FAQ on UBIs: General

FAQ on the new legal regulations in the BSI Act on companies in the special public interest.
-
Companies in the special public interest are:
- “Manufacturers/developers as defined in Section 60 (1) No. 1 and 3 of the applicable version of the Foreign Trade and Payments Ordinance (AWV)”; that is, companies that operate in the area of weapons, munitions and military goods or in the area of products with an IT security function that are used for processing classified state information or components of such products that are vital to the IT security function. (UBI 1)
- Companies in Germany “that are the largest in terms of their domestic value creation, and that are therefore of significant economic importance to the Federal Republic of Germany”. This refers to the largest companies in Germany. A regulation will be issued to define the exact economic parameters used to identify the largest companies (UBI 2). Once this regulation is published and the parties affected by this UBI category have been determined, the BMI may issue a further regulation to set out the key parameters used to determine which suppliers are of significant importance to the company in question and therefore also fall under the legal provisions of the BSI Act.
- Operators “of an upper-tier establishment as defined in the applicable version of the Hazardous Incident Ordinance” or operators that “are equivalent to operators of this kind in accordance with Section 1 (2) of the Hazardous Incident Ordinance”; this refers to companies that hold large volumes of hazardous substances that are equal to or exceed the thresholds listed in column 5 of the substances list in Annex I of the Hazardous Incident Ordinance. (UBI 3)
Companies that operate critical infrastructures are excluded; see the questions below.
-
No. Companies that are operators of critical infrastructures (KRITIS) under the BSI Act are subject to the provisions of the BSI Act as KRITIS operators and not to the provisions that apply to companies in the special public interest. A company cannot be both an operator of critical infrastructures and a company in the special public interest.
Each company (legal person) is considered as a separate entity. If only one company in a group of multiple companies is an operator of a critical infrastructure, this company is classed as an operator of a critical infrastructure and is subject to the relevant provisions as a KRITIS operator, and not to the provisions that apply to companies in the special public interest. This means that, within this kind of organisation, there may be companies that are classed as KRITIS operators and companies that are classed as UBIs. In groups, for example, there may be some subsidiaries that are KRITIS operators, while other subsidiaries are UBIs.
-
UBI 1
(e.g. weapons technology, processing of classified state information with BSI approval)
Registration/point of contact: Obligation to register and to designate a point of contact (Section 8f (5))
Reporting obligation in the event of a security incident: Faults in IT systems that lead to failure or have a significant impact on value creation, or major faults that could have an impact on value creation (Section 8f (7))
Obligation to complete a self-declaration on IT security: Template for self-declaration on IT security (to be completed every two years) (Section 8f (1) No. 1 to 3)
Contents of self-declaration:
- IT security certifications from the past 2 years
- Other IT security audits and assessments from the past 2 years
- Information on measures in place to protect particularly sensitive IT systems, components and processes
Deadline: Register from 1 May 2023, submit self-declaration on IT security and report faults (Section 8f (1) and (4) Sent. 1, and (7) BSIG).
UBI 2
Registration/point of contact: Obligation to register and to designate a point of contact (Section 8f (5))
Reporting obligation in the event of a security incident: Faults in IT systems that lead to failure or have a significant impact on value creation, or major faults that could have an impact on value creation (Section 8f (7))
Obligation to complete a self-declaration on IT security: Template for self-declaration on IT security (to be completed every two years) (Section 8f (1) No. 1 to 3)
Contents of self-declaration:
- IT security certifications from the past 2 years
- Other IT security audits and assessments from the past 2 years
- Information on measures in place to protect particularly sensitive IT systems, components and processes
Deadline: Register at the earliest 2 years after the UBI VO (the BMI regulation on UBI 2) enters into force, submit self-declaration on IT security and report faults (Section 8f (1) and (4) Sent. 2, and (7) BSIG).
