not contradict the federal or EU laws, but partly extend them. A federal state’s data protection law only applies to that state’s public bodies.
A good example of the manner in which EU laws have been implemented at the national level is the German NIS Directive Implementation Act (the “Implementation Act”), which came into effect on 30 June 2017 as a transposition of the EU Network and Information Systems Directive (EU 2016/1148 (the “Directive”)). The Implementation Act amended the BSIG, the Atomic Energy Act (Atomgesetz), the EnWG, the Social Security Code V (Sozialgesetzbuch V), and the TKG. The key requirements laid out in the Directive, had, however, already been part of the German IT Security Act (ITSA), which amended the BSIG before the Implementation Act. Therefore, the ITSA assumed the role of “pace-setter” for the Directive. As a consequence of the ITSA, the changes required to be made to the German law resulting from the Directive were relatively small.
The NIS2 Directive, which Germany still needs to implement (NIS2UmsuCG), will necessitate a further adjustment to the BISG and the BSI Criticality Ordinance in 2024. The deadline for member states to incorporate the directive into their national legislation is 17 October 2024.
The Act to Increase the Security of Information Technology Systems (IT Security Act 2.0) came into force on 28 May 2021. This new act is aimed at strengthening the position of the BSI, heightened consumer protection, stronger precautionary corporate obligations and reinforcing the state’s protective functions.
The tasks of the BSI include:
The CERT-Bund informs about security leaks in software and lists present and past security holes.
Alliance for Cybersecurity
An example in this context is the Alliance for Cybersecurity (ACS), which provides companies with up-to-date information on the threat situation in cyberspace as well as practical assistance for the design and implementation of suitable protective measures. Membership is open to all companies and institutions having their headquarters/branch office in Germany. Several thousand companies and institutions have already joined the initiative, which was launched in 2012 by the BSI and the digital association Bitkom, making the Alliance for Cybersecurity a successful model for building trust and profitable co-operation between government and industry in the field of cybersecurity.
Member companies benefit from the expertise of the BSI and their ACS partners, the exchange of knowledge and experience with other companies and institutions on granular topics of cybersecurity and partner services, which in turn increases cybersecurity proficiency within member companies. Furthermore, companies that possess pre-existing expertise in the field of cybersecurity have the opportunity of becoming partners in the ACS to contribute to the network.
The Alliance for Cybersecurity’s extensive information offering includes BSI recommendations on topics such as the secure configuration of software products, securing systems for manufacturing and process automation, and monitoring and detecting network anomalies.
Cybersecurity Council Germany e.V.
In August 2012, the Cybersecurity Council Germany e.V. was founded by well-known personalities. The Berlin-based association is politically neutral and aims to advise companies, authorities and political decision-makers in the field of cybersecurity and to strengthen them in the fight against cybercrime.
The members of the association include large and medium-sized companies, operators of critical infrastructure, numerous federal states, local authorities as well as experts and political decision-makers with an interest in cybersecurity. Through its members, the association represents more than three million employees from the industry and almost two million members of other associations and societies.
The Cybersecurity Council Germany e.V. pursues the following goals:
Member companies are integrated into the council-network, which includes decision-makers in the field of politics, economics, science and society. Members are also integrated into an international network of leaders and heads of cybercommunities. Private member companies are afforded representation of their corporate interests in the political field of cybersecurity.
With the introduction of the GDPR, the EU was the first polity to introduce new regulations in the area of data protection and security of personal data. Furthermore, the regulations apply in a supranational manner throughout the entire EU and other countries use the GDPR as the foundation of their own laws on data security.
The Second EU Data Protection Adaptation and Implementation Act (2.DSAnpUG – EU) was passed in 2019 in order to amend a total of 154 pre-existing laws in an “omnibus process” to further harmonise German data protection legislation with the GDPR. The vast majority of changes under the omnibus act involved aligning the terminology in German federal legislation with the terms used in the GDPR.
Germany also introduced the BSIG before the EU addressed similar topics with the NIS Directive. However, in certain areas, Germany’s federal structure can lead to delays and a patchwork of laws and authorities.
