BSI Act – BSIG

Act on the Federal Office for Information Security and on the Security of Information Technology of Institutions

Part 1 – General regulations

§ 1 - Federal Office for Information Security

The Federal Office for Information Security (Federal Office) is a higher federal authority within the portfolio of the Federal Ministry of the Interior and for Home Affairs. It is the central office for information security at national level. The Federal Office performs tasks for the federal ministries on the basis of scientific and technical findings.

§ 2 - Definitions

For the purposes of this Act,

  1. “near miss” means an event that could have affected the availability, integrity or confidentiality of stored, transmitted or processed data or the services offered or accessible via information technology systems, components and processes, but the occurrence of which was successfully prevented or did not occur for other reasons;
  2. “Authorized access users” means
    1. the Federal Office,
    2. the Land authorities that the Länder have designated as competent authorities for the supervision of public administration bodies at regional level in accordance with Article 2(2)(f)(ii) of the NIS 2 Directive,
    3. law enforcement authorities,
    4. federal and Länder police forces, and
    5. the constitution protection authorities of the Federation and the Länder;
  3. “ground infrastructure” means facilities relating to the space sector which are used to control the launch, flight or eventual landing of space objects;
  4. “Cloud computing service” means a digital service that enables the on-demand management of a scalable and elastic pool of shared computing resources and comprehensive remote access to this pool, even if the computing resources are distributed across multiple locations;
  5. “Content Delivery Network” or “CDN” means a group of geographically distributed, interconnected servers, together with the necessary infrastructure, which are connected to the Internet and serve to provide digital content and services to Internet users on behalf of content and service providers, with the aim of ensuring high availability, accessibility or delivery with the lowest possible latency;
  6. “cyber threat” means a cyber threat as defined in Article 2(8) of Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on cybersecurity certification of information and communication technology and repealing Regulation (EU) No 526/2013 (Cybersecurity Act, OJ L 151, 7.6.2019, p. 15);
  7. “data traffic” means the data transmitted by means of technical protocols; it may include telecommunications content in accordance with Section 3(1) of the Telecommunications Digital Services Data Protection Act and usage data in accordance with Section 2(2)(3) of the Telecommunications Digital Services Data Protection Act;
  8. “DNS service provider” means a natural or legal person who
    1. provides publicly available recursive domain name resolution services to Internet end-users; or
    2. provides authoritative domain name resolution services for use by third parties, with the exception of root name servers;
  9. “domain name registry service provider” means a registrar or an entity acting on behalf of registrars, in particular providers or resellers of data protection or proxy registration services;
  10. “significant cyber threat” means a cyber threat that has the potential to significantly impair information technology systems, components and processes due to the specific technical characteristics of the cyber threat; an impairment is significant if it can cause considerable material or immaterial damage;
  11. “significant security incident” means a security incident that
    1. has caused or may cause serious disruption to the operation of services or financial loss to the entity concerned; or
    2. has adversely affected or may adversely affect other natural or legal persons through significant material or immaterial damage, unless the statutory order pursuant to Section 56 (5) contains a more specific definition;
  12. “research organization” means an organization whose primary objective is to carry out applied research or experimental development with a view to using the results of that research for commercial purposes; educational institutions are not considered research organizations;
  13. “Management” means a natural person who is appointed by law, the articles of association or a partnership agreement to manage the business and represent a particularly important institution or important institution; heads of federal administration institutions pursuant to section 29 are not deemed to be management;
