Germany’s new cyber-security law aimed at securing critical infrastructure

German institutions and businesses that fall in the “critical infrastructure” category will have to implement new information security measures, as defined by the new IT security law passed on Friday by the German Bundesrat (the country’s “Federal Council”).

According to RT, over 2,000 water and energy utilities, telecoms, health providers, transportation companies, and finance and insurance firms – in short, providers of services essential to the uninterrupted day-to-day life of German citizens – will either have to comply with the new law or pay fines of up to €100,000.

The new law will require both these firms and federal agencies to, among other things, enforce a defined minimum of cyber-security standards and report to the Federal Office of Information Security (BSI) about cyber attacks mounted against their systems.

The legislation will also expand the federal criminal police’s powers. The Office of Criminal Investigation (BKA) will be tasked with investigating various cyber crimes, from data interception and manipulation to data spying.

A provision of the law heavily debated by privacy advocates is that which requires telecoms to store their customers’ traffic data for as far back as six months, so that the police could use it in their investigations.

Another obligation telecoms will have is to notify its customers when their connection was abused.

It seems that no one, apart from the legislators, is satisfied with this new law: privacy advocates are worried about the government spying on the citizens’ communications; companies are worried about the costs of implementation of these security measures, as well as the possibility of successful cyber intrusions becoming public and damaging their reputation with customers and shareholders; and the opposition is wondering how can the government mandate IT security measures when their own have repeatedly been found wanting.