While there is no single unitary law for cybersecurity and data protection in Germany, the cybersecurity landscape is held together by a combination of federal and European laws and regulations. As in every other European country, data protection in Germany is governed and enforced under the strict EU GDPR.
Germany’s newest attempt at refreshing cybersecurity laws and regulations is passing the German IT Security Act 2.0, which aims to enhance IT system security and harmonize other cyber security laws to combat the ever-increasing digital threat landscape and cyber security challenges like growing ransomware attacks.
However, the mesh of overlapping cybersecurity laws and regulations can be difficult for businesses and organizations to comply with. Moreover, the penalties for non-compliance are staggeringly high: organizations face fines of up to €20 million or 4% of their annual global turnover. To date, the largest data protection fine Germany has ever imposed was €35 million on Sweden’s H&M for unlawfully processing sensitive employee data.
German and European businesses dealing with German businesses and organizations must comply with the regulations that protect their citizens’ data and keep organizations accountable for their security posture, especially in the financial and healthcare sectors.
This article will cover the biggest cybersecurity laws and regulations in Germany and serve as a comprehensive guide for all businesses and organizations on German cybersecurity laws and regulations, fees, and penalties, as well as their requirements for compliance.
The Federal Office for Information Security (BSI)
Established in 1991, the Federal Office for Information Security (BSI) (or Bundesamt für Sicherheit in der Informationstechnik, in German) is the federal cybersecurity office and federal authority responsible for supervising IT security in the country.
A predecessor to the BND, the BSI is Germany’s cryptographic department of foreign intelligence and is known for designing cryptographic algorithms. It is credited with initiating the Gpg4win cryptographic suite. Simply put, what NIST is to the US, the BSI is to Germany.
The BSI also serves as a source of guidelines and recommendations on the technical implementation of cryptographic processes for businesses in IT. It may also provide information that helps businesses coordinate better when responding to incidents.
The BSI Act (BSIG)
The BSI Act (Federal Information Technology Security Act; Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSI-Gesetz or BSIG) is the first legal basis of the BSI. It came into force in 2009 and still acts as the foundation of the other German cybersecurity acts that exist today.
The BSI Act covers preventive cybersecurity under German computer and communications law, and critical infrastructure such as energy, healthcare, food, IT and telecommunications, and finance. Other obligations include spying, counterintelligence, and the certification of security products.
Under the BSI Act, the main responsibilities of the BSI are to:
- Act as a major entity for all unitary IT security standards in Germany;
- Serve as a main consultative body for the government and other organizations regarding IT security;
- Protect the federal networks of Germany and implement preventive cybersecurity;
- Enforce cyber security detection and cyber defense against cyber attacks and malware;
- Serve as an IT security reporting center for all operators of critical infrastructures;
- Act as a major entity for the development of cryptography;
- Certify, test, and accredit potential IT products to combat faulty security products;
- Inform the public and raise cybersecurity awareness.
As of July 2015, the BSI Act was supplemented with major changes by the Act on Increasing the Security of IT Systems (German IT Security Act 1.0). Applying the standards of the IT-Grundschutzhandbuch, the BSI acts as the main testing and certification entity for IT system security in Germany and covers computer and data security.
German IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0)
Germany’s newest cybersecurity law, the German IT Security Act 2.0, was passed in April 2021 to enhance IT system security. The new act amended multiple cybersecurity laws like the BSIG, and it serves to combat cybersecurity threats and emphasize the importance of safeguarding IT and communication technology in Germany.
What Is the Purpose of the IT Security Act 2.0?
Primarily, the new act strengthens the BSI with new extensive rights, powers, and responsibilities for covering IT security risk on a national level, countering IT deficits, and enhancing IT security.
The new act aims to:
- Harmonize most German cyber security and data protection laws;
- Enhance the security of IT systems;
- Improve consumer protection.
How Does the IT Security Act 2.0 Affect the BSI?
Under the amended BSI Act, the BSI now has the authority to:
- Conduct security risk assessments, monitoring, and auditing vis-à-vis the federal administration;
- Be more closely involved with all digitization projects of the federal government;
- Approve sector-specific security standards;
- Gather, evaluate, process, and assess vulnerability information and protocol data for enhancing IT security and cybersecurity measures;
- Define security standards for the federal administration;
- Use port scans of federal facilities and honeypots for simulating cyber attacks to evaluate the security strength of IT systems.
After 2022, more legislative updates will follow. The BSI is planned to serve as a central authority for cybersecurity in Germany. In the future, the BSI will also act as a major info hub that will provide individuals, businesses, and organizations with best practices and security recommendations against IT threats.
