Germany: Cybersecurity

1. GOVERNING TEXTS

1.1. Legislation

There is no single cybersecurity code in Germany that addresses the subject comprehensively. German legislators have instead enacted diverse rules on cybersecurity in several statutes, acts, and ordinances, accompanied by numerous rules and guidelines of the respective competent authorities.

To understand German legislation in general, the federal system has to be taken into account: the competence to legislate is divided between the authorities and parliaments of the 16 federal states (Länder) and the federal authorities and the Parliament of the Federal Republic of Germany. The Basic Law for the Federal Republic of Germany (the German constitution), which provides a complex system for assigning this competence, does not assign any specific legislative competence in the field of cybersecurity to either the states or the Federation. This starting position hinders coherent and concise law-making for cybersecurity in Germany.

Generally, German law is shaped by a number of European directives and regulations, which are briefly mentioned below.

The following overview provides a short summary of the most important regulations that impose cybersecurity requirements on companies or penalise certain violations of cybersecurity rules.

General Legislation

IT Security Act

German cybersecurity legislation started with the IT Security Act of 25 July 2015 ('IT Security Act') (only available in German).

On 16 December 2020, the German Federal Government adopted a draft of a major amendment to the IT Security Act. The resulting Second IT Security Act of 27 May 2021 ('IT Security Act 2.0') (only available in German) entered into force on 28 May 2021 and amended the Act on the Federal Office for Information Security (BSI Act - BSIG) of 14 August 2009 (as amended) ('BSIG') (only available in German), the Telecommunications Act (now in the version of 23 June 2021) (only available in German) ('Telecommunications Act'), and other legislation.

The IT Security Act is not a self-standing statute that applies on its own; it is an amending act that made several important changes to the acts mentioned below.

BSIG

The BSIG is the most important regulation concerning cybersecurity in Germany. It defines the competences of the Federal Office for Information Security ('BSI') and imposes requirements on the IT infrastructure of the federal administration and the providers of critical infrastructure.

The BSIG empowers the Federal Ministry of the Interior, with the involvement of other ministries and the BSI, to issue ordinances that define cybersecurity requirements and the notion of critical infrastructure in more detail. The Ordinance on the Determination of Critical Infrastructures under the BSI Act of 2016, as amended on 6 September 2021 ('Critical Infrastructures Ordinance') (only available in German), defines sector-specific thresholds (for example, the number of persons supplied by an installation) that determine whether an undertaking must be considered a provider of critical infrastructure.

The IT Security Act 2.0 is intended to strengthen the powers of the BSI. To exercise the new powers, the IT Security Act 2.0 provides for the BSI to be given almost 800 new posts; the BSI is thus growing faster than any other federal authority in Germany. Currently, the BSI has approximately 1,550 positions; in 2016, there were fewer than 700. In addition, consumer protection has become a task of the BSI: for example, consumers are to be better informed about the IT security of products through the introduction of a voluntary IT security label (Section 9c of the BSIG).

GDPR

The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is a crucial development in IT security law. Since almost every IT system processes at least some personal data, the GDPR's obligation to implement appropriate technical and organisational security measures (Article 32 of the GDPR) reaches nearly every IT system. Article 32 expressly names pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore availability after an incident, and regular testing of the effectiveness of the measures.

Federal Data Protection Act

The Federal Data Protection Act of 30 June 2017 (supplementing the GDPR) ('Federal Data Protection Act') provides some minor additions to the general rules of the GDPR, some of which contain detailed IT security requirements, such as Section 22(2) of the Federal Data Protection Act on the security measures required when processing special categories of personal data. Similar rules exist at the level of the 16 states (for example, the Data Protection Act of North Rhine-Westphalia ('DSG NRW') of 2018 (only available in German)), imposing general security obligations under data protection law on the local public authorities.

Criminal Law

Following the Council of Europe Convention on Cybercrime of 23 November 2001, Germany enacted more specific rules criminalising hacking, including the production, sale, and distribution of hacking tools. These are primarily found in the German Criminal Code. The relevant provisions are:

  • Section 202a: Data espionage (unauthorised access to specially protected data);
  • Section 202b: Interception of data;
  • Section 202c: Acts preparatory to data espionage and interception of data (the so-called 'hacker tool' provision, which covers the production, procurement, and distribution of passwords, access codes, and software designed for such offences; dual-use security tools are not covered merely because they could be misused, since the Federal Constitutional Court held in 2009 that the software must objectively be designed to commit such an offence);
  • Section 206: Violation of postal and telecommunications secrecy;
  • Sections 269 and 270: Forgery of data intended to provide evidence, and deception in legal relations through data processing;
  • Section 303a: Data tampering;
  • Section 303b: Computer sabotage; and
  • Section 42 of the Federal Data Protection Act: Unlawful processing of personal data with the intent of enriching oneself or another, or of harming another person.

