SITTIG LAW Law Firm Blog

Fines under the IT Security Act: Sanctions under the BSI Act

Violations of the BSI Act can lead to severe fines of up to 20 million euros. Critical infrastructures and companies in the special public interest are subject to strict IT security obligations under the BSIG. Important aspects include reporting obligations in the event of security incidents, regular audits and appropriate technical protective measures. Preventive compliance measures and expert advice are significantly more cost-effective than subsequent fine proceedings.
Contents

The most important facts at a glance

Why IT security is legally relevant

The Act on the Federal Office for Information Security (BSI Act - BSIG) forms the legal foundation for IT security requirements in Germany. Violations of the legal requirements can not only have technical and economic consequences, but can also result in legal sanctions.

The importance of the BSI Act becomes particularly clear when you consider the constantly growing number of cyberattacks and data breaches. Companies are faced with the challenge of not only protecting their technical systems, but also complying with the complex legal requirements of the BSIG. A Lawyer for IT law can help you understand these complex obligations and implement them in compliance with the law.

Legal basis of the BSI Act

The tasks and powers of the Federal Office for Information Security are partially regulated in the BSI Act.

Operators of critical infrastructures must fulfill their auditing obligations in accordance with Section 8a BSIG - this includes the regular review of their IT security measures, which is usually verified by an audit report from a qualified body.

Equally important are the registration obligations in accordance with Section 8b BSIG. Violations of these reporting and registration requirements can lead to substantial fines.

Fines in accordance with Section 14 of the BSI Act

The law on fines in the BSI Act is regulated in Section 14 BSIG and provides for severe sanctions. The amount of the possible fines depends on the type and severity of the breach and the financial circumstances of the company.

The fining authority takes various factors into account when assessing the fine: the severity of the breach, the duration of the breach of duty, the culpability of the person responsible and the economic impact of the security breach. Preventive measures and the company's willingness to cooperate are also included in the assessment.

Critical infrastructures according to § 8a BSI Act

Critical infrastructures are subject to special IT security obligations under the BSIG. In particular, these include measures in accordance with Section 8a BSIG for operators of critical infrastructures and measures in accordance with Section 8f BSIG for companies in the special public interest. They include companies from the energy, water, food, IT and telecommunications, healthcare, finance and insurance, transportation and traffic, media and culture sectors.

These operators must not only implement appropriate technical and organizational measures in accordance with Section 8a (1) BSIG, but also have regular security audits carried out in accordance with Section 8a (3) BSIG. Operators of critical infrastructures must prove to the BSI at least every two years that they meet the requirements of Section 8a BSIG by means of suitable audits and evidence. For companies in the special public interest, there are deviating verification and reporting obligations in accordance with Section 8f BSIG. Failures in this area can lead to considerable fines in accordance with Section 14 BSIG.

Another critical point is the obligation to report IT security incidents in accordance with Section 8b BSIG. Significant security incidents must be reported immediately in accordance with Section 8b BSIG. Failure to report or late reporting constitutes a separate offense under Section 14 BSIG.

Companies in the special public interest in accordance with Section 8f of the BSI Act

Companies in the special public interest are subject in particular to the requirements of Section 8f BSIG. This regulation covers large groups from various sectors that are classified as systemically relevant either due to their number of employees, their special economic significance or their activities.

These companies must take IT security measures and report IT security incidents. They are also obliged to submit a self-declaration on IT security to the BSI at least every two years. The requirements are based on the state of the art and must be continuously adapted.

Various criteria are used to determine whether a company falls into this category. In particular, companies that are classified as being of special public interest in accordance with the definition in Section 2 (14) BSIG and the corresponding ordinance due to their number of employees, economic importance or particular systemic relevance are subject to the corresponding obligations.

Frequent violations and their consequences under the BSIG

The auditing obligations under Section 8a BSIG and the registration obligations under Section 8b BSIG are of particular importance. Inadequate technical security measures, inadequate documentation of IT security concepts and failures to report security incidents must be avoided. Violations in these areas entail the risk of considerable fines in accordance with Section 14 BSIG.

The authorities are particularly critical of cases in which companies do not take appropriate countermeasures despite known security vulnerabilities. This is particularly the case when inaction actually causes damage or puts sensitive data at risk.

Another common violation concerns the incomplete or late reporting of IT security incidents in accordance with Section 8b BSIG. Many companies underestimate the reporting obligations or are unsure about the classification of incidents as reportable incidents. This regularly leads to fines that could have been avoided with proper advice.

If you have any questions about your specific IT security obligations under the BSI Act, we will be happy to support you in implementing the legal requirements in compliance with the law.

