Datenschutz_im_21ten_Jahrhundert_Konferenz

Germany is preparing for new IT security legislation

09 September 2014

As an essential cornerstone of the Government’s Digital Agenda on 19 August Thomas de Maizière, Federal Minister of the Interior, presented a new draft law which aims at increasing the security of information technology systems (IT Security Act).

The IT Security Act draft (IT-SIG-E) provides for amendments in several specific legal acts, particularly in the BSI-G, TMG, TKG, BKA-G and AWG. The law aims to increase the minimum level of IT security. It primarily targets to boost IT security in critical infrastructures. Such infrastructures operate in various sectors which play a very important role for society (energy, health, transport, finance, etc.).

How does the IT Security Act affect the Internet?

Since large parts of the Internet are, in the legal sense, to be understood as “telecommunications infrastructure”, area-specific requirements for the security level already exist – in the German Telecommunications Act or, for telemedia services provider, in the German Teleservices Act.1 These are supposed to be modified and extended by the present legal draft.2 Telecommunications service provider (e.g. access provider) and Telemedia services provider (e.g. website operator), “which play a key role in the security of cyberspace,” are to “made even more accountable.”3

Problems of Internet regulation

Legal regulation however is not capable of resolving all problems regarding the Internet. Due to its global character, legal measures alone – especially when they “only” come from the national or the European level – cannot provide for the security of and in the Internet. For the Internet is just not an intranet. In addition, is an issue as well on the physical as on the logical level. Internet communication, for example, is based on internationally standardized protocols. Many features and services of the Internet which are essential to its security (here in the broad sense) are administrated by decentral actors who are not legally regulated. The Domain Name System (DNS), as another example, is necessary for the functioning of the Internet (it is important for the translation of domain names to IP addresses); the system is however managed by non-governmental organizations. Thus, IT security law can only serve as a partial solution.

Problems to be dicussed

Currently, the IT-SIG-E is submitted for inter-departmental coordination and approval. But However, it should not only be discussed in the ministries but also by computer scientists, legal experts, Internet activists and all other Internet users (and providers). The IT-SIG-E contains many contentious points. These include: the effectiveness and the scope of incident reporting requirements, the extent to which competencies to store inventory, traffic and usage data are required and whether the proposed act alltogether suffices to rise to the complex and manifold challenges.


  1. cf. § 109 TKG bzw. § 13 TMG; see also § 9 BDSG.
  2. for a more detailed legal analysis see Leisterer/Schneider, Das neue IT-Sicherheitsgesetz – Änderungen und Problemfelder, CR 09/2014, (forthcoming). Among other changes, the draft law extends the competences to storage data, modifies the cyber incident notifications requirements, introduces a notification requirement for service providers and makes it mandatory for personalised telemedia providers to offer a authentification method.
  3. IT-SIG-E, explanation, p. 3.

This post is part of a weekly series of articles by doctoral candidates of the Alexander von Humboldt Institute for Internet and Society. It does not necessarily represent the view of the Institute itself. For more information about the topics of these articles and associated research projects, please contact presse@hiig.de.

This post represents the view of the author and does not necessarily represent the view of the institute itself. For more information about the topics of these articles and associated research projects, please contact info@hiig.de.

Related articles

ryoji-iwata-625080-unsplash

Status Work in the Data Society: Übercapital and Hyper-individualization

Whether it is childcare, credit or consumer goods: ratings, scores and the digital footprint produce new social classifications. This increasing quantification of the social is the reason for new forms...
kaltheuner_twitter.com-kalogatias

“It’s about human dignity and autonomy”

Privacy and data protection are currently being debated more intensively than ever before. In this interview, Frederike Kaltheuner from the civil rights organisation Privacy International explains why those terms have...
coworking

Employee empowerment or workers’ control? The use case of enterprise social networks

In the context of the digitization of the workplace, numerous companies are introducing digital platforms that are intended to strengthen employee participation. The implications of social media for the meaning...