FAQ on UBI: Reporting obligation
FAQ on companies in the special public interest: Reporting obligation
-
In principle, a separate reporting office is not necessary; it can also be combined with other reporting offices. However, the registered contact point pursuant to § 8f (5) BSIG, which is regularly also the notifying body pursuant to (7) and (8), should be located in Germany, analogous to the regulations in the area of critical infrastructure. To ensure smooth communication, a location at the facility or one of the facilities in Germany is preferable, but a location at the registered office of the German legal entity is also possible.
-
UBI must be able to identify reportable disruptions when the reporting obligation comes into force. However, as the implementation of information security is a continuous process, it is obvious that improvements to the systems will be made gradually.
-
Different requirements apply to operators of critical infrastructures and to companies in the special public interest as to when disruptions must be reported to the BSI. This is due to the different security objective that is relevant from the legislator's point of view.
KRITIS
- Disruptions regarding the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that have resulted in a failure of or significant impairment to the functionality of the critical infrastructure that they operate OR significant disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that may lead to a failure of or significant impairment to the functionality of the critical infrastructure that they operate.
UBI 1 and 2
- Disruptions regarding the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that have resulted in a failure of or significant impairment to the achievement of value creation OR significant disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that may lead to a failure of or significant impairment to the achievement of value creation.
UBI 3
- Disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that have led to a major accident according to the Major Accident Ordinance in the respective valid version OR significant disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that could lead to a major accident according to the Major Accident Ordinance in the respective valid version.
Special feature of UBI 3: Here, the focus is not on the functionality of the facility as a whole, but only on protection with regard to a major accident.
-
Yes, you are welcome to do so. Please indicate clearly that this is a test message, as is usual for exercises.
-
Disruptions must always be reported, even if the reason is known. Reports to the Federal Office, including those made in advance of concrete events of damage, are necessary so that companies in the special public interest or operators of critical infrastructures that may also be affected can be warned as comprehensively and as early as possible, and so that well-founded statements can be made on the IT security situation in Germany.