opexxx · February 4, 2022 12:36
diff --git a/Legal and Regulatory Implications for Information Security b/Legal and Regulatory Implications for Information Security
 Germany:
 The Federal Republic of Germany is a federal state made up of 16 states (the Länder). The main sources of law
 include the written constitution, referred to as the Basic Law (Grundgesetz), federal laws passed by the national
 parliament (Bundestag) and laws of the Länder. This overview focuses solely on federal laws, which apply across
 the federal territory.
 Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) is
 the national cyber security authority. Among other functions, it is responsible for protecting federal networks,
 providing technical expertise, analysing threat information and incident reporting, and developing security
 standards for the federal government. A recent initiative is the Cyber Innovation Hub, which was created by the
 German Armed Forces (Bundeswehr) to foster collaboration between the military and start-ups with the aim of
 identifying and validating technologies that can advance military capability.

 Data Protection and Privacy:
 To align existing German law with the GDPR, the Data Protection Adaptation and Implementation Act (Datenschutz-
 Anpassungsund Umsetzungsgesetz EU - DSAnpUG-EU) was adopted in July 2017 to update the Federal Data Protection
 Act (Bundesdatenschutzgesetz - BDSG) and enact exemptions permitted under the GDPR.
 A second Act was passed in June 2019 (2nd DSAnpUG-EU) and entered into force on 26 November 2019, introducing
 further amendments to the BDSG that relate to:
 ‒ competence and powers of the Federal Data Protection Commissioner (Sections 9 and 6 BDSG)
 ‒ threshold for the compulsory appointment of a Data Protection Officer (Section 8 BDSG)
 ‒ processing of special categories of personal data (Section 22 BDSG)
 ‒ means of providing consent for employment-related processing (Section 26 BDSG).
 The 2nd DSAnpUG-EU also includes amendments to 154 federal laws to ensure alignment with the GDPR. For the most
 part, these amendments are editorial to achieve consistency in language and terminology.
 Responsibility for enforcing data protection laws in Germany is split between the Federal Commissioner for Data
 Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit - BfDI) and
 the supervisory authorities within each of the 16 German states (Landesdatenschutzbeauftragten). The BfDI monitors
 compliance by federal authorities, telecommunications providers and postal services.
 All other organisations, including local government bodies, are subject to the supervision of the
 Landesdatenschutzbeauftragten. This accounts for the fact that in addition to the Federal Data Protection Act, the individual
 states have also enacted their own data protection laws (Datenschutzgesetz).

 Infrastructure Security:
 The primary statute that sets legally binding security standards for critical infrastructure is the IT Security Act (ITSicherheitsgesetz
 – IT-SIG), which requires the implementation of state-of-the art organisational and technological
 measures to protect IT systems and facilities. The IT-SIG amended several existing laws, including:
 ‒ Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der
 Informationstechnik – BSIG), which applies to all operators of critical infrastructure and enumerates the duties and
 powers of the Federal Office for Information Security.
 ‒ Telemedia Act (Telemediengesetz), which applies to providers of online services, including search engines, websites
 and mobile applications.
 ‒ Telecommunications Act (Telekommunikationsgesetz), which applies to providers of a public electronic
 communications network or service.
 The IT-SIG came into force in 2015 prior to the NIS Directive, and already encapsulated a number of the key
 requirements. To fully transpose the NIS Directive into German law, the NIS Directive Implementation Act (NISRichtlinien-
 Umsetzungsgesetz) was adopted in June 2017.
 A regulation known as BSI- Kritisverordnung specifies in more detail the criteria that determines those service providers
 who qualify as critical infrastructure operators. Those identified as such must demonstrate to BSI every two years that
 they have taken the necessary measures to achieve compliance.
 In March 2019, a new bill was proposed by the German Federal Ministry of the Interior to update IT-SIG with the objective of
 imposing more robust requirements and mandating additional obligations. Some of the key proposals in the draft bill include:
 ‒ granting additional competences to the Federal Office for Information Security (Bundesamt für Sicherheit in der
 Informationstechnik)
 ‒ adding waste management as an additional critical infrastructure sector
 ‒ imposing new obligations on manufacturers of products
 ‒ introducing new criminal and administrative offences and impose stricter fines.
 The Federal Network Agency (Bundesnetzagentur) is also in the process of updating its catalogue of security requirements
 for the operation of telecommunications and data processing systems (Katalog von Sicherheitsanforderungen für das
 Betreiben von Telekommunikations- und Datenverarbeitungssystemen sowie für die Verarbeitung personenbezogener
 Daten). The catalogue provides clarification on the security measures that should be implemented under Section 109 of the
 Telecommunications Act to protect personal data and ensure the availability of networks and services.
 Financial Processing
 The Banking Act (Kreditwesengesetz) requires credit and financial services institutions to have in place appropriate
 and effective risk management (Section 25a). As part of clarifying the parameters of risk management, the regulator –
 Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) – has issued several circulars that specify the information security
 requirements that are legally binding on banks, financial services institutions and insurance undertakings. The key
 circulars are:
 ‒ Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk), which
 applies to banks and financial services institutions
 ‒ Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT), which
 applies to banks and financial services institutions
 ‒ Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an
 die IT – VAIT), which applies to all insurance undertakings subject to the German Insurance Supervision Act
 (Versicherungsaufsichtsgesetz).
 The PSD2 was transposed into German law in January 2018 through the Payment Services Implementation Act
 (Zahlungsdiensteumsetzungsgesetz).

