Exceptions for operators in the IT and telecommunications sector

Requirements for operators of public telecommunications networks and providers of publicly accessible telecommunications services

The provisions of Section 8a of the BSI-Act do not apply to operators of critical infrastructures 'insofar as they operate a public telecommunications network or provide publicly accessible telecommunications services' (Section 8d (2) BSI-Act). In particular, operators of these systems do not have to comply with the special requirements of Section 8a (1) of the BSI-Act when implementing security measures and they do not have to provide the biennial evidence required in Section 8a (3) of the BSI-Act to the BSI. The Telecommunications Act (TKG) is relevant for these operators. The exceptions described here apply exclusively to the systems that are to be assigned to the telecommunications network or the telecommunications service according to the BSI Kritis Regulation. This exemption does not apply to other systems of the same KRITIS operator, e.g. a server farm for hosting customers.

Other statutory or regulatory requirements are not affected

The exemption only excludes the application of Section 8a of the BSI-Act. Other legal or regulatory requirements remain unaffected. In particular, reference should be made to the requirements of Section 109 of the Telecommunications Act (TKG). For these, the Federal Network Agency, in agreement with the BSI and the Federal Commissioner for Data Protection and Freedom of Information (BfDI), has drawn up an extensive catalogue of security requirements.

Reporting obligation for operators of public telecommunications networks and providers of publicly accessible telecommunications services

The reporting obligation of Section 8a (4) of the BSI-Act does not apply to operators of critical infrastructures 'insofar as they operate a public telecommunications network or provide publicly accessible telecommunications services' (Section 8d (3) of the BSI-Act). To avoid double regulation, the reporting obligation of Section 109 of the Telecommunications Act (TKG) applies.

The Act on the Implementation of the NIS Directive extends the existing reporting obligation in that impairments of telecommunications networks and services must be reported to both the Federal Network Agency and the BSI if they lead or could lead to significant security breaches.

For reporting to the BSI, the Federal Network Agency reporting form can also be used in compliance with the implementation concept, which can be found on the Federal Network Agency website. For confidential transmission of the reporting form, please refer to the FAQs on reporting.

The BSI also expressly welcomes the submission of voluntary reports, as these make an important contribution to the overview of the IT security situation and can help other operators of critical infrastructures to protect their IT systems.

The earlier and more reliably the BSI can identify an emerging IT security situation, the earlier the BSI can provide warnings and information. Voluntary reports can be submitted via the same reporting channel.

Obligation to report disruptions in other systems

The exceptions described above apply exclusively to disruptions in systems that are classed as a telecommunications network or telecommunications service according to the BSI Kritis Regulation. The exceptions do not apply to disruptions in other systems of the same KRITIS operator, e.g. a server farm for hosting customers. Disruptions in these systems must be reported to the BSI in accordance with the requirements of Section 8b (4) of the BSI-Act. The BSI's report and information portal (MIP) should be used for this.

Registration with the BSI still mandatory for KRITIS operators

The exceptions for operators of public telecommunications networks and providers of publicly accessible telecommunications services do not exempt operators from the obligation to designate a contact point at the BSI pursuant to Section 8b (3) of the BSI-Act.

Operators of public telecommunications networks and providers of publicly accessible telecommunications services who do not exceed the threshold specified in the BSI Kritis Regulation are not obliged to designate a contact point with the BSI, although registering a contact point with the BSI is nevertheless recommended. On the one hand, the BSI can thus ensure that incoming reports actually originate from operators of public telecommunications networks and providers of publicly accessible telecommunications services. On the other hand, the operators are thus also included in the recipient group for situation and warning information from the BSI. IT security and situation information is produced from the BSI's constant information gathering, which includes both non-public and confidential information. By registering a contact point with the BSI, operators of public telecommunications networks or publicly accessible telecommunications services can obtain these updates to help them protect their systems.