The protection of critical infrastructure enjoys special attention because it is particularly at risk in the context of cybersecurity. The central security requirements for critical infrastructure are set out in the IT Security Act (IT-Sicherheitsgesetz, or IT-SiG) and the BSI Criticality Ordinance (BSI-Kritis-Verordnung, or BSI-KritisV). The central provision for operators of critical infrastructure is Section 8a of the BSiG, which defines the particular organisational and technical precautions KRITIS operators must take and implement appropriately to ensure the security of their IT and processes and provide evidence of this. It also regulates the obligation to report security incidents.
The BISG and the BSI Criticality Ordinance will need to be adjusted in 2024 to comply with the NIS2 Directive. This directive broadens the scope of application by including new sectors and defining a clear size threshold rule. Germany is still implementing the directive (NIS2UmsuCG) and has until 17 October 2024 to do so.
Many operators of critical infrastructure use industrial control systems (ICS) to comply with these special provisions. In contrast to traditional IT, ICS have different requirements for the protection goals of availability, integrity and confidentiality. This manifests itself, for example, in longer operating times and infrequent maintenance windows. The BSI has published an ICS security compendium which defines basic principles for IT security in ICS.
On 10 July 2023, the European Commission issued a new adequacy decision that restored the free flow of personal data from the EU to US companies participating in the Data Privacy Framework. This decision came after a European Court of Justice judgment in July 2020 (Case C-311/18, Schrems II) that had severely limited data transfer from the EU to the US.
No Claim for Damages Without Concrete Damages (Article 82 GDPR)
The European Court of Justice ruled, in its judgment of 4 May 2023, that the mere infringement of the provisions of the GDPR is not sufficient to confer a right to compensation (Case C‑300/21). Data scraping, for example, does not necessarily lead to a claim for damages (Higher Regional Court of Hamm, Judgment of 15 August 2023, 7 U 19/23).
German Whistleblower Protection Act (HinSchG)
The German Whistleblower Protection Act (Hinweisgeberschutzgesetz, or HinSchG) came into force on 2 July 2023. The HinSchG protects individuals who report violations of statutory provisions or other binding regulations from being penalised as a consequence of their report. According to Section 2 (1) No 3 lit. p HinSchG, the scope of application also includes violations of the provisions of the GDPR.
The broad spectrum of applicable law closes many of the security gaps in cyberspace. But the growing number of cyber-attacks makes it clear that security standards must be continuously adapted to the changing risks. A further issue is that the rules on cybersecurity are not condensed into one cybersecurity act but are spread among numerous different laws. This poses profound challenges for companies to determine which legal framework applies to them.
All EU member states agreed on a final version of the AI Act on 2 February 2024, paving the way for a new regulation for artificial intelligence in the EU. The regulation is expected to come into force in 2024, but it still requires a vote by a key committee of EU lawmakers and the European Parliament.
The AI Act divides AI systems into four main categories, based on four different levels of risk: minimal risk, high risk, unacceptable risk, and specific transparency risk. The aim of the Regulation is as follows:
AI and Cyber-Attacks
As AI advances, so does the threat of cyber-attacks. Cybercriminals exploit AI tools to enhance their schemes such as phishing or social engineering, to create malware and to automate attacks. Firms need to be more vigilant and proactive in order to detect malicious messages and secure their IT systems. Moreover, firms and their employees should follow some “in-house rules” for the use of AI tools. These rules should ensure the protection of personal data and trade secrets, among other aspects. For instance, prompt injection attacks are used to steal sensitive data or to alter the results.
The key cybersecurity laws, as opposed to the cybersecurity-related provisions of general criminal law, are:
German Criminal Act (StGB)
Any unlawful alteration, deletion, suppression or rendering unusable of external data fulfils the facts of the case according to Section 303a of the StGB (data alteration). In particularly serious cases, this is also punishable under Section 303b I No 1 of the StGB (“computer sabotage”) and is punishable by imprisonment of up to five years or a fine. Since 2007, distributed denial-of-service (DDoS) attacks have also constituted computer sabotage; the same applies to any action that causes damage to an information system that is essential to another.
