What IT security requirements in Germany are website operators and mobile app developers actually already subject to?

As part of its digital strategy, the EU is currently working on various regulations and directives on cyber security, such as the Cyber Resilience Act (CRA). An overview listing the upcoming and current data protection and IT security-related norms at EU level, as well as a news series on the CRA in particular, can be found on our website.

At national level, too, "special players" such as operators of critical infrastructures and operators of energy supply networks and energy plants are subject to "special" IT security obligations (BSIG / EnWG).

But "general" IT security requirements already exist in Germany for "normal" companies as well. According to Sec. 19 Para. 4 Sen. 1 TTDSG, telemedia providers shall, insofar as this is technically possible and economically reasonable, ensure within the scope of their respective responsibility for telemedia offered on a businesslike basis by means of technical and organizational measures that

1. no unauthorized access is possible to the technical equipment used for their telemedia offerings, and

2. these are secured against malfunctions, including those caused by external attacks.

It should be noted that Sec. 19 TTDSG applies, pursuant to Sec. 1 Para. 3 TTDSG, to all companies and persons who have an establishment or provide or participate in the provision of services or make goods available on the German market within the scope of the TTDSG. The territorial scope of application is therefore very broad.

We have therefore addressed the question of what IT security requirements Sec. 19 Para. 4 Sen. 1 TTDSG already imposes on the operation of a website or (the development of) a mobile app directed towards the German market and how these can be implemented in practice. For example, the implementation of the following points is recommended:

- Access configurations and disabling of unused protocols

- Restrictions on the group of IP addresses with access rights

- Use of secure encryption methods and security updates

- Encryption of data

- Checking for malware, using a firewall and applying security patches

- Backups

- Contractually obliging partners to take protective measures and monitoring their compliance
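To make the first three points concrete, here is an added example (not part of the original article and not a BSI or TTDSG tool) that audits an nginx-style server block for the measures listed above: unused or insecure TLS protocol versions, a missing HSTS header, and an administrative path that is not restricted to a defined IP range. Both configuration snippets are constructed for illustration; the directive names (`ssl_protocols`, `add_header`, `allow`, `deny`) are real nginx directives, but the parser is a deliberately simple regular-expression scan, not a full nginx configuration parser.

```python
"""Small audit of an nginx-style server block against three of the measures
recommended above: disabling unused/insecure protocols, restricting access
to a defined IP range, and using secure encryption settings.
Added example; the two configurations below are constructed for illustration."""
import re
from ipaddress import ip_network

# Constructed sample: a weak block (old protocols, open admin path, no HSTS).
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    location /admin {
        proxy_pass http://backend;
    }
}
"""

# Constructed sample: the same block after hardening.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location /admin {
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://backend;
    }
}
"""

# Protocol versions that should no longer be offered at all.
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def directive_values(config, name):
    """Return the argument list of every occurrence of directive `name`."""
    pattern = re.compile(r"^\s*" + re.escape(name) + r"\s+([^;]+);", re.MULTILINE)
    return [m.group(1).split() for m in pattern.finditer(config)]


def audit(config):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []

    # 1. Unused / insecure protocols must be disabled.
    protos = directive_values(config, "ssl_protocols")
    if not protos:
        findings.append("ssl_protocols not set: server falls back to nginx defaults")
    for args in protos:
        bad = sorted(INSECURE_PROTOCOLS & set(args))
        if bad:
            findings.append(f"insecure protocols enabled: {', '.join(bad)}")

    # 2. Secure encryption: browsers should be told to stay on TLS (HSTS).
    headers = directive_values(config, "add_header")
    if not any("Strict-Transport-Security" in args for args in headers):
        findings.append("no HSTS header: clients may be downgraded to plaintext")

    # 3. Administrative paths restricted to a defined IP range (allow ... ; deny all;).
    admin_block = re.search(r"location\s+/admin\s*\{(.*?)\}", config, re.DOTALL)
    if admin_block:
        body = admin_block.group(1)
        allows = directive_values(body, "allow")
        denies = directive_values(body, "deny")
        if not allows or ["all"] not in denies:
            findings.append("/admin reachable from any IP: add 'allow <range>; deny all;'")
        for args in allows:
            try:
                ip_network(args[0], strict=False)
            except ValueError:
                findings.append(f"/admin allow rule is not a valid network: {args[0]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Running the script reports three findings for the weak block and none for the hardened one. In practice such a check would be run against the real configuration files in a deployment pipeline, so that a regression (for example re-enabling TLSv1.1 for a legacy client) is caught before it reaches production.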

The German Federal Office for Information Security (BSI) has also published additional requirements regarding Sec. 19 Para. 4 TTDSG (the document has not yet been updated and refers to the predecessor standard with the same content).

Apart from these IT security requirements, it makes economic sense to take preventive measures tailored to the individual situation - because prevention is often more financially sustainable than dealing with the damage of a possible cyber attack.


Cornelia Perron

Data protection for self-employed professionals + SMEs - so that not only your data is secure, but also your company in the market. Instead of dry theory, I put your data protection into practice.

1 year

Very good overview, and often forgotten or not known about by website operators or app programmers.
