BSIG/BSI-KritisV
Operators of critical infrastructure must implement appropriate, state-of-the-art organisational and technical measures to avoid security incidents affecting the IT systems on which the functioning of the infrastructure or service depends (minimum security requirements). They must prove at least every two years that these measures fulfil the requirements. The BSI can approve sector-specific security standards.
Digital service providers must implement appropriate, state-of-the-art organisational and technical measures to avoid risks to the security of the network and information systems they use to provide their services. These measures will be further defined by the European Commission according to Article 16 para 8 of Directive (EU) 2016/1148.
Operators of critical infrastructure must provide the BSI with a contact point.
Operators of critical infrastructure and digital service providers must notify the BSI in the event of significant cybersecurity incidents.
GDPR
Controllers and processors are obliged to implement appropriate, state-of-the-art technical and organisational measures to ensure a level of security appropriate to the risk, including (inter alia) pseudonymisation and encryption.
eIDAS, VDG and VDV
The eIDAS Regulation stipulates security requirements for electronic identification schemes (including interoperability requirements), (qualified) trust services, (advanced and qualified) electronic signatures and seals, electronic time stamps, electronic registered delivery services and website authentication.
For instance, the assurance level (low, substantial and/or high) of notified electronic identification schemes depends on whether certain security criteria are fulfilled or not.
(Qualified) trust service providers are obliged to take appropriate, state-of-the-art organisational and technical measures to manage the risks posed to the security of the trust service they provide and to notify the supervisory body and other relevant bodies in the event of significant security incidents. Where the security breach is likely to adversely affect a natural or legal person to whom the trust service has been provided, the trust service provider is also obliged to notify that natural or legal person of the breach of security.
Qualified trust service providers are additionally subject to recurring inspection by conformity assessment bodies and information obligations.
FuAG
Manufacturers that place radio equipment on the German market shall design and manufacture such devices in a way that they do not harm the network or its functioning or misuse network resources, and that they incorporate safeguards to ensure that the personal data and privacy of the user are protected.
TMG
Providers of digital services must implement reasonable, state-of-the-art organisational and technical measures, especially including the use of encryption, that:
- guard against unauthorised access to the technical systems they use to provide their digital services;
- ensure that their technical systems are protected against unauthorised access to personal data; and
- prevent malfunctions, including any caused by external attacks.
TKG
The TKG sets forth the cybersecurity-related obligations of operators of electronic communications networks and providers of electronic communications services.
Operators of publicly available telecommunications networks are particularly obliged to:
- implement technical and organisational measures to protect the network against disruptions;
- appoint a security officer and draw up a security concept (which needs to be submitted to the BNetzA immediately after commencing network operation); and
- notify the BNetzA and the BSI without delay of any impairments to telecommunications networks and services which (can) lead to significant security breaches.
The measures to be taken are specified in a catalogue of security measures, issued by the BSI and the BNetzA.
Providers of publicly available electronic communication services are in particular obliged to:
- implement technical and organisational measures to protect the secrecy of telecommunications and other personal data as well as to protect the underlying network against disruptions;
- appoint a security officer and draw up a security concept (which needs to be submitted to the BNetzA upon request);
- immediately notify the BNetzA and the BSI of any impairments to telecommunications networks and services which (can) lead to significant security breaches;
- immediately notify the BNetzA and the Federal Commissioner for Data Protection (and, where applicable, additionally the persons concerned) of any violation of the protection of personal data;
- keep a register of violations of the protection of personal data; and
- immediately inform customers in case of malfunctions caused by customer data processing systems.
The measures to be taken are specified in a catalogue of security measures issued by the BSI and the BNetzA.
EnWG
Operators of energy supply networks are obliged to implement adequate protections against threats to telecommunications and electronic data processing systems that are necessary for secure network operation. The measures to be taken are specified in a catalogue of security measures issued by the BSI and the BNetzA.
Operators of energy plants classified as critical infrastructure and connected to energy supply networks are obliged to implement adequate protections against threats to telecommunications and electronic data processing systems which are necessary for secure operation of the plant. The measures to be taken are specified in a catalogue of security measures issued by the BSI and the BNetzA.
Operators of energy supply networks and energy plants classified as critical infrastructure must notify the BSI in the event of significant cybersecurity incidents.
AtG
Licence holders under the AtG are obliged to notify the BSI in case of impairments of their information technology systems, components or processes that could lead to a threat to or interference with the nuclear safety of the nuclear installation or activity concerned.
KWG
Credit and financial services institutions are obliged to implement appropriate risk management structures, including IT-security-related structures and measures. The respective minimum requirements are specified in the BaFin Circular 10/2017 (BA) as amended on 14 September 2018 (Banking Supervisory Requirements for IT (Bankaufsichtliche Anforderungen an die IT, BAIT)). In addition, credit and financial services institutions as well as financial holding companies are required to implement internal security measures to prevent criminal offences that could endanger the institution's assets.
GeschGehG
Holders of trade secrets are required to implement appropriate confidentiality measures to ensure that their trade secrets are subject to the (legal) protections of the GeschGehG.