Spying on data (Section 202a, StGB) – ie, gaining access to external data that is specially protected against this – is punishable with a prison sentence of up to three years or a fine. Intercepting foreign data in networks or from electromagnetic radiation has also been a punishable offence since 2007. In contrast to Section 202a of the StGB, no special access protection is required here. Procuring, creating, distributing, making publicly accessible, etc, so-called hacker tools has also been a punishable offence since 2007, if a criminal offence is prepared with them (Section 202c, StGB).
According to Section 202a paragraph 2 in conjunction with paragraph 1 of the StGB, data is only protected from being spied on if it is “specially secured” in order to prevent the offence from escalating. This means that only where users protect their data by technical means do they enjoy protection under criminal law. The earlier debate as to whether “hacking” without retrieving data is punishable under criminal law is no longer relevant since the wording of Section 202a paragraph 1 of the StGB was changed in 2007 in such a way that criminal liability begins as soon as access to data is gained. It is also disputed whether encryption is part of special security. Although it is very effective, it is argued that the data is not secured, but is only available in an “incomprehensible” or simply “different” form.
Computer fraud is punishable under Section 263a of the StGB with a fine or imprisonment for up to five years if data processing operations are manipulated to obtain financial gain. Even the creation, procurement, offering, safekeeping or transfer of suitable computer programs is punishable.
Please see 1.2 Regulators.
ENISA
The European Network and Information Security Agency (ENISA) was created in 2004. The objective of ENISA is to serve as a contact point and centre of expertise for the member states and the institutions of the European Union on issues related to network and information security. Its activity consists of:
ENISA also publishes reports and studies on cybersecurity: for example, on privacy, cloud security or the detection of cyber-attacks.
ENISA’s main target groups are public sector organisations, in particular:
The Agency also provides support to:
The European ENISA Regulation 2019/881 (Cybersecurity Act), adopted on 17 April 2019, grants a permanent mandate to ENISA and broadens its powers. ENISA has been made responsible for drafting the European Certification Schemes for Cybersecurity. These are to serve as a basis for the certification of products, processes and services that support the provision of the digital single market.
The BSI
The BSI acts in an advisory capacity to the business community and supports companies of all sizes and from all industries in questions of IT and information security. The objective of the BSI is the preventative promotion of information and cybersecurity in order to enable and promote the secure use of information and communication technology in the state, economy and society.
At federal level, the BSI is also responsible for the protection of critical information infrastructures (KRITIS).
In addition to its advisory function, the BSI co-operates with the business community in a variety of ways. For example, co-operation in the area of certification has long been established. Through the independent testing of IT products and services, the BSI offers manufacturers an opportunity to ensure transparency and more trust in the IT security features of their products and services.
The tasks of the BSI also include:
Please see 1.2 Regulators.
Aspects of cybersecurity are handled by the authorities listed under 1.2 Regulators. Additionally, the Federal Institute for Financial Institutions and Insurances (Bundesanstalt für Finanz- und Versicherungsaufsicht, or BaFin) publishes the MA-Risk, which contains procedural and security requirements to be considered by banks, payment service providers and insurers.
TeleTrusT
The Federal Association for IT Security (TeleTrusT) is a competence network comprising of domestic and foreign members from industry, administration, consulting and science as well as thematically related partner organisations. Due to the broadly diversified membership and the partner organisations, TeleTrusT embodies the largest competence network for IT security in Germany and Europe. TeleTrusT offers forums for experts, organises events or participations in events and gives its opinion on current issues of IT security.
For additional information, please see 1.2 Regulators.
In Germany, the operators of critical infrastructures are obliged by the IT Security Act to comply with certain security standards and reporting requirements. This law was modified to comply with the requirements of the Directive (EU) 2016/1148 (the “NIS Directive”). On 16 January 2023, the Directive (EU) 2022/2555 (the “NIS 2 Directive”) came into force. As a result, the IT Security Act has to be amended to comply with the NIS 2 Directive by 17 October 2024.
However, many companies have chosen to voluntarily comply with the ISO/IEC 27001 and ISO/IEC 27018 standards, as this is a good way to improve cybersecurity. The Federal Network Agency (Bundesnetzagentur, or BNetzA) even explicitly ordered ISO 27001 certification for electricity and gas network operators in its IT security catalogue by 2018. Furthermore, BaFin also refers to common IT standards such as ISO 27001 or the BSI basic protection catalogues in its minimum requirements for risk management.
