IT Law for Non-Lawyers: The Most Important Laws Surrounding Cybersecurity

TL;DR
  • NIS2 (implemented as NIS2UmsuCG) requires companies in critical and important sectors to implement comprehensive cybersecurity measures and incident reporting, and makes executive management personally liable.
  • The DSGVO (GDPR) protects personal data and requires technical and organizational measures. Violations can cost up to EUR 20 million or 4 percent of global annual revenue.
  • The GeschGehG (Trade Secrets Act) only protects trade secrets if reasonable protective measures are in place. Without an ISMS and NDAs, there is no trade secret protection.
  • The BSIG and the IT Security Act govern the tasks of the BSI and the obligations of critical infrastructure operators.
  • The StGB (Criminal Code) contains criminal offenses for computer fraud, data manipulation, computer sabotage, and data espionage that can affect both attackers and negligent IT professionals.

Why IT Professionals Need to Know the Legal Landscape

As an IT manager or information security officer, you are not a lawyer and do not need to become one. But you must understand which laws apply to your company, what obligations arise from them, and what happens if you fail to comply. This matters because the responsibility for implementing these laws in practice frequently falls on the IT department, even though formal legal responsibility lies with executive management.

The legal landscape around cybersecurity has become far denser in recent years. Where previously only the Federal Data Protection Act was relevant, companies today must observe an entire web of European directives and regulations, national laws, and industry-specific requirements. This article gives you an accessible overview of the most important laws and places them in the context of your ISMS.

NIS2: The EU's New Cybersecurity Law

What Is NIS2?

The NIS2 directive (Network and Information Security Directive 2) is the revised EU directive on cybersecurity, replacing the original NIS directive from 2016. In Germany, it is transposed into national law through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which makes extensive amendments to the BSI Act (BSIG).

Who Does NIS2 Affect?

NIS2 covers significantly more companies than its predecessor. It applies to companies in 18 sectors that are classified as "essential" or "important" entities. The sectors include energy, transport, banking, health, drinking water, wastewater, digital infrastructure, ICT services, public administration, space, postal and courier services, waste management, chemicals, food, manufacturing, digital services, and research.

The thresholds are low: companies with 50 or more employees or EUR 10 million in annual revenue generally fall within scope. In certain sectors (e.g., digital infrastructure, DNS services), there is no size threshold.

Core Obligations Under NIS2

Risk management: Companies must take appropriate technical, operational, and organizational measures to manage cybersecurity risks. Article 21 NIS2 lists at least ten areas, including risk analysis, incident management, business continuity, supply chain security, cryptography, and access controls.

Reporting obligations: Significant security incidents must be reported to the BSI. The reporting deadlines are staggered: initial notification within 24 hours, update within 72 hours, and final report within one month.

Executive liability: Executive management must approve and oversee cybersecurity measures and can be held personally liable. Executive management must also participate in cybersecurity training.

Registration: Affected companies must register with the BSI.

Fines

NIS2 provides for significant fines: for essential entities up to EUR 10 million or 2 percent of global annual revenue, and for important entities up to EUR 7 million or 1.4 percent of global annual revenue.

Practical Implications

For IT professionals, NIS2 concretely means: you need systematic risk management (ISMS), documented security measures, a tested incident response plan, evidence of supply chain security, and regular training — including executive management.

GDPR: Data Protection as a Security Driver

What Does the GDPR Regulate?

The DSGVO (GDPR) — the General Data Protection Regulation — protects the personal data of natural persons in the EU. Personal data is any information relating to an identified or identifiable person: name, email address, IP address, location data, health data, biometric data, and much more.

Security-Relevant Obligations

For IT professionals, the following obligations are particularly relevant:

Technical and organizational measures (TOMs) under Article 32: You must ensure a level of protection appropriate to the risk. The GDPR specifically names pseudonymization and encryption, the ability to ensure confidentiality, integrity, availability, and resilience, the ability to restore data promptly after an incident, and regular testing and evaluation of the effectiveness of measures.

