Part 1: The new German IT Security Act
- Part 1: The new German IT Security Act
- Part 2: IT Compliance in cooperation with the agency
- Part 3: How to implement the measures correctly
The new German IT Security Act
The IT Security Act (IT-Sicherheitsgesetz) came into force on 25 July 2015 and is intended to raise the security of information technology systems in Germany. It follows from the Cyber Security Strategy for Germany adopted by the Federal Cabinet in February 2011. Operators of critical infrastructures were given two years from the entry into force of the relevant BSI-KritisV ordinance to implement the required measures; the obligations placed on website (telemedia) operators by the amended §13(7) TMG applied from the day the Act entered into force.
The NIS Directive for EU Member States
In July 2016 the European Directive on security of network and information systems (NIS Directive, (EU) 2016/1148) was also adopted at European level. It defines measures to ensure a high common level of security for network and information systems across the European Union. The EU member states have until 9 May 2018 to transpose the directive into national law.
The IT Security Act, in force since July 2015, already covers most of the measures that have to be taken in Germany.
But what exactly is behind the law and what do website operators have to pay attention to?
The law primarily tightens the requirements placed on websites and other telemedia services. In principle it obliges everyone affected to comply with a defined minimum set of security requirements, which must be met through suitable technical and organisational measures.
The IT Security Act makes installing software updates a legal obligation.
Website operators are required to keep their systems in line with the state of the art and to monitor regularly for problems and security vulnerabilities. Prompt software updates and the rapid installation of security and maintenance patches are therefore now required, not optional.
Companies are obliged to protect their systems against cyber attacks.
Under the new regulations, operators of websites, web shops and other web applications must take measures to prevent unauthorised access to their IT systems and data and to guard against disruptions, including external attacks.
Companies that fail to comply with the new regulations face high fines.
A new reporting obligation has also been introduced: operators of critical infrastructures must report significant security incidents to the Federal Office for Information Security (BSI). The BSI in turn passes information relevant to affected operators back to them and publishes an annual report on the state of IT security in Germany.
In the next part we will tell you everything about the topic of IT compliance: what is behind the term and what benefits can you derive from mature IT compliance in your company?
Comments
Ute
What does "promptly" mean? Is there a time limit for it?
Do I now have to report every attack on my website, for example one in which malicious code was inserted, to the BSI? And what happens then in the case of such a "self-report"?
Luisa Sofie Faßbender
Hello Ute!
In the context of software updates, "promptly" means "immediately, as soon as a stable (major) version has been released". There is no fixed time limit, but we recommend installing a stable software update immediately, because in our experience security vulnerabilities are exploited very soon after they become known. We will explain this in detail again in Part 3.
On the second question:
The reporting obligation applies only to operators of critical infrastructures. These comprise the sectors information technology, telecommunications, energy, food, finance and insurance, health, and water. A reporting obligation only arises once the critical infrastructure supplies 500,000 people or more. Operators of critical infrastructures that do not fall under the BSI-Kritisverordnung can submit voluntary reports of exceptional IT disruptions via the reporting office of the Allianz für Cyber-Sicherheit.