
Act on the Federal Office for Information Security

Original Language Title: Gesetz über das Bundesamt für Sicherheit in der Informationstechnik


Act on the Federal Office for Information Security (BSI Act, BSIG)

Unofficial table of contents

BSIG

Date of issue: 14.08.2009

Full quote:

"BSI Act of 14 August 2009 (BGBl. I p. 2821), as amended by Article 8 of the Act of 17 July 2015 (BGBl. I p. 1324)"

Status: Last amended by Art. 3 (7) G v. 7.8.2013 I 3154
Note: Amendment by Art. 1 G v. 17.7.2015 I 1324 (No 31) not yet taken into account
Amendment by Art. 8 G v. 17.7.2015 I 1324 (No 31) incorporated in the text, not yet conclusively processed in documentary form
Note: Indirect amendment by Art. 9 G v. 17.7.2015 I 1324 (No. 31) not yet taken into account


Footnote

(+++ Text evidence from: 20.8.2009 +++)

The Act was adopted by the Bundestag as Art. 1 of the Act of 14.8.2009 I 2821. Pursuant to Article 3, first sentence, of that Act it entered into force on 20.8.2009.

§ 1 Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik)

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, Federal Office) is a higher federal authority (Bundesoberbehörde). The Federal Office is responsible for security in information technology at the national level. It is subordinate to the Federal Ministry of the Interior.

§ 2 Definitions

(1) Information technology within the meaning of this Act covers all technical means for the processing or transmission of information. (2) Security in information technology within the meaning of this Act means compliance with certain security standards relating to the availability, integrity or confidentiality of information, by means of security measures
1.
in information technology systems, components or processes, or
2.
in the application of information technology systems, components or processes.
(3) Communication technology of the Federal Government within the meaning of this Act is the information technology operated by one or more federal authorities or on behalf of one or more federal authorities and serving the communication or data exchange of the federal authorities among themselves or with third parties. Communication technology of the federal courts, insofar as they do not perform public administrative tasks, of the Bundestag, the Bundesrat, the Federal President and the Federal Court of Auditors is not communication technology of the Federal Government, insofar as it
(4) Interfaces of the communication technology of the Federal Government within the meaning of this Act are security-relevant network transitions within the communication technology of the Federal Government and between it and the information technology of individual federal authorities, groups of federal authorities or third parties. This does not apply to the components at the network transitions operated under the own responsibility of the courts and constitutional bodies referred to in paragraph 3 sentence 2.
(5) Malicious programs within the meaning of this Act are programs and other information technology routines and procedures which serve the purpose of using or deleting data without authorisation, or which serve the purpose of influencing other information technology processes without authorisation.
(6) Security vulnerabilities within the meaning of this Act are properties of programs or other information technology systems by means of which it is possible for third parties to gain access to external information technology systems against the will of the authorised person or to influence the function of the information technology systems.
(7) Certification within the meaning of this Act is the determination by a certification body that a product, a process, a system, a protection profile (security certification), a person (personal certification) or an IT security service provider meets specific requirements.
(8) Protocol data within the meaning of this Act are control data of an information technology protocol for data transmission which are transmitted independently of the content of a communication process or stored on the servers involved in the communication process, and which are necessary to ensure communication between receiver and sender. Protocol data may contain traffic data pursuant to § 3 number 30 of the Telecommunications Act and usage data pursuant to § 15 (1) of the Telemedia Act.
(9) Data traffic within the meaning of this Act is the data transmitted by means of technical protocols. Data traffic may contain telecommunications content pursuant to § 88 (1) of the Telecommunications Act and usage data pursuant to § 15 (1) of the Telemedia Act.
(10) Critical infrastructures within the meaning of this Act are facilities, installations or parts thereof which
1.
belong to the energy, information technology and telecommunications, transport and traffic, health, water, food, and finance and insurance sectors, and
2.
are of great importance for the functioning of the community, because their failure or impairment would result in significant supply shortages or threats to public safety.
The critical infrastructures within the meaning of this Act shall be determined by the statutory ordinance pursuant to § 10 (1).

