Germany must not take the second step before the first – the parallel legislative processes on IT Security at the national and European level must be closely aligned. This, a central position for eco, was discussed by participants at the first eco Policy Breakfast for 2015 in Berlin last Tuesday morning. Among the around 30 guests from politics and industry, there were, along with member companies, representatives from German Federal Ministries, as well as German Members of Parliament and their staff.
Oliver Süme, eco Director of Policy and Law, and also President of the European provider association EuroISPA, warned against the possible emergence of a “patchwork” of different national specifications for IT Security, because alongside Germany, several other EU member states are also currently working on their own IT Security laws. This could lead to considerable legal uncertainty for the affected companies. According to Süme, IT Security is a cross-border challenge which requires European or global solutions and standards.
SĂĽme sees it as the obligation of the German Federal Government to advocate for an alignment of the IT Security regulations within the framework of the planned European Directive on measures for ensuring a high common level of Network and Information Security in the Union (NIS Directive), and in this way to guarantee legal and planning security for companies. Alexander Meissner, Consultant in the Federal Ministry for the Interior, emphasized that the ministry is aware of the challenge and is also striving to align the IT Security Act and the NIS Directive as closely as possible, in order to create as little duplication of effort as possible for the affected companies. He continued that, given the urgent need for action, it was not expedient to wait for Brussels, but rather that the national IT Security Act could create a precedent and provide stimulus for the NIS Directive.
Focus should lie in critical infrastructure
A second discussion focus concerned the scope of application of the IT security Act and the NIS Directive – the as yet unresolved question of which sectors should be included in the statutory provisions for what is known as critical infrastructure. It is still necessary to clarify to what extent services for the information society – from the Internet services for the simple blog through to globally active social media services – should be included. The identification and definition of critical infrastructure requires precise legal criteria. In conjunction with this, eco recommends the scope of application retain its focus on critical infrastructure, and that no special regulations be created for all services for the information society. The German Federal Ministry for the Interior proposes that the definition of the affected sectors of critical infrastructure with regard to the regulation will be undertaken in close consultation with industry.
The Cabinet draft for an IT Security Act agreed by the German Federal Government on 17 December 2014 will now be introduced into parliamentary proceedings and will be debated in the responsible committees. After the conclusion of the parliamentary process, anticipated in the middle of the year, the IT Security Act is expected to be adopted and to enter into force without delay.
The Latvian EU Council Presidency is striving for a rapid agreement in the Council for both the NIS Directive and the EU General Data Protection Regulation. The legislative process for the European NIS Directive is, as a result, soon to be concluded. The NIS Directive could, given speedy agreement in the tri-partite negotiations, be concluded in the second quarter of 2015, and would then need to be implemented in national law within the next 18 months.