Germany, like most industrialized nations, is concerned that its critical infrastructure sectors are not adequately addressing their cyber security gaps. As a result, Germany has passed a strict cyber security law aimed at protecting critical infrastructure:
The law passed its final hurdle in the upper house of the German parliament, the Bundesrat, on Friday after having passed the lower house in June.
The law will affect institutions listed as “critical infrastructure,” such as transportation, health, water utilities, telecommunications providers, as well as finance and insurance firms. It gives companies two years to introduce cyber security measures or face fines of up to €100,000 ($111,000).
The Bundesrat-approved IT security law obliges firms and federal agencies to certify for minimum cyber-security standards and obtain Federal Office of Information Security (BSI) clearance. The companies must also notify the Office of suspected cyber-attacks on their systems.
The new set of rules also obliges telecommunications providers to warn customers when their connection has been abused, for example in a botnet attack, and to store the traffic data for up to six months for investigative purposes, thus potentially violating privacy rights.
BSI will also be expanded into an international center for IT security. Its main task will be to evaluate the reports of possible cyber-violations in critical infrastructure. The Federal Intelligence Service (BND) will be allowed access to foreign data relating to malware signatures and malware traces.