The reporting system in the area of medical technology deals primarily with security gaps and other vulnerabilities that have come to light, as well as with acute incidents. Tried-and-tested processes have been established at the BSI to accurately assess such notifications as quickly as possible, forward them to the proper entities, and facilitate measures to address them as required.

In Germany, the top-level federal authority responsible for registering medical products and assessing the risks they present is the BfArM. This is why the BSI reporting processes that relate to medical products typically involve the BfArM, as well. As a rule, those responsible for such products within the meaning of Section 5 of Germany's Act on Medical Devices (MPG) are the respective manufacturers. These manufacturers are therefore included in the reporting process in order to perform a comprehensive analysis and risk assessment, and to take any necessary measures in this regard. For this reason, the cooperation that takes place between manufacturers and the corresponding public authorities is of central importance. In addition, information from third parties (such as those who report a vulnerability) can be relevant in a given procedure.

In particularly serious cases, proceedings pursuant to Section 7a of the BSI Act may be required at the BSI. If a given medical product becomes the subject of a notification of this kind, the BfArM and the BSI issue joint warnings regarding the risks at hand.