  14. “ICT service” means an ICT service as defined in Article 2(13) of Regulation (EU) 2019/881;
  15. “ICT product” means an ICT product as defined in Article 2(12) of Regulation (EU) 2019/881;
  16. “ICT process” means an ICT process as defined in Article 2(14) of Regulation (EU) 2019/881;
  17. “Information security” means the appropriate protection of the confidentiality, integrity and availability of information;
  18. “Information technology” means a technical means of processing information;
  19. “Social security institutions” means corporate bodies pursuant to Section 29 of the Fourth Book of the German Social Code, working groups pursuant to Section 94 of the Tenth Book of the German Social Code, Deutsche Gesetzliche Unfallversicherung e.V. and Deutsche Post AG, insofar as it is entrusted with the calculation or payment of social benefits;
  20. “Internet Exchange Point” or “IXP” means an infrastructure that
    1. enables the interconnection of more than two independent autonomous systems, used primarily for the exchange of Internet traffic,
    2. is used only for the interconnection of autonomous systems; and
    3. does not require that
      1. the Internet traffic between any two participating autonomous systems passes through a third autonomous system, or
      2. alters or otherwise interferes with the data traffic in question;
  21. “Federal communications technology” means information technology operated by one or more federal administration institutions or on behalf of one or more federal administration institutions and used for communication or data exchange within a federal administration institution, between federal administration institutions or between federal administration institutions and third parties; federal communications technology does not include the communications technology of the Federal Constitutional Court, the Federal Courts, insofar as they do not perform administrative tasks under public law, the Bundestag, the Federal Council, the Federal President and the Federal Audit Office, insofar as it is operated exclusively within their own remit;
  22. “critical facility” means a facility that is essential for the provision of a critical service; the critical facilities within the meaning of this Act shall be defined in more detail by the statutory order pursuant to section 56(4);
  23. “Critical components” means ICT products
    1. which are used in critical installations,
    2. for which disruptions to availability, integrity and confidentiality can lead to a failure or to a significant impairment of the functionality of critical systems or to threats to public safety, and
    3. which, on the basis of a law with reference to this regulation
      1. are determined as critical components or
      2. realize a function determined as critical on the basis of a law;
        If no critical components and no critical functions from which critical components can be derived are determined for one of the sectors referred to in point 24 on the basis of a law with reference to this provision, there are no critical components in this sector within the meaning of this point;
  24. “critical service” means a service for the supply of the general public in the sectors of energy, transportation and traffic, finance, social security institutions and basic security for job seekers, health care, water, food, information technology and telecommunications, space or municipal waste disposal, the failure or impairment of which would lead to significant supply bottlenecks or threats to public safety;
  25. “Managed Security Service Provider” or “MSSP” means an MSP that performs or provides support for activities related to cybersecurity risk management;
  26. “Managed Service Provider” or “MSP” means a provider of services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems through support or active management at the customer’s premises or remotely;
  27. “NIS 2 Directive” means Directive 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (OJ L 333, 27.12.2022, p. 80), as amended;
  28. “Online marketplace” means a service pursuant to Section 312l (3) BGB;
  29. “online search engine” means a digital service as defined in Article 2(5) of Regulation (EU) 2019/1150 of the European Parliament and of the Council of June 20, 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57);
  30. “Platform for social network services” means a platform on which end users with different devices can contact and communicate with each other and share and discover content, in particular through chats, posts, videos and recommendations;