Further, on 8 February 2023 the International Organization for Standardization (ISO) adopted ISO 31700, which relates to privacy-by-design principles. The new standard does not require conformity immediately. Instead, the standard features 30 requirements and guidance on privacy-by-design principles to enable consumers to “enforce their privacy rights, assigning relevant roles and authorities, providing privacy information to consumers, conducting privacy risk assessments, establishing and documenting requirements for privacy controls, how to design privacy controls, lifecycle data management, and preparing for and managing a data breach”. It can therefore safely be assumed that ISO 31700 will set the benchmark for privacy by design across the globe.
As part of its IT Basic Protection Compendium, the BSI offers guidance on the creation of systematic policies for dealing with security breaches in the section entitled “Detection and Reaction”. These steps walk companies through the task of preparing their own incident information security management policies and establishing minimum requirements, including for:
Additionally, the BSI guidance provides an overview of what it considers to be the best practice when responding to security breaches.
In addition to the BSI standards and recommended practices, international norms such as the recently updated ISO/IEC 27001:2022 represent recognised standards for IT security management systems. ISO/IEC 27035:2023, which builds upon both the former version and on ISO/IEC 27002:2022, also provides a structured standard that is specifically tailored for responses to cybersecurity incidents.
The Federal Crime Office also provides a series of recommendations for companies in a leaflet entitled “Cybercrime: Recommended actions for businesses”, which similarly recommends employee training courses and the establishment of internal procedures prior to breaches, as well as the documentation and collection of information after being the subject of a cybercrime to aid with the investigation. Further examples of measures recommended by the Federal Crime Office include the installation of a filter to prevent DDoS attacks and the isolation of network areas that are the subject of attacks.
Nevertheless, it is usually helpful to develop a framework specifically tailored to the company. For this purpose, sources such as COBIT, NIST and SANS20 should be consulted. These current frameworks for cybersecurity can therefore serve other companies as “idea generators” for the design of internal processes. As an “ISMS-light approach”, small and medium-sized companies can be recommended to use, for example, the “VdS 3473”, which usually represents a preliminary stage for a possible ISO/IEC 27001 and BSI IT-basic-protection certification.
Please see 3.1 De Jure or De Facto Standards.
The Control and Transparency Act
Pursuant to the Control and Transparency Act (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich, KonTraG), which came into force on 27 April 1998, the management of a company is obliged to implement a system for the early identification of developments and risks threatening the continued existence of the company.
The Stock Corporation Act
The German Stock Corporation Act (Aktiengesetz, or GAktG) stipulates that the management board shall be personally liable if it fails to monitor developments that could pose a risk to the company in the future by means of risk management and take appropriate measures to prevent them (Section 91(2) and Section 93(2) of the German Stock Corporation Act). Virtually the same requirements apply in the following cases.
Data Protection Officers
The GDPR establishes the concept of the data protection officer (DPO) at European level. The obligation to appoint a data protection officer affects companies according to their core activities: ie, activities that are essential for achieving the company’s objectives. If these include the processing of sensitive personal data on a large scale or a form of data processing that has particularly far-reaching consequences for the rights of the data subjects, a DPO must be appointed.
There are two ways for groups and companies to fulfil their obligation to appoint a DPO. Either they appoint an employee as internal DPO or an external DPO is appointed.
The tasks of the data protection officer include:
Nevertheless, the company itself remains responsible for compliance with data protection regulations. Failure to appoint a company DPO constitutes an administrative offence subject to a fine.
As stated above, the management of a company is obliged to implement a system for the early identification of developments and risks threatening the continued existence of the company; this includes measures such as internal risk assessments, vulnerability scanning and penetration tests.
Privacy Impact Assessments
Furthermore, Article 35 of the GDPR introduced the instrument of a privacy impact assessment (PIA) or data protection impact assessment (DPIA). A PIA or DPIA must always be conducted when the processing could result in a high risk to the rights and freedoms of natural persons. The Article 29 Working Party published a list of ten criteria that indicate that the processing bears a high risk to the rights and freedoms of a natural person.
In the course of a PIA or DPIA, the effects of data processing on data subjects must be evaluated and effective IT security measures established. Operators of critical infrastructures even have to implement preventative protection measures according to the “state of the art” in order to protect the critical infrastructure from a cyber-attack.
