Reporting obligations in Germany in the case of security incidents

16.10.2023

When a company is the victim of a cyber attack, one of the first urgent questions for its legal department is usually which reporting obligations must now be met. Some reporting obligations carry very short time limits, which the regulatory authorities take very seriously. This article provides an overview of the reporting requirements towards authorities in the event of an IT incident.

Depending on a company’s business, it may be subject to several concurrent reporting obligations. Cyber attacks frequently have international ramifications, which in turn can mean that a company must also fulfil additional reporting requirements abroad. Depending on the competent authority, that authority may also inform other authorities, at least within Europe.

Companies frequently lack an understanding of their contractual obligations to notify their contractual partners of a cyber breach. In particular, such reporting obligations are often “hidden” in confidentiality clauses. A processor for the purposes of data protection law also has an obligation to notify the controller of a personal data breach (Article 33(2) of the GDPR).

In addition, reporting obligations (Meldeobliegenheiten) to insurers must also be taken into account. Issuers of financial instruments must check whether the IT security incident also triggers an ad-hoc publicity obligation under the Market Abuse Regulation (MAR).

Statutory definition of an IT security incident

Different laws have different definitions of an IT security incident. The majority of these definitions have one thing in common, namely that the information security goals of confidentiality, integrity, authenticity and/or availability must have been compromised. In the case of some laws, a reporting obligation only arises when further preconditions are met.

Overview


| Legal source | Addressee(s) of the provision | Authority (English language where available) | Time limits |
|---|---|---|---|
| Article 33 of the General Data Protection Regulation (GDPR) | Controller for the purposes of data protection law | Relevant data protection authority | Without undue delay and not later than 72 hours after having become aware of the personal data breach |
| Section 8b(4) of the German Federal Office for Information Security Act | Operators of critical infrastructure | Federal Office for Information Security | Without undue delay |
| Section 8c(3) of the German Federal Office for Information Security Act | Digital service providers | Federal Office for Information Security | Without undue delay |
| Section 8f(7) and (8) of the German Federal Office for Information Security Act | Companies of special public interest | Federal Office for Information Security | Without undue delay (currently only mandatory for hazardous incidents occurring at companies of special public interest) |
| Section 168 of the German Telecommunications Act | Operators of public telecommunications networks or providers of publicly available telecommunications services | Federal Network Agency and Federal Office for Information Security | Without undue delay |
| Section 169 of the German Telecommunications Act | Providers of publicly available telecommunications services | Federal Network Agency and Federal Commissioner for Data Protection and Freedom of Information | Without undue delay |
| Section 11(1c) of the German Energy Industry Act | Operators of energy supply systems | Federal Office for Information Security | Without undue delay |
| Section 6 of the German Nuclear Safety Officer and Reporting Ordinance and section 44b of the German Atomic Energy Act | Various licence holders (such as nuclear power plant operators) | Federal Office for Information Security and other nuclear regulatory authorities | Without undue delay |
| Section 24(1) no. 19 of the German Banking Act | Credit institutions | Federal Financial Supervisory Authority and German Central Bank | Without undue delay |
| Section 54 of the German Payment Services Oversight Act | Payment service providers | Federal Financial Supervisory Authority | Without undue delay |
| Section 329 of the German Social Security Code (Book V) | Telematics infrastructure company (“Gematik”) | Federal Office for Information Security | Without undue delay |
| Section 329 of the German Social Security Code (Book V) | Providers of components and services as well as providers of applications | Gematik | Without undue delay |
| Commission Implementing Regulation (EU) 2019/1583 | Operators, air carriers and entities | Federal Office for Information Security | Without undue delay |


This news item is revised regularly. Current at: 4 January 2024.

Further detailed information can be found on the Noerr Cyber Risks Team’s webpages.