The BSIG/BSI-KritisV and Operators of Critical Infrastructures
With the new German IT Security Act 2.0, the German Bundestag and the Federal Council aim to “hit two birds with one stone” and reform information security and digitalization with amendments to the BSIG/BSI-KritisV (Ordinance on the Designation of Critical Infrastructures according to the Act on the Federal Office for Information Security).
Formerly, the first BSI Act only addressed critical infrastructures. As of April 2016, with an increased range of obligations, the new regulation focuses on both critical infrastructures and digital service providers.
Who Does the BSIG/BSI-KritisV Apply to?
The BSIG and the BSI-KritisV set out security obligations for:
- Critical infrastructure sectors;
- Digital service providers like online markets, search engines, and cloud services;
- Federal authorities.
The German IT Security Act 2.0 regulates IT security and enforces its requirements on “operators of critical infrastructure.”
The critical infrastructure sectors and services, as specified in the Ordinance on the Identification of Critical Infrastructures (KritisVO), include energy, water, food, information technology and telecommunications, healthcare, finance and insurance, transport, and municipal waste disposal. Operators in these sectors are also known as KRITIS companies.
Requirements of the BSIG/BSI-KritisV
The Federal Office for Information Security (BSI) mandates all businesses, organizations that are of particular public interest (special interest companies), and entities engaged with critical infrastructure to:
- Conduct security audits once every two years;
- Report all cybersecurity incidents and significant disruptions to the relevant authority (the BSI); this is a mandatory notification obligation in case of a significant cyber incident;
- Designate a contact point for the BSI to ensure constant availability;
- Implement intrusion detection systems against cyber attacks (this obligation applies to operators of critical infrastructure);
- Implement the minimum requirements of appropriate, state-of-the-art organizational and technical measures for combating IT system and information system incidents. Operators must prove in a security audit every two years that the implemented measures fulfill the minimum requirements.
Additionally, all federal authorities must report cybersecurity incidents to the Federal Office of Information Security upon detecting a cybersecurity incident.
The BSI is required to develop minimum standards for strengthening the IT security of the federal administration. The Federal Ministry of the Interior can declare these minimum standards as binding for all authorities because only consultation (rather than agreement) with the IT Council is required.
Is Complying with the BSIG/BSI-KritisV Mandatory?
Yes. Complying with the BSIG/BSI-KritisV is mandatory for all entities, businesses, and organizations engaged with critical infrastructures, as well as organizations of special interest. Formerly, the ordinance offered all affected entities a transition period before they had to meet the requirements.
As of 2021, with the new IT Security Act 2.0 and the Second KRITIS Ordinance, companies must comply with the requirements from the first day they fall within the scope of the ordinance.
According to Section 8a of the BSI Act, all operators of critical infrastructures must regularly prove to the BSI that they have correctly implemented security measures, every two years. With the agreement of the supervisory authorities, the BSI may impose sanctions on an entity that fails to meet the requirements.
What are the Penalties for BSIG/BSI-KritisV Non-Compliance?
Companies and organizations that fail to meet the requirements of the BSIG/BSI-KritisV face fines of up to 20 million Euros imposed by the BSI.
All companies must verify whether or not they fall within the scope of the BSIG/BSI-KritisV ordinance and the IT Security Act 2.0. Organizations are advised to seek legal counsel to determine whether they are obliged to comply.
Federal Data Protection Act (BDSG - Bundesdatenschutzgesetz)
The German Bundesdatenschutzgesetz (BDSG), or the Federal Data Protection Act, adapts German laws in line with the European Union’s GDPR (General Data Protection Regulation) to oversee data protection regulations.
As of 30 June 2017, the BDSG, together with each German federal state’s own data protection law (Landesdatenschutzgesetz, LDSG), governs data processing operations and the processing of personal data in Germany.
While the Federal Office for Information Security (BSI) focuses on overseeing compliance with IT security law, compliance with the BDSG and other data protection laws is supervised by the data protection authorities of the 16 federal states.
How Does the BDSG Work with the GDPR?
The BDSG supplements the GDPR (General Data Protection Regulation), which is mandated by the EU for financial services that process or collect personal data from EU citizens.
The GDPR stipulates cyber security requirements and obligations regarding data privacy, cyber security, and breach management. The GDPR applies to all institutions and organizations that handle personal data and operate within the EU and companies that conduct business with countries in the EU.
