IT-Security Regulatory Update | August 2022
Focus: National Digital Strategy
Highlight from August 2022
Digital strategy: Germany on the way to the European top ten
With its national digital strategy, the German government aims, among other things, to be among the top ten in the European Digital Economy and Society Index and is also including the topics of data protection and cybersecurity on its agenda until 2025.
Germany’s digital fitness is on the agenda of the German government
The German government adopted its digital strategy on August 31, 2022. It sets the political priorities in the cross-cutting topic of digitization as an overarching framework until 2025.
Behind the strategy is the guiding principle of Germany’s technological and digital sovereignty. Germany is currently ranked 13th in the European Digital Economy and Society Index (DESI). Volker Wissing, Federal Minister of Transport and Digital Infrastructure, aims to be among the top ten. The strategy is not intended to be a mere vision of the future, but to serve concrete implementation. In the course of this, three fields of action are defined, which are described in more detail on the basis of 18 lighthouse projects.
1st field of action: Networked and digitally sovereign society
One of the topics is protection and competence in the digital space. The focus here is on consumer protection with the General Data Protection Regulation (GDPR) as a solid European foundation. However, digital consumer protection is to be further promoted and strengthened. As a result, new regulations to protect consumer data can be expected by 2025.
2nd field of action: Innovative economy, working world, science and research
Among other aspects, the strategy aims to make the data economy attractive, secure and agile. This should enable the potential of data to be used effectively. Accordingly, the availability of data as well as the use of data should be strengthened. The first steps are already being taken here with Gaia-X. In the course of this, representatives from business, science and politics are considering a proposal for a data infrastructure. A data law is planned as the national basis.
3rd field of action: Learning, digital state
Among other things, the focus here is on the topic of cyber security. Accordingly, it includes cyber domestic policy, cyber foreign policy, and cyber defense. The cybersecurity strategy is to be further developed in the course of this. Critical infrastructures should prepare for legal innovations, as the requirements for their cybersecurity will likely be adapted.
As a further measure, the Federal Office for Information Security (BSI) is to be expanded into a central office in the area of IT security. In addition, the independence of the BSI is to be strengthened.
In addition to critical infrastructures, manufacturers can also prepare for new requirements: in the future, they will be liable for damages negligently caused by IT security vulnerabilities in their products.
Finally, the German government would like to strengthen cooperation with the economy and, among other things, provide companies with recommendations for action on cyber security.
You can find the digital strategy of the Federal Government here.
You can find more details about the digital strategy here on the corresponding website.
Information about Gaia-X can be found here on their website.
Source: © 2022 Press and Information Office of the Federal Government, federalgovernment.com/reg-en
ENISA sheds light on ransomware attacks
As part of a Threat Landscape, the European Union Agency for Cybersecurity (ENISA) looks at ransomware attacks and their consequences. To do this, it mapped 623 incidents between May 2021 and June 2022. It concluded that attackers’ software evolves and adapts, making it more effective and resulting in more negative outcomes of such attacks. As part of this, ENISA recommends that companies work on their resilience and build awareness of such incidents.
Overall, ENISA gained the following key insights, among others:
- In the majority of cases, it is not known how the attacker first gained access to the data;
- A total of 47 unique actors were identified;
- More than 10 TB of data was stolen each month during the period studied;
- Of the data stolen, more than half was personal data as defined by the GDPR;
- More than 60% of the companies concerned have paid the ransom.
The Threat Landscape is based on a recently published methodology by ENISA. Read more here in our July update.
You can find ENISA's Threat Landscape here on its website.
Source: European Union Agency for Cybersecurity – enisa.europa.eu
BSI addresses the use of outsourcing in the context of the IT-Grundschutz-Compendium
In addition to the IT-Grundschutz-Compendium published in February, the BSI has now published a community draft and a cross-reference table for module OPS.2.3 "Use of outsourcing".
For more information on the IT-Grundschutz-Compendium, please refer here to our Regulatory Update from February 2022.
The module addresses the issue of outsourcing to ensure confidentiality, integrity and availability throughout the outsourcing process. This supports the detection, prevention and mitigation of potential hazards. The focus here is on information security; other topics are not specifically addressed. The basic requirements (mandatory requirements), standard requirements (target requirements) and the requirements for increased protection needs (target requirements) are dealt with.
The following elements are included in the basic requirements:
- Requirement profiles
- Risk-oriented approach
- Suitability requirements for bidders
- Contract requirements
- Agreement on multi-tenancy capability
- Security requirements and security concept
- Exit measures
The draft also addresses other sources of information around outsourcing in the context of information security.
The community draft of the BSI can be found here on its website.
You can find the cross-reference table here on the BSI website.
Source: Federal Office for Information Security – BSI, bsi.bund.de
The digital strategy will most likely result in new requirements around IT security, cybersecurity and data protection. Keep an eye on updates and start implementing them as early as possible!
We at ADWEKO are happy to assist you with our expertise.
The current regulatory developments can be found here.