Reporting obligation

The reporting obligation detailed in the BSI-Act has applied to operators from the energy, information technology and telecommunications, water and food sectors since the BSI Kritis Regulation came into force on 3 May 2016. Since the first ordinance amending the BSI Kritis Regulation, this reporting obligation has also applied to operators from the health, transport and traffic, and finance and insurance sectors. Please register your contact point first (see Designate a contact point). After registering, you will be provided with comprehensive information by post -- including information on the reporting obligation (reporting form, instructions on how to submit a report in the report and information portal (MIP)) -- so that established and trustworthy reporting channels are available to you in the event of a reportable incident.

Voluntary reports

Operators of critical infrastructures that are not covered by the BSI Kritis Regulation can also submit voluntary reports about unusual IT incidents via the Alliance for Cyber Security's reporting office.

Questions

For questions that not covered by our FAQ on the German IT Security Act and the FAQ on reporting obligations, please contact Kritische.Infrastrukturen@bsi.bund.de. Please do not use this e-mail address for reporting purposes, as it is not monitored at all times.