European Cyber Security Act

The Cybersecurity Act (Regulation (EU) 2019/881 on ENISA, the 'EU Agency for Cybersecurity', and on information and communications technology cybersecurity certification, repealing Regulation (EU) 526/2013) has applied since 27 June 2019. It gives the European Union Agency for Cybersecurity ('ENISA') a permanent and stronger mandate to support Member States in tackling cyberattacks, and establishes an EU-wide framework for the cybersecurity certification of ICT products, services, and processes.

The NIS Directive

The Directive on security of network and information systems (Directive (EU) 2016/1148) ('NIS Directive') required Germany to implement specific cybersecurity rules for providers of critical infrastructure. Most of its requirements had already been implemented in the BSIG by the IT Security Act, one year before the NIS Directive was adopted. The small remaining gaps between the NIS Directive and German law, especially regarding digital service providers, were closed by Section 8c of the BSIG. These rules remained in place under the IT Security Act 2.0.

On 16 December 2020 the European Commission submitted a proposal to replace the NIS Directive with a revised Directive on Security of Network and Information Systems ('NIS 2 Directive') and thereby address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU.

The Directive on measures for a high common level of cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive') was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023. Pursuant to Article 41 of the NIS 2 Directive, Member States must adopt and publish the transposing measures by 17 October 2024 and apply them from 18 October 2024. On the same date, the NIS Directive is repealed.

Sectoral Legislation

IT security rules for specific sectors

There are specific regulations on cybersecurity requirements for certain concession holders and providers of certain services in Germany. These include, inter alia:

  • Section 13(7) of the Telemedia Act of 26 February 2007 ('Telemedia Act') (only available in German), which requires each telemedia provider (e.g. each provider of a website, a web app, or a smartphone app) to ensure, through technical and organisational measures that are technically possible and economically reasonable, that no unauthorised access to the technical facilities used for its services is possible and that those facilities are protected against breaches of personal data and against disruptions, including those caused by external attacks; the provision expressly names the use of a recognised secure encryption method (for web services, in practice, TLS) as such a measure;
  • Section 25a of the Banking Act of 9 September 1998 ('Banking Act'), which requires each bank licence holder to implement an appropriate risk management scheme; in accordance with the supervisory guidance of the Federal Financial Supervisory Authority ('BaFin') (see section 1.3 below), risk management must also address cybersecurity;
  • the Threat Intelligence-based Ethical Red Teaming Framework ('TIBER-EU Framework') of the European Central Bank, which uses threat-intelligence-led red-team tests against live production systems to assess the robustness and resilience of European banks' cybersecurity; the TIBER-EU Framework is not a legal act, but in Germany the legislator has discussed with stakeholders (such as BaFin and the BSI) how to implement it as a legally binding standard in the financial sector;
  • Section 80 (formerly Section 33) of the Securities Trading Act of 9 September 1998 ('Securities Trading Act'), which requires investment services enterprises to fulfil the same organisational requirements as a bank under Section 25a of the Banking Act (see above);
  • Section 165 of the Telecommunications Act, which requires providers of a public telecommunications network and/or a publicly available telecommunications service to implement appropriate technical and other measures to protect against disruptions and unauthorised access, and Section 166, which requires them to appoint a security officer and to adopt a security concept that must be submitted to the Federal Network Agency ('BNetzA'); operators of public telecommunications networks and providers of publicly available telecommunications services with increased risk potential must additionally implement appropriate attack detection systems (Section 165(3) of the Telecommunications Act);
  • the German Energy Industry Act of 7 July 2005 (only available in German) ('Energy Industry Act'), which establishes rules on IT security measures for the energy industry (Section 11(1a) et seq.; see section 4 below); and
  • the Act on the Peaceful Utilisation of Atomic Energy and the Protection against its Hazards of 15 July 1985 ('Atomic Energy Act'), which establishes cybersecurity rules for operators of nuclear installations, especially reporting obligations (Section 44b of the Atomic Energy Act).

