Government bill published: the voluntary IT security label is coming
The IT Security 2.0 Act (only in German) tasks the Federal Office for Information Security (BSI) with introducing a voluntary IT security label in order to provide consumers with better information about IT security. These labels, which are to be introduced by the end of the year, will allow consumers to easily obtain information about the security functions promised by manufacturers in their products and services. The IT security label is conceived as a voluntary label for IT products based on § 9c of the BSI Act (only in German) but makes no statements with regard to data protection.
The voluntary IT security label is comparable, but not identical, to cybersecurity certification in accordance with the Cybersecurity Act. It is likely that national IT security labels will eventually be transformed into European cybersecurity certification. Possible indications of such a transformation can already be found on the BSI website, but it is by no means certain.
Relevance for companies
The labels will allow companies to easily advertise the security features of their IT products, which could enable them to stand out in competition. Placement of the labels may serve as a selling point in view of the growing demand among consumers for information about cybersecurity aspects.
Application process and market surveillance
In the course of the year, it will be possible to submit applications (only in German) for broadband routers falling within the scope of BSI Technical Guideline TR-30148. Other product categories are expected to follow. The declarations submitted by manufacturers will be subjected to a completeness and plausibility check, for which BSI typically sets aside a period of six weeks.
Labels will generally be issued for a period of at least two years, during which time the manufacturer will be required to maintain the conformity of its product and report any changes to BSI. At the same time, BSI may seek to verify the features promised by the manufacturer by means of spot checks, or as the circumstances require.
An application may be rejected if there is evidence that the product, or the software which is delivered along with the product, contains known security vulnerabilities and if a warning or notification has already been issued in accordance with §§ 7 and 7a BSI Act, and/or if measures have been taken in accordance with § 9c(8) of the BSI Act. In accordance with § 9c(8) of the BSI Act, the IT security label may be revoked later on if the manufacturer's declaration is violated or if the manufacturer fails to meet the statutory requirements.
Just recently, Germany's Federal Ministry of the Interior, Building and Community (BMI) published a draft Ordinance on IT security labels from the Federal Office for Information Security (BSI) (only in German). The draft Ordinance addresses the design and use of the IT security label, which is to be comprised of the manufacturer's declaration and security information, and the label is to contain references to both of these documents. The draft Ordinance also contains provisions relating to the application process and the procedure for evaluating applications. Consumer information about approved products is to be published on BSI's website.
Additional questions are raised in this context regarding the requirement for manufacturers to provide BSI with necessary information for the product website (dynamic information source). The newly enacted § 327f of the Civil Code (only in German) (taking effect on 1 January 2022), relating to consumer contracts for digital products, requires suppliers to update their products during the term of use in order to maintain their conformity with the terms of the contract and to notify consumers of such updates. These updates include security updates. This statute serves to implement Directive (EU) 2019/770 on "certain aspects concerning contracts for the supply of digital content and digital services" (the Digital Services Directive). For digital products which are supplied for a long period of time, updates are required for the duration of the supply period; in other cases, the update requirement is determined based on reasonable consumer expectations. But whether there is an interplay between the voluntary IT security label and the requirements for companies in accordance with § 327f of the Civil Code cannot be conclusively determined at this time.
Since companies can use the dynamic information source to point out existing security problems and security updates and communicate recommended actions, the provision of such information should, at least, be taken as an indication in favor of the company that the requirements of § 327f of the Civil Code have been satisfied. Similarly, the IT security label may be taken as an indication that the company has satisfied the IT security requirements arising from Article 32 of the GDPR, which are also of significance for manufacturers. This would further reinforce the trend in which data protection authorities have been strongly inclined to follow BSI's guidelines in questions relating to IT security.