Breach notification obligation under Articles 33 and 34: Data breaches that pose a risk to the rights and freedoms of data subjects must be reported to the competent supervisory authority within 72 hours. In cases of high risk, the affected individuals must also be notified.

Commissioned processing under Article 28: If you have personal data processed on your behalf by external service providers, you need a Data Processing Agreement (DPA) that governs, among other things, the technical and organizational measures.

Data Protection Impact Assessment (DPIA) under Article 35: For processing operations that pose a high risk to data subjects (e.g., video surveillance, profiling, processing of health data), you must conduct a DPIA.

Fines

The GDPR provides for fines of up to EUR 20 million or 4 percent of global annual revenue, whichever is higher. German supervisory authorities have imposed fines in the millions in recent years, including for inadequate technical measures and late breach notifications.

Overlap with NIS2

NIS2 and the GDPR have significant overlaps in security requirements. If you build an ISMS that covers the requirements of both laws, you save effort and avoid duplication. The GDPR focuses on personal data; NIS2 addresses the security of network and information systems as a whole. A comprehensive ISMS covers both.

GeschGehG: Protection of Trade Secrets

What Does the GeschGehG Regulate?

The Trade Secrets Act (Gesetz zum Schutz von Geschäftsgeheimnissen, GeschGehG) implements EU Directive 2016/943 and governs the protection of trade secrets against unlawful acquisition, use, and disclosure.

What Is a Trade Secret?

Information qualifies as a trade secret if it is not generally known or readily accessible, has economic value because it is secret, and is subject to reasonable confidentiality measures. The third point is decisive: without reasonable measures there is no protection, regardless of how valuable the information is.

Reasonable Confidentiality Measures

What is "reasonable" depends on the circumstances. Courts have recognized the following measures as relevant: contractual measures (NDAs, confidentiality clauses in employment contracts), technical measures (access controls, encryption, DRM), organizational measures (information classification, need-to-know principle, training), and physical measures (access control, locked rooms).

An ISMS that systematically implements and documents these measures fulfills the GeschGehG requirements. Without an ISMS, you risk your trade secrets losing their legal protection. Additionally, you should enter into non-disclosure agreements (NDAs) with all parties who gain access to confidential information.

Legal Consequences

The GeschGehG grants the trade secret holder claims for injunctive relief, destruction, surrender, information, and damages. In serious cases, criminal consequences may apply under § 23 GeschGehG.

BSIG and IT Security Act

BSI Act (BSIG)

The Act on the Federal Office for Information Security (BSIG) governs the tasks and powers of the BSI. Through the transposition of NIS2, the BSIG is being significantly expanded and will contain the specific national requirements for cybersecurity.

IT Security Act (IT-SiG)

The IT Security Act (current version IT-SiG 2.0 from 2021) expanded the BSI's tasks and tightened obligations for operators of critical infrastructure (KRITIS). With the transposition of NIS2, the relevant provisions are being transferred into the revised BSIG.

Critical Infrastructure Operators

Operators of critical infrastructure have special obligations: implementation of appropriate security measures according to the state of the art, proof of implementation to the BSI every two years (through audits, assessments, or certifications), reporting of significant security incidents to the BSI, and establishment of a contact point for the BSI.

BSI as Supervisory Authority

With NIS2, the BSI has received expanded powers: conducting audits and assessments, ordering measures to remedy security deficiencies, imposing fines, and informing the public about security risks.

StGB: Criminal Law Aspects of Cybersecurity

The German Criminal Code (Strafgesetzbuch) contains several criminal offenses relevant to cybersecurity — for both attackers and IT professionals.

Criminal Offenses for Cyberattacks

§ 202a StGB (Data espionage): Unauthorized access to data that is not intended for the perpetrator and is specially secured against unauthorized access. Penalty: imprisonment up to three years or fine.

§ 202b StGB (Interception of data): Unauthorized interception of data from a non-public data transmission or from the electromagnetic emissions of a data processing system. Relevant for man-in-the-middle attacks and network sniffing.