1.2. Regulatory authority 

There is no regulatory authority in Germany that supervises IT security in its entirety; the authorities' competences are widely scattered. The most important authorities dealing with cybersecurity in practice are the following.

BSI

The BSI investigates security risks related to the use of IT and develops preventive security measures. It provides information and warnings on IT risks and threats and develops appropriate solutions, including IT security testing and assessment of IT systems in cooperation with industry. The BSI is the main authority that gathers information and provides a comprehensive picture of the threat situation; it also operates the federal computer emergency response team (CERT-Bund). It supervises federal authorities with regard to cybersecurity and monitors compliance with the requirements of the BSIG and the Critical Infrastructures Ordinance by providers of critical infrastructure.

In many cases, the BSI takes action by means of administrative assistance, requested by other German and/or European authorities.

Data protection authorities

Companies that process personal data are monitored by the Federal Commissioner for Data Protection and Freedom of Information ('BfDI') or one of the 16 state data protection authorities ('DPAs'). Because the GDPR and the Federal Data Protection Act require appropriate technical and organisational measures for the security of personal data (among many other requirements), the DPAs can, in parallel to the BSI, BaFin, BNetzA, and all other authorities mentioned, issue administrative orders and impose administrative fines for non-compliance. The DPAs have already started to step up enforcement in this field. For example, a social platform had to pay a fine of €20,000 for storing its users' account data, including passwords, in plaintext rather than in encrypted or hashed form. So far, the highest fine imposed for insufficient technical and organisational measures to ensure information security amounted to €900,000; the DPA had originally imposed €9,550,000, but the fine was significantly reduced by the court.

Sector specific authorities

Furthermore, there are sector-specific authorities that supervise cybersecurity within their own sectors, beyond the general rules. These include:

  • BaFin, which enforces regulations such as Section 25a of the Banking Act and Section 80 of the Securities Trading Act against banks, investment services enterprises, and payment service providers;
  • the BNetzA, for telecommunications and energy supply networks; and
  • the Federal Institute for Drugs and Medical Devices ('BfArM'), for medical devices.

Criminal prosecution authorities

In cases involving criminal offences, the respective local public prosecutor's office is the competent authority. Public prosecutors have established specialised units to prosecute cybercrime; for example, the Central Cybercrime Unit and Contact Point ('ZAC NRW') was established for the whole federal state of North Rhine-Westphalia.

Secret Services

Furthermore, the Federal Office for the Protection of the Constitution and the State Offices for the Protection of the Constitution offer their assistance to companies, especially regarding counter-espionage and the prevention of economic espionage. However, they do not impose obligations as to specific IT security measures.

ENISA

ENISA's mission is to ensure the necessary high level of IT security in the EU by providing expert advice on network and information security to national authorities and EU institutions, by acting as a forum for the exchange of best practice and by facilitating contacts between EU institutions, public authorities, and companies. ENISA has not yet had a specific influence on the practice of cybersecurity in Germany. However, it is expected that this will change in the near future, especially in the area of EU-wide unified cybersecurity certification.

1.3. Regulatory authority guidance

BSI IT-Basic Protection Compendium

The BSI publishes a guideline that defines a large number of typical IT security risks and corresponding measures to mitigate or exclude them, as updated in 2022 ('IT-Basic Protection Compendium', IT-Grundschutz-Kompendium) (only available in German).

The IT-Basic Protection Compendium is a comprehensive and widely acknowledged standard in Germany and succeeds the earlier IT-Grundschutz catalogues. Its building blocks ('Bausteine') are grouped into process and system layers; each building block lists the specific threats and the basic, standard, and elevated-protection requirements for that subject.

BSI guideline on penetration tests

The BSI also publishes guidance on IT penetration tests and offers to conduct such tests itself (only available in German). Federal authorities and providers of critical infrastructure can request the BSI to examine their IT systems for vulnerabilities.

European Central Bank – TIBER-EU Framework

The TIBER-EU Framework provides a controlled, intelligence-led red-team test of financial infrastructures' and institutions' critical live production systems to assess their resilience against cyberattacks; the tests mimic the tactics, techniques, and procedures of the real threat actors identified in a preceding threat intelligence phase.

