Critical infrastructures and other companies with reporting obligations: manage an incident, report, inform, prevent

I must or want to report an incident.

Operators of critical infrastructures and energy supply networks

For operators of critical infrastructures that are above the threshold values of the BSI KRITIS Regulation, the reporting obligation of Section 8b (4) of the BSI Act (BSIG) applies in the event of IT disruptions. These operators have established contact and reporting channels for contacting the Federal Office for Information Security (BSI) and submitting reports.

With the Act Implementing the European Network and Information Security Directive (NIS Directive), this reporting obligation was extended to all energy supply network operators pursuant to Section 11 (1c) of the German Energy Act (EnWG).

For operators of critical infrastructures below the threshold values of the BSI KRITIS Regulation, this reporting obligation does not apply, with the exception of operators of energy supply networks. However, they can still submit voluntary reports of IT security incidents and cyber attacks via the reporting form on the BSI's reporting and information portal (Melde- und Informationsportal).

Digital service providers

For providers of digital services (online marketplaces, online search engines, cloud computing services), the reporting obligation applies on the basis of Section 8c (3) of the BSI Act. The reporting obligation applies to security incidents that have a significant impact on the provision of digital services provided within the European Union.

Operators of public telecommunications networks and providers of publicly accessible telecommunications services

Operators of telecommunications networks and telecommunications services must comply with the reporting obligation pursuant to Section 109 (5) of the Telecommunications Act (TKG) in the event of security breaches and report them to the BSI and the Federal Network Agency.

Reporting obligation under the EU regulation on electronic identification and trust services (eIDAS Regulation)

According to the eIDAS Regulation, qualified and non-qualified trust service providers are obliged to notify the BSI without delay of any breach of security or loss of integrity that has a significant impact on the trust service provided or the personal data it contains. Notification must be made within 24 hours of becoming aware of the incident in question.