Marc Borgers

Update 2024: Which laws are particularly relevant in the context of information security?



The question is often asked which German laws in the context of information security have a particular influence on the information security management system (ISMS). This question is not easy for information security officers to answer, especially if they have not studied law or have avoided the relevant literature to date. However, knowledge of these laws is of central importance if you have to write appropriate specifications, concepts and guidelines for an ISMS. I have often used the following laws when creating my guidelines and recommend them as reading tips. Of course, you have to make your own appropriate selection.

The following overview and information is of a general nature and intended for educational purposes only. It is not intended to be exhaustive, does not constitute legal advice, and should not be construed as such.

For each law: abbreviation, title / article / paragraph, remarks, and integration into the ISMS (if applicable).

AktG
  Title: Stock Corporation Act (Aktiengesetz) § 91 para. 2
  Remarks: Still exists. § 91 para. 2 requires the management board to set up a monitoring system so that developments threatening the company's existence are detected early; § 91 para. 3, added by the FISG in 2021, additionally obliges listed companies to operate an appropriate and effective internal control and risk management system.
  ISMS: The requirements for the early risk detection system, in particular with regard to IT risks, must be integrated into the ISMS risk management processes.

BDSG
  Title: Federal Data Protection Act (Bundesdatenschutzgesetz)
  Remarks: The current version (often called the "new BDSG") entered into force on 25 May 2018 together with the GDPR and supplements it with national provisions, for example on employee data protection (§ 26) and on the designation of a data protection officer (§ 38); it has been amended several times since.
  ISMS: Data protection management must be integrated with the ISMS, including the technical and organizational measures that demonstrate compliance with the BDSG.

BSI-KritisV
  Title: BSI Critical Infrastructure Ordinance (BSI-Kritisverordnung)
  Remarks: Still exists. It defines, by sector, which facilities count as critical infrastructure and the thresholds above which an operator falls under the obligations of the BSIG.
  ISMS: Requirements for securing critical infrastructures must be included in the ISMS policies and measures.

BSIG
  Title: Act on the Federal Office for Information Security (BSI-Gesetz)
  Remarks: Supplemented by the IT Security Act 2.0 in 2021, which among other things obliges KRITIS operators to deploy attack detection systems (§ 8a para. 1a).
  ISMS: Minimum requirements for IT security measures, the obligation to provide proof every two years (§ 8a para. 3) and the incident reporting obligations must be reflected in the ISMS, especially for KRITIS operators.

BetrVG
  Title: Works Constitution Act (Betriebsverfassungsgesetz), in particular § 87 para. 1 no. 6 (co-determination when introducing technical devices suited to monitoring employee behaviour or performance)
  Remarks: Still exists
  ISMS: Works councils must be involved in security processes, particularly when introducing monitoring measures such as log evaluation, SIEM or data loss prevention.

EU GDPR
  Title: European General Data Protection Regulation (DSGVO)
  Remarks: Still exists and, together with the BDSG, forms the basis of data protection in Germany.
  ISMS: The ISMS must implement measures to comply with the GDPR, including the security of processing (Art. 32), backup and restoration, deletion, and the handling of personal data breaches.

GeschGehG
  Title: Trade Secrets Act (Gesetz zum Schutz von Geschäftsgeheimnissen)
  Remarks: Still exists (in force since April 2019). Information only qualifies as a trade secret if it is subject to reasonable confidentiality measures (§ 2 no. 1 b), so demonstrable protection is a prerequisite for legal protection.
  ISMS: The protection of secrets must be ensured and documented in the ISMS through measures such as information classification, access controls, encryption, access restrictions and confidentiality agreements.

GG
  Title: Basic Law (Grundgesetz) Article 2 (general right of personality, including informational self-determination) and Article 10 (privacy of correspondence, posts and telecommunications)
  Remarks: Still exists
  ISMS: The rights to data protection and personal freedom must be taken into account when planning ISMS processes, for example monitoring and logging.

GmbHG
  Title: Limited Liability Companies Act (GmbH-Gesetz) § 43 para. 1 (due care of a prudent businessman)
  Remarks: Still exists
  ISMS: Management responsibilities with regard to IT security must be defined in the ISMS process.

GoB
  Title: Principles of proper accounting (Grundsätze ordnungsmäßiger Buchführung)
  Remarks: Still exists
  ISMS: Accounting processes in the ISMS must ensure the integrity and availability of the data.

GoBD
  Title: Principles for the proper management and storage of books, records and documents in electronic form and for data access
  Remarks: Still exists; issued as a letter of the Federal Ministry of Finance, not as a statute.
  ISMS: Electronic storage, archiving and access processes in the ISMS must be designed so that they comply with the GoBD (immutability, traceability, procedural documentation).

GoDV
  Title: Principles for proper data processing (Grundsätze ordnungsmäßiger Datenverarbeitung)
  Remarks: Still exists
  ISMS: The ISMS must ensure that data processing is GoDV compliant through documentation and regular audits.

HGB
  Title: Commercial Code (Handelsgesetzbuch) § 37a in conjunction with § 257 HGB, §§ 238-239 and 257-261 HGB, and §§ 145-147 AO (Fiscal Code)
  Remarks: Still exists
  ISMS: Data integrity, availability and the statutory retention periods for commercial records must be ensured in the ISMS in accordance with the HGB and the AO.

IT-SiG 2.0
  Title: IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0)
  Remarks: Introduced in 2021 as an amending act that expands and updates the previous IT security legislation, primarily the BSIG; it is not a standalone law.
  ISMS: The ISMS must take into account the extended requirements of the IT Security Act, especially for KRITIS operators.

