Overview and explanation of the reporting points
- Alliance for Cyber Security reporting point
- Federal reporting point (§ 4 BSIG)
- Cyber Security Network reporting point
- KRITIS reporting point
- IT Security Act, BSI Act and BSI KRITIS Regulation
- Designate contact point
- Obligation to report
- Registration
- Registration for authorities / supervisory authorities / central contact points of the federal states
- Submit changes to the registration data to the BSI
- Aviation Security reporting point
- Reporting point for vulnerabilities
Alliance for Cyber Security reporting point
Companies and organisations have the opportunity to report a security incident via the reporting form on the website of the BSI's reporting and information portal. These reports are used to create a reliable and meaningful picture of the situation, to recognise possible correlations and to be able to initiate appropriate measures or issue warnings on this basis. If you provide contact details, the BSI can get in touch with you on request, subject to availability. However, you are also welcome to submit an anonymous report. In this FAQ list, we explain what a report on an IT security incident should ideally look like.
Federal reporting point
According to Section 4 (3) BSIG, German federal authorities are obliged to inform the BSI immediately if they become aware of information required for the prevention of threats to information technology security. The details of the reporting procedure are set out in a general administrative regulation for the implementation of paragraph 3 of the BSIG.
Cyber Security Network reporting point
All registered helpers of the Cyber Security Network - i.e. digital first responders, incident practitioners and incident experts - as well as IT security service providers have access to the CSN reporting point. There they submit digitally anonymised reports on the IT security incidents they have dealt with as part of the CSN. These incident reports are used to create a reliable and comprehensive picture of the situation and are an important sensor for the IT security situation of private individuals and SMEs.
KRITIS reporting point
IT Security Act, BSI Act and BSI KRITIS Regulation
With the Act to Increase the Security of Information Technology Systems (IT Security Act), which has been in force since July 2015, the German government is helping to make Germany's IT systems and digital infrastructures the most secure in the world. Particularly in the area of critical infrastructures (KRITIS) - such as electricity and water supply, finance or food - a failure or impairment of supply services would have dramatic consequences for the economy, state and society in Germany. The availability and security of IT systems therefore play an important and central role, especially in the area of critical infrastructures.
However, the aim of the IT Security Act is also to improve IT security at companies and in the federal administration, as well as to better protect citizens on the internet. Individual provisions of the IT Security Act therefore also apply to operators of commercial websites. These must also fulfil higher requirements for their IT systems. Telecommunications companies will also be required to do more in future. They will be obliged to warn their customers if they discover misuse of a customer connection. In addition, they are to show those affected possible solutions, if possible. The responsible supervisory authority in these cases is the Federal Network Agency. In order to achieve these goals, the tasks and powers of the Federal Office for Information Security (BSI) have been expanded.
The IT Security Act is an article law that amends existing laws, including the BSI Act. The BSI Act (BSIG) defines critical infrastructures in Section 2 (10).
Critical infrastructures within the meaning of the BSIG are facilities, installations or parts thereof that belong to the energy, information technology and telecommunications, transport and traffic, health, water, food, finance and insurance and municipal waste disposal sectors and are of great importance for the functioning of the community because their failure or impairment would result in significant supply bottlenecks or threats to public safety. Critical infrastructures within the meaning of the BSIG are defined in more detail by the ordinance pursuant to Section 10 (1) BSIG.
The BSI KRITIS Regulation defines which facilities, installations or parts thereof are considered critical infrastructures within the meaning of the BSIG due to their importance for the supply of the population and thus for the functioning of the community. Whether a significant level of supply exists depends on whether the threshold values listed in the BSI KRITIS Regulation are reached or exceeded. If these thresholds are reached or exceeded, the statutory reporting and verification obligations of the BSIG apply to KRITIS operators.
Designate a contact point
Operators of critical infrastructures
According to Section 8b (3) BSIG, operators of a critical infrastructure within the meaning of Section 2 (10) BSIG must designate a contact point to the BSI through which they can be reached at any time. The BSI sends IT security information to this address.
