11.12.2020

eco on German IT Security Act 2.0: Premature National Regulation Poses High Risk for Companies and Private Users

After an almost two year lead-up, the German Federal Ministry of the Interior (BMI) has now presented a draft bill on the German IT Security Act 2.0. eco – Association of the Internet Industry sharply criticizes the fact that the BMI has only granted a period of 26 hours for input on the nearly 100-page document.

“This all comes down to wanting to get drafts to the cabinet before the end of this year,” says eco Vice Chair Klaus Landefeld. “This is a manifestation of sheer legislative and political impotence before the end of this legislative term.”

The debate on the IT Security Act is also taking place against the backdrop of a sweeping amendment of the Telecommunications Act. In this instance, the German Federal Ministry for Economic Affairs and Energy (BMWi) issued a new draft act with 465 pages on 9 December, and set a deadline for Friday 11 December.

eco recommends deferring deliberations on the IT Security Act 2.0

In recognising the impact this will have on the further legislative process, eco now appeals to policy-makers to reset the timing for the deliberations on the IT Security Act 2.0 and to await further developments at European level. In particular, this concerns the intended harmonisation of the IT Security Act with the planned revision of the NIS Directive – a directive for the guarantee of a high common level of security and information systems across the Union – which is also imminent.

With this in mind, Landesfeld cautions against premature steps: “A premature national regulation carries the risk of having to re-open legislative action afterwards,” says Landefeld. “For companies, such amendments often involve additional costs associated with having to once again adapt systems and solutions which have already been introduced for the new regulatory framework.” A revision of the NIS Directive has been announced for 2021.

The regulations aimed for in the IT Security Act for the use of so-called critical components or their prohibition should also be addressed and dealt with as far as possible on a European level. “National special regulations should only be provided for narrowly defined areas with clear legal definitions,” says Landefeld. Otherwise, companies are threatened with considerable legal uncertainty. “In order for IT security in Germany to be effectively regulated and to be able to develop and strengthen itself meaningfully in the European Digital Single Market, these problems must now be addressed and dealt with as quickly as possible.”

The new powers of the German Federal Office for Information Security (BSI) throw a spotlight on a central debate about the IT Security Act 2.0. This concerns the handling of information about security vulnerabilities and the data that the BSI can gather within the scope of its new powers. Among other things, the act stipulates that the BSI is to withhold information about security vulnerabilities if it is obliged to maintain secrecy in dealings with security authorities. In addition, the BSI can now have data traffic redirected to servers designated by the BSI and can itself fake attacks on IT systems and, in the course of this, also infiltrate these systems.

Landefeld: “The measures which the BSI can take and issue orders on cast doubt on whether the protection of constitutional rights is safeguarded in this arena.”

On the background:

The first draft of the IT Security Act 2.0 was unofficially published in 2019 and was heavily criticised by eco. After the BMI initially published an uncoordinated discussion draft on 1 December, on which eco issued a German-language statement, an updated draft was published on 9 December. In spite of the fact that other aspects of IT security were fundamentally revised in this draft, the Federal Ministry of the Interior only granted a feedback period until Friday, 11 December, 2 pm. eco also submitted a German-language statement on this version within the given time limit.

Klaus Landefeld