The GDPR requires controllers and processors to follow the relevant protocols, implement data privacy measures, and ensure that data is collected with consent. For example, under the GDPR, German authorities require all entities to first obtain the data subject’s explicit consent before deploying tracking mechanisms and advertising technology such as cookies.
Marketing Emails
The UWG (Act Against Unfair Competition; Gesetz gegen den unlauteren Wettbewerb) falls under the BDSG laws and prohibits entities from sending marketing emails to recipients without consent. An exception applies when:
- The entity uses the email address for direct advertising;
- The recipient has not objected; and
- The recipient was informed of this use when the address was collected.
Data Protection Officer
Under the GDPR, a DPO (data protection officer) must be appointed to oversee the regular testing, assessment, and evaluation of the effectiveness of an entity’s data processing measures. The DPO also serves to ensure compliance with the GDPR.
In addition to the cases in Article 37 GDPR, a data protection officer must be designated by the data controller if the organization:
- Commercially processes personal data;
- Employs at least 20 people who deal with the processing of personal data; or
- Is subject to a data protection impact assessment under Article 35 GDPR.
Who Does the BDSG Apply to?
The BDSG applies to all federal public authorities, public authorities of the German federal states, and private bodies that process, collect, use, and store personal data and other data like company secrets.
According to German laws, “personal data” refers to all data and info that offers “insight and facts about an identifiable, natural person.” This includes names, addresses, occupations, IP addresses, social security numbers, financial data like taxes, and personally identifiable information like racial or ethnic origin.
The data governed by the BDSG also includes trade secrets, which qualify as “data subject to appropriate cybersecurity confidentiality measures.” All entities holding trade secrets are obliged to guard them by implementing appropriate confidentiality measures and ensuring that their handling of trade secrets complies with the requirements of the GeschGehG (Trade Secrets Act).
Is Complying with the BDSG and GDPR Mandatory?
The BDSG and the GDPR are mandatory and apply to all private businesses, federal public entities, and data controllers that process sensitive data and personal information.
Any business not in the EU but using an EU citizen’s personal data (for example, cookies for monitoring consumer behavior) is subject to the GDPR and BDSG.
What are the Penalties for BDSG and GDPR Non-Compliance?
The BDSG provides for criminal sanctions against businesses or individuals that violate the GDPR (Section 42 BDSG). Violations include the theft of publicly inaccessible personal data for fraudulent use, or processing such data without authorization.
As administrative sanctions for non-compliance, the BDSG imposes fines of up to EUR 50,000 on non-compliant entities for violations of its provisions, including on entities that fail to handle data properly (Section 43 BDSG). Additionally, other administrative fines under the GDPR may also apply.
Since the BDSG is modeled on the GDPR, the legislature may revise the catalog of penalties and fines and adjust the penalties depending on the severity of the non-compliance.
Depending on the offense, GDPR fines can reach €20 million (about 23 million USD) or 4% of the company’s annual turnover in the preceding business year, whichever is higher. For less severe cases, the cap is €10 million or up to 2% of annual turnover.
It is important to note that no administrative fine can be issued to companies and businesses that do not comply with Section 9 of the BDSG. This relates to entities acting as data processors and “participating in the competition as enterprises governed by public law.”
NIS2 Directive
The Security of Network and Information Systems Directive (NIS Directive) is a key piece of non-sector-specific legislation for financial services that enhances cybersecurity collaboration between EU member states.
It is complemented by the BSIG and the BSI-KritisV. The German legislature also adjusted the German IT Security Act 2.0 as a major part of implementing the NIS Directive, which will be followed by NIS2 in the future.
In December 2020, the European Commission proposed NIS2, a revision of the 2016 NIS Directive that aims to strengthen cybersecurity, improve digitalization across the European Union, and encourage government bodies, including in Germany, to supervise their cybersecurity processes in collaboration with other member states.
What Are the Requirements of the NIS Directive?
The NIS Directive applies to EU operators of essential services and digital service providers, which include the energy sector, healthcare, transport, online marketplaces, and other services within the digital infrastructure covered by the directive. They must:
- Have the proper cyber threat and risk management capabilities to implement CSIRTs (Cyber Security Incident Response Teams);
- Implement data protection measures for safeguarding IoT and smart infrastructure;
- Regularly conduct cyber exercises;
- Be capable of cross-border collaboration with other countries within a CSIRT network;
- Conduct cybersecurity monitoring.
For companies and organizations within the EU, the NIS Directive obliges all German operators of essential services (OES), which also includes the German KRITIS companies, to:
- Take appropriate security measures in strengthening their IT infrastructure;
- Report cyber security incidents in a timely manner “without undue delay”;
- Notify all authorities and affected entities in case of a data breach.