Defense strategies in fine proceedings according to § 14 BSIG

Various defense strategies are available in the event of fine proceedings initiated in accordance with Section 14 BSIG. First of all, a careful examination of the accusation is necessary. It is often possible to find technical or legal arguments that relativize or refute the infringement.

An important aspect is the presentation of the security measures actually taken in accordance with Section 8a or Section 8c BSIG. Many companies have taken appropriate precautions, but are unable to document them sufficiently or classify them legally. A well-founded review of the security architecture can form the basis for a successful defense.

Preventive compliance measures in accordance with the BSI Act

The most effective strategy for avoiding fines is preventive compliance design in the IT security area in accordance with the BSIG. This begins with a comprehensive analysis of the existing IT infrastructure and the legal requirements in accordance with Sections 8a to 8c BSIG.

A central component is proper auditing by a suitable auditor who checks and documents compliance with the requirements in accordance with Section 8a BSIG. This audit must take place regularly and cover all technical and organizational measures.

The reporting processes for IT security incidents in accordance with Section 8b BSIG deserve special attention. Companies should define clear internal processes that enable incidents to be quickly assessed and, if necessary, reported.

Checklist for BSI law compliance

  • Check classification according to BSIGDetermine whether your company is to be classified as a critical infrastructure in accordance with Section 8a BSIG or a company in accordance with Section 8c BSIG
  • Develop an IT security conceptHave a comprehensive safety concept drawn up by a qualified auditor in accordance with the requirements of the BSIG
  • Establish reporting processes in accordance with § 8b BSIGImplement clear processes for identifying and reporting IT security incidents
  • Train employeesConduct regular training on IT security and reporting obligations
  • Ensure documentation: Fully document all safety measures and decisions
  • Emergency planningDevelop plans for dealing with IT security incidents and fines

Proactive BSI law compliance as a success factor

The BSI Act and the associated risks of fines require companies to take a proactive approach to IT security. The potential penalties under Section 14 of the BSIG are considerable and can be life-threatening for larger companies. At the same time, a well thought-out compliance strategy not only offers protection against fines, but also against the even more serious consequences of IT security incidents.

Investing in appropriate IT security measures in accordance with the BSIG and legal advice is significantly more cost-effective than having to deal with subsequent fine proceedings or even actual security incidents. Companies that take their obligations under the BSI Act seriously and implement them professionally not only create legal certainty, but also trust among customers and business partners.

If you have any questions regarding the legal assessment of your IT security measures in accordance with the BSI Act or if you have been fined, we are at your disposal with our expertise in IT law and criminal law. Our experience in both areas of law enables us to provide you with comprehensive advice and representation.

Frequently asked questions

This primarily affects operators of critical infrastructures in accordance with Section 8a BSIG and companies in the special public interest in accordance with Section 8f BSIG. In particular, companies that are classified as being in the special public interest in accordance with the definition in Section 2 (14) BSIG and the corresponding ordinance due to their number of employees, economic importance or particular systemic relevance. The exact classification depends on various factors and should be examined individually.

The fines under Section 14 BSIG vary considerably depending on the type of violation. Fines of up to two million euros can be imposed for violations of enforceable orders in accordance with certain regulations. Violations of basic obligations such as inadequate IT security measures or late submission of evidence can be punished with fines of up to one million euros. Reporting and registration violations as well as other specific breaches of duty result in fines of up to 500,000 euros. In less serious cases, fines of up to 100,000 euros are provided for.

Significant IT security incidents must be reported to the BSI immediately in accordance with Section 8b BSIG.

Failure to report or late reporting constitutes a separate offense under Section 14 BSIG and can be punished with the corresponding sanctions, regardless of the original incident.

Yes, if they are classified as operators of critical infrastructures in accordance with Section 8a BSIG. The size of the company is not the only criterion for the applicability of the regulations.

The measures must correspond to the state of the art and be appropriate. This is a case-by-case assessment that must be reviewed regularly.

Appeals against fines can be lodged within two weeks. Expert legal advice is recommended.

Yes, operators of critical infrastructures must prove to the BSI at least every two years that they meet the requirements of Section 8a BSIG by means of suitable audits and evidence. Companies in the special public interest are subject to different verification and reporting obligations in accordance with Section 8f BSIG.

German branches of international companies are subject to the German BSI Act obligations if they fulfill the relevant criteria.

The requirements are continuously being tightened and expanded. The BSI regularly publishes information on current changes to the BSI Act and relevant regulations on its website. Companies should keep a close eye on legal developments and adapt their compliance measures accordingly.

Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.

[email protected]
Hamburg location
Head office
Martinistr. 11
20251 Hamburg
Tel: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559

Contact form