Germany's Cybersecurity Law: EU ImpactWhy Proposed Notification Law Could Shape European Debate
The German government is proposing a law that would require so-called critical infrastructure organizations to report any significant security incidents. Legal experts say the draft cybersecurity legislation also signals an attempt by German politicians to take a leadership role in related discussions at the EU level.
The proposed German legislation, which has been under discussion since 2013, was submitted Aug. 19 by Interior Minister Thomas de Maiziere to the Bundestag, which is the national parliament of the Federal Republic of Germany. The proposal includes a provision that would require critical infrastructure organizations to disclose all significant security incidents to the Federal Office for Information Security, or BSI, which is the central IT security service provider for the federal government in Germany. The law would also strengthen that agency's powers and give the Federal Criminal Police, or BKA, increased power to investigate cybercrime.
The proposed law, which is a cornerstone of the German government's "digital agenda," would cover numerous critical infrastructure sectors, including IT and financial services, as well as energy, food distribution, health, telecommunications, traffic, transportation and water.
"We need to be more secure than before," says de MaiziÃ¨re in a statement. "Anyone who operates critical infrastructure, they must operate it safely."
Adds Notification Requirements
Currently, the German Federal Data Protection Act requires any data controller to notify relevant government agencies and issue a data breach notification to affected consumers "without delay when it records an unlawful transfer or disclosure of certain types of personal data to a third party," says Munich-based attorney Thomas Jansen, who's in the intellectual property and technology group at DLA Piper. At the EU level, meanwhile, all telecommunications firms and Internet service providers must also report any significant security incidents to relevant government authorities.
The proposed German legislation would create a new, separate notification requirement so that "operators of critical infrastructure would have to report significant security incidents to BSI," Jansen says.
This isn't the first attempt by German officials to enact stronger cybersecurity laws. "German Interior Minister Hans-Peter Friedrich proposed an IT Security Act in March 2013 that would have required operators of critical infrastructure and telecommunications and information security service providers to report to BSI all serious impairment of their IT systems, components, and processes that could affect the proper functioning of critical infrastructure," Jansen says. "The legislation was never implemented."
Tepid Business Response
Many German businesses are reportedly wary of the latest proposal, with cloud computing companies, in particular, wondering whether it will apply to them. "Quite a number of industry organizations in Germany are also lobbying against that new law because it's too strong," DLA Piper's Jansen says. "It increases the bureaucracy burden for German companies, and not only German companies, but any company doing business in Germany - and therefore might have an impact for German companies being competitive within Europe and within the global market."
The proposed law faces another hurdle in that its specifics differ from two similar pieces of legislation being debated at the EU level. Jansen says the discord likely reflects the German proposal having been debated for the past three years or more. As a result, he says the German law would likely be incompatible with forthcoming EU legislation, which may also impose new and binding notification requirements across all EU member states. "Likely, the new legislation will not succeed because it conflicts with the EU directive requiring harmonization among the member states."
The EU continues to debate a revision of its data protection directive - including transforming it into a law that would impose identical requirements on all EU member states - as well as a new cybersecurity directive. Currently, European telecommunications and Internet service providers must disclose significant breaches to relevant authorities. But the new laws would likely extend those breach-reporting requirements to other sectors and types of data.
"The discussion at the European level is very similar to the discussion we're seeing on the German level, in terms of the scope," says Brussels-based attorney JÃ¶rg Hladjk at Hunton & Williams, who specializes in both German and European data protection and cybersecurity matters. "The German proposal should be aligned with what is happening ... with the EU cybersecurity proposal. Because, in the end, if we get a directive at the EU level, the Germans will have to go back and redo theirs."
EU officials have yet to agree on exactly what the new data protection law might mandate. "A lot of lobbying has been going on, especially against that law, and that's one reason it's been delayed and that's why there are still discussions underway in the European Council, as well as with the European Parliament and the European Commission," says Hladjk, referring to the three European government bodies that collectively pass EU laws.
Germany's EU Moves
To date, German officials haven't been spearheading the EU data protection and cybersecurity debates. "In both of these discussions, I think Germany has not been able to take the lead - even though many people expected that," Hladjk says. "Since the EU data protection legislative process has been dragging on for so long, I think Germany wants to be in the driver's seat again, coming with an IT security law, and discussing breach notification for certain sectors, to make sure they maintain a leadership position with the draft EU cybersecurity directive proposal."
As a result, passing a domestic German law could be secondary to the country's politicians simply staking out a position. "To be taken seriously, Germany doesn't have to pass the law, because they already have a long history of strong data protection and data security rules," Hladjk says. "But passing this law would set a precedent in Europe that other legislators and stakeholders could turn to for guidance."