The National Cyber Security Strategy was officially adopted in February 2011. The strategy is based upon 10 main objectives:
OB 1 Protection of critical information infrastructures
OB 2 Secure IT systems in Germany
OB 3 Strengthening IT security in the public administration
OB 4 National Cyber Response Centre
OB 5 National Cyber Security Council
OB 6 Effective crime control also in cyberspace
OB 7 Effective coordinated action to ensure cyber security in Europe and worldwide
OB 8 Use of reliable and trustworthy information technology
OB 9 Personnel development in federal authorities
OB 10Tools to respond to cyber attacks
The National Strategy also set up two federal cyber security entities:
- a National Cyber Response Centre which cooperates with the Federal Office for the Protection of the Constitution and the Federal Office of Civil Protection and Disaster Assistance, as well as federal police, intelligence, and customs agencies. Its main aim is to analyze cybersecurity incidents and provide recommendations for action to a newly established National Cyber Security Council on a regular basis and in response to specific incidents.
- a National Cyber Security Council responsible for implementation of the government’s cybersecurity strategy. The council will include representatives from the Federal Chancellery, Federal Foreign Office, a number of key ministries, including interior, defense, economics and technology, justice, finance, and education and research, as well as from the state governments.
NATIONAL CYBER SECURITY STRATEGY - NIS Capacities
|Year of adoption||The National Cyber Security Strategy was officially adopted in February 2011.|
|Updates and revisions||
Germany has updated its NCSS in 2016 to counter a rising number of threats targeting government institutions, critical infrastructure, businesses and citizens.
The strategy calls for the creation of a mobile Quick Reaction Force housed within the Federal Office for Information Security (BSI), as well as similar teams within the federal police and domestic intelligence agency that are able to respond to cyber threats against government institutions and critical infrastructure.
Germany has conducted several national cyber security exercises to practice crisis response plans for government agencies and specific operators of critical infrastructure. One of these, a 2011 crisis planning and readiness exercise, aimed to understand government response procedures for a multi-pronged attack including distributed denial of service attacks against critical infrastructures, the injection of malware into the banking system, and the insertion of false traffic within air traffic control systems.
Germany also participates in multi-national exercises organized by the European Union and the North Atlantic Treaty Organization (NATO).
|Implementation and monitoring||
One of the key provisions in the amendment of 2009 (“Act to Strengthen the Security of Federal Information Technology”) established the BSI as the central authority responsible for ensuring the security of the federal government’s information technology. When the law went into effect on 20 August 2009, the BSI became the central notification point for federal agencies on matters of IT security. Since then it collects information on security vulnerabilities and new attack methods that threaten the security of information technology, analyses them and issues situation reports.
Because of the potential for threats to spread rapidly from conventional IT systems to industrial systems, the 2015 amendment ( “Act to Increase the Security of Information Technology Systems”) placed particular emphasis on strengthening IT security for operators of critical infrastructures. Because they are equally indispensable for the common good and ever more dependent on IT, in future they are to maintain a minimum level of IT security and report IT security incidents to the BSI. For its part, the BSI collects all information relevant to defence against attacks on the IT security of critical infrastructures. This information is evaluated and referred to the operators and to the competent (supervisory)
The 2011 National Cyber Security Strategy has been implemented by the Minister of Interior.
|Operational capacity building||
A National Cyber Response Centre has been set up in 2011. Members of this centre are different authorities such as The Federal Criminal Police Office (BKA), the Federal Police (BPOL), the Customs Criminological Office (ZKA), the Federal Intelligence Service (BND), the Bundeswehr and authorities supervising critical infrastructure operators.
The centre aims at optimizing the cooperation between others incident response team and national authorities.
The centre will report to the Federal Office for Information Security (BSI) and cooperate directly with the Federal Office for the Protection of the Constitution (BfV) and the Federal Office of Civil Protection and Disaster Assistance (BBK).
|Other capacity-building measures: research and education||
Fraunhofer and a select group of universities have created a Cybersecurity Training Lab, which focuses on:
- Critical infrastructures / Use cases for energy and water infrastructures
- High-security and emergency-response facilities
- Internet security and IT forensics
- Software quality / Product certification
- Embedded systems, mobile security and the internet of things
IABG, the leading German engineering services and technology provider, announced the planned opening of the country's advanced cybersecurity training facility in June of 2017. The center, located at IABG Ottobrunn in the Munich area, will be managed by IABG and powered by the Cyberbit Range, the world's most widely deployed cybersecurity training and simulation platform. The multi-year agreement between IABG and Cyberbit will help Germany in addressing the shortage in cybersecurity talent and developing a world-class cybersecurity workforce.
In July 2015 Germany passed the IT Security Act affecting institutions listed as critical infrastructure (transpotation, health, water utilities,finance and insurance, telecommunications).
Germany has enacted specific legislation and regulation on cyber security through the following:
-Electronic Signature Act 2001(German language)
|Public Private partnership||
UP KRITIS is a public-private collaborative initiative between critical infrastructure operators, their professional associations and the relevant government agencies. The aim of this cooperation is to maintain the supply of critical infrastructure services in Germany.
|Date of last WISER analysis||August 2017|
Compliance with the GDPR and NIS Directive: Report a cyber incident
|Report a cyber incident to national CERT/CSIRT||
CERT-BUND is the national accredited CERT for Germany. It provides information on risks and threats relating to the use of information technology and seeks out appropriate solutions. This work includes IT security testing and assessment of IT systems, including their development, in co-operation with industry.
CERT NRW (Computer Emergency Response Team Nordrhein-Westfalen) has been commissioned as a focal point for preventive and reactive measures related to security and availability incidents in IT systems by the Interior Ministry of North Rhine-Westphalia. It serves as an information interface between the authorities and institutions of the state administration, the technical expertise of IT.NRW and other German CERTs, in particular the federal and state governments as well as companies.
CERT-RLP depends organizationally to the highest authorities of the Rhineland-Palatinate state administration. Technically, this involves basically the appropriate subset of directly connected to the operated by the LDI nationwide RLP network organizational units.
CERTBw is responsible as the central service in the framework of the Cyber Defence for monitoring, maintaining and restoring the IT security in the Bundeswehr.
Bayern-CERT is primarily aimed at the authorities connected to the Bavarian Authority Network. It includes regular preventive security checks of central components (for example, penetration testing) as well as the advice of the security team and the Commissioner for IT security to the daily tasks of the Bayern-CERT.
Siemens-CERT is the central team for responding to potential security incidents and vulnerabilities related to Siemens products, solutions and services.
S-CERT is the computer emergency response team of the German Sparkassen-Finanzgruppe (Savings Banks Financial Group).
CSIRT-ECB (Computer Security Incident Response Team - European Central Bank)
ComCERT is the Computer Emergency Response Team for Commerzbank network and clients
RUS-CERT (Stuttgart University's Computer Emergency Response Team ) is responsible for the computer and network security in the Stuttgart University's IT infrastructure
KIT-CERT is the Computer Emergency Response Team for Karlsruhe Institute of Technology
DFN-CERT is the Computer Emergency Response Team of the German research network (DFN)
The National Cyber Security Strategy states that “Federal Government will regularly review whether the aims of the Cyber Security Strategy have been achieved under the overall control of the National Cyber Security Council and will adapt the strategies and measures to the given requirements and framework conditions.”
The Bundesamt für Verfassungsschutz (BfV), the domestic intelligence service of the Federal Republic of Germany, publishes annual cyber threat reports. The 2016 report stated that Russia and China are the leading sources of cyber attacks on Germany.
|Date of last WISER analysis||July 2017|