An important legal mandate for the BSI is the testing, evaluation and approval of information technology systems or components that are to be used for processing officially classified information at the federal government or companies. This mandate is described in Section 3 of the BSI Act (BSIG).

The basis for the approvals is Section 4 of the German Security Screening Act (SÜG) as well as the General Administrative Provision for the Material Protection of Classified Information or the Classified Information Directive (CID). They contain the principles for the protection of classified information and stipulate the involvement of the BSI.

Classified information can be, among other things, products, findings or documents that require confidentiality. The CID regulates the work with classified information in federal authorities and federal organisations under public law. The BSI examines and issues approvals of information technology systems on the basis of Sections 51 and 52 of the CID.