§ 202c StGB (Preparation of data espionage and interception): The production, procurement, sale, or provision of tools intended for offenses under §§ 202a, 202b (the so-called "hacker paragraph"). This paragraph is controversial because it can also affect the work of security researchers and penetration testers.

§ 263a StGB (Computer fraud): Influencing the result of a data processing operation through incorrect program design, use of incorrect or incomplete data, or unauthorized intervention. Relevant for phishing, CEO fraud, and manipulation of financial systems. Penalty: imprisonment up to five years or fine.

§ 303a StGB (Data manipulation): Unlawful deletion, suppression, rendering unusable, or alteration of data. Relevant for ransomware attacks and sabotage. Penalty: imprisonment up to two years or fine.

§ 303b StGB (Computer sabotage): Significant disruption of data processing through data manipulation or through input or transmission of data with the intent to cause harm to another. When affecting businesses, companies, or government agencies: imprisonment up to five years or fine.

Relevance for IT Professionals

As an IT professional, you are typically not the attacker. But there are situations in which criminal risks become relevant for you as well:

Penetration tests: When you commission or conduct a penetration test, you need written consent from the system owner. Without such consent, the testers and you as the commissioning party may be criminally liable under §§ 202a, 303a StGB.

Monitoring and logging: Monitoring employee communications may violate § 206 StGB (violation of telecommunications secrecy) if private use of email and internet is permitted. Clarify the legal framework with the data protection officer and legal department before implementing monitoring measures.

Incident response: When analyzing a security incident, you are generally permitted to examine your company's systems. But caution is warranted: if you encounter private employee data (private emails where private use is permitted), special rules apply.

Additional Relevant Laws

Telecommunications Digital Services Data Protection Act (TDDDG)

The TDDDG (formerly TTDSG) governs data protection and confidentiality in telecommunications and digital services. Particularly relevant is § 25, which governs consent for storing and accessing information on end devices (cookie consent).

Telemedia Act (TMG) and Digital Services Act (DDG)

Providers of online services face additional obligations, particularly regarding legal notices (Impressum), privacy policies, and liability for content.

Industry-Specific Regulation

In certain industries, additional requirements apply: in the financial sector BAIT (Banking Supervisory Requirements for IT), VAIT (Insurance Supervisory Requirements for IT), and DORA (Digital Operational Resilience Act). In healthcare, SGB V with IT security requirements for hospitals and physicians. In the automotive industry, TISAX (Trusted Information Security Assessment Exchange) as an industry standard.

How the Laws Work Together

The various laws are not contradictory but complementary. In practice, they can be understood as concentric circles:

In the innermost circle sits the DSGVO (GDPR), which specifically protects personal data. Around it lies NIS2, which addresses the security of network and information systems as a whole. The GeschGehG protects the economic value of confidential information. And the StGB defines the boundaries whose transgression carries criminal consequences.

An ISMS built according to ISO 27001 or a comparable standard covers the requirements of all these laws to a large extent. The GDPR requires TOMs, NIS2 requires risk management, the GeschGehG requires reasonable protective measures. A well-built ISMS provides all of this.

Practical Recommendations

Check applicability: Determine which laws apply to your company. NIS2 has significantly expanded the circle of affected companies. Use the BSI's applicability check.

Build an ISMS: An ISMS based on ISO 27001 or BSI IT-Grundschutz covers the requirements of most laws and is the most efficient answer to regulatory complexity. Tools like ISMS Lite help map the requirements from NIS2, GDPR, and GeschGehG in a single system and document compliance status in a traceable manner at all times.

Get legal advice: For assessing specific applicability and interpreting particular requirements, you need legal counsel. Find a lawyer who specializes in IT law.

Document: All laws require you to demonstrate what you have done. Documentation is not a side issue — it is a core obligation.

Update regularly: The legal landscape is changing rapidly. Track regulatory developments and adapt your ISMS accordingly.

Collaborate with the data protection officer: Cybersecurity and data protection overlap significantly. Work closely with the DPO to avoid duplication and leverage synergies.
