
Germany’s go alone: Towards an IT Security Law 2.0
Henceforth, … in the context of school education, digital literacy should be taught from the first grade onwards. In addition to the proficient handling of common devices, operating systems and applications, this includes in particular the basics of IT security and the responsible and secure handling of data, also with regard to social media. Thus, even primary school pupils should receive an IT education that teaches them data and system security.
Digital content, e.g. concerning the safe use of digital technologies (hardware and software), must be more firmly anchored in vocational education and training, universities and lifelong learning. In consultation with the economic and social partners, the corresponding content has already been developed and introduced into the federal government's initial and continuing training regulations.
Germany’s current grand coalition agreed in their coalition agreement in 2018 on revising the German IT-Security Law. On May 7, 2020, the draft for the IT-Security Law 2.0 was leaked. Especially considering the EU Commission’s intention to review the EU’s Network and Information Security (NIS) Directive by the end of 2020, German industry takes a rather critical view of the German go-alone. While unambiguous and supplier-neutral security requirements for 5G components are urgently needed, a national go-alone (as foreseen in the leaked draft of the IT-Security Law 2.0) on new OES sectors, definitions of critical components, the introduction of the category “companies of special public interest” as well as a catalogue of fines should be avoided.
From German industry’s perspective, the following three aspects to be introduced by the German IT-Security Law 2.0 should be considered when conducting the NIS review:
New sectors of essential services / critical infrastructures: The German government is planning to introduce the new critical infrastructure sector “waste disposal”. The introduction of the new sector “waste disposal” does make sense, especially in view of the latest developments in the course of the corona pandemic. However, German industry would appreciate it if an extension of the scope of OES / critical infrastructures were done at European level. When including “waste disposal” as an essential services sector, it would be of particular importance to distinguish between the different material flows and origins of waste. The NIS Directive should be limited to those material flows of municipal waste that raise the risk of pandemics or could pollute the environment.
Companies of special public interest: The German government aims at introducing the new category “companies of special public interest”. This category includes three types of companies: (1) the armament industry and its suppliers, (2) companies of outstanding economic importance, and (3) companies as stated in the German Regulation on Hazardous Substances. These companies will inter alia be required to register with the German Cybersecurity Agency (BSI) and will have to inform BSI about cyber-attacks. German industry recommends refraining from a national introduction of the category “companies of special public interest”. The criteria according to which a company should fall into the category of “outstanding economic importance” cannot be derived from qualitative or quantitative criteria. This proposal would lead to further significant inconsistencies and fragmentation of the regulatory landscape in the EU, which may undermine the level playing field for some operators and lead to further fragmentation of the single market. Furthermore, the government’s proposal completely ignores that German companies are often integrated into European and international value chains. In addition, foreign suppliers would not fall under the scope of the regulation. Therefore, German industry calls on the EU Commission to discuss with the German government how such inconsistencies can be avoided. Both the EU Commission and the German government should strive for a level playing field that ensures that no company inside the single market encounters regulatory requirements that have negative repercussions for competition.
Disproportionate fines foreseen: The German IT-Security Law 2.0 foresees fines for non-compliance with certain requirements stipulated in the IT-Security Law 2.0, such as registration with the BSI, mirroring those introduced by the GDPR. These are completely disproportionate. The GDPR’s fines alone can already lead to a company’s bankruptcy. In addition, an OES failing to comply with the obligation to register with BSI could be confronted with fines of up to 10 million euros or two per cent of global revenues. Moreover, the German government’s proposed maximum level of fines (up to 20 million euros, or up to four per cent of total annual revenues), which could be imposed on a company not complying with the German IT-Security Law 2.0, would be significantly higher than those introduced by other EU member states. For example, the Spanish legal system only foresees fines of up to one million euros, and the Italian system only fines of up to 150,000 euros. This comparison illustrates the need for introducing EU-wide comparable fines. These should not exceed the current maximum level applicable in Spain. The EU Commission should ensure that OES, DSP and operators of critical infrastructures are confronted with an EU-wide level playing field when it comes to maximum fines, since the current developments hamper the idea of a European Single Market with comparable competitive conditions across the European Union.
Non-coordinated, individual national measures can result in enormous additional costs and thus competitive disadvantages for globally active companies. This would cause lasting damage to Germany as a business location. The long-term goal of European harmonisation in the field of IT security is made more difficult by the German government’s IT-Security Law 2.0. Therefore, the EU Commission should strive to work towards an EU-wide level playing field for OES and DSP when revising the NIS Directive.