Germany has passed legislation ordering that more than 2,000 essential service providers implement new minimum information security standards or face penalties if they fail to do so within two years.
The law will affect institutions classified as "critical infrastructure," such as transportation, health, water utilities and telecommunications providers, as well as finance and insurance firms. It gives companies two years to introduce cyber security measures or face fines of up to $111,000, Reuters reported.
"The IT security law obliges firms and federal agencies to certify for minimum cyber-security standards and obtain Federal Office of Information Security (BSI) clearance. The companies must also notify the Office of suspected cyber-attacks on their systems," Reuters said. "The new set of rules also obliges telecommunications providers to warn customers when their connection was abused, for example in a botnet attack, and store the traffic data for up to six months for investigative purposes."
The BSI will also be expanded into the international center for IT security, and one of its main tasks will be to evaluate reports of suspected cyber-attacks on critical infrastructure.
Critics of the law say the government should first put its own IT security in order before forcing companies to do so. They also argue that the new IT security law will be a drain on the German economy while offering little in return. In addition, companies complain that the government has not clearly defined how severe an intrusion must be to trigger the reporting requirement, Reuters said. Companies also fear that information about hacker attacks might become public and have a negative impact on customers and shareholders.