On January 25, 2017, the Federal Government adopted the draft law for the transposition of the NIS Directive. In addition to adapting requirements introduced by the IT Security Act for critical infrastructure operators, the draft law also provides for new security requirements for providers of digital services. These services include online marketplaces, online search engines, and cloud computing services.
Providers of these services will be required to establish technical and organizational measures to meet security risks of network and information systems used to provide the digital services. According to the draft law, providers additionally need to take precautionary measures to prevent or minimize the impact of security incidents on the digital services and must report security incidents to the Federal Office for Information Security (BSI).
In case of indications of a violation of the security requirements, the draft law provides for an authorization of the BSI to require evidence of security and the elimination of detected safety deficiencies by the service providers. Accordingly, non-compliance of the new provisions will be punishable as an administrative offense.
It remains to be seen whether the Parliament will discuss the draft law in the current legislative period and adopt the transposition act. EU Member States have until May 9, 2018 to transpose the NIS Directive into national law.