Law On The Federal Office For Security In Information Technology

Original Language Title: Gesetz über das Bundesamt für Sicherheit in der Informationstechnik


Law on the Federal Office for Information Security (BSI Act, BSIG)

Non-official table of contents

BSIG

Date of release: 14.08.2009

Full citation:

"BSI Act of 14 August 2009 (BGBl. I p. 2821), as amended by Article 8 of the Act of 17 July 2015 (BGBl. I p. 1324)"

Status: Last amended by Art. 3 (7) G v. 7.8.2013 I 3154
Note: Amendment by Art. 1 G v. 17.7.2015 I 1324 (No. 31) not yet taken into account
Amendment by Art. 8 G v. 17.7.2015 I 1324 (No. 31) incorporated textually and documentarily, but not yet conclusively
Note: Indirect amendment by Art. 9 G v. 17.7.2015 I 1324 (No. 31) not yet taken into account

For details, see the Notes

Footnote

(+++ Text evidence from: 20.8.2009 +++)

This Act was adopted by the Bundestag as part of the Act of 14.8.2009 I 2821. Pursuant to Article 3 sentence 1 of that Act, it entered into force on 20.8.2009.

§ 1 Federal Office for Information Security

The Federal Government maintains a Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, Federal Office) as a federal authority. The Federal Office is responsible for information security at the national level. It is subordinate to the Federal Ministry of the Interior.

§ 2 Definitions

(1) Information technology within the meaning of this Act comprises all technical means for the processing or transmission of information.

(2) Security in information technology within the meaning of this Act means compliance with certain security standards concerning the availability, integrity or confidentiality of information by means of security precautions
1. in information technology systems, components or processes, or
2. in the application of information technology systems, components or processes.

(3) The communication technology of the Federal Government within the meaning of this Act is information technology that is operated by one or more federal authorities or on behalf of one or more federal authorities and serves the communication or exchange of data between federal authorities or between federal authorities and third parties. Communication technology of the federal courts, insofar as they do not perform public administrative tasks, of the Bundestag, the Bundesrat, the Federal President and the Federal Court of Auditors is not communication technology of the Federal Government, insofar as it is operated exclusively within their own area of competence.

(4) Interfaces of the communication technology of the Federal Government within the meaning of this Act are security-relevant network transitions within the communication technology of the Federal Government as well as between it and the information technology of individual federal authorities, groups of federal authorities or third parties. This does not apply to components at network transitions that are operated under the responsibility of the courts and constitutional bodies referred to in paragraph 3 sentence 2.

(5) Malicious programs within the meaning of this Act are programs and other information technology routines and procedures that serve the purpose of using or deleting data without authorisation, or that serve the purpose of interfering without authorisation with other information technology processes.

(6) Security gaps within the meaning of this Act are properties of programs or other information technology systems through the exploitation of which it is possible for third parties, against the will of the authorised person, to gain access to foreign information technology systems or to influence the functioning of information technology systems.

(7) Certification within the meaning of this Act is the determination by a certification body that a product, a process, a system, a protection profile (security certification), a person (person certification) or an IT security service provider meets certain requirements.

(8) Protocol data within the meaning of this Act are control data of an information technology protocol for data transmission that are transmitted independently of the content of a communication process, or are stored on the servers involved in the communication process, and are necessary to ensure communication between recipient and sender. Protocol data may contain traffic data in accordance with Section 3 (30) of the Telecommunications Act and usage data in accordance with Section 15 (1) of the Telemedia Act.

(9) Data traffic within the meaning of this Act is the data transmitted by means of technical protocols. Data traffic may contain telecommunications content in accordance with Section 88 (1) of the Telecommunications Act and usage data in accordance with Section 15 (1) of the Telemedia Act.

(10) Critical infrastructures within the meaning of this Act are facilities, installations or parts thereof that
1. belong to the sectors of energy, information technology and telecommunications, transport and traffic, health, water, food, and finance and insurance, and
2. are of high importance for the functioning of the community, because their failure or impairment would result in significant supply shortages or threats to public safety.
The critical infrastructures within the meaning of this Act are determined in more detail by the regulation pursuant to § 10 (1).

