German Federal Cabinet adopts strategy for cybersecurity 2021

In addition to the fields of action, the new strategy for cybersecurity provides for the first time for concrete guidelines, measures and goals by means of which, according to BMI, the challenges and risks of a digitalized world with technologies such as artificial intelligence and networked devices are to be mastered. BMI declares cybersecurity to be a task for society as a whole. The addressees of the new strategy for cybersecurity are in equal measure the state, the economy, science and society.¹

Fields of Action and Guidelines of the new Strategy for Cybersecurity

The strategy for cybersecurity 2021 will at first retain the four fields of action of the strategy for cybersecurity 2016:

• According to field of action 1, the strategy for cybersecurity 2021 sets itself the goal of increasing the "cybersecurity competence" of society. For example, the user-friendliness of IT security solutions is to be improved, digital consumer protection services are to be expanded, electronic identities and electronic communication are to be better protected. AI has a dual role to play here: on the one hand, AI is to be used as a tool to contribute to IT security; on the other hand, AI itself is also to be protected by specific IT security requirements.² 
• In addition, field of action 2 provides for the strengthening of the National Cybersecurity Council, which is to be achieved by the improvement of cooperation between the state, business, science and civil society in the area of cybersecurity, as well as the strengthening of the German digital economy and the protection of German companies.³
• Moreover, field of action 3 aims to expand the federal government's legislative competence to avert danger and the cooperation between the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and the federal states. Law enforcement in cyberspace is also to be intensified and access by the security authorities to encrypted communications is to be created. Telecommunications and telemedia law is to be adapted to technological progress.⁴
• The strategy for cybersecurity 2021 also provides with field of action 4 for Germany to actively participate in the further development of applicable strategies and regulation (such as EU’s Cybersecurity Strategy for the Digital Decade or the directive concerning network and information systems, in order to achieve a high standard of cybersecurity across the European Union by introducing and implementing agreed minimum standards.⁵ Germany also intends to advocate for the continuous further development of cybersecurity policy at NATO level.⁶

It is new that a total of four guidelines flank the four fields of action of the strategy for cybersecurity, which in turn are for the first time defined by 44 strategic goals. These guidelines are:

• Establish cybersecurity as a joint task of the state, business, science and society;
• Strengthening the digital sovereignty of the state, the economy, science and society;
• Shape digitisation securely and
• make goals measurable and transparent.⁷

The 13 strategic goals of the second field of action are among the most interesting for companies. These include goals such as "Further improve the protection of critical infrastructures"⁸, "Protecting companies in Germany"⁹, "Cybersecurity certification"¹⁰ and "Promote research and development of resilient, secure IT products, services and systems for the internal EU market".¹¹

The IT security of products plays an important role in this. By increasing the IT security of products and creating products to increase their IT security, the BMI aims for strengthening the following economic sectors and their supply chains: Mobility and automotive industry, energy industry, smart home or IoT and smart cities, industry 4.0, healthcare, finance and the IT security industry with the fields of biometrics, long-term security and quantum technology.¹²

In order to evaluate the achievement of the defined strategic goals within the fields of action and to make the implementation of the strategy for cybersecurity 2021 continuously traceable and verifiable through operational measures, the new strategy for cybersecurity also includes for the first time specific measurability criteria. Based on these evaluation criteria, the various departments responsible for implementation report to BMI on the progress made in achieving the strategic goals.¹³

For example, a decline in the number of private individuals affected by cyber attacks or the reach of the BSI's information services for consumers will serve as an indicator of success in implementing the goal of promoting digital skills among all users.  The Federal Ministry of the Interior wants to see whether the goal of protecting companies in Germany is being achieved by the concrete demand for support programmes for the IT security of SMEs, by whether the number of users of the BSI's support services is increasing, and by the fact that the "Economic Protection Initiative" is establishing projects for the holistic protection of the value chain against the outflow of know-how and information.¹⁴

Outlook

After BMI had already published a draft of the strategy for cybersecurity in June 2021, the inclusion of "digital sovereignty" as a guideline¹⁴ and the planned improvement of cooperation between the state, business and civil society¹⁶ were expressly welcomed by interest groups. On the other hand, the planned expansion of German security authorities' access to encrypted communication ¹⁷ and a possible weakening of security technologies in favour of state intervention possibilities¹⁸ as well as the expansion of surveillance powers at the expense of IT security, especially from the point of view that foreign intelligence services and cyber criminals could exploit security gaps, were criticised.¹⁹

Whether and how the strategic goals of the strategy for cybersecurity 2021 can be achieved in the coming years, despite or precisely because of the scope for action granted to the ministries, remains to be seen. In order to ensure an active exchange between government and industry in the meantime, the strategy for cybersecurity 2021 refers, among other things, to initiatives such as the "Initiative IT-Sicherheit in der Wirtschaft" (IT Security Initiative in the Economy) of the Federal Ministry for Economic Affairs and Energy (Bundesministerium für Wirtschaft und Energie, BMWi), the Alliance for Cybersecurity (ACS) or the "Cyber Alliance with Industry" launched by BMI and the Federation of German Industries (Bundesverband der Deutschen Industrie, BDI).²⁰ We will continue to keep you up-to-date on current developments.

Did you know?

On November 4, Hogan Lovells will offer ACS members a webinar on "Standard and Requirements for Networked Consumer Products" (in German). You are a member? In this case, this webinar may be of interest to you. For more information and your option to register, please click here.