ENISA provides practical advice and solutions to the public and private sector institutions of member states and to EU institutions. Please see 2.3 Over-Arching Cybersecurity Agency for additional information.
Article 32 of the GDPR provides security requirements for the processing of personal data. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In this process, they shall take into account various aspects, such as:
The technical and organisational measures may include pseudonymisation and encryption or regular testing, assessments and evaluations of the effectiveness of the technical and organisational measures. What constitutes an appropriate level of protection arises, inter alia, from the risks represented by the processing, in particular by destruction, loss or alteration, whether accidental or unlawful, or unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
For additional information, please see 3.3 Legal Requirements and Specific Required Security Practices.
Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements and Specific Required Security Practices.
Pursuant to Section 8a of the BSIG, operators of critical infrastructures – including intrusion detection systems – must implement IT security in accordance with the “state of the art” and regularly demonstrate compliance with it to the BSI. They are obliged to take appropriate organisational and technical precautions to avoid disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that are essential for the functionality of the critical infrastructures they operate.
If security deficiencies are discovered, the BSI may order their elimination in agreement with the supervisory authorities. In addition, according to Section 8b of the BSIG, the BSI becomes the central reporting office for IT security of critical infrastructures. Operators must report significant faults in their IT to the BSI if such faults could have an impact on the availability of critical services. If reportable faults occur at a critical information infrastructure (KRITIS) operator, the BSI may, if necessary, also require the manufacturers of the corresponding IT products and systems to co-operate. Furthermore, according to Section 7a of the BSIG, the BSI is granted the authority to examine IT products for their security in order to perform its tasks.
For additional information, please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements and Specific Required Security Practices.
Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements and Specific Required Security Practices.
Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements and Specific Required Security Practices.
The CRA aims to ensure IoT device security within the EU. Once the regulation comes into force, it applies directly in Germany.
In relation to the manner in which data and IT security is regulated within an IoT platform, there is no IoT platform-specific regulatory framework that has been enacted in Germany. However, the prevalent data privacy and IT security regulations cover aspects of the IoT industry and supply chain landscape. There are also certain technical regulations that govern the same.
With regard to the collection and use of personal data, which is often done by consumer IoT devices (eg, location data), the GDPR applies, along with federal data protection rules. Depending upon the industry sector, there may be additional sector-specific rules to be adhered to (eg, telecommunications sector). Article 32(1) of the GDPR lists certain technical and organisational measures (TOMs) to be taken by the controller to protect personal data. Furthermore, and technologically upstream of the TOMs, Article 25(1) of the GDPR stipulates the principle of data protection by design. According to this principle, the data controller is obliged to take into account the protection of personal data during the development of a product. However, it must be noted that the requirements posed by the GDPR are technologically neutral and Article 32(1) only lists a few possible measures as examples. Nevertheless, the required security level is high and could result in a significant improvement in IT security to the IoT if properly implemented.
Since the introduction of the GDPR, however, there has been no noticeable improvement in IT security in the area of the IoT in practice. The enforcement of the GDPR is even more complicated with regards to the supply chain of IoT devices, since measures under the GDPR may only be directed against the controller. This means that data protection authorities cannot take action against manufacturers, suppliers, importers or sellers, even if the controller evades access by the authorities.
The German IT Security Act 2015 focuses on telecommunications and media companies, as well as service providers operating in “critical infrastructure”. Such infrastructure relates to telecommunications, technology, health and water. Any such market player is obliged to take effective measures in order to prevent IT security issues.
Article 1(1) of the EU Cybersecurity Act (the “Act”) defines a framework for the establishment of a European cybersecurity certification for ICT products, ICT services and ICT processes. The Act could be applicable to IoT devices if they represent ICT products. However, it must be noted that the Act does not impose any binding requirements on the IT security of IoT devices in general. Instead, Articles 46 et seq of the Act provide only a voluntary certification framework, which does not create any obligations for the manufacturers to carry out certification or even third-party scrutiny procedures.
