In our study "Municipal information security and resilience – an analysis of the German approach to support" by author Julia Schuetze, options for action are presented that are taken up or supplemented here. 

Cooperation between federal states and municipalities can be expanded

Both the federal government and the federal states provide municipalities with services designed to increase municipal information security and resilience. Cooperation between the federal states and their municipalities is crucial here, as regional differences and special features in the federal system are better recognised and the municipalities in particular are dependent on the support of the federal states. Local authorities often lack knowledge of the available services. A nationwide and continuously updated overview of the services on offer could initially provide a remedy – based on the cyber security compass, for example.

To date, cooperation between the federal states on existing services has been very limited. If cooperation is established or stabilised, duplicating or overlapping services (such as handouts, checklists or exercise formats) could be avoided and made available across federal states.

Establish a standardised framework through state legislation

The federal states often do not have contact persons for information security in the municipalities. Here, a state law regulation such as the Saxon Information Security Act (SächsISichG) could oblige municipal organisations and bodies to appoint an information security officer. The minimum standards for critical sectors set out in the NIS 2 Implementation Act are unlikely to apply to municipalities. Therefore, reporting obligations and channels for incidents, standards for security concepts and exchange platforms for municipal information security should be introduced as part of state legislation.

Create a mandatory standardised nationwide understanding of the function(s) of the federal states

The federal states define their role in supporting municipal information security differently. Within the framework of our study "Municipal information security and resilience – an analysis of the German approach to support" author Julia Schuetze distinguishes between administrative (e.g. through framework agreements), educational (e.g. through training), financing (e.g. through the allocation of funds), informational (e.g. through guidance) and operational functions (e.g. through tools for hazard detection). A standardised nationwide understanding of the function(s) of the federal states should be created in order to delineate the areas of responsibility, offer targeted support services and save financial and human resources.

Establish regional and transnational security operations centres (SOC) 

The municipalities mainly lack support in the administrative and operational areas. Accordingly, federal states should fulfil more administrative and operational functions. For example, regional security operations centres (SOCs) could be set up, for example based on the Hessen3C CyberCompetenceCenter, which also work on a transnational basis or in cooperation with several countries. These security centres are either operated by the country or several countries themselves or by an external IT service provider. A 24/7 hotline and an emergency response team (CERT team) could provide support in dealing with cyber incidents. At the same time, this SOC could operate a warning and information service and provide municipalities with the necessary information about incidents, threats or new vulnerabilities in a customisable way via a platform. Furthermore, tools for detecting threats (software programmes, website checks or online antivirus searches) could also be made available via this platform.

The SOZ could serve as a framework for dialogue between the municipalities.

Ensure administrative support for municipalities through involvement into framework agreements

Alternatively, administrative support for municipalities would be conceivable. Some federal states use external IT service providers themselves and bind them to a framework contract. External service providers could operate at municipal level so that the services are initially procured by the municipalities via the state and the municipalities are liable to the state for the costs incurred. This involvement of the municipalities in framework agreements could in turn be used by the state as an incentive system: The more a local authority invests in information security, the lower the compensation amount to the state could be. This would ensure targeted and unbureaucratic financial support for municipalities and the federal states would have a better overview of investments and the state of municipal information security.

This publication is only available in German.