§ 3 Tasks of the Federal Office

(1) The Federal Office promotes security in information technology. To this end, it performs the following tasks:
1. Defence against threats to the security of the information technology of the Federal Government;
2. Collection and evaluation of information on security risks and security precautions, and provision of the findings obtained to other bodies, insofar as this is necessary for the performance of their tasks, as well as to third parties, insofar as this is necessary to safeguard their security interests;
3. Investigation of security risks in the application of information technology, as well as development of security precautions, in particular of information technology procedures and devices for security in information technology (IT security products), insofar as this is necessary for the performance of the tasks of the Federal Government, including research within the scope of its statutory tasks;
4. Development of criteria, procedures and tools for the testing and evaluation of the security of information technology systems or components and for the testing and evaluation of conformity in the field of IT security;
5. Testing and evaluation of the security of information technology systems or components and issuing of security certificates;
6. Testing and confirmation of the conformity of information technology systems and components with technical guidelines in the field of IT security;
7. Testing, evaluation and approval of information technology systems or components that are to be used for the processing or transmission of officially classified information in accordance with § 4 of the Security Clearance Check Act within the Federal administration or by companies in the context of federal contracts;
8. Production of key data and operation of crypto and security management systems for information-securing systems of the Federal Government that are used in the area of protection of state secrets or, at the request of the authority concerned, also in other areas;
9. Support and advice on organisational and technical security measures, as well as the conduct of technical inspections for the protection of officially classified information in accordance with § 4 of the Security Clearance Check Act against being obtained by unauthorised persons;
10. Development of security-related requirements for the information technology to be used by the Federal Government and for the suitability of contractors in the field of information technology with special protection requirements;
11. Provision of IT security products for federal bodies;
12. Support of the federal bodies responsible for security in information technology; this applies in particular to the Federal Commissioner for Data Protection, whose support is provided within the framework of the independence to which he or she is entitled in the performance of his or her duties under the Federal Data Protection Act;
13. Support of
a) the police and prosecution authorities in the performance of their statutory tasks,
b) the constitutional protection authorities in the evaluation and assessment of information arising in the observation of terrorist endeavours or intelligence activities within the scope of the statutory powers under the constitutional protection laws of the Federation and the Länder,
c) the Federal Intelligence Service in the performance of its statutory tasks.
Support may only be granted insofar as it is necessary to prevent or investigate activities that are directed against security in information technology or are carried out using information technology. The requests for support shall be placed on record by the Federal Office;
14. Advice and warning of federal and Länder bodies as well as manufacturers, distributors and users on questions of security in information technology, taking into account the possible consequences of missing or insufficient security precautions;
15. Establishment of suitable communication structures for crisis early warning, crisis response and crisis management, as well as coordination of cooperation for the protection of security in the information technology of critical infrastructures in conjunction with the private sector;
16. Tasks as the central body in the field of security in information technology with regard to cooperation with the competent bodies abroad, without prejudice to special competences of other bodies;
17. Tasks pursuant to §§ 8a and 8b as the central body for security in the information technology of critical infrastructures.

(2) The Federal Office may, upon request, support the Länder in securing their information technology.

(3) The Federal Office may, upon request, advise and support operators of critical infrastructures in securing their information technology, or refer them to qualified security service providers.

§ 4 Central Reporting Office for Security in Information Technology of the Federal Republic of Germany

(1) The Federal Office is the central reporting point for the cooperation of the federal authorities in matters of security in information technology.

(2) In order to perform this task, the Federal Office shall
1. collect and evaluate all information necessary to avert threats to security in information technology, in particular information on security gaps, malicious programs, attacks or attempted attacks on security in information technology, and on the approach observed in doing so,
2. inform the federal authorities without delay of the information referred to in point 1 that concerns them and of the connections identified.