Since 1994, the BSI has published an annual catalogue detailing over 1,600 best practices and recommendations on how to secure IT infrastructure (the Grundschutz Kompendium). Upon demonstrating compliance with the Grundschutz Kompendium, organisations may obtain certification under BSI Standards 200-1 to 200-3. One of the chapters relates explicitly to IoT devices. Even though they are not legally binding, the Grundschutz Kompendium recommendations have gained considerable relevance since a number of statutory provisions refer to its content and thresholds.
In May 2019, the German Institute of Standardisation published a new standard called Information Technology – IoT capable devices – Minimum Requirements for Information Security (ie, the DIN SPEC 27072). It provides for the requirements to change the standard password after initial use, authentication requirements, establishment of dedicated update mechanisms, etc. However, the scope of DIN SPEC 27072 is limited to IT security in relation to consumer IoT devices.
The European standard, Cyber Security for Consumer Internet of Things: Baseline Requirements (ETSI EN 303 645 (2020-06)) defines baseline security requirements for IoT devices for consumers. Its generic nature allows the standard to cover a wide range of devices in the IoT environment – from smartwatches to intelligent washing machines. Manufacturers can voluntarily implement the requirements when developing (security by design) and manufacturing their products.
There are no special requirements applicable to ransomware attacks besides the general ones that apply to other data breach and cybersecurity incidents. Government authorities strongly advise against paying the ransom. If a company pays the ransom, it is likely to become a target for other ransomware attacks. Additional risk exists due to the identity and location of the recipient of the ransom being unknown. The anonymity of the ransomware attacker may lead to a situation wherein the recipient or its country is listed on sanctions lists or is embargoed, for example by the USA, EU, UN or Germany. In that case, the paying company could be prosecuted for paying the ransom.
The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The BSIG uses the word “malfunction” or “disruption” rather than data breach or incident. Relevant is a malfunction to the availability, integrity, authenticity and confidentiality of information technology systems, components or processes that (can) lead to a malfunction or significant impairment of the functionality of the critical infrastructures.
For additional information, see 1.1 Laws and 1.3 Administration and Enforcement Process.
Any data that is personal data according to Article 4 No 1 of the GDPR is covered.
All systems that are used to process personal data are covered.
Pursuant to EU Regulation 2017/745, medical devices are subject to cybersecurity requirements when they include software components. The EU Regulation 2017/746 covers in vitro diagnostic medical devices for human use.
On 15 March 2023, Regulation (EU) 2023/607 entered into force. The regulation amends EU Regulation 2017/745 and 2017/746 by introducing a longer transition period, which provides medical device manufacturers more time to certify medical devices.
There are no special or additional legal requirements concerning industrial control systems. However, whenever there is processing of personal data, the GDPR is applicable.
The CRA seeks to protect IoT devices from cyberthreats in the EU. It requires products with digital components to meet certain basic cybersecurity standards. Manufacturers must show that their products comply with the relevant standards.
Additionally, whenever there is processing of personal data, the GDPR is applicable.
ENISA has published a list of good practices with respect to security of the internet of things in the context of smart manufacturing and developed an interactive web-based online tool aimed at guiding IoT operators and smart infrastructure firms when conducting risk assessments.
The aim of the CRA is also to ensure for products with digital elements that hardware and software products have fewer vulnerabilities and to ensure that manufacturers take security seriously throughout a product’s life cycle.
Pursuant to Section 327f German Civil Code (Bürgerliches Gesetzbuch, or BGB) traders must provide consumers with the necessary updates, including security updates. This applies for the supply period if there is a continuous supply contract or for the period that the consumer may reasonably expect.
Additionally, whenever there is processing of personal data, the GDPR is applicable.
Every year, the BSI publishes the Basic IT Security Compendium (IT-Grundschutz-Kompendium), the fundamental guideline on basic IT security. The Basic IT Security Compendium focuses on the so-called Basic IT Security Building Blocks (IT-Grundschutz-Bausteine). These modules include software development, patch management and change management.
Article 33 of the GDPR provides that in the event of a breach of the protection of personal data, the controller must notify the competent supervisory authority without delay and, if possible, within 72 hours. To facilitate notification, the supervisory authorities have set up extensive input masks that can be processed online.
