• What is the IT Security Label?

  The IT Security Label helps you to find out about the security functionalities of IT products and services as guaranteed by the manufacturer. You find the IT Security Label displayed on digitally networked devices or services and their packaging. The label contains a short link and a QR code that you can simply scan with your mobile device. This directs you to a product-specific information page at the website of the German Federal Office for Information Security (BSI). There you will find information about the security features of the device or service and current status information, for example whether any security vulnerabilities are known to the BSI or if security updates are available.

  The BSI may issue the IT Security Label upon application after the manufacturer has tested its product on conformity to the security requirements published or recognised by the BSI. BSI checks the application on plausibility and may request additional documents or evidence. After positive review of the application, the label is granted and subject to the BSI market surveillance for the full period of validity. Market Surveillance can assess labelled products at any time, both on an ad hoc and on a routine basis, to check if the conformity specifications are complied with.  As a last resort, the label may be revoked if the required it security characteristics as not being met.

• Which information does the IT Security Label provide?

  A product-specific website at the BSI provides information on the underlying requirements, the validity of the label and information on the product status, such as whether vulnerabilities are known or security updates are available. The aim is to enable consumers to make informed, self-determined and well-founded purchasing decisions.

  With the IT Security Label, the BSI provides basic IT security criteria for networked, internet-enabled devices and services. By applying for the IT Security Label, the manufacturer promises to comply with these criteria, which are checked by the BSI market surveillance on a random or ad hoc basis.

• How can I tell if connected products or online services have received the IT Security Label?

  

  You can tell whether an IT product or online service has received the IT Security Label by checking for the affixed label, which can be found on the outer packaging of the product, on the product itself or on the product’s webpage. Scanning the QR code on the label, or entering the short link into your browser, redirects you to the corresponding product information page the BSI. In particular, the security information on the respective product can be called up there, as well as the validity of the label and current status information on the product.

• Is the IT Security Label valid indefinitely?

  No, the IT Security Label has a limited validity. In principle, a product receives the IT Security Label for the duration defined in the respective product category of the BSI. The duration is usually two years. After the label expired, it shall no longer be used. For extended use by the manufacturer, he must submit a follow-up application. The duration for the respective product can be viewed directly on the BSI's product information page.

• Which products receive the IT Security Label?

  The IT Security Label is granted by product categories with suitable underlying technical requirements. If a product belongs to one of the available categories, it may be eligible for a label. BSI currently offers the following product categories:

  1. Broadband routers that fall under the scope of application of BSI TR-03148. These are usually broadband routers for the private sector and for small businesses.
  2. E-mail services that fall under the scope of BSI TR-03108. These are usually email providers where you can set up an email account.
  3. Smart consumer devices that fall under the scope of ETSI EN 303 645 in conjunction with ETSI TS 103 701 and BSI TR-03173. These are usually connected end consumer devices, like smart TVs, smart toys or smart home devices.

  Further relevant product groups are under preparation.

• How does the BSI make sure that manufacturers adhere to the standards of the IT Security Label?

  All labelled products are subject to BSI Market Surveillance. It can check compliance with the manufacturer's declaration at any time, either on a random basis or in response to specific information. If deviations from the manufacturer's declaration or vulnerabilities are found, BSI Market Surveillance can provide respective information on the relevant product information website. In the event of non-compliance with the required IT security features, the BSI can ultimately revoke the label from the product in question. Information on this is also provided on the product information page.

• Are labelled products or services entirely secure?

  For products bearing the IT Security Label, the manufacturer has guaranteed that they have certain IT security functionalities when delivered. However, nobody can guarantee absolute security. Under certain circumstances, the devices can still be attacked by criminals, for example. In this case, the IT Security Label provides support, as the manufacturer undertakes to provide information about any security vulnerabilities that occur and to fix them without delay. In addition, it is also up to the consumer to always install updates offered by the manufacturer shortly after they are released as these often close security gaps. The BSI therefore recommends activating the automatic update mechanism of products. Updates are then installed as soon as they become available. The function can usually be found in the settings of the respective product.

• What is the legal fundament of the IT Security Label?

  With the Second Act to Increase the Security of Information Technology Systems, the so-called IT Security Act 2.0 (IT-SiG 2.0), the BSI received the task of introducing a voluntary security label. For this purpose, the BSI Gesetz (Act on the Federal Office for Information Security, BSIG), which among other things regulates the tasks and responsibilities of the BSI, was amended accordingly. The BSI-ITSiKV (Ordinance on the IT Security Label of the German Federal Office for Information Security) regulates the IT Security Label details, in particular on the application procedure.

• What do manufacturers have to do to obtain an IT Security Label for their IT product or online service?

  In order to receive the IT Security Label, manufacturers must first check their product for conformity with the IT security requirements set by the BSI. They can then submit an application to the BSI and declare that their device or service complies with these technical standards.

  The IT Security Label is granted by categories, which are based on different requirements. According to the law, these can be BSI Technical Guidelines (e.g. for the broadband router category), international standards (e.g. for the smart consumer devices category) or recognized industry standards.

  By submitting an application, the manufacturer undertakes to report vulnerabilities, patch them without due delay and provide corresponding updates.

