As part of the ‘digital agenda’, on 17 December 2014, the German government adopted a draft bill to improve the security of IT systems in Germany, the (draft) IT-Security Law (IT-Sicherheitsgesetz, ITS) (available in German at http://www.bmi.bund.de/SharedDocs/Downloads/DE/Nachrichten/Kurzmeldungen/entwurf-it-sicherheitsgesetz.pdf?__blob=publicationFile). Since the first draft was published in March 2013, the ITS has been controversially discussed and has been subject to extensive lobbying efforts. These discussions are likely to continue in the Bundestag and Federal Council, to which the draft has now been referred in accordance with the ordinary legislative procedure.
Like the proposed Network & Information Security (NIS) Directive (COM(2013)0048 – C7-0035/2013 – 2013/0027(COD)), the ITS aims to improve IT security by setting out (minimum) IT security requirements for operators of critical infrastructure in certain sectors and by introducing a mandatory notification scheme for IT security incidents. Operators will have to regularly demonstrate implementation of the security standards to the competent German authority, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), in security audits, and the BSI may issue corresponding orders in case of non-compliance. Based on the information gathered through the notification scheme and the security audits, the BSI shall also issue warnings to other operators of critical infrastructure and administrative authorities in order to prevent future IT security incidents. Under certain conditions and within limitations, applicants may also request information from the BSI ...