Cybersecurity Laws and Regulations in Germany

Kyle Chin

While there is no single, unified law for cybersecurity and data protection in Germany, the cyber security landscape is held together by a combination of federal and European laws and regulations. Like every European country, Germany has a data protection regime governed and enforced under the strict EU GDPR.

Germany’s newest attempt at refreshing cybersecurity laws and regulations is passing the German IT Security Act 2.0, which aims to enhance IT system security and harmonize other cyber security laws to combat the ever-increasing digital threat landscape and cyber security challenges like growing ransomware attacks.

However, the mesh of overlapping cybersecurity laws and regulations may be difficult for businesses and organizations to comply with. Moreover, the staggeringly high penalties for non-compliance threaten organizations with fines of up to €20 million or 4% of their annual global turnover. To date, the largest cybersecurity fine Germany has ever imposed was €35 million on Sweden’s H&M for unlawfully processing sensitive employee data.

German businesses, and European businesses dealing with German businesses and organizations, must comply with the regulations that protect citizens’ data and hold organizations accountable for their security posture, especially in the financial and healthcare sectors.

This article will cover the biggest cybersecurity laws and regulations in Germany and serve as a comprehensive guide for all businesses and organizations on German cybersecurity laws and regulations, fees, and penalties, as well as their requirements for compliance.

The Federal Office for Information Security (BSI)

Established in 1991, the Federal Office for Information Security (BSI) (or Bundesamt für Sicherheit in der Informationstechnik, in German) is the federal cybersecurity office and federal authority responsible for supervising IT security in the country.

As a predecessor to the BND, the BSI is Germany’s cryptographic Department of Foreign Intelligence, famous for designing cryptographic algorithms. It is credited with initiating the Gpg4win cryptographic suite. Simply put, what NIST is to the US, the BSI is to Germany.

The BSI also serves as a source of guidelines and recommendations on the technical implementation of cryptographic processes for businesses in IT. It also provides information that helps businesses coordinate their response to incidents.

The BSI Act (BSIG)

The BSI Act (Federal Information Technology Security Act, or Act on the Federal Office for Information Security; Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSI-Gesetz or BSIG) has been the legal basis of the BSI since it came into force in 2009 and still acts as the foundation of the other German cybersecurity acts that exist today.

The BSI Act covers preventive cybersecurity under German computer and communications law, including critical infrastructure such as energy, healthcare, food, IT and telecommunications, and finance. Other obligations include matters of spying and counterintelligence, and the certification of security products.

Under the BSI Act, the main responsibilities of the BSI are to:

As of July 2015, the BSI Act was supplemented with major changes by the Act on Increasing the Security of IT Systems (German IT Security Act 1.0). Applying the standards of the IT-Grundschutzhandbuch, the BSI acts as the main testing and certification entity for IT system security in Germany and covers computer and data security.

German IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0)

Germany’s newest cybersecurity law, the German IT Security Act 2.0, was passed in April 2021 to enhance IT system security. The new act amended multiple cybersecurity laws like the BSIG, and it serves to combat cybersecurity threats and emphasize the importance of safeguarding IT and communication technology in Germany.

What Is the Purpose of the IT Security Act 2.0?

Primarily, the new act strengthens the BSI with new extensive rights, powers, and responsibilities for covering IT security risk on a national level, countering IT deficits, and enhancing IT security.

The new act aims to:

How Does the IT Security Act 2.0 Affect the BSI?

Under the amended BSI Act, the BSI now has the authority to:

After 2022, more legislative updates will follow. The BSI is planned to serve as a central authority for cybersecurity in Germany. In the future, the BSI will also act as a major info hub that will provide individuals, businesses, and organizations with best practices and security recommendations against IT threats.

The BSIG/BSI-KritisV and Operators of Critical Infrastructures

With the new German IT Security Act 2.0, the German Bundestag and the Federal Council aim to “kill two birds with one stone” and reform information security and digitalization with amendments to the BSIG/BSI-KritisV (Ordinance on the Designation of Critical Infrastructures according to the Act on the Federal Office for Information Security).

Formerly, the first BSI Act only addressed critical infrastructures. As of April 2016, with an increased range of obligations, the new regulation focuses on both critical infrastructures and digital service providers.

Who Does the BSIG/BSI-KritisV Apply to?

The BSIG and the BSI-KritisV set out security obligations for:

The German IT Security Act 2.0 regulates IT security and enforces its requirements on “operators of critical infrastructure.”

The critical infrastructure sectors and services, as specified in the Ordinance on the Identification of Critical Infrastructures (KritisVO), include energy, water, food, information technology and telecommunications, healthcare, finance and insurance, transport, and municipal waste disposal. Operators in these sectors are known as KRITIS companies.