  31. “Protocol data” means control data of an information technology protocol for data transmission, which
    1. are necessary to ensure communication between receiver and sender and
    2. are transmitted independently of the content of the communication process or stored on the servers involved in the communication process;
      Protocol data may contain traffic data pursuant to Section 3 No. 70 of the Telecommunications Act and usage data pursuant to Section 2(2) No. 3 of the Telecommunications Digital Services Data Protection Act;
  32. “Logging data” means records of technical events or conditions within information technology systems;
  33. “qualified trust service” means a qualified trust service as defined in Article 3(17) of Regulation (EU) No 910/2014 of the European Parliament and of the Council of July 23, 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73);
  34. “qualified trust service provider” means a qualified trust service provider as defined in Article 3(20) of Regulation (EU) No 910/2014;
  35. “data center service” means a service that includes structures that serve the primary purpose of centrally housing, interconnecting and operating IT or network equipment and that provide data processing services, including all necessary facilities and infrastructure, in particular for power distribution and environmental control;
  36. “Malware” means programs and other information technology routines and procedures that are used to use or delete data without authorization or to influence other information technology processes without authorization;
  37. “federal communications technology interfaces” means security-relevant network transitions within the federal communications technology and between this and the information technology of the individual federal administration institutions, the information technology of groups of federal administration institutions or the information technology of third parties; the components at the network transitions that are operated under the responsibility of the courts and constitutional bodies referred to in number 21 are not considered federal communications technology interfaces;
  38. “Vulnerability” means a characteristic of ICT products or ICT services that can be exploited by third parties to gain access to the ICT products or ICT services against the will of the authorized party or to influence the function of the ICT products or ICT services;
  39. “security in information technology” means compliance with certain security standards relating to the availability, integrity or confidentiality of information by means of security measures
    1. in information technology systems, components or processes or
    2. in the use of information technology systems, components or processes;
  40. “Security incident” means an event that affects the availability, integrity or confidentiality of stored, transmitted or processed data or the services offered or accessible via information technology systems, components and processes;
  41. “Attack detection systems” means processes supported by technical tools and organizational integration for the detection of attacks on information technology systems; attack detection is carried out by comparing the data processed in an information technology system with information and technical patterns that indicate attacks;
  42. “Top Level Domain Name Registry” means a natural or legal person that manages and operates the registration of Internet domain names within a specific Top Level Domain (TLD), including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files via the name servers, irrespective of whether the operation is carried out by the natural or legal person itself or is outsourced; a registry that uses TLD names only for its own purposes is not a Top Level Domain Name Registry;
  43. “trust service” means a trust service as defined in Article 3(16) of Regulation (EU) No 910/2014;
  44. “trust service provider” means a trust service provider as defined in Article 3(19) of Regulation (EU) No 910/2014;
  45. “space-based services” means services relating to the space sector that are based on data and information either generated by or transmitted through space assets, the disruption of which may lead to wider cascading effects that can have far-reaching and long-lasting negative impacts on the provision of services across the internal market;
  46. “Certification” means the determination by a certification body that a product, a process, a system, a protection profile (security certification), a person (personal certification) or an IT security service provider fulfills certain requirements.

