The Bundesrat of Germany – the country’s Federal Council – passed legislation last week requiring critical infrastructure businesses and institutions to implement more robust information security standards. According to reports, the new law will affect more than 2,000 essential service providers, including transportation, health, water, utilities, telecoms, as well as financial services and insurance firms. Companies are given a two-year timeline to adhere to the cyber security measures, or face up to €100,000 in fines. Germany’s new IT security law would oblige firms and federal agencies to certify for minimum cyber security standards and obtain Federal Office of Information Security (BSI) clearance, reported RT. Organizations must also alert the Office of suspected attacks against their systems. In addition to the new rules and regulations, several federal agencies will be expanded to assist with the country’s increased security efforts, including the BSI’s expansion to the international center for IT security, where it will be responsible for evaluating reports of potential “cyber-violations” in critical infrastructure, said RT. The Federal Intelligence Service, known as BND, will be granted access to foreign data linking to malware signatures and traces, and the Federal Office for the Protection of the Constitution (BfV) will collaborate with BSI to assess the potential impact of critical infrastructure attacks. Furthermore, the Office of Criminal Investigation (BKA) will head investigations related to cyber crimes, such as data spying, intercepting or manipulating. Many changes enacted by Germany’s new legislation have reportedly raised privacy concerns for data protection activists, as telecommunication providers will be required to store traffic data for up to six months in the event of an investigation. Meanwhile, other concerns revolve around the financial expense companies must endure in order to implement the new cyber security standards.
