Who is liable for IT security gaps? That varies from case to case, but in Germany, the conventional laws on product safety and liability apply. And those, IT security associations criticize, are often not sufficiently phrased for IT liability issues. Expert Marion Steiner says that requirements for product safety must be regulated more clearly, and a study by the German Federal Office for Information Security (BSI) and the University of Göttingen confirms that the current laws do apply, but finds that there are considerable gaps. This is one reason why there is a lot of discussion on the subject, not only on a national but also on a European level. You can find more information on searchsecurity.de.
Please note that the article is currently only available in German.