Please register your contact point (Designate a contact point). After registering, you will be sent an extensive package of information by post -- including details on the reporting obligation (reporting form, instructions on how to report) -- providing you with a trustworthy reporting channel in the event of a reportable disruption according to Section 109 (5) of the Telecommunications Act (TKG).

Application of Section 8d of the BSI-Act to systems for the provision of trust services

Trust service providers are regulated according to the requirements of the eIDAS Regulation. This describes requirements for qualified and non-qualified trust services. The responsibility is defined by the Trust Services Act (VDG).
• The Federal Network Agency (BNetzA) is responsible for trust service providers in the areas specified in Section 2 (1) (1) of the Trust Services Act (VDG).
• The BSI is responsible for trust service providers in the areas specified in Section 2 (1) (2) of the Trust Services Act (VDG).
If a system from the category 'system for the provision of trust services' exceeds the threshold value specified in Annex 4 (3) of the BSI Kritis Regulation, irrespective of the above-mentioned areas, this system is additionally regulated by the BSI-Act.

What must be considered in the regulation?

Trust service providers that are operators of a critical infrastructure must register a contact point pursuant to Section 8b (3) of the BSI-Act. Applications for qualification of 'qualified trust services' remain unaffected by the critical infrastructure registration obligation.
Due to the provisions of Section 8d of the BSI-Act, the obligation to report incidents pursuant to Section 8b (4) of the BSI-Act does not apply to the above categories of critical infrastructures of trust service providers. Trust service providers are generally subject to the reporting obligation pursuant to Article 19 of the eIDAS Regulation.
The following reporting obligations are derived from Article 19 (2) of the eIDAS Regulation:

Trust service providers in the areas specified in Section 2 (1) (1) of the Trust Services Act (VDG) shall
• always report to the Federal Network Agency (BNetzA),
• also report to the BSI in matters related to information security
• also report to the Federal Commissioner for Data Protection and Freedom of Information (BfDI) in matters related to data protection
Trust service providers in the areas specified in Section 2 (1) (2) of the Trust Services Act (VDG) shall
• always report to the BSI
• also report to the Federal Commissioner for Data Protection and Freedom of Information (BfDI) in matters related to data protection

Reports to the BSI can also be submitted on a voluntary basis as usual via the registered contact point or the reporting channel set up for reports in accordance with the eIDAS Regulation. The BSI expressly welcomes the submission of voluntary reports, as these make an important contribution to the overview of the IT security situation and can help other operators of critical infrastructures to protect their IT systems. The earlier and more reliably the BSI can identify an emerging IT security situation, the earlier the BSI can provide warnings and information.

Is it necessary to provide documentation of compliance with the requirements of Section 8a of the BSI-Act?

The obligation to provide documentation pursuant to Section 8a of the BSI-Act does not apply to the above category of critical infrastructures of trust service providers due to the provisions of Section 8d of the BSI-Act. This means that the operators of such a category of system do not have to submit evidence to the BSI pursuant to Section 8a (3) of the BSI-Act. Of course, trust service providers can still submit evidence of the security of their operated critical infrastructure on a voluntary basis in the course of cooperative collaboration.

Other statutory or regulatory requirements are not affected

The exception only excludes the application of Section 8a of the BSI-Act and Section 8b (4) of the BSI-Act. Other legal or regulatory requirements remain unaffected. In particular, reference should be made here to the obligations of the trust service providers to provide evidence to the BNetzA and the BSI in accordance with Article 20 of the eIDAS Regulation.

Overview of the obligations of trust service providers

Obligation                                                        | Recipient: BNetzA                                  | Recipient: BSI
Registration obligation according to Section 8b of the BSI-Act    | No                                                 | Yes
Reporting obligation for incidents                                | Yes, pursuant to Section 19 eIDAS Regulation       | Yes, pursuant to Section 19 eIDAS Regulation
Obligation to provide documentation of compliance                 | Yes, pursuant to Section 20 eIDAS Regulation       | Yes, pursuant to Section 20 eIDAS Regulation