Germany is preparing for new IT security legislation

As an essential cornerstone of the Government’s Digital Agenda on 19 August Thomas de Maizière, Federal Minister of the Interior, presented a new draft law which aims at increasing the security of information technology systems (IT Security Act).

The IT Security Act draft (IT-SIG-E) provides for amendments in several specific legal acts, particularly in the BSI-G, TMG, TKG, BKA-G and AWG. The law aims to increase the minimum level of IT security. It primarily targets to boost IT security in critical infrastructures. Such infrastructures operate in various sectors which play a very important role for society (energy, health, transport, finance, etc.).

How does the IT Security Act affect the Internet?

Since large parts of the Internet are, in the legal sense, to be understood as “telecommunications infrastructure”, area-specific requirements for the security level already exist – in the German Telecommunications Act or, for telemedia services provider, in the German Teleservices Act.¹ These are supposed to be modified and extended by the present legal draft.² Telecommunications service provider (e.g. access provider) and Telemedia services provider (e.g. website operator), “which play a key role in the security of cyberspace,” are to “made even more accountable.”³

Problems of Internet regulation

Legal regulation however is not capable of resolving all problems regarding the Internet. Due to its global character, legal measures alone – especially when they “only” come from the national or the European level – cannot provide for the security of and in the Internet. For the Internet is just not an intranet. In addition, is an issue as well on the physical as on the logical level. Internet communication, for example, is based on internationally standardized protocols. Many features and services of the Internet which are essential to its security (here in the broad sense) are administrated by decentral actors who are not legally regulated. The Domain Name System (DNS), as another example, is necessary for the functioning of the Internet (it is important for the translation of domain names to IP addresses); the system is however managed by non-governmental organizations. Thus, IT security law can only serve as a partial solution.

Problems to be dicussed

Currently, the IT-SIG-E is submitted for inter-departmental coordination and approval. But However, it should not only be discussed in the ministries but also by computer scientists, legal experts, Internet activists and all other Internet users (and providers). The IT-SIG-E contains many contentious points. These include: the effectiveness and the scope of incident reporting requirements, the extent to which competencies to store inventory, traffic and usage data are required and whether the proposed act alltogether suffices to rise to the complex and manifold challenges.

1. cf. § 109 TKG bzw. § 13 TMG; see also § 9 BDSG.
2. for a more detailed legal analysis see Leisterer/Schneider, Das neue IT-Sicherheitsgesetz – Änderungen und Problemfelder, CR 09/2014, (forthcoming). Among other changes, the draft law extends the competences to storage data, modifies the cyber incident notifications requirements, introduces a notification requirement for service providers and makes it mandatory for personalised telemedia providers to offer a authentification method.
3. IT-SIG-E, explanation, p. 3.

This post is part of a weekly series of articles by doctoral candidates of the Alexander von Humboldt Institute for Internet and Society. It does not necessarily represent the view of the Institute itself. For more information about the topics of these articles and associated research projects, please contact presse@hiig.de.