UBI 3
Registration/point of contact: Voluntary only, with immediate effect (Section 8f (6))
Reporting obligation in the event of a security incident: Faults affecting the availability, integrity, authenticity or confidentiality of their IT systems, components or processes that lead to an incident as defined in the Hazardous Incident Ordinance, and significant disruptions that could lead to such an incident (Section 8f (8))
Obligation to complete a self-declaration on IT security: None
Deadline: From 1 November 2021, these companies must report faults to the BSI (Section 8f (8) BSIG).
-
For operators of critical infrastructures and companies in the special public interest, different requirements apply as to when disruptions must be reported to the BSI. This is because the legislator has defined a different protection objective for each group.
KRITIS
- Disruptions regarding the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that have resulted in a failure of or significant impairment to the functionality of the critical infrastructure that they operate OR significant disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that may lead to a failure of or significant impairment to the functionality of the critical infrastructure that they operate.
UBI 1 and 2
- Disruptions regarding the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that have resulted in a failure of or significant impairment to the achievement of value creation OR significant disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that may lead to a failure of or significant impairment to the achievement of value creation.
UBI 3
- Disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that have led to an incident as defined in the applicable version of the Hazardous Incident Ordinance, OR significant disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that could lead to an incident as defined in the applicable version of the Hazardous Incident Ordinance.
Special feature of UBI 3: here, the focus is not on the functionality of the establishment as a whole, but only on protection against a hazardous incident.
-
The actions required differ depending on the UBI category:
- UBI 1 – manufacturers/developers of goods as defined in Section 60 of the Foreign Trade and Payments Ordinance (AWV) – must submit a self-declaration and registration to the BSI by 1 May 2023.
- For UBI 2 – companies of significant economic importance – the BMI will issue a regulation to determine which companies fall into this category. Until this regulation takes effect, there is no need to take any action.
- UBI 3 – hazardous incident UBIs – have had to report faults of the kind described above since 1 November 2021. The FAQ below under “Hazardous incident UBIs (UBI 3): FAQ on reporting obligations” are targeted at this group.
Irrespective of the legal regulations in the BSI Act and the associated ordinances and deadlines, the BSI recommends, for reasons of IT security, that all companies strive to continually improve and enhance their IT security.
-
The BSI supports UBIs in various ways, including through its Alliance for Cyber Security (ACS) offering. This includes, for example:
- Warning messages: in addition to the freely available cyber security warnings (CSWs), CSWs classified according to the Traffic Light Protocol
- Overview reports such as the monthly BSI IT situation assessments
- Cyber security recommendations
- Partner offers from the Alliance for Cyber Security (ACS) network
- Events based on the latest developments in cyber security
- Networking opportunities such as PSGs and expert sessions
- Other publications such as IT emergency cards
The BSI will establish formats for ongoing collaboration and trusting partnerships with UBIs in good time to promote information sharing and a common understanding of the topic. The BSI also provides relevant information on information security in the form of the IT-Grundschutz. Other important information on the protection of industrial systems is available here.
-
All information (FAQ, contact, etc.) for the newly regulated UBI group is available here.
-
Yes, regardless of the legal requirements, we recommend implementing an ISMS.
-
The use of an ISMS is strongly recommended, regardless of legal requirements. At the BSI, we recommend the IT-Grundschutz. However, the ISO 27000 series of standards can also be used as an alternative.
-
The separate regulatory regimes are set out in the BSI Act. The situation may change with the implementation of the NIS 2 Directive, which the European Commission, the European Parliament and the Council of the European Union were negotiating at the start of 2022. It is expected to be transposed into national law in 2023/24.
-
There is no public register of UBIs.
-
Yes. Large weapons manufacturers, for example, could even fall into all three categories. These companies must observe all the obligations associated with the different deadlines and reporting, self-declaration and registration requirements.
-
Yes, please contact the UBI Office with any questions.
-
The BSI Mobile Incident Response Teams (MIRTs) can, in exceptional circumstances, also respond to incidents involving UBIs; see Section 5b (1) BSIG.
-
The slides from the event are available here.
Short URL: https://www.bsi.bund.de/dok/ubi-faq-general