According to Section 8b (3) of the BSI-Act, operators of critical infrastructures within the meaning of Section 2 (10) of the BSI-Act must designate a contact point for the BSI through which they are available at all times. The BSI sends all IT security information to this address.

Specifying a functional mailbox -- i.e. not the personal e-mail address of an individual employee -- is recommended in order to ensure accessibility at all times.

The BSI understands the wording 'available at all times' in the sense of Section 8b (3) of the BSI Act to mean that operators are able to receive BSI products for warning and informing KRITIS operators (BSI products: cyber security warnings, situation information etc.) via the registered contact point around the clock (24/7) and to view and evaluate them without delay (processing of information on demand).
As a rule, BSI products are sent during normal business hours. However, the BSI's option to issue urgent warnings outside normal business hours (on public holidays, weekends or at night) cannot be ruled out in exceptional cases.
The BSI designs its cyber security warnings in such a way that urgency and (potential) need for action can be read (automatically) from the e-mail subject line. This enables permanently accessible services in an organisation, e.g. the gatekeeper, plant security or other on-call services, to recognise an acute need for action and, if necessary, issue an alert or forward it to suitable contacts as appropriate.
Suitable contact persons have the technical competence to assess the specific incident and are integrated into the organisation and processes for incident management.
There are increased requirements for the availability of an operator contact point after an IT incident has been reported to the BSI. To ensure smooth incident management in cooperation with the BSI, internal (forwarding) processes should be set up to ensure that appropriate contact persons are alerted after receipt of the information, even outside normal business hours. This applies in particular if you have reported an IT incident to the BSI and expect further queries from the BSI.

Critical infrastructure (KRITIS) operators can find the forms necessary for registering their contact point on the BSI's report and information portal (MIP). Please complete the registration form, sign it and return it to us using one of the methods indicated in the form.

You can see which data the BSI requires from you for registration in the completed example registration form for critical infrastructure (KRITIS) operators and the corresponding form 'Annex 2 - Critical Infrastructure Information':

Operator Registration Form

Annex 2 to the Operator Registration Form

Operators subject to the Telecommunications Act (TKG) and the Atomic Energy Act (AtG)

Operators subject to the TKG can find specific information on our ICT sector page.

Operators subject to the AtG can find specific information on our Energy sector page.

Supervisory authorities and other competent authorities

Federal supervisory authorities and other supervisory authorities are also asked to designate a contact point so that the BSI can send them relevant information (cyber security alerts and situation information).

If you are a public authority, please contact us by Kritische.Infrastrukturen@bsi.bund.de.