(3) Other federal authorities shall inform the Federal Office without delay of information referred to in paragraph 2 point 1 that is relevant for the performance of the tasks or the security of the information technology of other authorities, insofar as other provisions do not conflict with this.

(4) The duties to inform under paragraph 2 point 2 and paragraph 3 do not extend to information that may not be disclosed on the basis of rules on the protection of secrecy or agreements with third parties, or the disclosure of which would conflict with the constitutional position of a member of the Bundestag or of a constitutional body, or with the legally regulated independence of individual bodies.

(5) The provisions on the protection of personal data remain unaffected.

(6) The Federal Ministry of the Interior shall, after obtaining the agreement of the Council of IT Officers of the Federal Government, adopt general administrative provisions for the implementation of paragraph 3.

§ 5 Defence against malicious programs and threats to the communication technology of the Federal Government

(1) In order to avert threats to the communication technology of the Federal Government, the Federal Office may
1. collect and automatically evaluate protocol data that arise in the operation of the communication technology of the Federal Government, insofar as this is necessary for the detection, containment or elimination of faults or errors in the communication technology of the Federal Government or of attacks on the information technology of the Federal Government,
2. automatically evaluate the data arising at the interfaces of the communication technology of the Federal Government, insofar as this is necessary for the detection of and defence against malicious programs.
Unless the following paragraphs permit further use, the automated evaluation of these data must take place without delay, and the data must be deleted immediately and without trace after the comparison has been completed. The usage restrictions do not apply to protocol data, provided that they contain neither personal data nor data subject to telecommunications secrecy. The federal authorities are obliged to support the Federal Office in measures under sentence 1 and, in doing so, to ensure the Federal Office's access to the internal protocol data of the authorities under sentence 1 point 1 and to the interface data under sentence 1 point 2. Protocol data of the federal courts may only be collected in agreement with them.

(2) Protocol data under paragraph 1 sentence 1 point 1 may be stored beyond the period required for the automated evaluation under paragraph 1 sentence 1, but for a maximum of three months, insofar as there are factual indications that, in the event of confirmation of a suspicion under paragraph 3 sentence 2, they may be necessary to avert the threats emanating from the malicious program detected or to detect and defend against other malicious programs. Organisational and technical measures shall ensure that the data stored under this paragraph are evaluated only in an automated manner. The data shall be pseudonymised insofar as this is possible in an automated manner. A non-automated evaluation or personal use is permissible only in accordance with the following paragraphs. Insofar as this requires the restoration of the personal reference of pseudonymised data, this must be ordered by the President of the Federal Office. The decision shall be documented.

(3) The use of personal data beyond paragraphs 1 and 2 is permissible only if certain facts justify the suspicion that these data
1. contain a malicious program,
2. were transmitted by a malicious program, or
3. may provide indications of a malicious program,
and insofar as the data processing is required to confirm or refute the suspicion. In the event of confirmation, the further processing of personal data is permissible insofar as this is required
1. to defend against the malicious program,
2. to avert threats emanating from the malicious program detected, or
3. to detect and defend against other malicious programs.
A malicious program may be removed or prevented from functioning. The non-automated use of the data under sentences 1 and 2 may only be ordered by an employee of the Federal Office who is qualified to hold judicial office.

(4) The participants in the communication process shall be notified at the latest after the detection of and defence against a malicious program or threats emanating from a malicious program, if they are known or can be identified without disproportionate further investigation, and overriding interests of third parties worthy of protection do not preclude this. Notification may be dispensed with if the person was affected only insignificantly and it can be assumed that he or she has no interest in notification. The Federal Office shall submit cases in which it dispenses with notification to the official data protection officer of the Federal Office and to another employee of the Federal Office who is qualified to hold judicial office for review. In performing this task, the official data protection officer is free from instructions and may not be disadvantaged because of it (Section 4f (3) of the Federal Data Protection Act). If the official data protection officer objects to the decision of the Federal Office, the notification must be made subsequently. The decision not to notify shall be documented. The documentation may be used only for purposes of data protection control. It shall be deleted after twelve months. In the cases of paragraphs 5 and 6, notification shall be made by the authorities referred to therein in corresponding application of the rules applicable to those authorities. If these do not contain provisions on notification duties, the provisions of the Code of Criminal Procedure apply accordingly.