§ 3 Tasks of the Federal Office

(1) The Federal Office promotes security in information technology. To this end, it performs the following tasks:
1.
Prevention of threats to the security of information technology of the federal government;
2.
Collection and analysis of information on security risks and security precautions, and provision of the findings obtained to other bodies, to the extent that this is necessary for the performance of their tasks, and to third parties, insofar as this is necessary to safeguard their security interests;
3.
Investigation of security risks in the application of information technology, as well as the development of security measures, in particular information technology processes and devices for security in information technology (IT security products), insofar as this is necessary for the performance of tasks of the Federal Government, including research in the context of its legal tasks;
4.
Development of criteria, procedures and tools for the verification and evaluation of the security of information technology systems or components and for the verification and evaluation of conformity in the field of IT security;
5.
Audit and assessment of the security of information technology systems or components and issue of security certificates;
6.
Verification and confirmation of conformity in the area of IT security of information technology systems and components with technical guidelines of the Federal Office;
7.
Examination, evaluation and approval of information technology systems or components which are to be used for the processing or transmission of officially classified information pursuant to § 4 of the Security Clearance Act within the Federal Government or by companies in the context of federal contracts;
8.
Production of key data and operation of crypto and security management systems for information-securing systems of the Federal Government which are used in the field of state secret protection or, at the request of the authority concerned, also in other areas;
9.
Support and advice on organisational and technical security measures, and conduct of technical examinations, for the protection of officially classified information pursuant to § 4 of the Security Clearance Act against access by unauthorised persons;
10.
Development of safety-related requirements for the information technology of the Federal Government and the suitability of contractors in the field of information technology with special protection requirements;
11.
Provision of IT security products for federal agencies;
12.
Support of the federal authorities responsible for security in information technology, in particular insofar as they perform advisory or supervisory tasks; this applies primarily to the Federal Commissioner for Data Protection, whom the Federal Office supports within the framework of the independence to which the Commissioner is entitled in the performance of the duties under the Federal Data Protection Act;
13.
Support
a)
the police and law enforcement authorities in the performance of their legal duties,
b)
the constitutional protection authorities in the evaluation and assessment of information relating to the monitoring of terrorist activities or intelligence activities within the framework of the legal powers under the constitutional protection laws of the Federation and the Länder,
c)
of the Federal Intelligence Service in the performance of its legal tasks.
Support may only be provided insofar as it is necessary to prevent or investigate activities which are directed against security in information technology or which are carried out using information technology. Requests for support shall be placed on record by the Federal Office;
14.
Advising and warning of the bodies of the Federation and the Länder as well as manufacturers, distributors and users on questions of security in information technology, taking into account the possible consequences of missing or insufficient security measures;
15.
Establishment of appropriate communication structures for early crisis detection, crisis response and crisis management as well as coordination of cooperation to protect security in the information technology of Critical Infrastructures in conjunction with the Private sector;
16.
Tasks as a central body in the field of information technology security with a view to cooperation with the competent authorities abroad, without prejudice to the special responsibilities of other bodies;
17.
Tasks in accordance with § § 8a and 8b as the central office for security in the information technology of critical infrastructures.
(2) The Federal Office may assist the Länder in securing their information technology upon request. (3) The Federal Office may, at their request, advise and support operators of critical infrastructures in securing their information technology or refer them to qualified security service providers.

§ 4 Central Reporting Point for Security in the Information Technology of the Federal Government

(1) The Federal Office is the central reporting point for cooperation between the federal authorities in matters of security in information technology. (2) In order to perform this task, the Federal Office shall
1.
collect and evaluate all information required to avert threats to security in information technology, in particular information on security vulnerabilities, malicious programs, attacks or attempted attacks on security in information technology, and the methods observed in doing so,
2.
inform the federal authorities without delay of the information referred to in point 1 which concerns them and of the facts that have come to light.
(3) If other federal authorities become aware of information referred to in paragraph 2 (1) which is relevant to the performance of their own tasks or to the security of the information technology of other authorities, they shall, from 1 January 2010, inform the Federal Office thereof. (4) Exempt from the duties to inform under paragraph 2 (2) and paragraph 3 is information which may not be passed on on the basis of rules on the protection of classified information or agreements with third parties, or whose passing on would be contrary to the (5) The provisions on the protection of personal data shall remain unaffected. (6) The Federal Ministry of the Interior, after obtaining the approval of the Council of the Federal Government's IT officers, shall issue general administrative provisions for the implementation of paragraph 3.