Operators of energy supply networks and energy installations (EnWG)
Pursuant to Section 11 (1d) of the German Electricity and Gas Supply Act (EnWG), operators of energy supply grids and energy systems that have been designated as critical infrastructure by the entry into force of the statutory ordinance pursuant to Section 10 (1) of the BSI Act are obliged to register their systems with the BSI and appoint a contact point. On the basis of this registration, the operators must report IT incidents to the BSI (see Section 11 (1c) EnWG). These obligations apply to all operators of energy supply grids, regardless of the thresholds specified in the BSI KRITIS regulation.
Obligation to report
The reporting obligation pursuant to Section 8b (4) BSIG applies to operators of critical infrastructures that have been identified as critical infrastructures within the meaning of the BSIG on the basis of the thresholds set out in the BSI KRITIS Regulation.
Operators of energy supply grids and energy systems that have been designated as critical infrastructure by the entry into force of the ordinance pursuant to Section 10 (1) of the BSI Act must report IT incidents to the BSI (see Section 11 (1c) EnWG). The obligation to report IT incidents to the BSI applies to all operators of energy supply networks, regardless of whether they exceed the threshold value as critical infrastructure according to the BSI KRITIS Regulation.
Detailed information can be found in the FAQ on the reporting obligation.
Registration
If your institution is already registered, you can log in with your user name and password via the Login link. You can start the registration of an institution via the Registration link. You can find the registration manual here. Your registration details will be checked at the BSI and the registered institution will be activated for the KRITIS reporting point in the MIP. After submitting the registration, the BSI will inform you about the progress of your registration by e-mail.
Access to the information area of the Reporting and Information Portal (MIP) is only possible once the registration process has been completed. Only after registration can operators subject to the reporting obligation send reports to the BSI via the MIP and view (situation) information and products from the BSI.
Registration for authorities / supervisory authorities / central contact points of the federal states
The competent supervisory authorities and other competent federal and state authorities as well as the central contact points designated by the federal states for this purpose cannot register via the MIP. We ask these institutions to register with the BSI using the appropriate forms. Please request the forms by e-mail from: Kritische.Infrastrukturen@bsi.bund.de
Authorities that operate KRITIS facilities register as operators of critical infrastructures via the reporting and information portal using the online registration form.
Submit changes to the registration data to the BSI
If you want to make changes to your registration data, please DO NOT register again in the reporting portal. Instead, please log in to the reporting portal and download the following forms from the Information (Category: KRITIS-Formulare) menu:
- for changes to the institution data the form „aenderung-kontaktstelle.pdf“
- for changes to the registered Critical Infrastructures or new registrations of Critical Infrastructures the form „Anlage KRITIS“
- for deregistration of a Critical Infrastructure the form „antrag-deregistrierung-kritis.pdf“
You can edit the forms electronically or alternatively print them out, fill them in manually and send them scanned to Kritische.Infrastrukturen@bsi.bund.de.
Aviation Security reporting point
With the Implementing Regulation (EU) 2019/1583 and the associated task transfer decree, the BSI was assigned new tasks with regard to information security in aviation as of 31 December 2021.
Supplementary Annex I (to the NLSP) of the Federal Ministry of the Interior and for Home Affairs established the BSI as the central reporting point for this purpose. All registered operators can report IT security incidents relating to aviation security via this reporting point. Further information and FAQs can be found on our website.
Reporting point for vulnerabilities
If you have found one or more vulnerabilities in IT products, IT systems or IT services of the Federal Administration, you can report them to the BSI in confidence using the reporting form. We take every reported vulnerability seriously.
If IT products, IT systems or IT services from manufacturers or product owners outside the Federal Administration are affected, you should first report the vulnerability to the manufacturer or product owner. If they do not respond to your vulnerability report or if there is a risk of the CVD procedure being cancelled, security researchers can contact the BSI. We expect that the points listed in the BSI's Coordinated Vulnerability Disclosure (CVD) guideline have been adhered to so that your vulnerability report can be transferred to our CVD process. Further information and the guideline can be found on the BSI website.