
The BSI's Mandate

The BSI is the Federal Cyber Security Authority and the chief architect of secure digitalisation in Germany.

On 1 January 1991, the BSI commenced its work on the basis of the ‘Act Establishing the German Federal Office for Information Security’ (BSI-Establishment Act). This Act was based on a new understanding of prevention and information policy that was initially formulated in the German government’s ‘Plan for the Future of Information Technology’ in July 1989. It sought to ensure that all affected and interested parties would be informed of the risks involved in information technology and the protective measures that could be taken in response. Since the internet began to see more widespread use around 1993, the foresight of this approach has become very clear. Today, the basis for the BSI's work is established in the ‘Federal Office for Information Security Act’ (BSI-Act/BSIG), which first entered into force on 20 August 2009 as the ‘Act to Strengthen the Security of Federal Information Technology’ and has been amended on several occasions since. Meanwhile, several additional items of specialised legislation define the BSI's tasks in connection with certain topics, such as within the scope of the energy transition or in relation to telecommunications.

From the outset, the BSI’s remit has included protecting government networks and securing core network gateways. With the amendments made to the BSI Act in 2009, the BSI was able to develop binding security standards for government agencies in relation to IT procurement and deployment. The BSI also became the Central Reporting Office for IT Security within the federal administration, a position in which it provides both information and analysis to ensure the federal government’s ability to act during IT crises of national importance. For businesses, the research community, civil society, and ordinary German citizens, the BSI offers expert advice and consulting services that address all facets of information security.

Both the remit and the powers assigned to the BSI were expanded considerably by the ‘Act to Improve the Security of Information Technology Systems’ (IT-Sicherheitsgesetz), which entered into force in July 2015. By setting out binding minimum standards of IT security, the Act improved the protection offered to critical infrastructure (KRITIS) in particular while increasing network security in sectors whose failure or impairment would have dramatic consequences for the German economy, government and civil society. The Act also introduced a requirement for KRITIS operators to report significant IT security incidents to the BSI.

The IT Security Act 2.0 (‘IT SiG 2.0’) is set to expand the remit of the BSI once more in 2021 to meet the challenges of the ongoing advance of digitalisation. IT SiG 2.0 also incorporates digital consumer protection into the BSI’s portfolio. As the architect of secure digitalisation in Germany, the BSI provides advice and support to consumers regarding the assessment of risks in technologies, products, services and media offerings. The introduction of an IT Security Mark forms part of this work.

The IT SiG 2.0 also envisages granting the BSI further competencies in relation to the federal administration. This will further expand the agency's monitoring and auditing powers to protect government networks. The BSI is also to be involved early on in important federal digitalisation projects.