  As part of the application process, BSI checks the documents submitted and, if necessary, requests further evidence in order to assess compliance with the IT security requirements. If the assessment is positive, the label is granted.

  The labelled product is then immediately subject to BSI Market Surveillance for the entire time that the label is valid. The market surveillance can test products for conformity at any time. This ensures that the IT security features are not only complied with on day X, but for the entire validity of the label.

• Is the IT Security Label mandatory for manufacturers of corresponding IT products?

  The IT Security Label is voluntary. Manufacturers are not obliged to submit a corresponding application to the BSI. According to current EU legislation, a mandatory national label is not possible. However, IT security can be a strong selling point for consumers. The label is therefore an opportunity for manufacturers and service providers to build trust in their products and provide guidance to consumers.

• Is there an IT Security Label at European level?

  With the Cybersecurity Act (CSA), which came into force in June 2019, a certification framework exists in the EU, which in principle also opens up the possibility of a label for the pan-European Digital Single Market. However, there is currently no agreed IT Security Label at EU level.

  The EU Cyber Resilience Act (CRA), planned for around 2025/26, is intended to make basic IT security requirements for IT devices mandatory. A kind of self-declaration for manufacturers is currently planned.

  The IT Security Label therefore also offers a great deal more information for consumers beyond European requirements thanks to the product-specific information page and the integrated security status indicator.

• Where can I get more information about cyber security?

  As the German federal cyber security authority, BSI informs about important recommendations, news and warnings from the world of cyber security. Information is available on our website, in the "Update verfügbar" podcast, in the "Sicher informiert" newsletter and on our social media channels on Facebook, YouTube, Instagram, X and Mastodon.

  On the product-specific subpages of the IT Security Label you also find general "tips and tricks" about cyber security.

  Please note that some of this content may be available in German only.

• What information do I get when I scan the QR code printed on the IT Security Label or type in the BSI short link?

  If you scan the QR code or type in the short link you will be taken to the product information page. At BSI, such a webpage is available for each product with an IT Security Label and contains:

  • Product name,
  • Name of the manufacturer or provider,
  • Images of the labelled product and
  • The associated IT Security Label,
  • Its duration
  • And the underlying security requirements.

  An important element is the security status indicator, which provides information on whether

  • BSI is currently aware of security vulnerabilities for this product,
  • Updates are available for it,
  • The label has expired or

  It has been withdrawn.

• Can I, as a consumer, report a vulnerability in a product?

  Yes, you can. Use the vulnerability reporting form (German language) to do so.

• How do I find out if there is a security update for my product with IT Security Label?

  The product information page of the IT Security Label has a status indicator with current security information about the product.

  

  This status indicator shows whether the BSI is aware of security-relevant vulnerabilities for the corresponding product and whether updates, which may close these vulnerabilities, are available. In case a security update is available, this can be recognised by the green update symbol.

  You can access the product information page for your product by either scanning the QR code on the IT Security Label, entering the printed short link in your browser or searching for your product in the directory of issued IT Security Labels.

• How do I find out about a vulnerability?

  The product information page of the IT Security Label has a status indicator with current security information about the product. This indicator shows whether security-relevant vulnerabilities for this product are known to BSI. This can be recognised by either the yellow info symbol or a green update symbol, provided that the supplier has already made an update available for this.

  You can access the product information page for your product by either scanning the QR code on the IT Security Label with your smartphone, entering the displayed short link in your browser or searching for your device here.

  In addition, BSI also provides general information about vulnerbilities (German) that have come to our attention, regardless of the IT Security Label.

• How can I recognize a genuine IT Security Label?

  Counterfeiting of labels can occur. However, you can easily recognize correct IT Security Labels by this:

  • When you scan the QR code on the label or type in the short link, you will be redirected to the respective product information page on the BSI website. The destination address in the browser always starts with https://www.bsi.bund.de .
  • The short link on the IT Security Label is always https://bsi.bund.de/dok/sik-xxxxx or https://bsi.bund.de/it-sik/en/xxxxx. XXXXX stands for the individual label number with at least 5 digits.
  • All correctly issued labels and products are listed in our directory.

  In summary: The IT Security Label is counterfeit if the QR code or short link do not lead to a webpage within the BSI website and if it cannot be found in our directory.

• What is the difference between an IT Security Label and a certificate? 

  The IT Security Label is a marking, not a certificate. A product certification confirms that a specific product version fulfils certain security features. This is checked by an independent body as part of the certification process. A certification usually reflects a tested conformity at a day X.

  The IT Security Label is a product marking. The manufacturer has tested its product or service itself on the basis of security specifications selected by the BSI. In the application process, the BSI checks in particular the manufacturer's information on the self-testing procedure and some technical information for plausibility and comprehensibility. The BSI does not initially carry out a technical assessment. Yet, once issued, the product is subject to BSI Market Surveillance for the entire duration of the validity of the label. The Market Surveillance checks randomly and on an ad hoc basis, e.g. when vulnerabilities become known, whether the requirements are still met over the term of validity. With the label, the manufacturer has declared that it will maintain the security features for the entire period of validity, e.g. by means of updates.

IT-Sicherheitskennzeichen