§ 5 Defence against malicious programs and threats to the communication technology of the Federal Government

(1) In order to avert threats to the communication technology of the Federal Government, the Federal Office may
1.
collect and automatically evaluate protocol data generated during the operation of the communication technology of the Federal Government, insofar as this is necessary to detect, limit or eliminate faults or errors in the communication technology of the Federal Government or attacks on the information technology of the Federal Government,
2.
automatically evaluate the data generated at the interfaces of the communication technology of the Federal Government, insofar as this is necessary to detect and defend against malicious programs.
Unless the following paragraphs permit further use, the automated evaluation of these data must be carried out without delay, and the data must be deleted immediately and without trace once the comparison has been made. The restrictions on use do not apply to protocol data, provided these contain neither personal data nor data subject to telecommunications secrecy. The federal authorities are obliged to support the Federal Office in measures under sentence 1 and, in doing so, to ensure the Federal Office's access to the authorities' internal protocol data under sentence 1 number 1 and to the interface data under sentence 1 number 2. Protocol data of the federal courts may be collected only with their agreement. (2) Protocol data under paragraph 1 sentence 1 number 1 may be stored beyond the period required for the automated evaluation under paragraph 1 sentence 1 number 1, but for no longer than three months, insofar as there are actual indications that, in the event of confirmation of a suspicion under paragraph 3 sentence 2, they may be required to avert threats emanating from the malicious program found or to detect and defend against other malicious programs. Organisational and technical measures shall ensure that the data stored under this paragraph are evaluated only in an automated manner. The data shall be pseudonymised insofar as this is possible in an automated manner. Non-automated evaluation or use relating to a person is permitted only in accordance with the following paragraphs. Insofar as this requires restoring the personal reference of pseudonymised data, this must be ordered by the President of the Federal Office. The decision shall be recorded.
(3) The use of personal data beyond the provisions of paragraphs 1 and 2 shall be permitted only if certain facts give rise to the suspicion that:
1.
they contain a malicious program,
2.
they have been transmitted through a malicious programme, or
3.
out of them may give evidence of a malicious program,
and insofar as the data processing is necessary in order to confirm or refute the suspicion. In the case of confirmation, further processing of personal data is permitted insofar as this is necessary
1.
to defend against the malicious program,
2.
to avert threats emanating from the malicious program that has been found, or
3.
is required to detect and defend other malicious programs.
A malicious program may be removed or prevented from functioning. The non-automated use of the data under sentences 1 and 2 may be ordered only by a member of staff of the Federal Office qualified to hold judicial office. (4) The participants in the communication process shall be notified at the latest after the detection of and defence against a malicious program, or against threats emanating from a malicious program, if they are known or their identification is possible without disproportionate further investigation and no overriding interests of third parties worthy of protection stand in the way. Notification may be omitted if the person was affected only insignificantly and it may be assumed that they have no interest in being notified. The Federal Office shall submit cases in which it refrains from notification to the official data protection officer of the Federal Office and to a further member of staff of the Federal Office qualified to hold judicial office for review. In exercising this task, the official data protection officer is not bound by instructions and may not be disadvantaged for this reason (§ 4f (3) of the Federal Data Protection Act). If the official data protection officer objects to the decision of the Federal Office, the notification shall be made subsequently. The decision not to notify shall be documented. The documentation may be used only for the purposes of data protection control. It shall be deleted after twelve months. In the cases referred to in paragraphs 5 and 6, notification shall be made by the authorities named there in corresponding application of the provisions applicable to those authorities. If these contain no provisions on notification duties, the provisions of the Code of Criminal Procedure shall apply accordingly.
