Interior Minister Thomas de Maizière has promised efforts to tighten IT-security laws as a consequence of the global ransomware attack in mid-May, describing the security situation as “dramatic” in a draft seen by Handelsblatt.
The German cabinet will pass a resolution for the protection of critical infrastructure on Wednesday. The federal government will list a total of 1,699 facilities as critical for the safe supply of the population. Operators of these facilities have to report cyber-attacks to a national authority and guarantee minimum standards for security.
Since 2016, the areas of energy, water, food, as well as information technology and telecommunications have been registered under the critical infrastructure program. The new list will also include the sectors of health, finance, insurance, transportation and traffic in the future.
“We will now look at whether we need to expand that circle,” the draft said, adding that “many manufacturing corporations,” such as car or steel makers, were still not included.
German lawmakers should also consider a broader overhaul of the country’s IT-security laws in the next legislative period, Mr. de Maizière wrote.
German companies have long opposed tighter regulations, saying that stricter obligations to report on hacks did not solve the actual problem. They object that the minister’s list also includes non-critical entities, such as train stations, logistics centers, traffic lights and even weather forecast stations.
“The aim of the regulation is not the protection against cyber attacks, but the continuously secure provision of the population with goods,” industry sources say.
Critics complain that companies were already heavily investing in their cyber security portfolio, and that additional regulatory measures would add to the costs. Fulfilling the ministry’s minimum standards will cost €120,000 per year. Each report on a hack will clock in at €660 in compliance costs.
Daniel Delhaes reports on politics, transport and airlines from Handelsblatt’s Berlin office.