Standard Data Protection Model of the DSK

The German Data Protection Conference ('DSK'), the joint body of the federal and state DPAs, has created the Standard Data Protection Model ('SDM'), a guidance paper on technical and organisational measures (only available in German). It aims to provide guidelines for establishing a comprehensive data protection compliance management system, which includes issues of IT security and specific IT security measures.

Supervisory Requirements for IT in Financial Institutions

BaFin has issued the Minimum Requirements for Risk Management ('MaRisk'). Among other issues, MaRisk explicitly addresses the minimum acceptable cybersecurity standards for financial institutions in Germany and sets requirements for their IT systems. In particular, section AT 7.2 requires the technical and organisational equipment to be based on established standards, taking into account the state of IT systems and IT processes and their appropriateness for the institution's requirements. IT must be reviewed and tested regularly, appropriate monitoring and control processes must be set up, and data security must be ensured. The at times very abstract and general cybersecurity clauses of MaRisk are interpreted in more detail in BaFin's Supervisory Requirements for IT in Financial Institutions ('BAIT') (only available in German). BAIT explains what is meant by adequate technical and organisational equipment of IT systems, with special consideration of the requirements for information security and an appropriate contingency concept.

2. SCOPE OF APPLICATION

2.1. Network and Information Systems

Providers of a public telecommunications network and providers of publicly available telecommunications services have to designate a security officer and must draft and maintain a security concept according to Section 166 of the Telecommunications Act. It must be noted that the definition of a provider of telecommunications services is very broad and covers, for example, the provider of a wireless internet connection in a hotel or the provider of a messenger service. Thus, the threshold for being subject to this regulation is very low.

Providers of public telecommunication networks must also provide the security concept (including a declaration from the top management that the cybersecurity measures are implemented in practice as described in the concept) to the BNetzA every two years. Furthermore, operators of public telecommunications networks and providers of publicly accessible telecommunications services with increased risk potential must implement appropriate attack detection systems according to Section 165 (3) of the Telecommunication Act. The BNetzA can additionally request the security concept from each provider of publicly available telecommunication service (and does so sometimes in practice).

In addition, the BSIG defines 'critical components' which may only be used by an operator of public telecommunications networks with increased risk potential if they have been tested and certified by a recognised certification body before being used for the first time.

2.2. Critical Information Infrastructure Operators

There are specific obligations under the BSIG for certain sectors, referred to as 'providers of critical infrastructure'. According to Section 2(10) of the BSIG, the following sectors fall within this definition:

  • energy;
  • IT and telecommunications;
  • transport and traffic;
  • health;
  • water;
  • food;
  • finance and insurance; and
  • municipal waste management.

Nevertheless, not all companies in these sectors are subject to the BSIG. The rules apply only to installations of great importance to the functioning of the community, i.e. those whose failure or impairment would result in significant supply shortages or threats to public safety. The Federal Ministry of the Interior ('the Ministry') defines by ordinance, in more detail, which installations fall under the regulation (Section 10(1) of the BSIG).

The Ministry has issued one such ordinance and has amended it:

  • the Critical Infrastructures Ordinance of 22 April 2016; and
  • the Amending Ordinance of 29 June 2017 (only available in German), followed by the further amendment of 6 September 2021 mentioned in section 1.1 above.

2.3. Operator of Essential Services

Not applicable.

2.4. Cloud Computing Services

Not applicable.

2.5. Digital Service Providers

Each provider of a website and each provider of an app is subject to Section 13(7) of the Telemedia Act, which imposes, in a general clause, the obligation to implement adequate organisational and technical cybersecurity measures. Furthermore, digital service providers must take appropriate and proportionate technical and organisational measures to manage the risks to the security of their network and information systems according to Section 8c of the BSIG. Since the IT Security Act 2.0 was enacted, telemedia providers may also be subject to orders by the BSI according to Section 7c of the BSIG.

2.6. Other

Not applicable.

3. REQUIREMENTS

3.1. Security measures

General requirements

Most cybersecurity regulations only provide a very general and broad wording, stating that 'adequate' cybersecurity measures must be implemented, taking the technical state of the art into account. However, in most cases it is not clarified in practice what the 'state of the art' is and what is considered 'proportional and adequate'. Case law that could help identify in detail what companies have to do is only slowly emerging.

