IT-Security Regulatory Update | August 2022

Focus: National Digital Strategy

← IT-Security Regulatory Update | July 2022 X1F Group continues to grow together in terms of content and visuals →

Highlight from August 2022

Digital strategy: Germany on the way to the European top ten

With its national digital strategy, the German government aims, among other things, to be among the top ten in the European Digital Economy and Society Index and is also including the topics of data protection and cybersecurity on its agenda until 2025.

“Stay up to date with our monthly regulatory update on IT Security Management!”

Germany’s digital fitness is on the agenda of the German government

The German government adopted its digital strategy on August 31, 2022. It sets the political priorities in the cross-cutting topic of digitization as an overarching framework until 2025.

Behind the strategy is the guiding principle of Germany’s technological and digital sovereignty. Germany is currently ranked 13th in the European Digital Economy and Society Index (DESI). Volker Wissing, Federal Minister of Transport and Digital Infrastructure, aims to be among the top ten. The strategy is not intended to be a mere vision of the future, but to serve concrete implementation. In the course of this, three fields of action are defined, which are described in more detail on the basis of 18 lighthouse projects.

The focus is on a person dressed in a suit operating a tablet. Arranged in a circle all around are symbols in the context of digitization and further development. On the left and right edges of the image, there are centered meshing lines that connect to the circle.

1st field of action: Networked and digitally sovereign society

One of the topics is protection and competence in the digital space. The focus here is on consumer protection with the General Data Protection Regulation (GDPR) as a solid European foundation. However, digital consumer protection is to be further promoted and strengthened. As a result, new regulations to protect consumer data can be expected by 2025.

2nd field of action: Innovative economy, working world, science and research

Among other aspects, the strategy aims to make the data economy attractive, secure and agile. This should enable the potential of data to be used effectively. Accordingly, the availability of data as well as the use of data should be strengthened. The first steps are already being taken here with Gaia-X. In the course of this, representatives from business, science and politics are considering a proposal for a data infrastructure. A data law is planned as the national basis.

3rd field of action: Learning, digital state

Among other things, the focus here is on the topic of cyber security. Accordingly, it includes cyber domestic policy, cyber foreign policy, and cyber defense. The cybersecurity strategy is to be further developed in this course. Critical infrastructures should prepare for legal innovations, as the requirements for their cybersecurity will likely be adapted.

As a further measure, the Federal Office for Information Security (BSI) is to be expanded into a central office in the area of IT security. In addition, the independence of the BSI is to be strengthened.

In addition to critical infrastructures, manufacturers can also prepare for new requirements: in the future, they will be liable for damages negligently caused by IT security vulnerabilities in their products.

Finally, the German government would like to strengthen cooperation with the economy and, among other things, provide companies with recommendations for action on cyber security.

You can find the digital strategy of the Federal Government here.
You can find more details about the digital strategy here on the corresponding website.
Information about Gaia-X can be here on their website.

ENISA sheds light on ransomware attacks

As part of a Threat Landscape, the European Union Agency for Cybersecurity (ENISA) looks at ransomware attacks and their consequences. To do this, it mapped 623 incidents between May 2021 and June 2022. It concluded that attackers’ software evolves and adapts, making it more effective and resulting in more negative outcomes of such attacks. As part of this, ENISA recommends that companies work on their resilience and build awareness of such incidents.

Overall, ENISA gained the following key insights, among others:

In the majority of cases, it is not known how the attacker first gained access to the data;
A total of 47 unique actors were identified;
More than 10 TB of data was stolen each month during the period studied;
Of the data stolen, more than half was personal data as defined by the GDPR;
More than 60% of the companies concerned have paid the ransom.

The Threat Landscape is based on a recently published methodology by ENISA. Read more here in our July update.

You can find the landscape of ENISA here on their website.

Source: European Union Agency for Cybersecurity – enisa.europa.eu

BSI addresses the use of outsourcing in the context of the IT-Grundschutz-Compendium

In addition to the IT-Grundschutz-Compendium published in February, the BSI has now published a community draft and a cross-reference table for module OPS.2.3 “Use of outsourcing“.

For more information on the IT-Grundschutz-Compendium, please refer here to our Regulatory Update from February 2022.

The module addresses the issue of outsourcing to ensure confidentiality, integrity and availability throughout the outsourcing process. This supports the detection, prevention and mitigation of potential hazards. The focus here is on information security; other topics are not specifically addressed. The basic requirements (mandatory requirements), standard requirements (target requirements) and the requirements for increased protection needs (target requirements) are dealt with.

The following elements are included in the basic requirements:

Requirement profiles
Risk-oriented approach
Suitability requirements for bidders
Contract requirements
Agreement on mandate capability
Safety requirements and safety concept
Exit measures

The draft also addresses other sources of information around outsourcing in the context of information security.

The community draft of the BSI can be found here on its website.
You can find the cross-reference table here on the BSI website.

Source: Federal Office for Information Security – BSI, bsi.bund.de

The digital strategy will most likely result in new requirements around IT security, cybersecurity and data protection. Keep an eye on updates and start implementing them as early as possible!

We at ADWEKO are happy to assist you with our expertise.

The current regulatory developments can be found here.

BaFin publishes English version of its annual report
BIS addresses operational resilience

BSI provides guidance on communicating about secure passwords

BaFin provides information on regulatory reporting

Cookie	Duration	Description
cookielawinfo-checkbox-analytics		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional		The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary		This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy		The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.