(5) The Federal Office may transmit the personal data used under paragraph 3 to the law enforcement authorities for the prosecution of a criminal offence committed by means of a malicious program pursuant to §§ 202a, 202b, 303a or 303b of the Criminal Code. It may also transmit these data
1.
to avert a threat to public security directly from a malicious programme to the police forces of the federal and state governments,
2.
to the Federal Office for the Protection of the Constitution for information on facts that reveal security-threatening or intelligence-related activities for a foreign power.
(6) For other purposes, the Federal Office may transmit the data
1.
to the law enforcement authorities for the prosecution of a criminal offence of considerable importance also in the individual case, in particular a criminal offence referred to in § 100a (2) of the Code of Criminal Procedure,
2.
to the police forces of the Federation and the Länder to avert a threat to the existence or security of the state, or to the life, limb or freedom of a person, or to property of significant value whose preservation is in the public interest,
3.
to the constitutional protection authorities of the Federation and the Länder, if there are actual indications of activities in the Federal Republic of Germany which, through the use of force or preparatory acts aimed at it, are directed against the interests protected under § 3 (1) of the Federal Constitutional Protection Act.
Transmission under sentence 1 numbers 1 and 2 requires prior judicial consent. The procedure under sentence 1 numbers 1 and 2 is governed accordingly by the provisions of the Act on Proceedings in Family Matters and in Matters of Non-contentious Jurisdiction. The local court in whose district the Federal Office has its seat is competent. Transmission under sentence 1 number 3 takes place after approval by the Federal Ministry of the Interior; §§ 9 to 16 of the Article 10 Act apply accordingly. (7) Evaluation of content for other purposes beyond the preceding paragraphs, and the passing on of personal data to third parties, are inadmissible. As far as possible, it shall be technically ensured that data relating to the core area of private life are not collected. If, on the basis of the measures under paragraphs 1 to 3, findings from the core area of private life or data within the meaning of § 3 (9) of the Federal Data Protection Act are obtained, they may not be used. Findings from the core area of private life shall be deleted immediately. This also applies in cases of doubt. The fact of their acquisition and deletion shall be documented. The documentation may be used only for the purposes of data protection control. It shall be deleted when it is no longer required for these purposes, but at the latest at the end of the calendar year following the year of documentation.
Where, within the framework of paragraphs 4 or 5, the contents or circumstances of the communication of persons referred to in § 53 (1) sentence 1 of the Code of Criminal Procedure are transmitted, to which the right of those persons to refuse testimony extends, the use of such data for evidentiary purposes in criminal proceedings is admissible only insofar as the subject-matter of those proceedings is a criminal offence punishable by a maximum term of imprisonment of at least five years. (8) Before commencing data collection and use, the Federal Office shall draw up a data collection and use concept and keep it available for reviews by the Federal Commissioner for Data Protection and Freedom of Information. The concept shall take into account the special protection requirements of government communication. The criteria used for the automated evaluation shall be documented. The Federal Commissioner for Data Protection and Freedom of Information shall also inform the Council of the Federal Government's IT officers of the result of the reviews under § 24 of the Federal Data Protection Act. (9) The Federal Office shall inform the Federal Commissioner for Data Protection and Freedom of Information each year by 30 June of the year following the reporting year of
1.
the number of operations in which data were transmitted under paragraph 5 sentence 1, paragraph 5 sentence 2 number 1 or paragraph 6 sentence 1 number 1, broken down by the individual transmission powers,
2.
the number of evaluations relating to persons under paragraph 3 sentence 1 in which the suspicion was refuted,
3.
the number of cases in which the Federal Office, pursuant to paragraph 4 sentence 2 or 3, refrained from notifying the persons concerned.
(10) The Federal Office shall inform the Committee on Internal Affairs of the German Bundestag of the application of this provision each year by 30 June of the year following the reporting year.

