Skip to content
Datenschutz_im_21ten_Jahrhundert_Konferenz
09 September 2014

Germany is preparing for new IT security legislation

As an essential cornerstone of the Government’s Digital Agenda on 19 August Thomas de Maizière, Federal Minister of the Interior, presented a new draft law which aims at increasing the security of information technology systems (IT Security Act).

The IT Security Act draft (IT-SIG-E) provides for amendments in several specific legal acts, particularly in the BSI-G, TMG, TKG, BKA-G and AWG. The law aims to increase the minimum level of IT security. It primarily targets to boost IT security in critical infrastructures. Such infrastructures operate in various sectors which play a very important role for society (energy, health, transport, finance, etc.).

How does the IT Security Act affect the Internet?

Since large parts of the Internet are, in the legal sense, to be understood as “telecommunications infrastructure”, area-specific requirements for the security level already exist – in the German Telecommunications Act or, for telemedia services provider, in the German Teleservices Act.1 These are supposed to be modified and extended by the present legal draft.2 Telecommunications service provider (e.g. access provider) and Telemedia services provider (e.g. website operator), “which play a key role in the security of cyberspace,” are to “made even more accountable.”3

Problems of Internet regulation

Legal regulation however is not capable of resolving all problems regarding the Internet. Due to its global character, legal measures alone – especially when they “only” come from the national or the European level – cannot provide for the security of and in the Internet. For the Internet is just not an intranet. In addition, is an issue as well on the physical as on the logical level. Internet communication, for example, is based on internationally standardized protocols. Many features and services of the Internet which are essential to its security (here in the broad sense) are administrated by decentral actors who are not legally regulated. The Domain Name System (DNS), as another example, is necessary for the functioning of the Internet (it is important for the translation of domain names to IP addresses); the system is however managed by non-governmental organizations. Thus, IT security law can only serve as a partial solution.

Problems to be dicussed

Currently, the IT-SIG-E is submitted for inter-departmental coordination and approval. But However, it should not only be discussed in the ministries but also by computer scientists, legal experts, Internet activists and all other Internet users (and providers). The IT-SIG-E contains many contentious points. These include: the effectiveness and the scope of incident reporting requirements, the extent to which competencies to store inventory, traffic and usage data are required and whether the proposed act alltogether suffices to rise to the complex and manifold challenges.


  1. cf. § 109 TKG bzw. § 13 TMG; see also § 9 BDSG.
  2. for a more detailed legal analysis see Leisterer/Schneider, Das neue IT-Sicherheitsgesetz – Änderungen und Problemfelder, CR 09/2014, (forthcoming). Among other changes, the draft law extends the competences to storage data, modifies the cyber incident notifications requirements, introduces a notification requirement for service providers and makes it mandatory for personalised telemedia providers to offer a authentification method.
  3. IT-SIG-E, explanation, p. 3.

This post is part of a weekly series of articles by doctoral candidates of the Alexander von Humboldt Institute for Internet and Society. It does not necessarily represent the view of the Institute itself. For more information about the topics of these articles and associated research projects, please contact presse@hiig.de.

This post represents the view of the author and does not necessarily represent the view of the institute itself. For more information about the topics of these articles and associated research projects, please contact info@hiig.de.

Hannfried Leisterer, Dr.

Former associate doctoral Researcher: Global Constitutionalism and the Internet
Du siehst eine Tastatur auf der eine Taste rot gefärbt ist und auf der „Control“ steht. Eine bildliche Metapher für die Regulierung von digitalen Plattformen im Internet und Data Governance. You see a keyboard on which one key is coloured red and says "Control". A figurative metaphor for the regulation of digital platforms on the internet and data governance.

Data governance

We develop robust data governance frameworks and models to provide practical solutions for good data governance policies.

Sign up for HIIG's Monthly Digest

and receive our latest blog articles.

Further articles

two Quechuas, sitting on green grass and looking at their smartphones, symbolising What are the indigenous perspectives of digitalisation? Quechuas in Peru show openness, challenges, and requirements to grow their digital economies

Exploring digitalisation: Indigenous perspectives from Puno, Peru

What are the indigenous perspectives of digitalisation? Quechuas in Peru show openness, challenges, and requirements to grow their digital economies.

eine mehrfarbige Baumlandschaft von oben, die eine bunte digitale Publikationslandschaft symbolisiert

Diamond OA: For a colourful digital publishing landscape

The blog post raises awareness of new financial pitfalls in the Open Access transformation and proposes a collaborative funding structure for Diamond OA in Germany.

a pile of crumpled up newspapers symbolising the spread of disinformation online

Disinformation: Are we really overestimating ourselves?

How aware are we of the effects and the reach of disinformation online and does the public discourse provide a balanced picture?