German Cyber Law

The BSI-Gesetz and IT-Sicherheitsgesetz

The primary statutory framework for cybersecurity in Germany is founded upon the BSI-Gesetz, which establishes the Bundesamt für Sicherheit in der Informationstechnik as the national cybersecurity authority, and the IT-Sicherheitsgesetz, which imposes sector-specific cybersecurity obligations on operators of critical infrastructure. The IT-Sicherheitsgesetz 2.0, enacted in May 2021, significantly expands the scope of the original 2015 legislation by extending mandatory security requirements and incident reporting obligations to companies of particular public interest — including manufacturers of critical components, cloud computing service providers, and companies in the defence, energy, and telecommunications sectors. The amendments introduced a regulatory framework for the detection of IT vulnerabilities, empowering the BSI to conduct automated scans and to inspect source code and other proprietary information where necessary to eliminate security deficiencies. The BSI is also authorised under the revised Act to issue administrative fines of up to €2 million for non-compliance with reporting obligations and up to €50,000 for failure to implement required organisational and technical measures. The Act requires operators of critical infrastructure to deploy systems for attack detection, to report significant IT security incidents to the BSI, and to demonstrate compliance every two years through audits conducted by accredited certification bodies.

Critical Infrastructure Protection (KRITIS)

The KRITIS regime, established within the BSI-Gesetz and detailed by the BSI-Kritisverordnung, defines critical infrastructure as facilities, installations, or parts thereof belonging to the energy, water, food, information technology and telecommunications, health, finance and insurance, transport and traffic, and media and culture sectors, where their failure or impairment would lead to significant supply shortages or threats to public safety. Sector-specific threshold values determine which operators within each sector qualify as KRITIS operators. These operators are subject to mandatory obligations: the implementation of state-of-the-art IT security measures, biannual compliance audits or certifications (such as ISO 27001 certification based on IT-Grundschutz), and the reporting of significant IT security incidents to the BSI within specific timeframes. The IT-Sicherheitsgesetz 2.0 expanded the KRITIS designation to include municipal waste disposal, certain categories of defence industry contractors, and digital infrastructure services such as cloud computing. The BSI maintains a publicly accessible register of KRITIS operators and publishes an annual report on the state of IT security in Germany.

The BSI’s Role and Powers

The Bundesamt für Sicherheit in der Informationstechnik, established in 1991 and significantly expanded through successive legislative amendments, serves as Germany’s national cybersecurity authority. The BSI exercises responsibility for the protection of federal government networks, including the operation of the National Cyber Defence Centre; the development and publication of the IT-Grundschutz methodology, a comprehensive framework of standard security safeguards analogous to the NIST Cybersecurity Framework; the certification of IT products and systems under the BSI-Gesetz and the EU Cybersecurity Act; the operation of the national Computer Security Incident Response Team and the CERT-Bund for federal civilian networks; and the issuance of legally binding orders requiring KRITIS operators to take specific remediation measures in response to identified security deficiencies. The BSI’s National Cyber Defence Centre coordinates incident response across federal authorities, the Länder, and private sector partners. The BSI-Gesetz authorises the BSI to obtain information from telecommunications providers and internet access providers regarding identified security vulnerabilities and to issue public warnings identifying specific IT products or services where a serious security deficiency exists and no adequate remedial measures have been implemented.

Computer Crimes Under the Strafgesetzbuch

The German Criminal Code, the Strafgesetzbuch, contains a comprehensive set of computer-related offences in sections 202a through 202d and 303a through 303c. Section 202a criminalises Ausspähen von Daten (data espionage) — the unauthorised obtaining of data that are not intended for the perpetrator and are specifically protected against unauthorised access. Section 202b addresses Abfangen von Daten (data interception) — the non-public transmission of data or electromagnetic emissions from a computer. Section 202c, added in 2007 in implementation of the Council of Europe Cybercrime Convention, criminalises the preparation of data espionage and data interception by prohibiting the production, procurement, sale, and dissemination of passwords, access codes, and software tools intended for the commission of offences under sections 202a and 202b. Section 202d, introduced by the Act to Combat Cybercrime in 2015, criminalises the purchase and sale of personal data without authorisation. Sections 303a and 303b address Datenveränderung (data alteration) and Computersabotage (computer sabotage) — intentionally altering, deleting, suppressing, or rendering unusable data, or interfering substantially with data processing operations, respectively. Section 303c criminalises the attempt to commit computer sabotage. These offences carry penalties ranging from fines to imprisonment for up to ten years in cases of computer sabotage affecting critical infrastructure.

Data Protection Under the BDSG

The Bundesdatenschutzgesetz (BDSG), in conjunction with the General Data Protection Regulation, constitutes Germany’s data protection framework. The BDSG-neu (new version), enacted in 2017 and effective from 25 May 2018, supplements the GDPR through opening clauses permitting national derogations in specified areas, including data processing for employment purposes, video surveillance, credit reporting, and scientific research. Section 64 of the BDSG establishes criminal penalties for data processing offences committed with intent for commercial gain or with the intention of enriching oneself or another; such offences carry penalties of up to two years’ imprisonment or a fine. The BDSG also addresses data protection in the context of credit scoring (section 31), the processing of special categories of personal data (section 22), and the appointment of data protection officers (sections 38–40). The German data protection supervisory authorities, led by the federal BfDI and including sixteen state-level authorities, exercise enforcement powers including administrative fines of up to €20 million or four per cent of annual worldwide turnover for GDPR violations. German enforcement practice is notable for its rigorous approach to data minimisation, purpose limitation, and the documentation of processing activities.

The NIS-2-Umsetzungsgesetz

Germany has transposed the EU NIS 2 Directive through the NIS-2-Umsetzungsgesetz, which entered into force in 2024. The legislation substantially revises the BSI-Gesetz and related statutes to align German law with the expanded scope, enhanced security requirements, and stricter enforcement mechanisms of Directive (EU) 2022/2555. The Umsetzungsgesetz extends mandatory cybersecurity obligations to entities in eighteen sectors, including postal and courier services, waste management, food, chemicals, and digital infrastructure providers, significantly broadening the KRITIS framework. The legislation introduces a more graduated approach to incident notification, requiring early warnings within twenty-four hours of becoming aware of a significant incident, incident notification within seventy-two hours, and a final report within one month. The BSI is empowered to conduct ex ante inspections of covered entities and to impose administrative fines of up to €10 million or two per cent of annual worldwide turnover for non-compliance. The NIS-2-Umsetzungsgesetz also strengthens the liability framework for corporate officers, extending individual accountability for failures to implement adequate cybersecurity measures.