§ 6 Deletion

Insofar as the Federal Office collects personal data within the scope of its powers, these shall be deleted without delay as soon as they are no longer required for the performance of the tasks for which they were collected or for a possible judicial review. Insofar as deletion is deferred only for a possible judicial review of measures under § 5 (3), the data may be used without the consent of the person concerned only for that purpose; they shall be blocked for other purposes. § 5 (7) shall remain unaffected.

§ 7 Warnings

(1) In order to perform its tasks under § 3 (1) sentence 2 number 14, the Federal Office may
1.
issue the following warnings to the public or to the parties concerned:
a)
Warnings about security vulnerabilities in information technology products and services,
b)
Warnings against malicious programs and
c)
warnings in the event of loss of or unauthorized access to data;
2.
Recommend security measures as well as the use of certain security products.
The Federal Office may involve third parties in performing the tasks under sentence 1 if this is necessary for an effective and timely warning. Manufacturers of the products concerned shall be informed in good time of any warnings relating to their products, provided this does not endanger the achievement of the purpose of the measure. Insofar as security vulnerabilities or malicious programs are not to be made generally known, in order to prevent their further spread or unlawful exploitation, or because the Federal Office is bound to confidentiality towards third parties, it may limit the circle of persons to be warned on the basis of factual criteria; factual criteria may in particular be the particular risk to certain establishments or the particular reliability of the recipient. (2) In order to perform its tasks under § 3 (1) sentence 2 number 14, the Federal Office may, naming the designation and manufacturer of the product concerned, warn the public of security vulnerabilities in information technology products and services and of malicious programs, or recommend security measures and the use of certain security products, if there is sufficient evidence that threats to security in information technology emanate from them. If the information given to the public subsequently proves to be false, or the underlying circumstances prove to have been reported inaccurately, this shall be made public without delay.

§ 7a Investigation of security in information technology

(1) For the performance of its tasks under § 3 (1) sentence 2 numbers 1, 14 and 17, the Federal Office may examine information technology products and systems made available on the market or intended to be made available on the market. In doing so, it may avail itself of the support of third parties, insofar as the legitimate interests of the manufacturer of the products and systems concerned do not preclude this. (2) The findings obtained from the examinations may be used only for the performance of the tasks under § 3 (1) sentence 2 numbers 1, 14 and 17. The Federal Office may pass on and publish its findings insofar as this is necessary for the performance of these tasks. The manufacturer of the products and systems concerned shall be given the opportunity to comment within a reasonable period.

§ 8 Requirements of the Federal Office

(1) The Federal Office shall draw up minimum standards for the security of the information technology of the Federal Government. The Federal Ministry of the Interior, in consultation with the Council of the Federal Government's IT officers, may adopt these minimum standards, in whole or in part, as general administrative provisions for all bodies of the Federal Government. Upon request, the Federal Office shall advise the bodies of the Federal Government on the implementation of and compliance with the minimum standards. For the courts and constitutional bodies referred to in § 2 (3) sentence 2, the provisions of this paragraph are non-binding. (2) The Federal Office shall, within the scope of its tasks, provide technical guidelines pursuant to § 3 (1) sentence 2 number 10, which the federal authorities shall take into account as a framework for developing appropriate requirements for contractors (suitability) and IT products (specification) when conducting procurement procedures. The provisions of procurement law and of the protection of classified information remain unaffected. (3) The provision of IT security products by the Federal Office pursuant to § 3 (1) sentence 2 number 11 shall take place by in-house development or after conducting procurement procedures on the basis of a corresponding requirement. IT security products may be made available through in-house development of the Federal Office only in justified exceptional cases. The provisions of procurement law remain unaffected. If the Federal Office provides IT security products, the federal authorities may obtain these products from the Federal Office. By decision of the Council of the Federal Government's IT officers, it may be determined that the federal authorities are obliged to obtain these products from the Federal Office.
Own procurement by other federal authorities is permissible in this case only if the specific requirement profile necessitates the use of different products. Sentences 5 and 6 do not apply to the courts and constitutional bodies referred to in § 2 (3) sentence 2.

