Act on the Federal Office for Information Security (BSI Act -- BSIG)

The new BSI Act came into force on 20 August 2009.

Effective from: 20 August 2009
Published in: Federal Law Gazette Volume 2009 Part I No. 54, issued in Bonn on 19 August 2009.

Consolidated version of the current BSI Act.

Legislative history of the BSI Act

BSI Establishment Act

The first legal basis for the BSI was the BSI Act, in force from the inception of the BSI in January 1991 to 19 August 2009.

The beginnings of today's BSI Act

The Act that came into force on 20 August 2009 laid the foundation for the BSI Act that still exists today.

To combat new threats and take account of the increasing importance of information and communication technology, the BSI was granted more extensive tasks and powers:

  • In line with Section 4, the BSI became the central reporting office for IT security, gathering and evaluating information on vulnerabilities and new patterns of attacks on the security of information technology. This enables it to create a reliable picture of the current situation, detect attacks at an early stage and implement countermeasures.
  • In addition, Section 5 of the BSI Act authorises the BSI to collect, evaluate, store, use and process protocol data and data arising at interfaces of federal communications technology. It can now detect signs of IT attacks and take targeted countermeasures.
  • According to Section 7 of the BSI Act, the BSI may pass on information and warnings about vulnerabilities in information technology products and services -- as well as malware -- to the affected bodies or the public. It is committed to informing the manufacturer before it publishes this information.
  • The BSI is also authorised to define uniform and strict security standards for the federal administration and commission the development of suitable products or coordinate their tender and provision (Section 8 BSI Act). This prevents manipulated IT components or unsuitable products with vulnerabilities from being used in the federal administration and government networks.

The current version of the BSI Act

After some interim minor changes in the law on fees, the BSI Act was further supplemented to a greater extent for the first time with the Act on increasing the security of IT systems (German IT Security Act) on 25 July 2015.

The BSI was given new tasks and powers to counter deficits in the area of IT security effectively, especially outside the federal administration:

  • According to Section 8a of the BSI Act, operators of critical infrastructures must regularly prove to the BSI that they comply with IT security in line with the state of the art. If security deficiencies are discovered, the BSI may order their elimination, in agreement with the supervisory authorities.
  • Pursuant to Section 8b of the BSI Act, the BSI becomes the central reporting office for the IT security of critical infrastructures. Operators must now report significant disruptions to their IT to the BSI if they could have an impact on the availability of critical services. Conversely, the BSI must collect and evaluate all information relevant to the defence against attacks on the IT security of critical infrastructures and forward it to the operators and the competent (supervisory) authorities.
  • If reportable IT malfunctions occur at a critical infrastructure operator, the BSI may also oblige the manufacturers of the corresponding IT products and systems to cooperate as necessary, in line with Section 8b of the BSI Act.
  • The BSI is granted the authority to examine IT products for their security in order to perform its tasks outlined in Section 3 (1) sentence 2 nos. 1, 14 and 17 of the BSI Act.
  • Under Section 5 of the BSI Act, the BSI's authority to analyse interface and log data in the networks of the federal administration is expanded and the federal authorities must now support the BSI in this function.
  • To strengthen the IT security of the federal administration, the BSI is required to develop minimum standards for the IT of the federal administration. The Federal Ministry of the Interior has the option to declare these minimum standards as binding for all authorities because only consultation (rather than agreement) with the IT Council is required.

More about the BSI Act in 2021 and the 'IT-Sicherheitsgesetz 2.0' (IT Security Act 2.0)

The BSI provides further information on the IT Security Act in a list of FAQs.