INTERNAL AND EXTERNAL IT SECURITY OBLIGATIONS
For operators of critical infrastructures, such as energy suppliers, but also for cloud providers, it is immediately clear that IT security also has a legal component. For other providers too, such as SaaS (Software as a Service) vendors, online shops and web portals, it is important that the focus is not only on the technical aspects of IT security and the threat of cybercrime, but also on the possible legal consequences and the corresponding risk minimisation.
As a law firm specialising in data protection, IT law and IT security law, Piltz Legal advises and accompanies you in the analysis and drafting of appropriate security measures and contractual texts as well as in legal disputes, and does so with the corresponding technical and subject-matter understanding.
We look in three directions.
Firstly, the arrangements vis-à-vis your customers: from the offer to the contracts, and from data protection declarations to service level agreements and software contracts.
Secondly, your internal rules, for example corresponding company guidelines, confidentiality agreements and contracts with subcontractors and IT partners.
And last but not least, legal risk minimisation against attacks by unauthorised third parties and precautions for the event of possible damage.
Our goal: to identify risk factors from a legal perspective and with an understanding of technology and to contribute in the best possible way to safeguarding your business.
- Review of existing contracts, legal texts and regulations
- Advice and support for projects
- Contract offers and customer contracts
- Support in the creation of IT security guidelines
- Legal assessment of the legal security requirements applicable to you
- Internal processing of security breaches
- Examination of possible reporting obligations to authorities
News
Territorial scope of NIS-2 – When does the German BSIG apply to managed service providers (MSPs) from third countries?
In a previous article (only available in German), we addressed the question of who qualifies as a managed service provider (MSP) or managed security service provider (MSSP) under the amended German Act on the Federal Office for Information Security and on information security in entities (BSI Act – BSIG) (Note: There is currently no official English translation of the current version of the BSIG. However, there is at least a machine translation by the EU.). If a company within a group of companies is centrally responsible for the operation of the group's IT, it can be classified as an MSP and thus as an important or particularly important entity within the meaning of Sec. 28 para. 1 no. 4 and/or Sec. 28 para. 2 no. 3 BSIG – provided that it falls within the scope of the BSIG.
NIS-2: Obligation to designate a representative for entities in third countries
Within the scope of the NIS-2 Directive (NIS-2-RL), situations may arise in which providers of certain NIS-2-relevant services, such as managed service providers, are based solely in a third country but offer services within the EU. According to Art. 2 (1) NIS-2 Directive, the Directive's territorial scope is triggered as soon as a company provides a service or carries out activities in the EU. Art. 26 NIS-2 Directive specifies this scope to the effect that, in principle, the Member State in which the entity is located has jurisdiction and that Member State's implementing law applies. We have already written an article on this subject.
New awards for our partners
We are very pleased that Prof. Dr. Burghard Piltz and Dr. Carlo Piltz have received further awards from the Handelsblatt and have been included in the 16th edition of The Best Lawyers in Germany™.