Since 2015, cyber security has been addressed by a series of legal acts in both German and European legislation. These include the German IT Security Act (IT-SiG, 2015), the current draft of the German IT Security Act 2.0 (IT-SiG 2.0), the EU Directive on Network and Information Security (NIS Directive, 2016) and the EU Cybersecurity Regulation, whose adoption was announced for the turn of the year 2018/2019 (it in fact entered into force in June 2019). As an outlook, there is also a still ongoing legislative procedure concerning the draft of a new EU regulation establishing a Competence Centre on Cyber Security.
German IT Security Act
The IT-SiG came into force on 25 July 2015 with the aim of ‘significantly improving the security of information technology systems (IT security) in Germany’ (Bundestagsdrucksache 18/4096, p. 1). It is not a free-standing law that directly imposes obligations on citizens and companies; as a so-called omnibus law (Artikelgesetz), it amends and supplements a number of existing individual laws. Laws amended in this way include the Act on the Federal Office for Information Security (BSIG), the Telemedia Act (TMG), the Telecommunications Act (TKG) and the Federal Criminal Police Office Act (BKAG).
However, the IT-SiG itself largely leaves open which operators and facilities are actually subject to its requirements. That question is answered by the BSI KRITIS Regulation (BSI-KritisV), which the Federal Ministry of the Interior (BMI) is authorized to adopt on the basis of § 10 (1) BSIG. Specifying the scope of application in a regulation rather than in the statute itself was a deliberate choice, made in order to be able to react more rapidly to (above all technical) developments in the sectors concerned: as secondary legislation issued by the executive, a regulation can be amended more easily than a formal act of parliament and is therefore better suited to keeping pace with changes in the area of application.
The provisions of the BSI-KritisV are largely based on so-called ‘sector studies’ commissioned by the BSI. These cover not only the health sector but also the other typical areas of critical infrastructure, such as energy, food and water, finance and insurance, information technology and telecommunications, transport and traffic, logistics, and media and culture.
German IT-Security Act 2.0
As a follow-up to the first German IT Security Act, a legislative procedure for a second act is currently ongoing. The draft grants the BSI additional powers and adds special provisions on consumer protection. A separate presentation of this draft may be found here.
EU Directive 2016/1148 on Network and Information Security
As with German law, European IT security regulation is not contained in a single legal act either. Here the legal situation is even more confusing than at national level, since the European Union has adopted a large number of acts touching on cyber security, with varying degrees of specificity, since the turn of the millennium. Particularly noteworthy in this context is EU Directive 2016/1148 ‘concerning measures for a high common level of security of network and information systems across the Union’ (NIS Directive), which entered into force in August 2016 and places the EU’s political cyber security strategy on a clear legal basis. The serious IT security incidents that followed during its transposition period, such as ‘WannaCry’ and ‘Petya’/‘NotPetya’ in 2017, underlined the need for such a framework.
Since the NIS Directive is a directive within the meaning of Art. 288 (3) TFEU, its effect in the individual member states depends on its transposition into national law. In Germany, this was achieved by the ‘Act on the Implementation of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning Measures for a High Common Level of Security of Network and Information Systems across the Union’, which was passed by the German parliament in April 2017.
EU Cybersecurity Regulation (Adoption expected at the Turn of the Year 2018/2019)
Following the publication of the new EU Cyber Security Strategy in September 2017, the European Union strengthened its regulation of IT security further by presenting a draft regulation ‘on ENISA, the EU Cybersecurity Agency, and repealing Regulation (EU) No. 526/2013, and on information and communication technology cybersecurity certification (Cybersecurity Act)’, commonly referred to as the ‘Cybersecurity Regulation’. The legislative process for this regulation is to be completed in 2019 (Kipker D.-K., MMR-Aktuell 2017, 395945). The new regulation pursues two primary objectives that go beyond the existing European regulatory approaches to cyber security. Firstly, it sets requirements not covered by the NIS Directive, because it addresses matters that affect more than merely operators of critical infrastructures and providers of digital services. Secondly, as a regulation it applies directly and uniformly throughout the Union, which matters because parts of it concern the digital single market.
Under the EU certification framework, the European cyber security agency ENISA is to act as a market monitoring body and to take an active part in shaping new cyber security standards. In the ongoing legislative procedure, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) and the Committee on the Internal Market and Consumer Protection (IMCO) have already issued their positions on the Commission’s draft. Both have stressed that involving standardization and regulation, and the corresponding institutions, is indispensable for the new European certification framework. A plenary vote on the EU Cybersecurity Regulation is expected at the turn of the year 2018/2019.
Draft of the new EU regulation for a Competence Center on Cyber Security
In September 2017 the Commission published the ‘Proposal for a Regulation of the European Parliament and of the Council on ENISA, the EU Cybersecurity Agency, and repealing Regulation (EU) No. 526/2013, and on information and communication technology cybersecurity certification’, commonly known as the ‘Cybersecurity Act’, which underlines the importance the EU attaches to cyber security. In September 2018 it followed this with a ‘Proposal for a Regulation of the European Parliament and of the Council establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres’.
Tasks of the new European Competence Centre: The basic idea behind the competence centre is the pan-European coordination of cyber security research and the promotion of cyber security capabilities. Such coordination has so far largely been lacking, particularly where joint capacity building between state bodies, industry and the military is concerned, owing to the absence of effective cooperation; as a result, various branches of industry are working on the same problems in parallel. The aim is therefore to provide access to a consolidated body of knowledge in the field of IT security. Research funding under the ‘Digital Europe’ and ‘Horizon Europe’ programmes is to be directed towards this goal under the responsibility of the competence centre. The centre is intended to support users from across the Union, from industry (including SMEs), from the public sector and from research and science, through its technical expertise and through financial support measures. Because of this research-oriented approach, the competence centre does not compete with ENISA: according to the proposal, ENISA primarily advises on research and innovation needs in the field of cyber security, whereas the competence centre does the practical work of improving the EU’s cyber security defences.
Complementing the Competence Centre with National Coordination Centres and the Competence Community: In addition to the central competence centre, national coordination centres and a competence community are to be established, with the competence centre responsible for coordination, networking and the distribution of tasks. The national coordination centres serve, among other things, as national points of contact for the tasks of the competence centre and take on further duties such as accrediting the members of the competence community. The competence community, as the third institution, consists of industrial, academic and non-profit research institutions and associations as well as public and other bodies dealing with operational and technical questions.
Collaboration with ENISA: The competence centre will also take on tasks relating to the planned EU cyber security certification; its technical expertise is to support companies in the certification process and thus speed up the process as a whole. In return, ENISA is to support the competence centre, for instance by participating actively in the advisory board attached to the governing board, which is made up of representatives of all Member States. This is a further means of achieving one of the fundamental objectives of establishing the competence centre, namely promoting European cooperation in cyber security. Note, however, that only those Member States which contribute to the financing of the competence centre are entitled to vote on its governing board.