
BSIG — Act on the German Federal Office for Information Security

5 min read · Reviewed by: Cenedril Editorial

An energy provider detects unusual activity on a control-system server over the weekend. The suspicion: preparation for a ransomware attack. The BSIG reporting obligation applies as soon as the significance threshold is met, so the report to the BSI must be filed without delay, in parallel with containment on your own side. Note that the threshold is not "an outage has occurred": a disruption that could lead to a failure or significant impairment of the facility is already reportable. Anyone who hesitates or postpones the report to the authority until Monday morning violates section 8b BSIG and risks a fine under section 14 BSIG, whose upper tiers reach 2 million euros.

The BSI Act governs the tasks and powers of the Federal Office for Information Security (BSI) and sets the cybersecurity obligations for operators of critical infrastructure, digital service providers and federal authorities. It is the central German norm for KRITIS compliance and has been extended several times, most recently through the IT Security Act 2.0 (IT-SiG 2.0, 2021); the transposition of the NIS2 directive restructures it again and widens the circle of obligated entities.

Who is affected?

The BSIG addresses several target groups with different obligation catalogues:

  • Federal authorities (sections 4 ff.) — the BSI is their central IT security service provider, operates the government networks and sets minimum standards for federal IT.
  • Operators of critical infrastructure (sections 8a, 8b) — the eight sectors named in section 2(10) BSIG: energy, water, food, IT/telecoms, health, finance and insurance, transport, and municipal waste disposal. Whether a facility counts as critical is decided by the thresholds in the BSI-Kritisverordnung (KritisV). State and administration is a KRITIS sector in the national strategy, but federal bodies are regulated through sections 4 ff., not through the KritisV.
  • Companies of special public interest (UBI) (section 8f) — introduced by IT-SiG 2.0; covers armaments and classified-IT manufacturers, the largest companies by domestic value creation, and upper-tier operators under the Major Accidents Ordinance (Störfall-Verordnung).
  • Digital service providers (sections 8c, 8d) — online marketplaces, online search engines, cloud services; these obligations stem from the original NIS 1 directive.
  • Manufacturers of IT products — increasingly obligated through the NIS2 implementation and the EU Cyber Resilience Act; under the current BSIG they are reached mainly through section 7a (product investigations) and section 9b (critical components).

What does the law require?

The KRITIS obligations under section 8a and 8b BSIG are the core:

  • State of the art (section 8a(1)) — appropriate organisational and technical precautions to prevent disruptions of the systems the critical service depends on. Sector-specific security standards (B3S) recognised by the BSI under section 8a(2) are the usual way to show what "appropriate" means; equivalent measures are permitted.
  • Proof every two years (section 8a(3)) — through audits, inspections or certifications, submitted to the BSI together with a list of identified deficiencies.
  • Attack detection systems (section 8a(1a), introduced by IT-SiG 2.0) — required since 1 May 2023. The law mandates a capability, not a product: continuous and automatic collection and evaluation of suitable parameters from running operation, detection of threats, and prepared remediation steps. A SIEM with log analysis is the typical implementation, but it must cover the systems that carry the critical service, including OT and control layers, not only office IT. The BSI's Orientierungshilfe on attack detection sets out the expected maturity.
  • Notification of significant disruptions (section 8b(4)) — immediate report via the BSI reporting portal, with follow-up reports as findings develop. Disruptions that could lead to a failure or significant impairment are reportable, not only those that already have.
  • Point of contact (section 8b(3)) — reachable at all times, with deputisation and a clear escalation path.
  • Information from the BSI (section 8b(2)) — receipt of warnings, situation reports and security recommendations.
  • Ordering and investigation powers — remediation orders after deficient proof (section 8a(4)), investigation of IT products (section 7a), detection of security gaps in internet-facing systems such as open ports (section 7b), and prohibition of critical components, issued by the Federal Ministry of the Interior on the basis of section 9b.

For UBIs, a reduced obligation list with self-declaration applies (section 8f) — minimum level of IT security, notification of significant disruptions, registration with the BSI.

In practice

Review KRITIS scope annually. KritisV thresholds change, business areas grow or shrink. An organisation once below the threshold will sooner or later rise above it — without self-assessment, this stays unnoticed until a missing report to the BSI exposes it.

Apply a sector-specific security standard (B3S). For most sectors there are BSI-recognised B3S, from BDEW (energy) and DVGW (water) to the DKG standard for hospitals. Using a B3S gives you a clearly defined audit scope and reduces the burden on the auditing body, because the auditor checks against a recognised catalogue instead of having to justify the equivalence of your own measures.

Rehearse and log the notification chain. The duty of immediate reporting does not tolerate escalation through several hierarchy levels. The SOC or CSIRT function must be able to trigger the report itself, with a clear mandate. Tabletop exercises with real stopwatches expose gaps before the real incident arrives.

Mapping to ISO 27001

The BSIG requirements align closely with ISO 27001 — the standard is often the basis for B3S-compliant proof. Particularly relevant are the Annex A controls around suppliers, incidents and attack detection.

The directly relevant controls are listed under "ISO 27001 Controls Covered" below.

Typical audit findings

  • KRITIS threshold self-assessment outdated — the organisation has been above the threshold for two years without knowing it.
  • Attack detection systems only in parts — SIEM covers office IT, but OT areas and critical control layers are missing.
  • Notification chain for section 8b BSIG not rehearsed — only management is allowed to report, but is unreachable at weekends.
  • B3S not or only partly applied — audit was run against ISO 27001 without the sector-specific extension.
  • Follow-up proof not filed with the BSI — the two-year cycle was missed, the BSI is actively asking.
  • BSI orders not implemented — a request for component prohibition stalled because no clear responsibility was assigned.

ISO 27001 Controls Covered

  • A.5.7 Threat intelligence
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.26 Response to information security incidents
  • A.5.27 Learning from information security incidents
  • A.5.29 Information security during disruption
  • A.5.30 ICT readiness for business continuity
  • A.5.36 Compliance with policies, rules and standards for information security
  • A.5.37 Documented operating procedures
  • A.6.3 Information security awareness, education and training
  • A.8.7 Protection against malware
  • A.8.8 Management of technical vulnerabilities
  • A.8.16 Monitoring activities

Frequently asked questions

Am I a KRITIS operator under the BSIG?

The decisive source is the BSI-Kritisverordnung (KritisV). It defines facility categories and thresholds for the eight KRITIS sectors of section 2(10) BSIG: energy, water, food, IT/telecoms, health, finance and insurance, transport, and municipal waste disposal. Anyone operating a facility that reaches a threshold is an operator of critical infrastructure and must meet the obligations under sections 8a and 8b BSIG; registration with the BSI follows. Self-assessment against the KritisV is the first step, and it needs repeating whenever the regulation or your own capacity figures change.

What must I report to the BSI?

Significant disruptions of availability, integrity, authenticity or confidentiality of your IT systems that have led, or could lead, to a failure or significant impairment of the critical facility (section 8b(4) BSIG). This includes cyberattacks, failures of essential IT components and data losses. The report is filed without delay via the BSI reporting portal; if the disruption has not actually caused a failure or impairment, the operator's name may be omitted from the report. Guidance on what counts as significant comes from the BSI's reporting criteria and from the sector-specific security standards (B3S).

How often must I demonstrate security?

Every two years (section 8a(3) BSIG). The proof is provided through audits, inspections or certifications — typically by a qualified auditor under a BSI-recognised procedure. ISO 27001 with a sector-specific extension (B3S) is the most common path. The proof is submitted to and reviewed by the BSI.