 Protection of Intellectual Property:
 The Trade Secrets Act (Gesetz zum Schutz von Geschäftsgeheimnissen) was adopted on 21 March 2019 to transpose
 the EU Trade Secrets Directive (2016/943) into German law. It requires organisations to put in place appropriate security
 measures to safeguard the confidentiality of trade secrets and protect against unlawful disclosure.
 Cyber Crime
 Under the German Criminal Code (Strafgesetzbuch), a number of computer-related offences are listed, including:
 ‒ Data espionage (Section 202a)
 ‒ Interception of data (Section 202b)
 ‒ Preparatory acts for committing a cybercrime by producing, acquiring or making available passwords or software
 (Section 202c)
 ‒ Dealing with illegally obtained data (Section 202d)
 ‒ Unlawful disclosure of personal information for professionals with a duty of secrecy (Section 203a)
 ‒ Unlawful disclosure of facts subject to postal or telecommunications confidentiality (Section 206)
 ‒ Data tampering (Section 303a)
 ‒ Computer sabotage (Section 303b)
 ‒ Falsification of digital evidence (Sections 269 and 270).

 Monitoring and Surveillance:
 The following federal laws apply to the monitoring of employee activity in the workplace:
 ‒ BDSG permits processing of employee personal data if it is necessary for entering into, performing or terminating an
 employment contract, or for the purposes of a criminal investigation (Section 26).
 ‒ Telemedia Act and Telecommunications Act impose privacy obligations that may apply to monitoring employees’
 use of the internet, telephone and email, depending on whether personal use of an organisation’s electronic
 communications is permitted.
 ‒ German Works Constitution Act (Betriebsverfassungsgesetz – BetrVG) enacts the right of codetermination, which
 requires the works council’s consent for each technical device that is used to monitor the conduct or performance of
 employees.
 ‒ Basic Law for the Federal Republic of Germany (Grundgesetz für die Bundesrepublik Deutschland protects the
 privacy of correspondence, post and telecommunications (Article 10).
 A works council (Betriebsrat) is a body formed of employees elected for a four year term and mandated to represent the
 interests of the workforce across a range of issues, including social policy, environmental and financial matters.
 There are several pieces of legislation governing the surveillance powers of federal law enforcement and intelligence
 agencies, including interception of communications. Relevant laws include:
 ‒ Act on the Federal Office for the Protection of the Constitution (Bundesverfassungsschutzgesetz)
 ‒ Act on the Federal Intelligence Service (Gesetzt über den Bundesnachrichtendienst)
 ‒ Act on the Military Counter-Intelligence Service (Gesetz über den militärischen Abschirmdienst)
 ‒ Act on the Limitation of Privacy of Correspondence, Post and Telecommunications (Gesetz zur Beschränkung des
 Brief-, Post- und Fernmeldegeheimnisses)
 ‒ Federal Criminal Police Office Act (Bundeskriminalamtgesetz)
 ‒ Federal Police Act (Bundespolizeigesetz)
 ‒ Criminal Procedure Code (Strafprozessordnung).
 Under the Telecommunications Act, providers of public electronic communications services are obliged to facilitate the
 execution of a warrant or court order authorising the interception of communications. Certain providers must maintain
 an interception capability in accordance with technical requirements specified in the Telecommunications Surveillance
 Regulation (Telekommunikations-Überwachungsverordnung).

