Govern­ment bill published: the vol­un­t­a­ry IT secu­ri­ty label is coming

The IT Secu­ri­ty 2.0 Act (only in Ger­man) tasks the Fede­ral Office for Infor­ma­ti­on Secu­ri­ty (BSI) with intro­du­cing a vol­un­t­a­ry IT secu­ri­ty label in order to pro­vi­de con­su­mers with bet­ter infor­ma­ti­on about IT secu­ri­ty. The­se labels, which are to be intro­du­ced by the end of the year, will allow con­su­mers to easi­ly obtain infor­ma­ti­on about the secu­ri­ty func­tions pro­mi­sed by manu­fac­tu­r­ers in their pro­ducts and ser­vices. The IT secu­ri­ty label is con­cei­ved as a vol­un­t­a­ry label for IT pro­ducts based on § 9c of the BSI Act (only in Ger­man) but makes no state­ments with regard to data protection.

The vol­un­t­a­ry IT secu­ri­ty label is com­pa­ra­ble, but not iden­ti­cal, to cyber­se­cu­ri­ty cer­ti­fi­ca­ti­on in accordance with the Cyber­se­cu­ri­ty Act. It is likely that natio­nal IT secu­ri­ty labels will even­tual­ly be trans­for­med into Euro­pean cyber­se­cu­ri­ty cer­ti­fi­ca­ti­on. Pos­si­ble indi­ca­ti­ons of such a trans­for­ma­ti­on can alre­a­dy be found on the BSI web­site, but it is by no means certain.

Rele­van­ce for companies

The labels will allow com­pa­nies to easi­ly adver­ti­se the secu­ri­ty fea­tures of their IT pro­ducts, which could enable them to stand out in com­pe­ti­ti­on. Pla­ce­ment of the labels may ser­ve as a sel­ling point in view of the gro­wing demand among con­su­mers for infor­ma­ti­on about cyber­se­cu­ri­ty aspects.

Appli­ca­ti­on pro­cess and mar­ket surveillance

In the cour­se of the year, it will be pos­si­ble to sub­mit appli­ca­ti­ons (only in Ger­man) for broad­band rou­ters fal­ling within the scope of BSI Tech­ni­cal Gui­de­line TR-30148. Other pro­duct cate­go­ries are expec­ted to fol­low. The decla­ra­ti­ons sub­mit­ted by manu­fac­tu­r­ers will be sub­jec­ted to a com­ple­ten­ess and plau­si­bi­li­ty check, for which BSI typi­cal­ly sets asi­de a peri­od of six weeks.

Labels will gene­ral­ly be issued for a peri­od of at least two years, during which time the manu­fac­tu­rer will be requi­red to main­tain the con­for­mi­ty of its pro­duct and report any chan­ges to BSI. At the same time, BSI may seek to veri­fy the fea­tures pro­mi­sed by the manu­fac­tu­rer by means of spot checks, or as the cir­cum­s­tances require.

An appli­ca­ti­on may be rejec­ted if the­re is evi­dence that the pro­duct, or the soft­ware which is deli­ver­ed along with the pro­duct, con­ta­ins known secu­ri­ty vul­nerabi­li­ties and if a war­ning or noti­fi­ca­ti­on has alre­a­dy been issued in accordance with §§ 7 and 7a BSI Act, and/or if mea­su­res have been taken in accordance with § 9c(8) of the BSI Act. In accordance with § 9c(8) of the BSI Act, the IT secu­ri­ty label may be revo­ked later on if the manufacturer’s decla­ra­ti­on is vio­la­ted or if the manu­fac­tu­rer fails to meet the sta­tu­to­ry requirements.

Recent deve­lo­p­ments

Just recent­ly, Germany’s Fede­ral Minis­try of the Inte­ri­or, Buil­ding and Com­mu­ni­ty (BMI) published a draft Ordi­nan­ce on IT secu­ri­ty labels from the Fede­ral Office for Infor­ma­ti­on Secu­ri­ty (BSI) (only in Ger­man). The draft Ordi­nan­ce addres­ses the design and use of the IT secu­ri­ty label, which is to be com­pri­sed of the manufacturer’s decla­ra­ti­on and secu­ri­ty infor­ma­ti­on, and the label is to con­tain refe­ren­ces to both of the­se docu­ments. The draft Ordi­nan­ce also con­ta­ins pro­vi­si­ons rela­ting to the appli­ca­ti­on pro­cess and the pro­ce­du­re for eva­lua­ting appli­ca­ti­ons. Con­su­mer infor­ma­ti­on about appro­ved pro­ducts is to be published on BSI’s website.

Addi­tio­nal ques­ti­ons are rai­sed in this con­text regar­ding the requi­re­ment for manu­fac­tu­r­ers to pro­vi­de BSI with neces­sa­ry infor­ma­ti­on for the pro­duct web­site (dyna­mic infor­ma­ti­on source). The new­ly enac­ted § 327f of the Civil Code (only in Ger­man) (taking effect on 1 Janu­ary 2022), rela­ting to con­su­mer con­tracts for digi­tal pro­ducts, requi­res sup­pli­ers to update their pro­ducts during the term of use in order to main­tain their con­for­mi­ty with the terms of the con­tract and to noti­fy con­su­mers of such updates. The­se updates include secu­ri­ty updates. This sta­tu­te ser­ves to imple­ment Direc­ti­ve (EU) 2019/770 on “cer­tain aspects con­cer­ning con­tracts for the sup­p­ly of digi­tal con­tent and digi­tal ser­vices” (the Digi­tal Ser­vices Direc­ti­ve). For digi­tal pro­ducts which are sup­pli­ed for a long peri­od of time, updates are requi­red for the dura­ti­on of the sup­p­ly peri­od; in other cases, the update requi­re­ment is deter­mi­ned based on reasonable con­su­mer expec­ta­ti­ons. But whe­ther the­re is an inter­play bet­ween the vol­un­t­a­ry IT secu­ri­ty label and the requi­re­ments for com­pa­nies in accordance with § 327f of the Civil Code can­not be con­clu­si­ve­ly deter­mi­ned at this time.

Sin­ce com­pa­nies can use the dyna­mic infor­ma­ti­on source to point out exis­ting secu­ri­ty pro­blems and secu­ri­ty updates and com­mu­ni­ca­te recom­men­ded actions, the pro­vi­si­on of such infor­ma­ti­on should, at least, be taken as an indi­ca­ti­on in favor of the com­pa­ny that the requi­re­ments of § 327f of the Civil Code have been satis­fied. Simi­lar­ly, the IT secu­ri­ty label may be taken as an indi­ca­ti­on that the com­pa­ny has satis­fied the IT secu­ri­ty requi­re­ments ari­sing from Artic­le 32 of the GDPR, which are also of signi­fi­can­ce for manu­fac­tu­r­ers. This would fur­ther rein­force the trend in which data pro­tec­tion aut­ho­ri­ties have been stron­gly incli­ned to fol­low BSI’s gui­de­lines in ques­ti­ons rela­ting to IT security.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.