Datenschutz_im_21ten_Jahrhundert_Konferenz

Germany is preparing for new IT security legislation

09 September 2014

As an essential cornerstone of the Government’s Digital Agenda on 19 August Thomas de Maizière, Federal Minister of the Interior, presented a new draft law which aims at increasing the security of information technology systems (IT Security Act).

The IT Security Act draft (IT-SIG-E) provides for amendments in several specific legal acts, particularly in the BSI-G, TMG, TKG, BKA-G and AWG. The law aims to increase the minimum level of IT security. It primarily targets to boost IT security in critical infrastructures. Such infrastructures operate in various sectors which play a very important role for society (energy, health, transport, finance, etc.).

How does the IT Security Act affect the Internet?

Since large parts of the Internet are, in the legal sense, to be understood as “telecommunications infrastructure”, area-specific requirements for the security level already exist – in the German Telecommunications Act or, for telemedia services provider, in the German Teleservices Act.1 These are supposed to be modified and extended by the present legal draft.2 Telecommunications service provider (e.g. access provider) and Telemedia services provider (e.g. website operator), “which play a key role in the security of cyberspace,” are to “made even more accountable.”3

Problems of Internet regulation

Legal regulation however is not capable of resolving all problems regarding the Internet. Due to its global character, legal measures alone – especially when they “only” come from the national or the European level – cannot provide for the security of and in the Internet. For the Internet is just not an intranet. In addition, is an issue as well on the physical as on the logical level. Internet communication, for example, is based on internationally standardized protocols. Many features and services of the Internet which are essential to its security (here in the broad sense) are administrated by decentral actors who are not legally regulated. The Domain Name System (DNS), as another example, is necessary for the functioning of the Internet (it is important for the translation of domain names to IP addresses); the system is however managed by non-governmental organizations. Thus, IT security law can only serve as a partial solution.

Problems to be dicussed

Currently, the IT-SIG-E is submitted for inter-departmental coordination and approval. But However, it should not only be discussed in the ministries but also by computer scientists, legal experts, Internet activists and all other Internet users (and providers). The IT-SIG-E contains many contentious points. These include: the effectiveness and the scope of incident reporting requirements, the extent to which competencies to store inventory, traffic and usage data are required and whether the proposed act alltogether suffices to rise to the complex and manifold challenges.


  1. cf. § 109 TKG bzw. § 13 TMG; see also § 9 BDSG.
  2. for a more detailed legal analysis see Leisterer/Schneider, Das neue IT-Sicherheitsgesetz – Änderungen und Problemfelder, CR 09/2014, (forthcoming). Among other changes, the draft law extends the competences to storage data, modifies the cyber incident notifications requirements, introduces a notification requirement for service providers and makes it mandatory for personalised telemedia providers to offer a authentification method.
  3. IT-SIG-E, explanation, p. 3.

This post is part of a weekly series of articles by doctoral candidates of the Alexander von Humboldt Institute for Internet and Society. It does not necessarily represent the view of the Institute itself. For more information about the topics of these articles and associated research projects, please contact presse@hiig.de.

This post represents the view of the author and does not necessarily represent the view of the institute itself. For more information about the topics of these articles and associated research projects, please contact info@hiig.de.

Related articles

5611657857_39cff21f7d_b_edited

Proposed Directive on Copyright in the Digital Single Market: a missed opportunity?

Do news aggregators impact traffic generation towards online news sites? Will platforms like Instagram and TripAdvisor automatically filter user content? Is an EU news publishers’ right really a good idea? ...
5395779761_e4000a420e_o_edited

Storm in a teacup: predatory journals are irrelevant

A team of investigative journalists has discovered so-called “Predatory publishing”. Since then media has quickly picked up the term "fake science". Yet, the phenomenon is well-known to researchers and only...
ales-nesetril-734016-unsplash Cropped

Student Assistant DICDE (Advocate Europe)

Das The team of the Alexander von Humboldt Institute for Internet and Society (HIIG) is looking for the following at the earliest opportunity a student employee with an IT background....