On December 16, 2020, the German Federal Government passed a draft law that substantially amends some of Germany’s information technology laws (“IT laws”). These amendments aim to adapt the current legal framework to the increasing digitalization of products and services, the proliferation of IoT products, and the appearance of new cybersecurity threats. The draft law is expected to be enacted in the German Parliament in the first quarter of 2021.

The draft law is called the “Second Act to Increase the Security of Information Technology Systems” or “IT Security Law 2.0” (Zweites Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme or IT-Sicherheitsgesetz 2.0). As the name indicates, this is the second amendment to Germany’s IT laws. The first amendment was enacted in July 2015.

The draft law substantially amends the following three laws:

  • the Law on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik);
  • the Telecommunications Law (Telekommunikationsgesetz); and
  • the Electricity and Gas Supply Law (Gesetz über die Elektrizitäts- und Gasversorgung).

Objectives

The amendments proposed by the draft law are intended to:

  • strengthen the Federal Office for Information Security (“Federal Office”) – more concretely, to:
    • strengthen the Federal Office’s auditing and control powers over the IT systems and products used by the federal administration; and
    • grant the Federal Office the power to:
      • process log data generated by the federal administration’s IT systems and products, and deploy systems and procedures to detect security threats and inform those affected about them;
      • request log data from any entity providing or participating in the provision of telecommunication services to the federal administration, with certain exceptions; and
      • establish minimum security standards for IT systems and products used by the federal administration.
  • strengthen consumer protection in the area of IT security – more concretely, to grant the Federal Office the power to:
    • take measures to further consumer protection in the area of IT security, for example, by warning consumers about security threats and issuing guidance on the actions consumers should take to prevent those threats; and
    • establish an IT security label to inform consumers about the IT security of products (N.B., the label does not attest the products’ data protection compliance).
  • strengthen the precautionary measures implemented by businesses – more concretely, to:
    • improve the overall level of security of IT systems and products put on the German market, by empowering the Federal Office to:
      • examine IT products and systems made available on the market or intended to be made available on the market; and
      • order telecommunications service providers with more than 100,000 customers and information society service providers to take certain technical and organizational measures to protect their services against identified security vulnerabilities.
    • improve the overall level of security of the IT systems of critical operators, by:
      • requiring critical operators, such as operators of energy supply networks, to deploy systems and procedures that appropriately detect security threats, identify and prevent threats on an ongoing basis, and take appropriate remedial actions.
    • improve the overall level of security of the IT systems of companies that are not critical operators but whose activities are of particular public interest (N.B., these companies will be listed in a Government Ordinance), by:
      • applying to these companies the same obligations imposed on critical operators.
  • strengthen the German State’s protective function – more concretely, to:
    • require manufacturers of critical components to issue a warranty declaration guaranteeing that they take certain measures to secure those components; and
    • prohibit operators of critical infrastructures from using critical components that have not been evaluated and certified by an accredited certification body.

The draft law is part of the Federal Government’s objective to ensure that German IT laws keep up with the fast-developing IT landscape. It is in line with the EU’s recently published Cybersecurity Strategy to increase the level of cyber resilience of all relevant sectors (see blog post here).

The team at Covington will continue to monitor developments in the cybersecurity space.

Moritz Hüsch

Moritz Hüsch is partner in Covington’s Frankfurt office and co-chair of Covington’s Technology Industry Group and Covington’s Internet of Things (IoT) Group. His practice focuses on complex technology- and data-driven licensing deals and cooperations, outsourcing, commercial contracts, e-commerce, m-commerce, as well as privacy and cybersecurity.

Moritz regularly advises on issues and contracts relating to IoT, AV, big data, digital health, and cloud-related subject matters. In addition, he regularly advises on all IP/IT-related questions in connection with M&A transactions. A particular focus of Moritz’s practice is advising companies in the pharmaceutical, life sciences and healthcare sectors, where he regularly advises on complex licensing, data protection and IT law issues.

Moritz is regularly listed as one of the best lawyers in the areas of IT and data protection, among others by Best Lawyers in cooperation with Handelsblatt, Wirtschaftswoche and Legal 500.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group. Anna is a qualified Portuguese lawyer and a native speaker of both Portuguese and German. Anna advises companies on European data protection law and helps clients coordinate international data protection law projects. She has obtained a certificate as “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional Europe (CIPP/E) with the International Association of Privacy Professionals (IAPP). Anna also advises companies in the field of EU consumer law and has been closely tracking developments in this area. Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.