(5) The Federal Office may transmit the personal data used under paragraph 3 to the prosecution authorities for the prosecution of a criminal offence committed by means of a malicious program under Sections 202a, 202b, 303a or 303b of the Criminal Code. It may also transmit these data
1. to the police forces of the Federation and the Länder, to avert a threat to public security emanating directly from a malicious program,
2. to the Federal Office for the Protection of the Constitution, to inform it of facts indicating security-threatening or intelligence activities for a foreign power.

(6) For other purposes, the Federal Office may transmit the data
1. to the prosecution authorities for the prosecution of a criminal offence that is also of considerable importance in the individual case, in particular a criminal offence referred to in Section 100a (2) of the Code of Criminal Procedure,
2. to the police forces of the Federation and the Länder, to avert a threat to the existence or security of the State, or to the life, limb or freedom of a person, or to property of significant value whose preservation is in the public interest,
3. to the constitutional protection authorities of the Federation and the Länder, if there are factual indications of endeavours in the Federal Republic of Germany that, by the use of force or by preparatory actions aimed at it, are directed against the protected interests referred to in Section 3 (1) of the Federal Constitutional Protection Act.
Transmission under sentence 1 points 1 and 2 requires prior judicial consent. For the procedure under sentence 1 points 1 and 2, the provisions of the Act on Proceedings in Family Matters and in Matters of Non-contentious Jurisdiction apply accordingly. The district court in whose district the Federal Office has its seat is competent. Transmission under sentence 1 point 3 takes place after approval by the Federal Ministry of the Interior; Sections 9 to 16 of the Article 10 Act apply accordingly.

(7) A content evaluation beyond the preceding paragraphs for other purposes, and the transfer of personal data to third parties, are inadmissible. Insofar as possible, it shall be technically ensured that data relating to the core area of private life are not collected. If, on the basis of measures under paragraphs 1 to 3, findings from the core area of private life or data within the meaning of Section 3 (9) of the Federal Data Protection Act are obtained, they may not be used. Findings from the core area of private life must be deleted immediately. This also applies in cases of doubt. The fact of their having been obtained and deleted shall be documented. The documentation may be used only for purposes of data protection control. It shall be deleted when it is no longer required for these purposes, but at the latest at the end of the calendar year following the year of documentation. Where, within the framework of paragraphs 4 or 5, the content or circumstances of the communication of persons referred to in Section 53 (1) sentence 1 of the Code of Criminal Procedure are transmitted, to which the right of these persons to refuse to testify extends, the use of these data as evidence in criminal proceedings is admissible only insofar as the subject of these criminal proceedings is a criminal offence punishable by a maximum sentence of at least five years' imprisonment.

(8) Before collecting and using the data, the Federal Office shall draw up a data collection and usage concept and keep it available for inspection by the Federal Commissioner for Data Protection and Freedom of Information. The concept shall take into account the special protection requirements of government communication. The criteria used for the automated evaluation shall be documented. The Federal Commissioner for Data Protection and Freedom of Information shall also inform the Council of IT Officers of the Federal Government of the results of his or her audits under Section 24 of the Federal Data Protection Act.

(9) The Federal Office shall inform the Federal Commissioner for Data Protection and Freedom of Information each calendar year, by 30 June of the year following the year under review, of
1. the number of cases in which data were transmitted under paragraph 5 sentence 1, paragraph 5 sentence 2 point 1 or paragraph 6 point 1, broken down by the individual transmission powers,
2. the number of personal evaluations under paragraph 3 sentence 1 in which the suspicion was refuted,
3. the number of cases in which the Federal Office dispensed with notifying the persons concerned under paragraph 4 sentence 2 or 3.