Is Complying with the NIS Directive Mandatory?
Yes. All EU member states, organizations, and businesses comply with the NIS Directive by implementing proper risk management measures and following the incident reporting protocol.
What are the Penalties for NIS Directive Non-Compliance?
All entities that fail to comply with the NIS Directive will face fines of up to £17m or 4% of their global annual turnover.
Telecommunications-Telemedia Data Protection Act
In December 2021, the Telemedia Act (Telemediengesetz – TMG) and the Telecommunications Act (Telekommunikationsgesetz – TKG) were merged into a single act called the Data Protection and Privacy Act of Telecommunications and Telemedia Services (Telekommunikations-Telemedien-Datenschutzgesetz – TTDSG).
By merging these acts, the German legislature fulfilled its obligation to transpose European law into national law regarding the European NIS Directive. The German IT Security Act 2.0 also plays a role in amending cyber security regulations in the mobile network.
What Are the Requirements of the TMG?
The TMG stipulates security obligations for businesses and digital service providers to:
- Implement state-of-the-art organizational and technical measures that prevent unauthorized access to systems and personal data;
- Prevent both internal and external malfunctions and cybersecurity incidents;
- Implement technical measures such as encryption.
What Are the Requirements of the TKG?
The Telecommunications Act of 22 June 2004 (Telekommunikationsgesetz – TKG) sets cybersecurity requirements for electronic communications network operators and electronic communication service providers. This includes internet access providers and vendors like Deutsche Telekom but excludes broadcasting services.
Operators of publicly available telecommunications networks are particularly obliged to:
- Implement technical and organizational measures to protect the network against disruptions;
- Put together a security concept by appointing a security officer and submit it to the BNetzA immediately after starting network operation;
- Notify the BNetzA and the BSI without delay of any impairments to telecommunications networks and services that (can) lead to significant security breaches.
Providers of publicly available electronic communication services are obliged to:
- Implement technical and organizational measures to protect the secrecy of telecommunications and other personal data, as well as to protect the underlying network against disruptions;
- Put together a security concept by appointing a security officer and submit it to the BNetzA immediately after starting network operation;
- Immediately notify the BNetzA and the BSI of any impairments to telecommunications networks and services that (can) lead to significant security breaches;
- Immediately notify the BNetzA and the Federal Commissioner for Data Protection (and, where applicable, additionally the persons concerned) of any violation of the protection of personal data;
- Keep a register of violations of the protection of personal data;
- Immediately inform customers in case of malfunctions caused by customer data processing systems.
Is Complying with the TTDSG Mandatory?
Yes. Compliance with the TTDSG is mandatory for telecommunication services and telemedia services.
All companies and individuals in Germany who provide goods and services in any form will fall under the scope of the TTDSG, which practically means almost every business in Germany. The massive scope may pose an enforcement issue, so businesses must check how they are legally bound separately.
According to the recent TKG revision in December 2021, the TTDSG also applies to providers of so-called over-the-top services like instant messaging or webmail. Telemedia services include all websites and online services like video-on-demand and email platforms.
What are the Penalties for TTDSG Non-Compliance?
The BNetzA (Federal Network Agency) is responsible for supervising and ensuring compliance with the data protection provisions of the TTDSG for telecommunication services.
All violations of telecommunications secrecy and all cybercrime are subject to the StGB (German Criminal Code) and punishable with imprisonment.
Any business that violates the TTDSG requirements may be fined up to 300,000 euros.
Violating the requirements for confidentiality of communication is a criminal offense and is punishable under both regulatory and criminal law by up to two years of imprisonment or heavy fines, depending on the severity of the breach.
Other Cybersecurity Organizations For Reporting Cybersecurity Incidents
The BSI operates IT crisis centers for analyzing, assessing, monitoring, and reporting cybersecurity incidents, and acts as an incident response support unit, aiding companies in exercising due diligence when managing cyber incidents.
Other cybersecurity organizations include the Alliance for Cyber Security (Allianz für Cybersicherheit), a cooperation platform that mediates the exchange of information between the German science and research sectors and the BSI.
Germany also has its own CERT (Computer Emergency Response Team). CERT-Bund provides individuals, businesses, and organizations with information and guidelines on cybersecurity and has the following responsibilities:
- Informs about possible vulnerabilities in cybersecurity products and other hardware or software products;
- Creates and publishes cybersecurity recommendations for preventive organizational measures;
- Helps public agencies respond better to IT security-related incidents;
- Recommends updated mitigation measures for businesses and organizations.