New German Cybersecurity Regulation Brings GDPR-style Penalties, Increasing Compliance Burden for Everyone?

For multi-jurisdictional financial institutions, a large and growing patchwork of cybersecurity regulations is just one of a multitude of compliance challenges to manage. But it’s a crucial one. With GDPR fines in the hundreds of millions now being handed down by European regulators, the stakes have never been higher. The latest news from Germany is that the regulatory environment is about to get more complex still, with the advent of a new cybersecurity law. Based on previous experience, it could even be extended to cover the entire EU – or indeed the world – in time.

All of which makes the case even stronger for automated compliance tools to help financial sector firms get back on the front foot by responding with agility to regulatory change.

A New Act

The IT Security Act (IT-Sicherheitsgesetz) promises to shake-up Germany’s cyber laws by placing best practice requirements on a wider sweep of organizations than are currently covered by the EU’s NIS Directive. Specifically, it will apply to manufacturers of IT software and hardware used in any layer of the critical infrastructure supply chain. These parties will need to report any product-related security incidents to the authorities and provide a declaration of trustworthiness to customers. The law will also cover organizations of public interest, like media companies that help mould public opinion, firms regulated under Frankfurt stock exchange rules, and defense contractors.

The new law will give Germany’s IT security authority (BSI) the power to proactively monitor publicly available IT systems for security gaps, putting more pressure on compliance teams. But perhaps the headline feature is the proposed inclusion of GDPR-level fines, of up to €20m (￡18m), or 4% of global annual turnover. 

Making Sense of Change

The advent of yet another cybersecurity law, on top of the EU-wide GDPR and NIS Directive, adds more cost and complexity for multi-national financial institutions operating in the country. They will need to get familiar with the detail, plan carefully, and ensure they are compliant.

Perhaps even more importantly, Germany’s regulations are often seen as a shining light of best practice within the EU. The forerunner of the NIS Directive was a home-grown law regulating critical infrastructure firms, for example. The new IT Security Act may also make the transition to an EU-wide law – marking this legislation out as an important one to watch.

The challenge remains how to proactively manage this and the countless other laws, directives and regulations that exist across multiple jurisdictions, in order to minimize the risk of compliance gaps. It’s claimed that even the average mid-sized sell-side institution must have insight into over 600 legislative initiatives.

Manual processes are the enemy of compliance: spreadsheets are simply no longer fit-for-purpose in a post-2008 regulatory world. Instead, financial sector firms need automated regulatory change management. These tools continuously monitor and capture global regulatory data in real-time — using AI algorithms to map regulations against existing cyber taxonomies to highlight compliance gaps and identify where policies and controls need updating.

Embracing this approach will not only minimize the chances of astronomical GDPR-style fines, it helps to free-up team members to focus on more strategic tasks.

With reports suggesting the German security law could be adopted before the summer recess, there’s no time to lose.