§ 8a Security in the Information Technology of Critical Infrastructures

(1) Operators of critical infrastructures are obliged, at the latest two years after the entry into force of the statutory ordinance pursuant to § 10 (1), to take appropriate organisational and technical precautions to avoid disruptions of the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes which are relevant to the functioning of the critical infrastructures they operate. In doing so, the state of the art shall be observed. Organisational and technical precautions are appropriate if the effort required for them is not disproportionate to the consequences of a failure or impairment of the critical infrastructure concerned. (2) Operators of critical infrastructures and their industry associations may propose industry-specific security standards in order to meet the requirements of paragraph 1. At their request, the Federal Office shall determine whether these standards are suitable to ensure the requirements of paragraph 1. The determination shall be made
1.
in consultation with the Federal Office for Civil Protection and Disaster Assistance,
2.
in agreement with the competent supervisory authority of the federal government or in consultation with the otherwise competent supervisory authority.
(3) Operators of critical infrastructures shall demonstrate in a suitable manner, at least every two years, that they meet the requirements of paragraph 1. Proof may be provided by means of security audits, examinations or certifications. The operators shall submit to the Federal Office a list of the audits, examinations or certifications carried out, including the security defects discovered. In the event of security defects, the Federal Office may require:
1.
the transmission of the complete audit, examination or certification results, and
2.
in agreement with the competent supervisory authority of the Federal Government or in consultation with the otherwise competent supervisory authority, the remedying of the security defects.
(4) To shape the procedure for the security audits, examinations and certifications referred to in paragraph 3, the Federal Office may, after consulting representatives of the operators concerned and of the trade associations concerned, lay down requirements for the manner in which they are conducted, for the evidence to be issued in this respect, and for the professional and organisational requirements to be met by the auditing body.

§ 8b Central Office for Security in Information Technology of Critical Infrastructures

(1) The Federal Office is the central reporting point for operators of critical infrastructures in matters of security in information technology. (2) In order to perform this task, the Federal Office shall
1.
collect and evaluate information that is essential to avert threats to security in information technology, in particular information on security vulnerabilities, malicious programs or attempted attacks on security in information technology, and the methods observed in doing so,
2.
to analyse their potential impact on the availability of critical infrastructures in cooperation with the relevant supervisory authorities and the Federal Office for Civil Protection and Disaster Assistance,
3.
continuously update the situation with regard to security in the information technology of critical infrastructures; and
4.
immediate
a)
the operators of critical infrastructure relating to the information referred to in points 1 to 3;
b)
the competent supervisory authorities and the competent federal authorities responsible for the information required for the performance of their tasks, as referred to in points 1 to 3, and
c)
the competent supervisory authorities of the Länder or the competent authorities designated for this purpose by the Federal Office of the Länder as central contact points, concerning the information required for the performance of their tasks, in accordance with points 1 to 3
shall be informed.
(3) Within six months after the entry into force of the statutory order pursuant to § 10 (1), the operators of Critical Infrastructures shall designate a contact point for the communication structures referred to in § 3 (1) sentence 2 number 15. The operators shall ensure that they can be reached through it at any time. The transmission of information by the Federal Office pursuant to paragraph 2 number 4 shall be made to this contact point. (4) Operators of Critical Infrastructures shall report to the Federal Office, without delay and via the contact point, significant disturbances of the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes which
1.
may lead to, or
2.
have led to
a failure or impairment of the functionality of the Critical Infrastructures they operate. The report shall contain details of the disturbance and of the technical framework conditions, in particular the suspected or actual cause, the information technology concerned, the nature of the facility or installation concerned, and the sector of the operator. Naming the operator is required only if the disturbance has actually resulted in a failure or impairment of the functionality of the Critical Infrastructure. (5) In addition to their contact points under paragraph 3, operators of Critical Infrastructures belonging to the same sector may designate a common higher-level contact point. Where one has been designated, the exchange of information between the contact points and the Federal Office shall normally be carried out via the common contact point. (6) Insofar as necessary, the Federal Office may require the manufacturer of the information technology products and systems concerned to participate in eliminating or preventing a disturbance referred to in paragraph 4. Sentence 1 applies accordingly to disturbances at operators and licence holders within the meaning of § 8c (3). (7) Where personal data are collected, processed or used under this provision, any processing and use for other purposes going beyond the preceding paragraphs is not permitted. § 5 (7) sentences 3 to 8 shall apply accordingly. In all other respects, the provisions of the Federal Data Protection Act apply.