 Reporting Requirements:
 Organisations may be subject to multiple reporting requirements depending on the type of security incident and who it
 affects. The legal requirements that may be applicable are:
 ‒ Personal data breaches shall be reported to the local supervisory authority within 72 hours of becoming aware of the
 breach. If the breach is likely to pose a high risk to affected data subjects, they must also be informed without undue
 delay. For related derogations from the GDPR, see Sections 29(1), 45, 56(2) and 66(5) of the BDSG.
 ‒ The Federal Office for Information Security (BSI) shall be notified immediately of security incidents that have resulted
 in a failure or material impairment to the functionality of critical infrastructure (see Section 8 of the BSIG). If failure
 or material impairment has yet to occur but is possible, the operator is only required to report the incident if it is
 significant.
 ‒ Disruptions or changes to the activity of telecommunications providers shall be reported without undue delay to the
 Federal Network Agency (Bundesnetzagentur).
 ‒ Major security incidents affecting payment services shall be reported to the Federal Financial Supervisory Authority
 (BaFin) without undue delay.
 Key Regulators
 Regulators and competent authorities responsible for enforcing compliance with information security requirements under federal
 law include:
 ‒ Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI): Federal Commissioner for Data Protection and
 Freedom of Information
 ‒ Bundesamt für Sicherheit in der Informationstechnik (BSI): Federal Office for Information Security
 ‒ Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin): Federal Financial Supervisory Authority
 ‒ Bundesnetzagentur (BNetzA): Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway.
 There are also regulators in each of the 16 states who oversee laws applicable to information security.

 source ISF
	Germany:
	The Federal Republic of Germany is a federal state made up of 16 states (the Länder). The main sources of law
	include the written constitution, referred to as the Basic Law (Grundgesetz), federal laws passed by the national
	parliament (Bundestag) and laws of the Länder. This overview focuses solely on federal laws, which apply across
	the federal territory.
	Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) is
	the national cyber security authority. Among other functions, it is responsible for protecting federal networks,
	providing technical expertise, analysing threat information and incident reporting, and developing security
	standards for the federal government. A recent initiative is the Cyber Innovation Hub, which was created by the
	German Armed Forces (Bundeswehr) to foster collaboration between the military and start-ups with the aim of
	identifying and validating technologies that can advance military capability.

	Data Protection and Privacy:
	To align existing German law with the GDPR, the Data Protection Adaptation and Implementation Act (Datenschutz-
	Anpassungsund Umsetzungsgesetz EU - DSAnpUG-EU) was adopted in July 2017 to update the Federal Data Protection
	Act (Bundesdatenschutzgesetz - BDSG) and enact exemptions permitted under the GDPR.
	A second Act was passed in June 2019 (2nd DSAnpUG-EU) and entered into force on 26 November 2019, introducing
	further amendments to the BDSG that relate to:
	‒ competence and powers of the Federal Data Protection Commissioner (Sections 9 and 6 BDSG)
	‒ threshold for the compulsory appointment of a Data Protection Officer (Section 8 BDSG)
	‒ processing of special categories of personal data (Section 22 BDSG)
	‒ means of providing consent for employment-related processing (Section 26 BDSG).
	The 2nd DSAnpUG-EU also includes amendments to 154 federal laws to ensure alignment with the GDPR. For the most
	part, these amendments are editorial to achieve consistency in language and terminology.
	Responsibility for enforcing data protection laws in Germany is split between the Federal Commissioner for Data
	Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit - BfDI) and
	the supervisory authorities within each of the 16 German states (Landesdatenschutzbeauftragten). The BfDI monitors
	compliance by federal authorities, telecommunications providers and postal services.
	All other organisations, including local government bodies, are subject to the supervision of the
	Landesdatenschutzbeauftragten. This accounts for the fact that in addition to the Federal Data Protection Act, the individual
	states have also enacted their own data protection laws (Datenschutzgesetz).

