Overview and explanation of the reporting points

Alliance for Cyber Security reporting point

Companies and organisations have the opportunity to report a security incident via the reporting form on the website of the BSI's reporting and information portal. These reports are used to create a reliable and meaningful picture of the situation, to recognise possible correlations and to be able to initiate appropriate measures or issue warnings on this basis. If you provide contact details, the BSI can get in touch with you on request, subject to availability. However, you are also welcome to submit an anonymous report. In this FAQ list, we explain what a report on an IT security incident should ideally look like.

German Federal reporting point (Bund)

Reports pursuant to Section 4(3) of the BSIG

According to Section 4(3) BSIG (2009), German federal institutions are obliged to inform the BSI immediately if they become aware of information required for the prevention of threats to information technology security. The details of the reporting procedure have been specified in a general administrative regulation. The reporting obligations of the regulation remain in effect until a new administrative regulation is issued pursuant to Section 43(5) of the BSIG (2026).

Baseline data collection pursuant to Section 7 of the BSIG

Pursuant to Section 7 of the BSIG, the BSI is authorized to assess and evaluate the state of information security within the federal administration. In addition to the BSI’s review of federal institutions following the standard revision, Section 7 of the BSIG is implemented through an annual baseline data collection via the MIP. The submitted baseline data survey serves, among other things, as the basis for the planned standard revision and is used to prepare for it in a targeted manner. The results of the annual baseline data survey of all federal institutions are validated by the relevant auditing bodies and are incorporated into the strategic management of information security within the federal administration.

CyberGovSecure Program

CyberGovSecure is the program of measures of the Federal CISO designed to quickly and effectively strengthen information security within the German federal administration. It defines and prioritizes measures, supports their implementation, and ensures transparency regarding progress and effectiveness.

Cyber Security Network reporting point

All registered digital first responders in the cybersecurity network have access to the CSN reporting center. There, they submit digitally anonymized reports on the IT security incidents they have dealt with as part of the CSN. These incident reports are used to create a reliable and comprehensive picture of the situation and are an important indicator of the IT security situation for private individuals in Germany.

KRITIS reporting point

IT Security Act, BSI Act and BSI KRITIS Regulation

With the Act to Increase the Security of Information Technology Systems (IT Security Act), which has been in force since July 2015, the German government is helping to make Germany's IT systems and digital infrastructures the most secure in the world. Particularly in the area of critical infrastructures (KRITIS) - such as electricity and water supply, finance or food - a failure or impairment of supply services would have dramatic consequences for the economy, state and society in Germany. The availability and security of IT systems therefore play an important and central role, especially in the area of critical infrastructures.

However, the aim of the IT Security Act is also to improve IT security at companies and in the federal administration, as well as to better protect citizens on the internet. Individual provisions of the IT Security Act therefore also apply to operators of commercial websites. These must also fulfil higher requirements for their IT systems. Telecommunications companies will also be required to do more in future. They will be obliged to warn their customers if they discover misuse of a customer connection. In addition, they are to show those affected possible solutions, if possible. The responsible supervisory authority in these cases is the Federal Network Agency. In order to achieve these goals, the tasks and powers of the Federal Office for Information Security (BSI) have been expanded.

The IT Security Act is an article law that amends existing laws, including the BSI Act. The BSI Act (BSIG) defines critical infrastructures in Section 2 (10).

Critical infrastructures within the meaning of the BSIG are facilities, installations or parts thereof that belong to the energy, information technology and telecommunications, transport and traffic, health, water, food, finance and insurance and municipal waste disposal sectors and are of great importance for the functioning of the community because their failure or impairment would result in significant supply bottlenecks or threats to public safety. Critical infrastructures within the meaning of the BSIG are defined in more detail by the ordinance pursuant to Section 10 (1) BSIG.

The BSI KRITIS Regulation defines which facilities, installations or parts thereof are considered critical infrastructures within the meaning of the BSIG due to their importance for the supply of the population and thus for the functioning of the community. Whether a significant level of supply exists depends on whether the threshold values listed in the BSI KRITIS Regulation are reached or exceeded. If these thresholds are reached or exceeded, the statutory reporting and verification obligations of the BSIG apply to KRITIS operators.

Further information and FAQs on various topics relating to KRITIS can be found on the website of the KRITIS department.

Designate a contact point

Operators of critical infrastructures

According to Section 8b (3) BSIG, operators of a critical infrastructure within the meaning of Section 2 (10) BSIG must designate a contact point to the BSI through which they can be reached at any time. The BSI sends IT security information to this address.

Operators of energy supply networks and energy installations (EnWG)

Pursuant to Section 11 (1d) of the German Electricity and Gas Supply Act (EnWG), operators of energy supply grids and energy systems that have been designated as critical infrastructure by the entry into force of the statutory ordinance pursuant to Section 10 (1) of the BSI Act are obliged to register their systems with the BSI and appoint a contact point. On the basis of this registration, the operators must report IT incidents to the BSI (see Section 11 (1c) EnWG). These obligations apply to all operators of energy supply grids, regardless of the thresholds specified in the BSI KRITIS regulation.

Obligation to report

The reporting obligation pursuant to Section 8b (4) BSIG applies to operators of critical infrastructures that have been identified as critical infrastructures within the meaning of the BSIG on the basis of the thresholds set out in the BSI KRITIS Regulation.

Operators of energy supply grids and energy systems that have been designated as critical infrastructure by the entry into force of the ordinance pursuant to Section 10 (1) of the BSI Act must report IT incidents to the BSI (see Section 11 (1c) EnWG). The obligation to report IT incidents to the BSI applies to all operators of energy supply networks, regardless of whether they exceed the threshold value as critical infrastructure according to the BSI KRITIS Regulation.

Detailed information can be found in the FAQ on the reporting obligation.

Registration

If your institution is already registered, you can log in with your user name and password via the Login link. You can start the registration of an institution via the Registration link. You can find the registration manual here. Your registration details will be checked at the BSI and the registered institution will be activated for the KRITIS reporting point in the MIP. After submitting the registration, the BSI will inform you about the progress of your registration by e-mail.

Access to the information area of the Reporting and Information Portal (MIP) is only possible once the registration process has been completed. Only after registration can operators subject to the reporting obligation send reports to the BSI via the MIP and view (situation) information and products from the BSI.

Registration for authorities / supervisory authorities / central contact points of the federal states

The competent supervisory authorities and other competent federal and state authorities as well as the central contact points designated by the federal states for this purpose cannot register via the MIP. We ask these institutions to register with the BSI using the appropriate forms. Please request the forms by e-mail from: Kritische.Infrastrukturen@bsi.bund.de

Authorities that operate KRITIS facilities register as operators of critical infrastructures via the reporting and information portal using the online registration form.

Submit changes to the registration data to the BSI

If you want to make changes to your registration data, please DO NOT register again in the reporting portal. Instead, please log in to the reporting portal and download the following forms from the Information (Category: KRITIS-Formulare) menu:

  • for changes to the institution data the form „aenderung-kontaktstelle.pdf“
  • for changes to the registered Critical Infrastructures or new registrations of Critical Infrastructures the form „Anlage KRITIS“
  • for deregistration of a Critical Infrastructure the form „antrag-deregistrierung-kritis.pdf“

You can edit the forms electronically or alternatively print them out, fill them in manually and send them scanned to Kritische.Infrastrukturen@bsi.bund.de.

Aviation Security reporting point

Companies subject to the Aviation Security Act (LuftSiG) can register on the new BSI portal. Registration via MIP2 is no longer possible. The BSI portal can be found at https://portal.bsi.bund.de. Further information and details on how to register on the BSI portal can be found at https://www.bsi.bund.de/dok/faq-bsi-portal.