Section 8c Scope

(1) §§ 8a and 8b shall not apply to micro-enterprises within the meaning of Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36). Article 3 (4) of the Recommendation shall not apply. (2) § 8a shall not apply to:
1.
operators of Critical Infrastructures, insofar as they operate a public telecommunications network or provide publicly available telecommunications services,
2.
operators of energy supply networks or energy installations within the meaning of the Energy Economics Act of 7 July 2005 (BGBl. I p. 1970, 3621), most recently amended by Article 3 of the Law of 17 July 2015 (BGBl. I p. 1324), in the version in force at the time,
3.
licence holders pursuant to § 7 (1) of the Atomic Energy Act, in the version published on 15 July 1985 (BGBl. I p. 1565), most recently amended by Article 2 of the Law of 17 July 2015 (BGBl. I p. 1324), in the version in force at the time, for the scope of the licence, and
4.
other operators of Critical Infrastructures, insofar as they are required by law to comply with requirements comparable to or more stringent than those laid down in § 8a.
(3) § 8b (3) to (5) shall not apply to:
1.
operators of Critical Infrastructures, insofar as they operate a public telecommunications network or provide publicly available telecommunications services,
2.
operators of energy supply networks or energy installations within the meaning of the Energy Economics Act,
3.
licence holders pursuant to § 7 (1) of the Atomic Energy Act, for the scope of the licence, and
4.
other operators of Critical Infrastructures which are required by law to comply with requirements comparable to or more stringent than those laid down in § 8b (3) to (5).

§ 8d Requests for information

(1) The Federal Office may, upon request, provide third parties with information on the information received under § 8a (2) and (3) and on the reports pursuant to § 8b (4) only if the legitimate interests of the affected operator of Critical Infrastructures do not preclude this and no impairment of significant security interests is to be expected as a result. Access to personal data shall not be granted. (2) Access to the files of the Federal Office in matters pursuant to §§ 8a and 8b shall be granted only to parties to the proceedings, and only in accordance with § 29 of the Administrative Procedure Act.

§ 9 Certification

(1) The Federal Office is the national certification body of the Federal Administration for IT security. (2) For certain products or services, a security or personal certification, or a certification as an IT security service provider, may be applied for at the Federal Office. Applications shall be processed in the chronological order of their receipt; this order may be departed from if the Federal Office is unable to carry out an examination in due time because of the number and extent of pending examination procedures and there is a public interest in the grant of a certificate. The applicant shall submit to the Federal Office the documents, and provide the information, whose knowledge is necessary for the examination and evaluation of the system or component, or of the suitability of the person, and for the issue of the certificate. (3) The examination and evaluation may be carried out by competent bodies recognised by the Federal Office. (4) The security certificate shall be issued if:
1.
information technology systems, components, products or protection profiles comply with the criteria laid down by the Federal Office; and
2.
the Federal Ministry of the Interior has determined that overriding public interests, in particular security policy concerns of the Federal Republic of Germany, do not preclude its grant.
(5) Paragraph 4 shall apply accordingly to the certification of persons and IT security service providers. (6) The recognition referred to in paragraph 3 shall be granted if:
1.
the material and staffing resources and the professional qualifications and reliability of the conformity assessment body comply with the criteria laid down by the Federal Office; and
2.
the Federal Ministry of the Interior has determined that overriding public interests, in particular security policy concerns of the Federal Republic of Germany, do not preclude its grant.
The Federal Office shall ensure, by taking the necessary measures, that the continued fulfilment of the conditions set out in sentence 1 is reviewed regularly. (7) Security certificates of other recognised certification bodies from within the European Union shall be recognised by the Federal Office insofar as they attest a level of security equivalent to that of the Federal Office's security certificates and that equivalence has been established by the Federal Office.

§ 10 Authorisation to issue statutory orders

(1) The Federal Ministry of the Interior shall, after consulting representatives of the scientific community, the operators concerned and the business associations concerned, and in agreement with the Federal Ministry of Economic Affairs and Energy, the Federal Ministry of Justice and Consumer Protection, the Federal Ministry of Finance, the Federal Ministry of Labour and Social Affairs, the Federal Ministry of Food and Agriculture, the Federal Ministry of Health, the Federal Ministry of Transport and Digital Infrastructure, the Federal Ministry of Defence and the Federal Ministry for the Environment, Nature Conservation, Building and Nuclear Safety, determine by statutory order not requiring the approval of the Bundesrat which facilities, installations or parts thereof are considered Critical Infrastructures within the meaning of this Act, specifying for each sector the services which, with regard to § 2 (10) sentence 1 number 2, are to be regarded as critical because of their importance, and the level of supply that is to be regarded as significant. The level of supply to be regarded as significant under sentence 1 shall be determined on the basis of sector-specific thresholds for each service in the sector concerned that is to be regarded as critical because of its importance. Access to files relating to the creation or amendment of this statutory order shall not be granted. (2) The Federal Ministry of the Interior shall, after consulting the business associations concerned and in agreement with the Federal Ministry of Economic Affairs and Energy, determine by statutory order not requiring the approval of the Bundesrat the details of the procedure for issuing security certificates and recognitions in accordance with § 9 and of their content.
(3) For individually attributable public services provided under this Act and under the statutory orders issued to implement it, fees and expenses shall be charged. The amount of the fees depends on the administrative effort associated with the services. The Federal Ministry of the Interior shall, in agreement with the Federal Ministry of Finance, determine by statutory order not requiring the approval of the Bundesrat the chargeable matters, the rates of fees and the expenses.