Some regulations contain the restriction that only cybersecurity measures that are 'economically reasonable' must be implemented (Section 13(7) of the Telemedia Act). Furthermore, the cost of implementation is a factor to be considered in some cases (Article 32 of the GDPR). This gives companies, to some degree, room to specify an individually tailored IT security concept based on a reasonable budget.

The most specific requirement derives from Section 165(3) of the Telecommunications Act, which requires the implementation of an attack detection system that must be able to identify hazards or threats through continuous and automatic detection and evaluation. However, only very few specific telecommunications providers must adhere to this regulation. Since the IT Security Act 2.0, Section 8a(1a) of the BSIG imposes a corresponding obligation to deploy attack detection systems on providers of critical infrastructure, applicable since 1 May 2023.

Since the relevant law is rather vague and case law is very rare, there is considerable uncertainty about which concrete cybersecurity measures a company must implement to comply with the law. Companies should therefore align their technical and organisational measures with common cybersecurity standards. Companies are mostly free to choose which standard they implement in their cybersecurity concept. However, they are well advised to follow an internationally recognised standard, as failing to do so can constitute a serious liability risk in the event of an IT security incident.

None of the following standards has the status of an act of parliament or an ordinance of a competent authority. They simply specify what could be considered the state of the art in cybersecurity. The standards are:

  • the IT-Basic Protection Compendium;
  • the ISO/IEC 27000 series, especially:
    • ISO/IEC 27001 Information Security Management Systems - Requirements (please see the ISO 27001 Guidance Note for further information);
    • ISO/IEC 27005 Information Security Risk Management; and
    • ISO/IEC 27006 Requirements for Bodies Providing Audit and Certification of Information Security Management Systems;
  • the Common Criteria for Information Technology Security Evaluation, standardised as ISO/IEC 15408, which define criteria for the security evaluation of IT products and IT systems; and
  • Control Objectives for Information and Related Technologies ('COBIT'), a standard for IT governance developed mainly by IT auditors.

The common feature of all these standards is that they are based on the same core principles:

  • the need for protection must be determined (including the identification of all potential risks, the probability of adverse events, and the potential impact of such events); and
  • the corresponding security measures must be chosen and implemented, and their effectiveness regularly reviewed.

Requirements for providers of critical infrastructure

Apart from that, it should be kept in mind that providers of critical infrastructure must comply with much higher standards according to Section 8a(1) of the BSIG. Their security measures must prevent disruptions of the availability, integrity, authenticity, and confidentiality of the IT systems, components, and processes that are decisive for the functionality of the critical infrastructure. The measures must be adequate, i.e. the effort involved must not be disproportionate to the consequences of a failure or impairment of the critical infrastructure concerned. The BSI has specified these measures for providers of critical infrastructure in a published catalogue (only available in German) ('the Catalogue'). The Catalogue is intended to serve as a guideline and assistance in the selection, implementation, and testing of the IT security precautions to be implemented by providers in accordance with Section 8a(1) of the BSIG. However, compliance with the Catalogue is not a binding obligation.

In order to create a more detailed standard for specific branches of critical infrastructure, Section 8a(2) of the BSIG allows operators of critical infrastructure and their industry associations to elaborate and propose industry-specific security standards (branchenspezifische Sicherheitsstandards, 'B3S') that specify the requirements of Section 8a(1) of the BSIG. A proposed B3S becomes relevant for compliance once the BSI, in consultation with the other competent authorities, has confirmed its suitability. Currently, B3S for a number of sectors (water supply and sewerage, food, IT and telecommunications, energy, pharma, laboratory diagnostics, hospital healthcare, transport and traffic, and health and care insurers) have been accepted by the relevant authorities (only available in German).

Furthermore, operators of critical infrastructure must identify critical components within the meaning of Section 2(13) of the BSIG. Using such a critical component requires a notification to the Ministry before first use and the fulfilment of further formal requirements according to Section 9b of the BSIG, including a guarantee declaration by the manufacturer regarding its trustworthiness. This requirement is aimed at preventing the deployment of components from possibly untrustworthy suppliers. However, the term 'critical component' has so far only been defined by the authorities with regard to the telecommunications infrastructure of 5G networks. For other operators of critical infrastructure, Section 9b of the BSIG will only become applicable once a competent authority defines 'critical components' for the specific sector.