(10) The Federal Office shall inform the Committee on Internal Affairs of the German Bundestag each calendar year, by 30 June of the year following the reporting year, about the application of this provision.

§ 6 Deletion

If the Federal Office collects personal data within the scope of its powers, these data shall be deleted without delay as soon as they are no longer required for the performance of the tasks for which they were collected or for a possible judicial review. Insofar as deletion is deferred only for a possible judicial review of measures under § 5 (3), the data may be used for this purpose only without the consent of the person concerned; they shall be blocked for other purposes. § 5 (7) remains unaffected.

§ 7 Warnings

(1) For the performance of its tasks under § 3 (1) sentence 2 number 14, the Federal Office may
1. issue the following warnings to the public or to the affected circles:
a) warnings of security gaps in information technology products and services,
b) warnings of malicious programs, and
c) warnings in the event of loss of or unauthorised access to data;
2. recommend security measures as well as the use of certain security products.
The Federal Office may involve third parties in the performance of the tasks under sentence 1 if this is required for an effective and timely warning. The manufacturers of affected products shall be informed in good time before warnings relating to their products are issued, provided that this does not endanger the achievement of the purpose of the measure. Insofar as security gaps or malicious programs are not to be made generally known in order to prevent their further spread or unlawful exploitation, or because the Federal Office is bound to confidentiality towards third parties, it may restrict the circle of persons to be warned on the basis of factual criteria; factual criteria may in particular be the particular threat to certain facilities or the particular reliability of the recipient.

(2) In order to perform its tasks under § 3 (1) sentence 2 number 14, the Federal Office may inform the public, stating the name and manufacturer of the product concerned, of security gaps in information technology products and services and of malicious programs, or warn against them, and may recommend security measures as well as the use of certain security products, if there are sufficient indications that threats to security in information technology emanate from them. If information given to the public turns out in retrospect to be false, or the circumstances on which it was based turn out to have been rendered incorrectly, this shall be made known publicly without delay.

§ 7a Investigation of security in information technology

(1) For the performance of its tasks under § 3 (1) sentence 2 numbers 1, 14 and 17, the Federal Office may examine information technology products and systems that are provided on the market or are intended to be provided on the market. It may use the support of third parties in doing so, insofar as legitimate interests of the manufacturer of the products and systems concerned do not conflict with this.

(2) The findings obtained from the examinations may be used only for the performance of the tasks under § 3 (1) sentence 2 numbers 1, 14 and 17. The Federal Office may share and publish its findings insofar as this is necessary for the performance of these tasks. Before doing so, the manufacturer of the products and systems concerned shall be given the opportunity to comment within a reasonable period.

§ 8 Requirements of the Federal Office

(1) The Federal Office draws up minimum standards for the security of the information technology of the Federal Government. The Federal Ministry of the Interior may, in consultation with the IT Council, adopt these minimum standards in whole or in part as general administrative provisions for all bodies of the Federal Government. The Federal Office advises the federal bodies, at their request, on the implementation of and compliance with the minimum standards. For the courts and constitutional bodies referred to in § 2 (3) sentence 2, the provisions under this paragraph are of a non-binding character.

(2) Within the scope of its tasks under § 3 (1) sentence 2 number 10, the Federal Office provides technical guidelines that the federal bodies shall take into account as a framework for the development of appropriate requirements for contractors (suitability) and IT products (specification) in the conduct of procurement procedures. The provisions of procurement law and of the protection of secrecy remain unaffected.

(3) The provision of IT security products by the Federal Office under § 3 (1) sentence 2 number 11 is effected by in-house development or by conducting award procedures on the basis of a corresponding requirement determination. IT security products may be made available by in-house development of the Federal Office only in justified exceptional cases. The provisions of procurement law remain unaffected. If the Federal Office provides IT security products, the federal bodies may obtain these products from the Federal Office. By decision of the Council of IT Officers of the Federal Government, it may be determined that the federal bodies are obliged to obtain these products from the Federal Office. In this case, own procurements by other federal bodies are permissible only if the specific requirement profile requires the use of deviating products. Sentences 5 and 6 do not apply to the courts and constitutional bodies referred to in § 2 (3) sentence 2.

