Regulatory framework for Cybersecurity – what happened in 2015…
…and what that means for 2016.
At the end of 2015 the EU reached political agreement on the draft of a European Network and Information Security Directive (NIS). Germany had already anticipated essential parts of the NIS in its IT Security Law (IT-Sicherheitsgesetz), which came into force on 25 July 2015. A number of questions remain, however, in particular regarding the scope of application of the IT Security Law and the impact the NIS will have on it.
EU Directive on Network and Information Security (NIS)
At the end of 2015 the EU accelerated not only the reform of data protection law but also its work on cybersecurity. Representatives of the EU Commission, the European Parliament and the Member States reached political agreement on the draft of a European Network and Information Security Directive (NIS). The goal of the NIS is to achieve a common high level of network and information security across all Member States; as a directive, it has to be transposed into national law by each Member State.
The NIS obliges operators in the affected sectors to take appropriate security measures and to report cyber attacks and security or data incidents. The sectors concerned are information technology and telecommunications (ICT), transport and traffic, healthcare, water, food, and finance and insurance.
Historically, the NIS goes back to a proposal for a directive which the EU Commission published together with the EU Cybersecurity Strategy on 7 February 2013. More generally, topics connected with the ongoing digitalisation are high on the political agenda: a number of initiatives under the "Digital Single Market Strategy" have been launched, supported by the European Union Agency for Network and Information Security (ENISA).
German IT Security Law
Germany anticipated essential parts of the NIS in its IT Security Law, which came into force on 25 July 2015, but questions remain regarding its scope of application and the impact the NIS will have on it. The IT Security Law amends a number of existing statutes, in particular the BSIG, EnWG and AtG as well as the TMG and TKG.
Like the NIS, the IT Security Law obliges operators of so-called critical infrastructures to comply with certain minimum IT security standards and to report relevant IT security incidents. Additional obligations apply specifically to providers of telecommunications and telemedia services. Which operators of critical infrastructures are affected will be defined in statutory orders, which the Federal Ministry of the Interior (BMI) has announced for the first quarter of 2016.
Operators have a two-year transition period, starting when the applicable statutory order enters into force, to implement the requirements. Thereafter they must demonstrate compliance with the minimum standards every two years by means of audits or certifications. Certain violations may be sanctioned with a fine of up to EUR 100,000.
Besides the definition of the affected companies, questions also arise regarding the relationship between the IT Security Law and other regulations. In particular, it is not yet clear how the new reporting obligations interact with reporting obligations that already exist, e.g. under the TMG or TKG.
Further questions arise in connection with the transposition of the NIS. Although Germany has already anticipated essential parts of the NIS, future amendments to the IT Security Law are likely, because the IT Security Law already differs from the NIS in some respects. In particular, the IT Security Law extends its scope of application to all operators of critical infrastructures regardless of their form of organisation, so it also applies to federal and other public institutions, whereas the NIS addresses private companies only. Moreover, according to the NIS each Member State shall designate a responsible national authority. In Germany, the Federal Office for Information Security (BSI) is in charge of IT security matters and, under the IT Security Law, is designated as the central reporting authority; in addition, however, other federal ministries and subordinate authorities are involved, in particular the Federal Ministry of the Interior (BMI) and the Federal Criminal Police Office (BKA). Germany has already planned to spend more than EUR 20 million on the public authorities responsible under the IT Security Law. As with the new EU data protection law, questions of responsibility therefore arise.
Especially in the field of IT security, it will become increasingly important how cooperatively and effectively public authorities and private companies work together, particularly on standardisation and certification (as in the field of EU data protection law). Both the NIS and the IT Security Law follow a "cooperative" approach that relies on such cooperation between public authorities and private companies.
The EU Commission has launched a consultation on a Public-Private Partnership (PPP) in the field of IT security, with the aim of strengthening the European IT security industry. Besides views on the state of IT security, market conditions and future topics in Europe, the consultation asks industry for suggestions on standardisation and certification. It runs until March 2016, and the results are to be published in the course of 2016.
The IT Security Law also expressly provides for cooperation between public authorities and private companies: the minimum standards to be met are to be drawn up by the industries themselves and then approved by the BSI.
In conclusion, we recommend that companies check in good time whether they may be addressed by the IT Security Law, which so far defines only the affected sectors; the final decision on this will be made in the proposed statutory orders. Even though future amendments to the IT Security Law prompted by the NIS seem likely, companies should already be working on a strategy to implement the foreseeable new IT security requirements.