3.2. Notification of cybersecurity incidents

Section 8b (1) of the BSIG – Security breach of critical infrastructure

According to Section 8b(1) of the BSIG, the BSI acts as the central reporting point for operators of critical infrastructure. Operators are obliged to notify the BSI without undue delay of significant disruptions to the availability, integrity, authenticity, and confidentiality of their IT systems, components, or processes that have led, or may lead, to a failure or impairment of the functionality of the critical infrastructure (Section 8b(4) of the BSIG). The notification must contain details of the disruption, its possible causes, the affected IT, the type of facility or installation concerned, and the sector of the operator.

Article 33 of the GDPR – Security breach regarding personal data

In the case of a cybersecurity breach leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data, the controller must report the personal data breach to the competent DPA (Article 33(1) of the GDPR). There is an exemption from this obligation if the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification must be made without undue delay and, where feasible, not later than 72 hours after the controller became aware of the breach (Article 33(1) of the GDPR). If the notification is not made within 72 hours, it must be accompanied by reasons for the delay. The content requirements of the notification are listed in Article 33(3) of the GDPR; among others, the following information must be provided: a description of the nature of the breach, including the categories and approximate number of data subjects and records concerned, the contact details of the data protection officer or another contact point, the likely consequences of the breach, and a description of the measures taken or proposed to address it or to mitigate its possible adverse effects. Processors must notify the controller without undue delay after becoming aware of a breach (Article 33(2) of the GDPR), which in practice requires corresponding incident notification clauses in data processing agreements.

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the company must also inform the data subjects without undue delay (Article 34 of the GDPR). There are exemptions from this requirement (Article 34(3) of the GDPR): where the affected data were rendered unintelligible to unauthorised persons, for example by encryption; where subsequent measures ensure that the high risk is no longer likely to materialise; or where individual notification would involve disproportionate effort, in which case a public communication or a similarly effective measure must be used instead.

Other obligations of notification

In some regulated sectors, there are further notification obligations in the case of a security breach. For example, a provider of a public telecommunications network or service must notify security incidents with a significant impact to the BNetzA and the BSI (Section 168 of the Telecommunications Act), and an operator of an energy supply network has the obligation to report disruptions of its IT systems directly to the BSI (Section 11(1c) of the Energy Industry Act).

3.3. Registration with a regulatory authority

No general registration process is required, but operators of critical infrastructure must register with the BSI and designate a point of contact that is reachable at all times (Section 8b(3) of the BSIG). Furthermore, each operator of critical infrastructure must prove its compliance with Section 8a(1) of the BSIG (high level of IT security measures) to the BSI every two years, typically by means of security audits, reviews, or certifications (Section 8a(3) of the BSIG).

3.4. Appointment of a 'security' officer

Providers of publicly available telecommunications services and telecommunications networks must appoint a security officer according to Section 166(1) of the Telecommunications Act. The Act does not define the duties of the role in any detail.

The industry specific standards for cybersecurity – which have been explained in section 3.1 above – provide for the appointment of a Chief Information Security Officer ('CISO'). The role of the CISO is aligned with international security standards, especially ISO 27001.

3.5. Other requirements

Not applicable.

4. SECTOR-SPECIFIC REQUIREMENTS

Beyond the rules already mentioned, there are no further specific laws or regulations on IT security measures for other sectors in Germany. In practice, officially recognised standards have been developed, and compliance with these standards is taken to fulfil the general requirements for IT security.

The following sectors potentially face IT security related issues.

Cybersecurity in the health sector

Germany has no law with specific requirements for the IT security of medical devices. However, the Act on Medical Devices of 2 August 1994 (only available in German) ('MPG') sets out requirements for the general safety of medical devices in Section 32(1) No. 2 of the MPG. The scope of the MPG is so broad that even a medical app is included. A medical device with IT security gaps regularly does not meet the requirements of the MPG. Note that the MPG has since been replaced by the Medical Devices Implementation Act (MPDG) of 28 April 2020, which applies alongside the EU Medical Device Regulation (Regulation (EU) 2017/745); the general safety and performance requirements of the latter (Annex I) expressly require manufacturers to set out minimum requirements for IT security measures, including protection against unauthorised access.

The BfArM is the supervisory authority for drugs and medical devices. Regarding IT security issues, the BfArM has no competence of its own except for instructing the competent authorities of the federal states to take corrective measures if the IT security requirements for medical devices are not met.