	Infrastructure Security:
	The primary statute that sets legally binding security standards for critical infrastructure is the IT Security Act (ITSicherheitsgesetz
	– IT-SIG), which requires the implementation of state-of-the art organisational and technological
	measures to protect IT systems and facilities. The IT-SIG amended several existing laws, including:
	‒ Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der
	Informationstechnik – BSIG), which applies to all operators of critical infrastructure and enumerates the duties and
	powers of the Federal Office for Information Security.
	‒ Telemedia Act (Telemediengesetz), which applies to providers of online services, including search engines, websites
	and mobile applications.
	‒ Telecommunications Act (Telekommunikationsgesetz), which applies to providers of a public electronic
	communications network or service.
	The IT-SIG came into force in 2015 prior to the NIS Directive, and already encapsulated a number of the key
	requirements. To fully transpose the NIS Directive into German law, the NIS Directive Implementation Act (NISRichtlinien-
	Umsetzungsgesetz) was adopted in June 2017.
	A regulation known as BSI- Kritisverordnung specifies in more detail the criteria that determines those service providers
	who qualify as critical infrastructure operators. Those identified as such must demonstrate to BSI every two years that
	they have taken the necessary measures to achieve compliance.
	In March 2019, a new bill was proposed by the German Federal Ministry of the Interior to update IT-SIG with the objective of
	imposing more robust requirements and mandating additional obligations. Some of the key proposals in the draft bill include:
	‒ granting additional competences to the Federal Office for Information Security (Bundesamt für Sicherheit in der
	Informationstechnik)
	‒ adding waste management as an additional critical infrastructure sector
	‒ imposing new obligations on manufacturers of products
	‒ introducing new criminal and administrative offences and impose stricter fines.
	The Federal Network Agency (Bundesnetzagentur) is also in the process of updating its catalogue of security requirements
	for the operation of telecommunications and data processing systems (Katalog von Sicherheitsanforderungen für das
	Betreiben von Telekommunikations- und Datenverarbeitungssystemen sowie für die Verarbeitung personenbezogener
	Daten). The catalogue provides clarification on the security measures that should be implemented under Section 109 of the
	Telecommunications Act to protect personal data and ensure the availability of networks and services.
	Financial Processing
	The Banking Act (Kreditwesengesetz) requires credit and financial services institutions to have in place appropriate
	and effective risk management (Section 25a). As part of clarifying the parameters of risk management, the regulator –
	Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) – has issued several circulars that specify the information security
	requirements that are legally binding on banks, financial services institutions and insurance undertakings. The key
	circulars are:
	‒ Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk), which
	applies to banks and financial services institutions
	‒ Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT), which
	applies to banks and financial services institutions
	‒ Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an
	die IT – VAIT), which applies to all insurance undertakings subject to the German Insurance Supervision Act
	(Versicherungsaufsichtsgesetz).
	The PSD2 was transposed into German law in January 2018 through the Payment Services Implementation Act
	(Zahlungsdiensteumsetzungsgesetz).

	Protection of Intellectual Property:
	The Trade Secrets Act (Gesetz zum Schutz von Geschäftsgeheimnissen) was adopted on 21 March 2019 to transpose
	the EU Trade Secrets Directive (2016/943) into German law. It requires organisations to put in place appropriate security
	measures to safeguard the confidentiality of trade secrets and protect against unlawful disclosure.
	Cyber Crime
	Under the German Criminal Code (Strafgesetzbuch), a number of computer-related offences are listed, including:
	‒ Data espionage (Section 202a)
	‒ Interception of data (Section 202b)
	‒ Preparatory acts for committing a cybercrime by producing, acquiring or making available passwords or software
	(Section 202c)
	‒ Dealing with illegally obtained data (Section 202d)
	‒ Unlawful disclosure of personal information for professionals with a duty of secrecy (Section 203a)
	‒ Unlawful disclosure of facts subject to postal or telecommunications confidentiality (Section 206)
	‒ Data tampering (Section 303a)
	‒ Computer sabotage (Section 303b)
	‒ Falsification of digital evidence (Sections 269 and 270).