Requirements of the BSIG/BSI-KritisV

The Federal Office for Information Security (BSI) mandates all businesses, organizations that are of particular public interest (special interest companies), and entities engaged with critical infrastructure to:

Additionally, all federal authorities must report cybersecurity incidents to the Federal Office for Information Security as soon as they detect them.

The BSI is required to develop minimum standards for strengthening the IT security of the federal administration. The Federal Ministry of the Interior can declare these minimum standards as binding for all authorities because only consultation (rather than agreement) with the IT Council is required.

Is Complying with the BSIG/BSI-KritisV Mandatory?

Yes. Complying with the BSIG/BSI-KritisV is mandatory for all entities, businesses, and organizations engaged with critical infrastructures and for organizations of special interest. Formerly, the ordinance offered all affected entities a transition period before the requirements had to be met.

As of 2021, with the new IT Security Act 2.0 and the Second KRITIS Ordinance, companies must comply with the requirements from the first day they fall within the scope of the ordinance.

According to Section 8a of the BSI Act, all operators of critical infrastructures must regularly prove to the BSI that they have correctly implemented security measures, ideally every two years. With the agreement of the supervisory authorities, the BSI may impose sanctions on an entity that fails to meet the requirements.

What are the Penalties for BSIG/BSI-KritisV Non-Compliance?

Companies and organizations that fail to meet the requirements of the BSIG/BSI-KritisV face fines of up to 20 million Euros imposed by the BSI.

All companies must verify whether or not they fall within the scope of the BSIG/BSI-KritisV ordinance and the IT Security Act 2.0. All organizations are advised to seek legal counsel to determine whether they are subject to these requirements.

Federal Data Protection Act (BDSG - Bundesdatenschutzgesetz)

The German Bundesdatenschutzgesetz (BDSG), or the Federal Data Protection Act, adapts German laws in line with the European Union’s GDPR (General Data Protection Regulation) to oversee data protection regulations.

As of 30 June 2017, the BDSG, together with each German federal state’s own data protection law (Landesdatenschutzgesetz – LDSG), governs all data processing operations and the processing of personal data under German data protection law.

While the Federal Office for Information Security (BSI) focuses on overseeing compliance with IT security law, compliance with the BDSG and data protection law is supervised by the data protection authorities of the 16 federal states.

How Does the BDSG Work with the GDPR?

The BDSG supplements the GDPR (General Data Protection Regulation), which is mandated by the EU for financial services that process or collect personal data from EU citizens.

The GDPR stipulates cyber security requirements and obligations regarding data privacy, cyber security, and breach management. The GDPR applies to all institutions and organizations that handle personal data and operate within the EU and companies that conduct business with countries in the EU.

The GDPR requires controllers and processors to follow relevant protocols, implement data privacy measures, and ensure that data is collected with consent. For example, under the GDPR, German authorities require all entities to obtain the data subject’s explicit consent before using tracking mechanisms and advertising technology such as cookies.

Marketing Emails

The UWG (Act Against Unfair Competition; Gesetz gegen den unlauteren Wettbewerb) sits alongside the BDSG and prohibits entities from sending marketing emails to recipients without their consent. Exceptions apply when:

Data Protection Officer

Under the GDPR, a DPO (data protection officer) must be appointed to oversee the regular testing, assessment, and evaluation of the effectiveness of an entity’s data processing safeguards. The DPO also serves to ensure compliance with the GDPR.

In addition to the cases listed in Article 37 GDPR, a data protection officer must be designated by the data controller if the organization:

Who Does the BDSG Apply to?

The BDSG applies to all federal public authorities, public authorities of the German federal states, and private bodies that process, collect, use, and store personal data and other data like company secrets.

According to German law, “personal data” refers to all data and information that offers “insight and facts about an identifiable, natural person.” This includes names, addresses, occupations, IP addresses, social security numbers, financial data such as tax records, and personally identifiable information such as racial or ethnic origin.

The data governed by the BDSG also includes trade secrets, which qualify as “data subject to appropriate cyber security confidentiality measures.” All entities holding trade secrets are obliged to guard them by implementing appropriate confidentiality measures and ensuring that their handling of trade secrets meets the requirements of the GeschGehG (Trade Secrets Act).

Is Complying with the BDSG and GDPR Mandatory?

The BDSG and the GDPR are mandatory and apply to all private businesses, federal public entities, and data controllers that process sensitive data and personal information.

Any business not in the EU but using an EU citizen’s personal data (for example, cookies for monitoring consumer behavior) is subject to the GDPR and BDSG.

What are the Penalties for BDSG and GDPR Non-Compliance?

The BDSG provides for criminal sanctions against businesses or individuals that violate the GDPR (Section 42 of the BDSG). Violations include the theft of non-public personal data acquired for fraudulent use or processed without authorization.