Cybersecurity in the financial sector

Cybersecurity in the financial sector has long been a focus of BaFin, which has published detailed guidance for financial institutions on its website, including guidance on outsourcing to cloud service providers and a checklist for authorisation as a credit institution. The supervisory requirements for IT (MaRisk and BAIT) are described in section 1.3 above.

Cybersecurity in the energy sector

Regarding the energy sector, Section 11(1a) of the Energy Industry Act defines very abstract IT security requirements for operators of energy supply networks. To specify these abstract requirements, the BNetzA, in consultation with the BSI, was given the authority to publish an IT security catalogue, which is intended to represent the legal minimum standard (only available in German). Since there is a huge number of operators of energy supply networks in Germany and basically every one of them has to comply with the IT security catalogue, a certification procedure was implemented to enable the BNetzA to monitor compliance: operators must implement an information security management system certified against ISO/IEC 27001, taking into account the sector-specific guidance of ISO/IEC 27019 for the energy utility industry.

Cybersecurity practices for employees

There is no specific regulation on cybersecurity in the employment sector. However, since COVID-19, IT security when working from home has become a major topic. Several guidance papers were issued by authorities in this respect; for example, the BSI issued its guidance on IT security in the home office in 2020 (only available in German here).

Cybersecurity in the education sector

Not applicable.

5. PENALTIES

Sanctions under the BSIG for operators of critical infrastructure

Violations of Sections 8a, 8b, and 8c of the BSIG (i.e. all requirements for operators of critical infrastructure mentioned above) can be sanctioned with an administrative fine of up to €1 million according to Section 14(5) of the BSIG. In practice, fines are rarely imposed in this field and, where they are, they are relatively low. Depending on the specific violation, the threshold might be lower (€500,000 or €100,000).

Sanctions in regulated industries

There are also various sanctions regarding specific industries. Pursuant to Section 228 of the Telecommunications Act, the failure to submit an IT security concept can be sanctioned with an administrative fine of up to €300,000. Failure to report a reportable incident can be sanctioned with an administrative fine of up to €100,000.

Sanctions under the GDPR

Enforcement has already changed dramatically under the GDPR and will continue to do so. Violations of the obligations under Articles 25-39 of the GDPR can be sanctioned with an administrative fine of up to €10 million, or 2% of the worldwide annual turnover, whichever is higher. Violations of the principles under Article 5 of the GDPR can be sanctioned with an administrative fine of up to €20 million, or 4% of the worldwide annual turnover, whichever is higher. Companies are well advised to take the cybersecurity rules of the GDPR very seriously in the future. This has already been demonstrated by many cases, for example the administrative fine against the social platform (see Section 1.2).

Liability for damages according to general law

Besides the specific sanctions of the GDPR, companies in Germany are liable for damages caused by carelessness and negligent failure to exercise reasonable care. As a result, companies that negligently fail to establish reasonable cybersecurity measures are liable for any damage caused, which would have been avoided with adequate cybersecurity measures.

This general rule applies regardless of the product or service that a company provides or the sector in which the company operates and irrespective of whether specific IT-security rules are applicable or not.

Notably, German courts have started to interpret the claim for damages under Article 82 of the GDPR very broadly, and have submitted relevant questions for preliminary ruling to the Court of Justice of the EU in order to establish a uniform European practice. It may be that German undertakings must pay small sums to each data subject after a cybersecurity incident, irrespective of the determination of a concrete damage; in this instance, the mere violation of the GDPR might be sufficient to recognise a damage according to some courts in Germany.

6. OTHER AREAS OF INTEREST

The German legislator does not currently have any further legislation concerning IT security in other areas of interest (e.g. trust, notable incidents and cyberattacks, cybersecurity of 5G networks, cybersecurity of Internet of Things ('IoT')/artificial intelligence ('AI')-based systems, risk management) in mind. Further developments remain to be seen.

However, concerning AI-based systems, the European Commission published, on 19 February 2020, its White Paper On Artificial Intelligence - A European Approach to Excellence and Trust. It is to be expected that Germany will await further developments at EU level and not single-handedly start to regulate AI-based systems. This may take some time, as this topic is certainly not the top priority on the EU's agenda.

Dr. Lutz Martin Keppeler, Partner, [email protected], Heuking Kühn Lüer Wojtek, Cologne