Notification may only be dispensed with if the violation “is not likely to pose a risk to the rights and freedoms of natural persons”. However, when processing data on behalf of a contractor, the contractor must immediately inform the responsible party (“controller”) about the data breach and support the responsible party in reporting the data breach by providing the responsible party with the information available to them (Article 28 paragraph 3(f), GDPR). Where the breach of the protection of personal data is likely to present a high risk to the personal rights and freedoms of natural persons, the controller shall notify the data subject of the breach without delay (Article 34 paragraph 1, GDPR).
Pursuant to Section 8b of the BSIG, operators of critical infrastructures must immediately report to the BSI any disruption to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that (can) lead to a failure or significant impairment of the functionality.
The body of the independent federal and state data protection authorities (Datenschutzkonferenz, or DSK) has published a short paper that serves as a first orientation (especially for the private sector) to the manner in which to conduct a risk assessment. According to this, the risk assessment should be done in the following phases.
Risk Identification
In order to identify data protection risks, the following questions can be used as a starting point.
Estimation of the Probability of Occurrence and Severity of Possible Damage
The probability of occurrence and severity are estimated for each potential loss. In general, they cannot be mathematically summarised or calculated. One way of measuring a risk is to show a gradation of the severity and probability of occurrence of a possible loss on a scale, with four values: slight/low, manageable, substantial and big/high.
Allocation to Risk Grades
Once the probability of occurrence and the severity of possible losses have been determined, they must be assigned to the risk categories “low risk”, “risk” and “high risk”. If the potential damage is large and the probability of occurrence is high, there is a high risk. If, on the other hand, the possible damage is small and the probability of occurrence low, there is a low risk.
Sector-Specific Risk Management
Pursuant to Section 8b of the BSIG, operators of critical infrastructures must immediately report to the Federal Office for Information Security any disruption to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes. However, a notification is not required if the disturbance does not and/or cannot lead to a significant impairment of the operability of the operated critical system.
According to the minimum requirements for risk management in banks and financial service providers (MaRisk) issued by BaFin, the following risks are to be classified as material:
The institution must set up appropriate risk management and risk controlling processes that ensure the identification, assessment, management, monitoring and communication of the main risks and associated risk concentrations.
GDPR Considerations
Furthermore, GDPR Recitals 75 and 76 require that, when assessing risk, consideration should be given to both the likelihood and severity of the risk to the rights and freedoms of data subjects. It further states that risk should be evaluated on the basis of objective assessment. Article 29 of the Working Party Guidelines recommend that controllers consider the following specific criteria when assessing the risk of harm:
Lastly, ENISA has produced recommendations for assessing the severity of a potential breach.
The BSI recommends the following basic measures for cybersecurity:
Any conflict or issue with cybersecurity will most likely involve personal data. In that case, the GDPR and the BDSG will be applicable. This underlines the strong connection between cybersecurity, privacy and data protection.
Under Article 33 of the GDPR, in the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory data protection authority. This includes information about:
Pursuant to Section 8b of the BSIG, operators of critical infrastructures must immediately report to the BIS any disruption to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that (can) lead to a failure or significant impairment of the functionality.
The notification shall contain information on the failure, on possible cross-border effects and on the technical conditions, in particular the presumed or actual cause, the information technology affected, the type of facility or installation affected, the critical service provided and the impact of the failure on that service.
The BSI founded the Alliance for Cybersecurity in order to strengthen Germany’s resistance to cyber-attacks. Participants in the Alliance for Cybersecurity will have access to an extended range of services, in particular information on the cybersecurity situation, alerts and further background information. Due to the partially confidential nature of this information, the sharing of this content must be restricted and is subject to restrictions under the Traffic Light Protocol (TLP).
Currently, 4,178 companies and institutions are members of the initiative – and more are joining every day. IT service and consulting companies and IT manufacturers are equally represented in the network as user companies of all sizes and from all sectors. This diversity is an important guarantee for a rich exchange of IT expertise and application experience, from which all participants benefit.
The highest fine imposed by German data protection authorities is EUR35.3 million. The fashion group H&M requested and stored private personal data of its employees. Due to an IT issue, the personal data was made visible to the entire company. H&M accepted the fine.
1&1 Telecommunication SE was fined EUR9.5 million because it had not taken sufficient technical and organisational measures to protect personal customer data.
These fines are all based upon violations of the GDPR. As yet, the BSI has not exercised the right to impose a fine for violations of the BSIG.
Please see 8.1 Regulatory Enforcement or Litigation.
The applicable legal standards are provided by the GDPR, the BDSG, the TKG, the BSIG, the EnWG and the EU Cybersecurity Act.
The highest claims for damages due to breaches of data protection regulations have so far been imposed by Labour Courts. The plaintiffs were awarded damages in the amount of EUR10,000.
In Germany, class actions are generally not permitted, as German law does not allow for group actions. In general, each plaintiff must present and prove their individual affectedness, individual damage and the causal link between the two.
The Model Declaratory Action
However, in 2018, the model declaratory action was introduced. This enables claims of a large number of consumers who have suffered similar damage to be efficiently enforced. Registered consumer protection associations have the option to establish factual and legal prerequisites for the existence or non-existence of claims or legal relationships determined in favour of at least ten affected consumers. The model declaratory action is conducted exclusively between the plaintiff, the consumer protection association and the defendant. The affected consumers can register their claims in a register of actions and thus achieve the suspension of the limitation period of their possible claims. The ruling on the model declaratory action has a binding impact on the subsequent actions of the consumers. It is to be expected that this instrument will be used for damage claims according to Article 82 of the GDPR.
A data breach at Mastercard prompted a model declaratory action by 2,000 customers, who each received EUR400 in damages after a settlement was reached.
A few model declaratory actions have been brought in Germany since 2018. It seems that German courts are carefully considering whether or not those bringing the claims fulfil the requirements of a “qualified institution”. Where the courts are not satisfied that the claimant associations pursue the rights of consumers, but instead forward their own financial interests, the action is terminated.
The Volkswagen model declaratory action revealed that it took the courts almost one year to hold the first oral hearing. This was because claimants actively encouraged individuals to de-register and pursue their claims individually. The reason behind this is that consumers are often under the impression that stand-alone claims will arrive at a quicker solution. In cases of less complexity, judgments can be expected fairly quickly.
The management of a company has a general duty of care from company and commercial law, especially within the scope of the AktG, GmbHG and HGB. Pursuant to the KonTraG, this obligation includes the recognition and management of cybersecurity risks. Management may be liable for violations. These general cybersecurity obligations of the board of directors include risk identification, risk management, implementation of preventative security measures and information obligations. There are no specific requirements for specified board expertise or training requirements.
There is no legal obligation to appoint a Chief Information Security Officer (CISO) but it is highly recommended as they have the expertise to implement and control an effective cybersecurity concept. These concepts are required to be certified, for example after ISO 27001.
After a cyber-attack, there may be reporting and notification requirements as described in 5. Data Breach or Cybersecurity Event Reporting and Notification. Standards for the recovery and resiliency of business operations are described in ISO 27001 and in BSI-Standard 100-4.
BSI-Standard 200-3 sets standards for risk assessment regarding cybersecurity. For risk assessments regarding the processing of personal data pursuant to the GDPR, see 3.3 Legal Requirements and Specific Required Security Practices.
The GDPR provides for draconian penalties for violations. For this reason and because of the reputational and business risks involved, cybersecurity has become a crucial component of due diligence in the mergers and acquisitions sector. The due diligence process shall at least encompass an analysis of the applicable legal requirements regarding cybersecurity, an analysis of cybersecurity practices and, where appropriate, questions to the management department. Share purchase agreements may include guarantees or safeguards of cybersecurity policies and practices, where appropriate.
There is no regulation requiring disclosure for cybersecurity risk profile or experience.
All significant cybersecurity issues in Germany have already been addressed in this chapter.
It should also be noted that the importance of cyber-insurance is likely to increase in the future. At present, it is mainly of interest for large companies and corporations, as these are usually the primary target of cyber-attacks. However, the threat to small and medium-sized enterprises (SMEs) continues to grow. Cyber-insurance can therefore make sense, especially for SMEs, to cushion the financial losses from a cyber-attack and a resulting loss of business.
Prinzregentenstraße 48
80538 Munich
Germany
+49 89 540 31 160
+49 89 540 31 540
t.jansen@heuking.de www.heuking.de