KonTraG
  Title: Act on Control and Transparency in the Corporate Sector (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich)
  Remarks: Still exists; an amending act from 1998 that, among other things, introduced § 91 para. 2 AktG.
  ISMS: Risk management and transparency requirements must be integrated into the ISMS strategy.

LkSG
  Title: Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz)
  Remarks: Passed in 2021; applicable since 1 January 2023 for companies with at least 3,000 employees in Germany and since 1 January 2024 for those with at least 1,000. It concerns human rights and environmental due diligence in the supply chain, not information security as such.
  ISMS: The risk analysis and supplier requirements it demands should be coordinated with supplier management and supply chain security in the ISMS.

NIS2
  Title: NIS-2 Directive
  Remarks: Must still be transposed into national law (transposition deadline 17 October 2024). Currently not directly applicable in Germany; the German implementing act was expected for 2024/2025.
  ISMS: Future integration into the ISMS, particularly to meet the extended security requirements, management accountability and reporting obligations.

SGB
  Title: Social Code (Sozialgesetzbuch) Book I § 35 (social secrecy), Book X §§ 67-78 (protection of social data)
  Remarks: Still exists
  ISMS: Protecting social data requires specific data protection measures in the ISMS.

StGB
  Title: Criminal Code (Strafgesetzbuch) § 202a (data espionage), § 202b (interception of data), § 202c (preparatory acts), § 206 (violation of postal and telecommunications secrecy), § 263a (computer fraud), §§ 268-274 (forgery of technical records and of data with evidential value, suppression of documents), § 303a (data alteration), § 303b (computer sabotage), § 317 (disruption of telecommunications facilities)
  Remarks: Still exists
  ISMS: Security measures to prevent, detect and respond to cybercrime must be taken into account in the ISMS, including the preservation of evidence for criminal complaints.

SÜG
  Title: Security Clearance Act (Sicherheitsüberprüfungsgesetz)
  Remarks: Still exists; relevant to security-sensitive positions in public bodies and in companies that handle classified information.
  ISMS: Where applicable, employees with access to sensitive information must undergo security clearances.

TKG
  Title: Telecommunications Act (Telekommunikationsgesetz)
  Remarks: Fundamentally revised on 1 December 2021 to implement, among other things, the European Electronic Communications Code; the data protection provisions were moved to the TTDSG at the same time.
  ISMS: Requirements for the security of telecommunications services, in particular the technical and organizational safeguards, the security concept and the reporting obligations (§§ 165 ff. TKG), must be implemented in the ISMS.

TKÜV
  Title: Telecommunications Surveillance Ordinance (Telekommunikations-Überwachungsverordnung)
  Remarks: Still exists
  ISMS: The ISMS must ensure that the lawful interception capabilities required of providers are operated in a legally correct and secure manner.

TMG
  Title: Telemedia Act (Telemediengesetz)
  Remarks: Repealed on 14 May 2024 and replaced by the Digital Services Act (Digitale-Dienste-Gesetz, DDG), which accompanies the EU Digital Services Act; its data protection provisions had already been moved to the TTDSG in December 2021.
  ISMS: Requirements for the protection of personal data in telemedia now follow from the GDPR and the TTDSG (TDDDG) and must be ensured by the ISMS.

TTDSG
  Title: Telecommunications-Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz)
  Remarks: In force since 1 December 2021. It merges the data protection provisions previously found in the TKG and TMG, supplements the GDPR and the BDSG for telecommunications and telemedia, and implements the ePrivacy Directive (e.g. consent for storing information on end devices, § 25). Renamed TDDDG in May 2024.
  ISMS: Protection of user data, telecommunications secrecy and compliance with the consent and communication rules must be taken into account in the ISMS.

UrhG
  Title: Copyright Act (Urheberrechtsgesetz) §§ 69a ff. (computer programs), § 106 (unauthorized exploitation of protected works)
  Remarks: Still exists, most recently supplemented by the Copyright Service Provider Act (UrhDaG) and further amendments.
  ISMS: Protection of intellectual property and software, including software licence management, must be ensured in the ISMS through appropriate security measures.

VwVfG
  Title: Administrative Procedure Act (Verwaltungsverfahrensgesetz) § 30 (confidentiality of the secrets of participants)
  Remarks: Still exists
  ISMS: ISMS processes of public authorities must ensure that administrative procedures are carried out securely and correctly and that the confidentiality of participants' secrets is preserved.

...



It is often forgotten that, in addition to the laws themselves, other requirements must also be taken into account when creating appropriate guidelines. Examples are:

Abbreviation and title:

B3S
  Industry-specific security standards (branchenspezifische Sicherheitsstandards) under § 8a para. 2 BSIG

BAIT
  Banking supervisory requirements for IT (Bankaufsichtliche Anforderungen an die IT)

IT-SiKat
  IT security catalogue according to EnWG § 11 para. 1a / 1b

VAIT
  Insurance supervisory requirements for IT (Versicherungsaufsichtliche Anforderungen an die IT)

...


Contractual requirements, such as mandatory security measures, reports or reporting deadlines, also play an important role. Many companies (e.g. VW, BMW, Porsche) specify reporting deadlines and reporting channels for relevant security incidents in their purchasing conditions. ENX and DEKRA likewise require that they be informed of relevant changes in the company.

For this reason, the chief information security officer must always deal with the contents of the customer contracts and incorporate the relevant requirements into his processes, concepts and guidelines.





In summary, at least those legal, regulatory and contractual requirements that have a direct impact on the security objectives, regulations, risk assessments, measures, deadlines and escalation and reporting channels must be recorded, documented, evaluated and taken into account in the ISMS. If the information security officer neither knows nor takes this information into account, there is a great risk that the ISMS will ultimately not adequately fulfil its purpose.
