Reporting security incidents regarding digital services

Since 10 May 2018, digital service providers, i.e.

  • online marketplaces
  • online search engines
  • cloud computing services

have been subject to an obligation to report. The legal basis for this is Section 8c (3) of the Federal Office for Information Security Act (BSIG). The obligation to report applies to security incidents that have a significant impact on the provision of digital services provided within the European Union. We answer frequently asked questions about the reporting of security incidents in the "Questions about the obligation to report" section of our FAQ.

Reporting a security incident

A security incident regarding a digital service (online marketplace, online search engine, cloud computing service) is reported to the Central Reporting Office at the National IT Situation Centre in the BSI. The mailbox meldungen-dsp@bsi.bund.de has been set up to receive reports from digital service providers. All the relevant information about encrypted e-mail communications is available on this sub-page. You will receive an automatic confirmation of receipt as soon as your report arrives.

Please note: reporting the security incident to the BSI is not a substitute for reporting to other bodies such as the Federal Commissioner for Data Protection and Freedom of Information where required.

Report template

You can report a security incident using the template below. The template is available as a PDF file or an Office document; both files have the same content. The template covers all the information that must be reported according to Section 8c (3) of the BSIG.

We also provide the relevant content as plain text to support reporting via automated systems. Of course, this template can also be used to manually submit a report in plain text format by e-mail.

Security incidents requiring reporting are to be reported without delay: speed, not completeness, is of the essence here. So when the initial report is made, the template does not have to be completed in full. Any missing information can be added retrospectively in another report.

Notes

Privacy

The BSI will process and store the data and information collected solely in order to fulfil its legally mandated tasks. This applies in particular to the competences covered by Section 8c (3) of the BSIG and Section 8e of the BSIG.

If your report contains personal data, please take note of the BSI's data privacy statement.

It is not usually necessary to provide any personal data when reporting a security incident to the BSI. This applies in particular to personal data belonging to affected customers or users of a digital service. Wherever possible, a job title or department contact should be given as the contact details for the BSI to use in case of any queries. This not only helps with data privacy, it also makes it easier to reach someone who can provide support. If you have provided contact details for an individual instead, please notify them of the data protection information given above.