§ 8a Security in the information technology of critical infrastructures

(1) Operators of critical infrastructures are obliged, at the latest two years after the entry into force of the regulation under § 10 (1), to take appropriate organisational and technical precautions to avoid disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that are decisive for the functioning of the critical infrastructures they operate. In doing so, the state of the art shall be observed. Organisational and technical precautions are appropriate if the effort required is not disproportionate to the consequences of a failure or impairment of the critical infrastructure concerned.

(2) Operators of critical infrastructures and their sector associations may propose sector-specific security standards to ensure the requirements under paragraph 1. On request, the Federal Office determines whether these are suitable to ensure the requirements under paragraph 1. The determination is made
1. in consultation with the Federal Office of Civil Protection and Disaster Assistance,
2. in agreement with the competent federal supervisory authority or in consultation with the otherwise competent supervisory authority.

(3) Operators of critical infrastructures shall demonstrate, at least every two years and in an appropriate manner, the fulfilment of the requirements under paragraph 1. Proof may be provided by security audits, examinations or certifications. The operators shall submit to the Federal Office a list of the audits, examinations or certifications carried out, including the security deficiencies identified. The Federal Office may require
1. the transmission of the complete audit, examination or certification results, and
2. in agreement with the competent federal supervisory authority or in consultation with the otherwise competent supervisory authority, the elimination of the security deficiencies.

(4) In order to structure the procedure for the security audits, examinations and certifications under paragraph 3, the Federal Office may determine the manner in which they are to be carried out, the evidence to be issued on them, and the technical and organisational requirements for the auditing body, after hearing representatives of the operators concerned and of the business associations concerned.

§ 8b Central Office for Security in Information Technology of Critical Infrastructures

(1) The Federal Office is the central reporting point for operators of critical infrastructures in matters of security in information technology.
(2) In order to perform this task, the Federal Office shall
1. collect and evaluate the information essential for the prevention of threats to security in information technology, in particular information on security vulnerabilities, malicious programs, attacks or attempted attacks on the security of information technology, and on the methods observed in this context,
2. analyse, in collaboration with the competent supervisory authorities and the Federal Office of Civil Protection and Disaster Assistance, their potential impact on the availability of critical infrastructures,
3. continuously update the situation picture regarding security in the information technology of critical infrastructures, and
4. inform
a) the operators of critical infrastructures of the information under numbers 1 to 3 that concerns them,
b) the competent supervisory authorities and the other competent federal authorities of the information under numbers 1 to 3 required for the performance of their duties, and
c) the competent supervisory authorities of the Länder, or the bodies designated to the Federal Office by the Länder for this purpose, of the information under numbers 1 to 3 required for the performance of their duties.
(3) Operators of critical infrastructures shall, within six months after the entry into force of the legal regulation pursuant to § 10 (1), designate to the Federal Office a contact point for the communication structures pursuant to § 3 (1) sentence 2 number 15. The operators shall ensure that the contact point can be reached at any time. The transmission of information by the Federal Office pursuant to paragraph 2 number 4 shall be made to this contact point.
(4) Operators of critical infrastructures shall report immediately to the Federal Office, via the contact point, significant disturbances of the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes which
1. may lead to a failure or impairment of the functionality of the critical infrastructures they operate, or
2. have led to such a failure or impairment.
The notification shall contain details of the disturbance and of the technical framework conditions, in particular the suspected or actual cause, the information technology concerned, the type of facility or installation concerned, and the operator's sector. The operator need be named only if the disturbance has actually led to a failure or impairment of the functionality of the critical infrastructure.
(5) In addition to the contact point referred to in paragraph 3, operators of critical infrastructures belonging to the same sector may designate a common superordinate contact point. Where one has been designated, the exchange of information between the contact points and the Federal Office shall as a rule take place via the common contact point.
(6) Where necessary, the Federal Office may require the manufacturers of the information technology products and systems concerned to participate in eliminating or preventing a disturbance under paragraph 4. Sentence 1 applies accordingly to operators and authorisation holders within the meaning of § 8c (3).
(7) Insofar as personal data are collected, processed or used within the scope of this provision, processing and use for purposes other than those in the preceding paragraphs are not permitted. § 5 (7) sentences 3 to 8 shall apply accordingly. In all other respects, the provisions of the Federal Data Protection Act shall apply.