As administrative sanctions for non-compliance, the BDSG imposes fines of up to EUR 50,000 on entities that violate its provisions, including entities that fail to handle data properly (Section 43 BDSG). Additionally, other administrative fines under the GDPR may also apply.

Since the BDSG is modeled on the GDPR, the catalog of penalties and fines may be revised, and the penalties modified, depending on the severity of the non-compliance.

Depending on the offense, GDPR fines can reach €20 million (about 23 million USD) or 4% of the company’s annual turnover in the preceding business year (whichever is larger). For less serious cases, the cap is €10 million or up to 2%.

It is important to note that an administrative fine cannot be issued to companies and businesses that do not comply with Section 9 of the BDSG. This relates to entities acting as data processors and “participating in the competition as enterprises governed by public law.”

NIS2 Directive

The Security of Network and Information Systems Directive (NIS Directive) is a crucial non-sector-specific legislation for financial services that enhances cyber security collaboration between EU member states.

It is complemented by the BSIG and the BSI-KritisV. The German legislature also amended the German IT Security Act 2.0 as a major part of implementing the NIS Directive, which will be followed by NIS2 in the future.

In December 2020, the European Commission proposed NIS2, a revision of the 2016 NIS Directive that aims to strengthen cyber security, improve digitalization across the European Union, and encourage government bodies, including those in Germany, to supervise their cyber security processes in collaboration with other member states.

What Are the Requirements of the NIS Directive?

The NIS Directive applies to EU operators of essential services and digital service providers, which include the energy sector, healthcare, transport, online marketplaces, and other services within the digital infrastructure covered by the directive. They must:

  1. Have the proper cyber threat and risk management capabilities to implement CSIRTs (Computer Security Incident Response Teams);
  2. Implement data protection measures for safeguarding IoT and smart infrastructure;
  3. Regularly conduct cyber exercises;
  4. Be capable of cross-border collaboration with other countries within a CSIRT network;
  5. Conduct cyber security monitoring.

For companies and organizations within the EU, the NIS Directive obliges all German operators of essential services (OES), which include the German KRITIS companies, to:

Is Complying with the NIS Directive Mandatory?

Yes. All EU member states, and the organizations and businesses within scope, must comply with the NIS Directive by implementing proper risk management measures and following the incident reporting protocol.

What are the Penalties for NIS Directive Non-Compliance?

All entities that fail to comply with the NIS Directive will face fines of up to £17m or 4% of their global annual turnover.

Telecommunications-Telemedia Data Protection Act

By merging these acts, the German legislature fulfilled its obligation to transpose the European NIS Directive into national law. The German IT Security Act 2.0 also plays a role in amending cyber security regulations for mobile networks.

What Are the Requirements of the TMG?

The TMG stipulates security obligations for businesses and digital service providers to:

What Are the Requirements of the TKG?

The Telecommunications Act of 22 June 2004 (Telekommunikationsgesetz – TKG) imposes cyber security requirements on electronic communications network operators and electronic communication service providers. This includes internet access providers and vendors such as Deutsche Telekom but excludes broadcasting services.

Operators of publicly available telecommunications networks are particularly obliged to:

Providers of publicly available electronic communication services are obliged to:

Is Complying with the TTDSG Mandatory?

Yes. Compliance with the TTDSG is mandatory for telecommunication services and telemedia services.

All companies and individuals in Germany who provide goods and services in any form fall under the scope of the TTDSG, which in practice means almost every business in Germany. The massive scope may pose an enforcement issue, so each business must check separately how it is legally bound.

According to the recent TKG revision in December 2021, the TTDSG also applies to providers of so-called over-the-top services like instant messaging or webmail. Telemedia services include all websites and online services like video-on-demand and email platforms.

What are the Penalties for TTDSG Non-Compliance?

The BNetzA (Federal Network Agency) is responsible for supervising and enforcing the TTDSG’s data protection provisions for telecommunication services.

All telecommunication secrecy violations and cybercrime are subject to the StGB (German Criminal Code) and punishable with imprisonment.

Any business that violates the TTDSG requirements may be fined up to 300,000 euros.

Violating the requirements for confidentiality in communication is a criminal offense and is punishable under both regulatory and criminal law by up to two years of imprisonment or heavy fines, depending on the severity of the breach.

Other Cybersecurity Organizations For Reporting Cybersecurity Incidents

The BSI has IT crisis centers for analyzing, assessing, monitoring, and reporting cybersecurity incidents and acts as an incident response support unit, aiding companies in due diligence regarding managing cyber incidents.

Other cybersecurity organizations include the Alliance for Cyber Security (Allianz für Cybersicherheit), a cooperation platform that mediates the exchange of information between the German research community and the BSI.

Germany has its own CERT (Computer Emergency Response Team). The CERT-Bund provides individuals, businesses, and organizations with information and guidelines on cyber security. The CERT-Bund has the following responsibilities: