BSI law

from Wikipedia, the free encyclopedia
Basic data
Title: Law on the Federal Office for Information Security
Short title: BSI law
Previous title: Act on the establishment of the Federal Office for Information Security (BSI Establishment Act)
Abbreviation: BSIG
Type: Federal law
Scope: Federal Republic of Germany
Legal matter: Police and regulatory law
References: 206-2
Original version from: December 17, 1990 (BGBl. 1990 I p. 2834)
Entry into force on: January 1, 1991
Last revision from: August 14, 2009 (Federal Law Gazette 2009 I p. 2821)
Entry into force of the new version on: August 20, 2009
Last change by: Art. 73 VO of June 19, 2020 (Federal Law Gazette I p. 1328, 1336)
Effective date of the last change: June 27, 2020 (Art. 361 of June 19, 2020)
Weblink: Text of the BSIG

The German BSI Act (BSIG) contains regulations relating to the Federal Office for Information Security.

Structure

The law has the following structure:

  • § 1 Federal Office for Information Security
  • § 2 Definitions
  • § 3 Duties of the Federal Office
  • § 4 Central reporting office for security in federal information technology
  • § 5 Defense against malware and threats to federal communications technology
  • § 5a Restoring the security or functionality of information technology systems in highlighted cases
  • § 6 Deletion
  • § 7 Warnings
  • § 7a Investigation of security in information technology
  • § 8 Requirements of the Federal Office
  • § 8a Security in information technology in critical infrastructures
  • § 8b Central office for information security in critical infrastructures
  • § 8c Special requirements for providers of digital services
  • § 8d Scope
  • § 8e Request for information
  • § 9 Certification
  • § 10 Authorization to issue statutory ordinances
  • § 11 Restriction of fundamental rights
  • § 12 Council of the Federal Government's IT Commissioners
  • § 13 Reporting obligations
  • § 14 Administrative fines
  • § 15 Applicability of the regulations for providers of digital services

Content

According to Section 1, the federal government maintains a Federal Office for Information Security as a higher federal authority. It is responsible for information security at the national level. It is subordinate to the Federal Ministry of the Interior, Building and Home Affairs (BMI).

With the new version of the law in 2009, the catalog of tasks of the BSI was considerably expanded and the BSI was granted its own powers, so that it no longer has to request official assistance. The primary task of the BSI is to promote security in information technology (Section 3 (1) BSIG), where information technology comprises all technical means for processing and transmitting information (Section 2 (1) BSIG).

In detail, the tasks include, for example:

  • Defense against threats to the security of federal information technology
  • Collection and evaluation of information about security risks and security precautions
  • Investigation of security risks when using information technology as well as development of security precautions
  • Development of criteria, procedures and tools for testing and evaluating the security of information technology systems
  • Testing and evaluation of the security of information technology systems
  • Production of key data and operation of crypto and security management systems for federal information security systems

On request, the BSI can support the federal states in securing their information technology (Section 3 (2) BSIG). Personal data that has been collected must be deleted immediately once it is no longer needed (Section 6 (1) BSIG). The BSI can warn of security vulnerabilities and malware and recommend the use of certain security products (Section 7 (1) BSIG). It also develops minimum standards for the security of federal information technology (Section 8 (1) BSIG). The BSI is the national certification body of the Federal Administration for IT Security. The Federal Office informs the Federal Ministry of the Interior about its activities (Section 13 (1) BSIG).

Protection of critical infrastructures

The Federal Ministry of the Interior determines by ordinance which facilities, systems or parts thereof are considered critical infrastructures (Section 10 (1) sentence 1 BSIG). Their operators are obliged to take appropriate organizational and technical precautions, taking into account the state of the art, to avoid disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes (Section 8 (1) sentence 1, 2 BSIG). Anyone who intentionally or negligently fails to take such precautions, or does not take them correctly, completely or in good time, commits an administrative offence. The fine can be up to 50,000 euros (Section 14 BSIG).

Restriction of fundamental rights

In accordance with the citation requirement, Section 11 BSIG stipulates that Sections 5 and 5a BSIG restrict telecommunications secrecy (Article 10 of the Basic Law).

Defense against malware and threats to communication technology

In order to avert threats to federal communications technology, the Federal Office may collect and automatically evaluate log data that arises during the operation of federal communications technology (Section 5 (1) sentence 1 BSIG). If the security or functionality of an information technology system of a federal agency or an operator of a critical infrastructure is impaired, the Federal Office can take the measures that are necessary to restore the security or functionality of the information technology system concerned (Section 5a (1) sentence 1 BSIG). To this end, it may collect and process personal data or data subject to telecommunications secrecy (Section 5a (3) sentence 1 BSIG).

Cooperation with security authorities

The BSI supports the police and law enforcement authorities in performing their statutory duties. It also supports the Federal Office for the Protection of the Constitution (BfV), the Military Counter-Intelligence Service (MAD) and the State Authorities for the Protection of the Constitution in the evaluation and assessment of information that arises from the observation of terrorist activities or intelligence activities, as well as the Federal Intelligence Service in performing its statutory tasks. Support may only be granted if it is necessary to prevent or investigate activities that are directed against security in information technology or that are carried out using information technology (Section 3 (1) sentence 2 no. 13 BSIG). It may transmit personal data to these authorities under the conditions of Section 5 BSIG.