§ 10 Authorisation to issue statutory orders

(1) The Federal Ministry of the Interior shall, after consulting representatives of the scientific community, the operators concerned and the business associations concerned, and in agreement with the Federal Ministry of Economic Affairs and Energy, the Federal Ministry of Justice and Consumer Protection, the Federal Ministry of Finance, the Federal Ministry of Labour and Social Affairs, the Federal Ministry of Food and Agriculture, the Federal Ministry of Health, the Federal Ministry of Transport and Digital Infrastructure, the Federal Ministry of Defence and the Federal Ministry for the Environment, Nature Conservation, Building and Nuclear Safety, determine by statutory order not requiring the approval of the Bundesrat which facilities, installations or parts thereof are considered Critical Infrastructures within the meaning of this Act, specifying for each sector the services which, with regard to § 2 (10) sentence 1 number 2, are to be regarded as critical because of their importance, and the level of supply that is to be regarded as significant. The level of supply to be regarded as significant under sentence 1 shall be determined on the basis of sector-specific thresholds for each service in the sector concerned that is to be regarded as critical because of its importance. Access to files relating to the creation or amendment of this statutory order shall not be granted. (2) The Federal Ministry of the Interior shall, after consulting the business associations concerned and in agreement with the Federal Ministry of Economic Affairs and Energy, determine by statutory order not requiring the approval of the Bundesrat the details of the procedure for issuing security certificates and recognitions in accordance with § 9 and of their content. (3) (omitted)

Section 11 Restriction of fundamental rights

The secrecy of telecommunications (Article 10 of the Basic Law) is restricted by § 5.

§ 12 Council of the IT officers of the Federal Government

If the Council of the IT Officers of the Federal Government is dissolved, the successor organisation determined by the Federal Government shall take its place. The consent of the Council of the IT Officers may be replaced by the agreement of all Federal Ministries. If the Council of the IT Officers is dissolved without replacement, the agreement of all Federal Ministries shall take the place of its consent.

§ 13 Reporting obligations

(1) The Federal Office shall inform the Federal Ministry of the Interior about its activities. (2) The information provided under paragraph 1 also serves to inform the public, through the Federal Ministry of the Interior, about risks to security in information technology; this shall take place at least once a year in a summary situation report. § 7 (1) sentences 3 and 4 shall apply accordingly.

Section 14 Provisions on administrative fines

(1) An administrative offence is committed by anyone who intentionally or negligently
1.
contrary to § 8a (1) sentence 1, in conjunction with a statutory order pursuant to § 10 (1) sentence 1, fails to take a precaution referred to there, or does not take it correctly, completely or in good time,
2.
contravenes an enforceable order pursuant to § 8a (3) sentence 4
a)
number 1 or
b)
number 2,
3.
contrary to § 8b (3) sentence 1, in conjunction with a statutory order pursuant to § 10 (1) sentence 1, fails to designate a contact point or does not designate it in good time, or
4.
contrary to § 8b (4) sentence 1 number 2, fails to make a report, or does not make it correctly, completely or in good time.
(2) In the cases referred to in paragraph 1 number 2 letter b, the administrative offence may be punished with a fine of up to one hundred thousand euro and, in the other cases referred to in paragraph 1, with a fine of up to EUR 50 000. (3) The administrative authority within the meaning of § 36 (1) number 1 of the Act on Administrative Offences is the Federal Office.