Part 1: The new German IT Security Act
- Part 1: The new German IT Security Act
- Part 2: IT Compliance in cooperation with the agency
- Part 3: How to implement the measures correctly
The new German IT Security Act
The IT Security Act, which is intended to increase the security of information technology systems, came into force in July 2015. The law is a result of the cyber security strategy for Germany adopted in June 2011. Website operators were given 2 years to adapt their applications to the new regulations.
The NIS Directive for EU Member States
In June of this year, the European Network and Information Security Directive (NIS Directive) was also passed at European level. It defines the measures to ensure a high common level of security for network and information systems in the European Union. The EU member states now have until the end of May 2018 to transpose the directive into national law.
The IT Security Act, which came into force in June 2015, already covers most of the measures to be taken in Germany.
But what exactly is behind the law and what do website operators have to pay attention to?
First of all, the law tightens the requirements for websites. In principle, it obliges all those affected to comply with a defined minimum of security aspects, and various technical and organizational measures must be taken to achieve this.
The IT Security Act introduces the legal obligation to carry out software updates.
Website operators are obliged to keep their systems up to date with the state of the art and to regularly check for possible problems and security gaps. Prompt software updates and the rapid installation of security and maintenance patches are therefore mandatory going forward.
Companies are obliged to protect their systems against cyber attacks.
When the new regulations come into force, operators of websites, web shops and other web applications have to take various measures to prevent unauthorized access to IT systems and data and prevent disruptions.
Companies that fail to comply with the new regulations face high fines.
A new reporting obligation has also been introduced, which requires operators of digital services to report security incidents to the Federal Ministry for Information Security (BSI). In return, the BSI undertakes to inform all operators about the reported incidents in an annual status report.
In the next part we will tell you everything about the topic of IT compliance: what is behind the term and what benefits can you derive from mature IT compliance in your company?