§ 8c Scope

(1) §§ 8a and 8b shall not apply to micro-enterprises within the meaning of Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36). Article 3 (4) of the Recommendation shall not apply.
(2) § 8a shall not apply to
1. operators of critical infrastructures insofar as they operate a public telecommunications network or provide publicly available telecommunications services,
2. operators of energy supply networks or energy installations within the meaning of the Energy Industry Act (Energiewirtschaftsgesetz) of 7 July 2005 (BGBl. 1970, 3621), as last amended by Article 3 of the Act of 17 July 2015 (BGBl. 1324),
3. authorisation holders pursuant to § 7 (1) of the Atomic Energy Act in the version promulgated on 15 July 1985 (BGBl. 1565), as last amended by Article 2 of the Act of 17 July 2015 (BGBl. 1324), for the scope of the authorisation, as well as
4. other operators of critical infrastructures insofar as they need to comply, on the basis of legislation, with requirements comparable to the requirements of § 8a.
(3) § 8b (3) to (5) shall not apply to
1. operators of critical infrastructures insofar as they operate a public telecommunications network or provide publicly available telecommunications services,
2. operators of energy supply networks or energy installations within the meaning of the Energy Industry Act,
3. authorisation holders pursuant to § 7 (1) of the Atomic Energy Act for the scope of the authorisation, as well as
4. other operators of critical infrastructures that need to comply, on the basis of legislation, with requirements comparable to the requirements of § 8b (3) to (5).
Non-official table of contents

§ 8d Request for information

(1) The Federal Office may, upon request, provide information to third parties on the information received pursuant to § 8a (2) and (3) and on the notifications pursuant to § 8b (4) only if the legitimate interests of the affected operator of critical infrastructures do not stand in the way and no impairment of essential security interests is to be expected from the disclosure. Access to personal data shall not be granted.
(2) Access to the files of the Federal Office in matters pursuant to §§ 8a and 8b shall be granted only to parties to the proceedings, in accordance with § 29 of the Administrative Procedure Act.

§ 9 Certification

(1) The Federal Office is the national certification body of the Federal Administration for IT security.
(2) For certain products or services, a security or personal certificate, or a certificate as an IT security service provider, may be applied for from the Federal Office. Applications shall be processed in the chronological order of their receipt; they may be rejected if the Federal Office, owing to the number and extent of pending examination procedures, is not able to carry out an appropriate examination in due time, unless there is a public interest in granting the certificate. The applicant shall submit to the Federal Office the documents and provide the information necessary for the examination and evaluation of the system or component, or of the suitability of the person, and for issuing the certificate.
(3) The examination and evaluation may be carried out by competent bodies recognised by the Federal Office.
(4) The security certificate shall be issued if
1. the information technology systems, components, products or protection profiles meet the criteria laid down by the Federal Office, and
2. the Federal Ministry of the Interior has determined that overriding public interests, in particular security policy concerns of the Federal Republic of Germany, do not stand in the way of its issue.
(5) Paragraph 4 shall apply accordingly to the certification of persons and IT security service providers.
(6) A recognition as referred to in paragraph 3 shall be granted where
1. the material and staffing resources as well as the professional qualifications and reliability of the conformity assessment body meet the criteria laid down by the Federal Office, and
2. the Federal Ministry of the Interior has determined that overriding public interests do not stand in the way of the recognition.
The Federal Office shall ensure, by means of the necessary measures, that the continued existence of the conditions set out in sentence 1 is reviewed regularly.
(7) Security certificates issued by other recognised certification bodies in the European Union shall be recognised by the Federal Office insofar as they demonstrate a level of security equivalent to that of the security certificates issued by the Federal Office and the equivalence has been established by the Federal Office.