Part 2 – The Federal Office

Chapter 1 – Tasks and powers

§ 3 - Tasks of the Federal Office
  1. The Federal Office promotes security in information technology. To this end, it performs the following important tasks in the public interest:
    1. Averting threats to the security of federal information technology;
    2. collect and evaluate information on security risks and security precautions and make the knowledge gained available to other bodies, insofar as this is necessary to fulfill their tasks, and to third parties, insofar as this is necessary to safeguard their security interests;
    3. perform tasks in the Cooperation Group and the CSIRTs network in accordance with Articles 14 and 15 of the NIS 2 Directive;
    4. Investigate security risks in the use of information technology and develop security measures, in particular information technology procedures and devices for security in information technology (IT security products), insofar as this is necessary for the fulfillment of federal tasks, including research within the scope of its statutory tasks;
    5. Develop criteria, procedures and tools for testing and evaluating the security of information technology systems or components and for testing and evaluating conformity in the area of IT security;
    6. Conduct peer reviews in accordance with Article 19 of the NIS 2 Directive;
    7. Determine security requirements for the communications infrastructure of interdepartmental communications networks and other federal government communications infrastructures in consultation with the respective operators and monitor compliance with these security requirements;
    8. Testing and evaluating the security of information technology systems or components and issuing security certificates;
    9. exercise the tasks and powers referred to in Article 58(7) and (8) of Regulation (EU) 2019/881 as the national cybersecurity certification authority;
    10. Check and confirm conformity in the area of IT security of information technology systems and components with technical guidelines of the Federal Office;
    11. test, evaluate and approve information technology systems or components that are to be used for the processing of officially classified information in accordance with Section 4 of the Security Clearance Act in the area of the federal government or in companies within the framework of federal contracts;
    12. Produce key data and operate crypto and security management systems for federal information security systems that are used in the area of state secret protection or in other areas at the request of the authority concerned;
    13. support and advise on organizational and technical security measures and carry out technical checks to protect officially classified information against unauthorized access in accordance with Section 4 of the Security Clearance Act;
    14. develop security-related requirements for the federal information technology to be used and for the suitability of contractors in the area of federal information technology with special protection requirements;
    15. Provide IT security products and IT security services for federal government institutions;
    16. support the federal authorities responsible for information technology security, in particular insofar as they perform advisory or supervisory tasks; this applies primarily to the Federal Commissioner for Data Protection and Freedom of Information, whose support is provided in the context of the independence he or she enjoys in the performance of his or her duties under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1; L 314, 22.11.2016, p. 72; L 127, 23.5.2018, p. 2) and the Federal Data Protection Act;
    17. advise and support federal administration institutions in matters of information security, including the handling of security incidents, and provide concrete, practical aids for the implementation of information security requirements, in particular for the implementation of the requirements under § 30 and § 44;
    18. Support
      1. of the federal police and law enforcement authorities in the performance of their statutory duties,
      2. the Federal Office for the Protection of the Constitution and the Military Counterintelligence Service in the evaluation and assessment of information that arises from the observation of efforts directed against the free democratic constitution, the existence of the state or the security of the federal government or a state, or that arises from the observation of security-threatening or secret service activities within the framework of the statutory powers under the Federal Constitution Protection Act or the MAD Act,
      3. of the Federal Intelligence Service in the performance of its statutory duties;
        Assistance may only be granted to the extent that it is necessary to prevent or investigate activities that are directed against information technology security or are carried out using information technology; requests for assistance must be recorded by the Federal Office;
    19. support the competent authorities of the federal states in matters relating to the prevention of threats to information security at their request;
    20. advise, inform and warn federal administration institutions as well as manufacturers, distributors and users on information technology security issues, in particular with regard to the possible consequences of missing or inadequate security precautions;
    21. Consumer protection and consumer information in the area of security in information technology, in particular advising and warning consumers on questions of security in information technology, taking into account the possible consequences of missing or inadequate security precautions;
    22. Establish suitable communication structures for early crisis detection, crisis response and crisis management and coordinate cooperation with the private sector to protect the security of information technology in critical facilities;
    23. Tasks as a central office in the field of information technology security with regard to cooperation with the competent authorities abroad, without prejudice to special responsibilities of other offices;
    24. Tasks in accordance with § 40 as the central body for the security of information technology of particularly important facilities and important facilities, including the request and provision of administrative assistance in accordance with Article 37 of the NIS-2 Directive;
    25. support the restoration of the security or functionality of information technology systems in exceptional cases in accordance with Section 11;
    26. Develop recommendations for identification and authentication procedures and evaluate these procedures with regard to information security;
    27. describe and publish a state of the art of security requirements for IT products, taking into account existing norms and standards and involving the trade associations concerned;
    28. cooperate with national computer emergency teams of third countries or equivalent agencies of third countries and support these teams or agencies; deployments of the Federal Office in third countries may not take place against the will of the state on whose territory the measure is to take place; the decision on a deployment of the Federal Office in third countries shall be taken by the Federal Ministry of the Interior and for Home Affairs in agreement with the Federal Foreign Office;
    29. cooperate with the Federal Financial Supervisory Authority and exchange information insofar as this is necessary for the fulfillment of its tasks, in particular with regard to the measures taken in accordance with Regulation (EU) 2022/2554; the Federal Financial Supervisory Authority shall provide the Federal Office with the information necessary for the fulfillment of its tasks.
  2. Upon request, the Federal Office can support the federal states in securing their IT systems.
  3. At the request of particularly important institutions, the Federal Office can advise and support them in securing their information technology or refer them to qualified security service providers.