
How to Prepare: Which Laws Do I Have to Comply With? What Awaits Me?

To address the growing threat of cyberattacks, many new laws have been enacted in recent years – in addition to the regulations that have been in place for some time.

Anyone who processes personal data must comply with the General Data Protection Regulation (GDPR). Company management must be able to demonstrate to shareholders that it has not taken on unreasonable risks (German Limited Liability Companies Act, German Corporate Governance Code). If an organisation is part of critical infrastructure, it must take additional protective measures (CER Directive, NIS-2).

Whether an organisation will soon need to take additional protective measures depends on two factors: the industry and the size; the NIS-2 Implementation Act defines several categories. The website of the German Federal Office for Information Security (BSI) provides initial pointers regarding company obligations and affected organisations (see links).

A key objective of the new laws is to create more transparency alongside minimum security requirements. Accordingly, security incidents must be reported. Reports must be submitted securely and be accessible only to authorised parties. For a significant incident, the first report (an early warning) is due within 24 hours of becoming aware of it, with more detailed notifications to follow, and the recipients of the affected services, i.e. your customers, must be informed. Failure to comply can result in severe sanctions, and senior management cannot delegate this responsibility.

Whether or not an organisation belongs to critical infrastructure, senior management is responsible for avoiding unreasonable risks. In practice, this means establishing an information security management system (ISMS). The same applies to data protection risks.

Podcast Episode 1: Legal Requirements for Information Security

DIHK expert Katrin Sobania spoke with Prof. Dr. Sachar Paulus of the Faculty of Computer Science at Hochschule Mannheim about laws on IT, cyber and information security:


To protect the rights of the individuals whose data the organisation processes, specific tasks must also be implemented, such as responding to access requests, handing over copies of personal data, correcting it, and deleting it once the retention period has expired.

The Two Top Tips

  • Clarify: Will my company be classed as critical infrastructure (KRITIS) or otherwise fall under NIS-2 in the future?
  • Compile a list of the legal requirements relating to IT and cyber security (including data protection) that apply to your own company

Contact


Dr. Katrin Sobania

Director, Department for Information and Communication Technology | E-Government | Postal Services | IT Security