The reporting obligation applies to major accident UBI in particular to events that lead to serious threats that threaten the lives of people or where there is a risk of serious damage to the health of people or where the health of a large number of people may be affected. The reporting obligation is intended to help overcome critical situations quicker and/or better and to warn third parties in good time of recurring threats.

Hazardous incident UBI are obliged to report, according to the BSI Act on reports:

1. Disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that have led to a hazardous incident according to the Hazardous Incident Ordinance in the respective valid version,
2. significant disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that could lead to a hazardous incident according to the Hazardous Incident Ordinance in the respective valid version.

The report must contain information on the disruption, the technical framework conditions, in particular the suspected or actual cause, the Information Technology affected and the type of facility or system affected. In the reporting form, all the necessary information for a report is requested.

The term "disruption" is to be understood functionally in accordance with the supreme court case law on §100 (1) TKG<. A disruption as defined in the BSI Act therefore exists if the technology used is no longer able to fulfil its intended function correctly or in full, or an attempt has been made to cause this to happen. These include, in particular, cases of security vulnerabilities, malware and attacks on information technology security that have been carried out, attempted or successfully averted, as well as unusual and unexpected technical defects involving IT (such as after software updates or a failure of the server cooling).

These are disruptions in systems that have actually triggered major accidents within the meaning of the Major Accident Ordinance.

According to the Major Accident Ordinance, a major accident is an event that immediately or later leads to a serious threat or to certain material damage inside or outside an operating area. A serious threat is a threat in which

• human life is threatened or
• where there is a risk of serious damage to the health of people,
• where the health of a large number of people may be affected or
• the environment and cultural and other material assets may be damaged.

In the case of disruptions that have triggered major accidents, there will generally also be an obligation to report the major accident in accordance with § 19 and Annex VI, Part 1, Number I of the Major Accident Ordinance.

This can be a disruption to IT/OT systems, which does not itself cause a major accident, but creates conditions for the occurrence of a hazardous incident by interfering with the function of security precautions or security safeguards. A corresponding facility is moved from a safe state to a latent state by the significant disruption. These include: e.g. significant IT/OT disruptions that impair the function of a security device (according to VDI guideline 2180) or cause the occurrence of hazardous incident conditions. The requirements for a hazardous incident shall already be determined during the preparation of the security report pursuant to § 9 of the Hazardous Incident Ordinance, in particular during the determination of the possible hazardous incident scenarios pursuant to paragraph 1, number 2.

This is, for example, the manipulation or failure of an IT/OT systems, which are required for monitoring, parametrising or operating

• (emergency) cooling water pumps,
• emergency power supply,
• overfill protection,
• fire detection and fire-fighting facilities,
• extinguishing water retention facilities.

This reporting obligation allows safeguards to be implemented to recover IT security and lean from IT/OT disruptions, even without a serious threat (within the meaning of the Hazardous Incident Ordinance) having occurred.

Major accident UBI must report reportable disruptions to the Federal Office for Information Security without delay from 1 November 2021 at the latest.

Detailed information can be found on this page.

The definition of a major accident in § 8f (8) of the Federal Immission Control Act is based on the Major Accidents Ordinance. It should be noted that disruptions of information technology systems, components or processes that can lead to a major accident must also be reported.