§ 10 empowerment to enact legal regulations

(1) The Federal Ministry of the Interior shall determine, by means of a legal regulation which does not require the approval of the Federal Council, after consulting representatives of the scientific community, the operators concerned and the business associations concerned, and in agreement with the Federal Ministry for Economic Affairs and Energy, the Federal Ministry of Justice and Consumer Protection, the Federal Ministry of Finance, the Federal Ministry of Labour and Social Affairs, the Federal Ministry of Food and Agriculture, the Federal Ministry of Health, the Federal Ministry of Transport and Digital Infrastructure, the Federal Ministry of Defence and the Federal Ministry for the Environment, Nature Conservation, Building and Nuclear Safety, which facilities, installations or parts thereof are considered to be critical infrastructures within the meaning of this Act, specifying for that purpose the services in the respective sectors that are to be regarded as critical owing to their importance with regard to § 2 (10) sentence 1 number 2, and the degree of supply to be regarded as significant. The degree of supply to be regarded as significant under sentence 1 shall be determined on the basis of sector-specific thresholds for each service that is to be regarded as critical in the sector concerned owing to its importance. Access to files relating to the drawing up or amendment of this legal regulation shall not be granted.
(2) The Federal Ministry of the Interior, after hearing the business associations concerned and in agreement with the Federal Ministry for Economic Affairs and Energy, shall determine, by means of a legal regulation which does not require the approval of the Federal Council, the details of the procedure for issuing security certificates and recognitions pursuant to § 9 and of their content.
(3) Fees and expenses shall be charged for individually attributable public services under this Act and under the legal regulations issued for the implementation of this Act. The amount of the fees shall depend on the administrative effort associated with the services. The Federal Ministry of the Interior, in agreement with the Federal Ministry of Finance, shall determine, by means of a legal regulation which does not require the approval of the Federal Council, the chargeable facts, the fee rates and the expenses.


§ 11 Restriction of fundamental rights

The secrecy of telecommunications (Article 10 of the Basic Law) is restricted by § 5.

§ 12 Council of the Federal Government's IT Representatives

If the Council of the Federal Government's IT Representatives is dissolved, the body designated by the Federal Government as its successor organisation shall take its place. The consent of the Council of the IT Representatives may be replaced by the agreement of all federal ministries. If the Council of the IT Representatives is dissolved without replacement, the agreement of all federal ministries shall take the place of its consent.

§ 13 reporting obligations

(1) The Federal Office shall inform the Federal Ministry of the Interior about its activities.
(2) The information under paragraph 1 shall also serve to inform the public, through the Federal Ministry of the Interior, about risks to security in information technology; this shall take place at least once a year in a summary report. § 7 (1) sentences 3 and 4 shall apply accordingly.

§ 14 Provisions on Fines

(1) An administrative offence is committed by anyone who, intentionally or negligently,
1. contrary to § 8a (1) sentence 1 in conjunction with a legal regulation pursuant to § 10 (1) sentence 1, fails to take a precaution referred to there, or does not do so correctly, completely or in time,
2. contravenes an enforceable order pursuant to § 8a (3) sentence 4
a) number 1 or
b) number 2,
3. contrary to § 8b (3) sentence 1 in conjunction with a legal regulation pursuant to § 10 (1) sentence 1, fails to designate a contact point or does not do so in due time, or
4. contrary to § 8b (4) sentence 1 number 2, fails to make a notification, or does not do so correctly, completely or in due time.
(2) In the cases of paragraph 1 number 2 letter b, the administrative offence may be punished with a fine of up to one hundred thousand euros, and in the other cases of paragraph 1 with a fine of up to fifty thousand euros.
(3) The administrative authority within the meaning of § 36 (1) number 1 of the Act on Administrative Offences is the Federal Office.