IT Security Act in force
The IT Security Act obliges operators of critical infrastructures to comply with security standards and to report impairments to the BSI. Critical infrastructures are those of companies in the energy, IT, telecommunications, transport and traffic, health, water, food, finance and insurance sectors if they are of great importance to the functioning of the community. A more precise definition will be provided by a legal ordinance. The average online store will probably not meet this definition.
However, the IT Security Act also brings a change for every online shop operator: Section 13 (7) of the German Telemedia Act has been amended. Every online shop operator must now take "technical and organizational precautions to ensure [...] that [...] no unauthorized access to the technical equipment used for their [online stores] is possible". Furthermore, the online stores must be secured against data protection breaches and disruptions. The "state of the art" must therefore be observed. The obligation to "use an encryption method recognized as secure" is explicitly mentioned.
Violations of the obligations are subject to fines. Available software updates should therefore be installed promptly. As most store operators have transferred the administration to third parties, those third parties should be contractually obliged to comply with the new regulations. It is likely that warnings will also be issued in the near future for alleged infringements. However, warnings in this area may already fail for formal reasons.