IT Security Law Enters into Force – New Rules for Critical Energy Infrastructure

On 25 July 2015 the IT Security Act (IT-Sicherheitsgesetz) entered into force. The law is a response to the increasing number of cyber attacks and is intended to improve IT security for public authorities and the private sector. It contains new provisions for critical infrastructure, including in the energy sector.

Particularly important for operators of critical infrastructure are the changes to the Act on the Federal Office for Information Security (BSI Act, BSIG).

A new Section 2 para. 10 BSIG defines critical infrastructure as facilities, installations or parts thereof (Einrichtungen, Anlagen oder Teile davon) which

  1. belong to one of the following sectors: energy, information technology, telecommunications, transport and traffic (Verkehr), health, water, food supply (Ernährung), finance and insurance (Finanz- und Versicherungswesen), and
  2. are of high importance for the functioning of the community (Funktionieren des Gemeinwesens) because a breakdown or impairment would result in significant supply shortages (erhebliche Versorgungsengpässe) or dangers for public security (Gefährdungen für die öffentliche Sicherheit).

The definition thus combines qualitative elements (importance for the functioning of the community) with quantitative ones (the level of supply affected) and is likely to cause further legal debate. The details will be set out in an ordinance based on Section 10 BSIG, which the Federal Ministry of the Interior is currently drafting. The ordinance is to specify, for each sector, which services qualify as critical because of their relevance, what level of supply is relevant, and which facilities, installations or parts thereof qualify as critical infrastructure. The relevant supply levels are to be industry specific for each critical service in the relevant sector, so important decisions remain to be taken in the ordinance.

Section 8a BSIG imposes substantial new requirements on critical infrastructure. Operators must take appropriate organisational and technical measures to prevent disruptions (Störungen) of the availability, integrity, authenticity and confidentiality of the information technology systems, components and processes that are decisive for the functioning of their critical infrastructure.

Unless otherwise provided, these requirements must be implemented within two years of the entry into force of the above mentioned ordinance. Operators will then have to furnish proof of compliance at two year intervals.

According to the new Section 8b BSIG, operators of critical infrastructure will have to report significant security incidents to BSI. The obligation applies six months after the entry into force of the above mentioned ordinance; reports are to be made via a contact point (Kontaktstelle) for communication with BSI which the operators must designate (cf. Section 8b paras. 3 and 4 BSIG). Operators of nuclear power plants are already required to report the security incidents specified in the new Section 44b Atomic Energy Act (AtG).

Under the new Section 14 BSIG, a breach of the obligations under Sections 8a and 8b BSIG by an operator of critical infrastructure can be fined with up to EUR 100,000.

In any event, potentially affected parties should assess to what extent they are or may be affected, what role they can usefully play in shaping the further requirements of the upcoming ordinance, and how the required measures are to be implemented. Since operators of critical infrastructure will also look to their suppliers and service providers when it comes to compliance with the new requirements, the IT Security Act affects many more companies than just the operators themselves.

Furthermore, companies should bear in mind that the IT Security Act is only one step. It precedes the EU Network and Information Security (NIS) Directive, which will impose similar, and probably in part differing, requirements. It is also connected with the existing and upcoming EU data protection legislation, which likewise contains IT security and (data breach) notification obligations.

More information on the new IT Security Act is available on the Bird & Bird website. Please let us know should you be interested in more energy specific information on this.

Sources: Federal Law Gazette; Bird & Bird; heise online