	Monitoring and Surveillance:
	The following federal laws apply to the monitoring of employee activity in the workplace:
	‒ BDSG permits processing of employee personal data if it is necessary for entering into, performing or terminating an
	employment contract, or for the purposes of a criminal investigation (Section 26).
	‒ Telemedia Act and Telecommunications Act impose privacy obligations that may apply to monitoring employees’
	use of the internet, telephone and email, depending on whether personal use of an organisation’s electronic
	communications is permitted.
	‒ German Works Constitution Act (Betriebsverfassungsgesetz – BetrVG) enacts the right of codetermination, which
	requires the works council’s consent for each technical device that is used to monitor the conduct or performance of
	employees.
	‒ Basic Law for the Federal Republic of Germany (Grundgesetz für die Bundesrepublik Deutschland protects the
	privacy of correspondence, post and telecommunications (Article 10).
	A works council (Betriebsrat) is a body formed of employees elected for a four year term and mandated to represent the
	interests of the workforce across a range of issues, including social policy, environmental and financial matters.
	There are several pieces of legislation governing the surveillance powers of federal law enforcement and intelligence
	agencies, including interception of communications. Relevant laws include:
	‒ Act on the Federal Office for the Protection of the Constitution (Bundesverfassungsschutzgesetz)
	‒ Act on the Federal Intelligence Service (Gesetzt über den Bundesnachrichtendienst)
	‒ Act on the Military Counter-Intelligence Service (Gesetz über den militärischen Abschirmdienst)
	‒ Act on the Limitation of Privacy of Correspondence, Post and Telecommunications (Gesetz zur Beschränkung des
	Brief-, Post- und Fernmeldegeheimnisses)
	‒ Federal Criminal Police Office Act (Bundeskriminalamtgesetz)
	‒ Federal Police Act (Bundespolizeigesetz)
	‒ Criminal Procedure Code (Strafprozessordnung).
	Under the Telecommunications Act, providers of public electronic communications services are obliged to facilitate the
	execution of a warrant or court order authorising the interception of communications. Certain providers must maintain
	an interception capability in accordance with technical requirements specified in the Telecommunications Surveillance
	Regulation (Telekommunikations-Überwachungsverordnung).

	Reporting Requirements:
	Organisations may be subject to multiple reporting requirements depending on the type of security incident and who it
	affects. The legal requirements that may be applicable are:
	‒ Personal data breaches shall be reported to the local supervisory authority within 72 hours of becoming aware of the
	breach. If the breach is likely to pose a high risk to affected data subjects, they must also be informed without undue
	delay. For related derogations from the GDPR, see Sections 29(1), 45, 56(2) and 66(5) of the BDSG.
	‒ The Federal Office for Information Security (BSI) shall be notified immediately of security incidents that have resulted
	in a failure or material impairment to the functionality of critical infrastructure (see Section 8 of the BSIG). If failure
	or material impairment has yet to occur but is possible, the operator is only required to report the incident if it is
	significant.
	‒ Disruptions or changes to the activity of telecommunications providers shall be reported without undue delay to the
	Federal Network Agency (Bundesnetzagentur).
	‒ Major security incidents affecting payment services shall be reported to the Federal Financial Supervisory Authority
	(BaFin) without undue delay.
	Key Regulators
	Regulators and competent authorities responsible for enforcing compliance with information security requirements under federal
	law include:
	‒ Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI): Federal Commissioner for Data Protection and
	Freedom of Information
	‒ Bundesamt für Sicherheit in der Informationstechnik (BSI): Federal Office for Information Security
	‒ Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin): Federal Financial Supervisory Authority
	‒ Bundesnetzagentur (BNetzA): Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway.
	There are also regulators in each of the 16 states who oversee laws applicable to information security.

	source ISF