Law On The Federal Office For Security In Information Technology

Original Language Title: Gesetz über das Bundesamt für Sicherheit in der Informationstechnik


Read the untranslated law here: http://www.gesetze-im-internet.de/bsig_2009/BJNR282110009.html

Act on the Federal Office for Information Security (BSI Act - BSIG). Date of issue: 14.08.2009. Full citation: "BSI Act of 14 August 2009 (BGBl. I p. 2821), as amended by Article 8 of the Act of 17 July 2015 (BGBl. I p. 1324)". Status: last amended by Article 3 paragraph 7 of the Act of 7.8.2013 (BGBl. I p. 3154). Note: the amendment by Article 1 of the Act of 17.7.2015 (BGBl. I p. 1324, No. 31) has not yet been taken into account; the amendment by Article 8 of the Act of 17.7.2015 (BGBl. I p. 1324, No. 31) is reflected in the text but has not yet been fully processed documentarily. Note: the consequential amendment by Article 9 of the Act of 17.7.2015 (BGBl. I p. 1324, No. 31) has not yet been taken into account. For more on the status, see the remarks in the menu. Footnote (+++ text evidence from: 20.8.2009 +++): the Act was adopted by the Bundestag as Article 1 of the Act of 14.8.2009 (BGBl. I p. 2821). Pursuant to Article 3 sentence 1 of that Act, it entered into force on 20.8.2009.

§ 1 Federal Office for Information Security. The Federal Government maintains a Federal Office for Information Security (Federal Office) as a higher federal authority. The Federal Office is responsible for information security at the national level. It is subordinate to the Federal Ministry of the Interior.

§ 2 Definitions (1) Information technology within the meaning of this Act comprises all technical means for the processing or transmission of information.
(2) Security in information technology within the meaning of this Act means compliance with specific security standards concerning the availability, integrity or confidentiality of information by means of security precautions 1. in information technology systems, components or processes, or 2. in the application of information technology systems, components or processes.
(3) Communication technology of the Federal Government within the meaning of this Act is information technology that is operated by one or more federal authorities, or on behalf of one or more federal authorities, and serves the communication or data exchange of the federal authorities among themselves or with third parties. Communication technology of the federal courts, insofar as they do not perform public administrative tasks, of the Bundestag, the Bundesrat, the Federal President and the Federal Court of Auditors is not communication technology of the Federal Government insofar as it is operated exclusively under their own responsibility.
(4) Interfaces of the communication technology of the Federal Government within the meaning of this Act are security-relevant network transitions within the communication technology of the Federal Government and between it and the information technology of individual federal authorities, groups of federal authorities or third parties. This does not apply to the components at the network transitions that the courts and constitutional bodies referred to in paragraph 3 sentence 2 operate under their own responsibility.
(5) Malicious programs within the meaning of this Act are programs and other information technology routines and procedures that serve the purpose of using or deleting data without authorisation, or that are intended to affect other information technology processes without authorisation.
(6) Security vulnerabilities within the meaning of this Act are properties of programs or other information technology systems whose exploitation makes it possible for third parties, against the will of the authorised party, to gain access to external information technology systems or to affect the functioning of information technology systems.
(7) Certification within the meaning of this Act is the determination by a certification body that a product, a process, a system, a protection profile (security certification), a person (personnel certification) or an IT security service provider fulfils certain requirements.
(8) Protocol data within the meaning of this Act are control data of an information technology protocol for data transmission which, independently of the content of a communication process, are transmitted or stored on the servers involved in the communication process and are necessary to ensure the communication between recipient and sender. Protocol data may contain traffic data pursuant to § 3 number 30 of the Telecommunications Act and usage data pursuant to § 15 paragraph 1 of the Telemedia Act.
(9) Data traffic within the meaning of this Act is the data transmitted by means of technical protocols. Data traffic may contain telecommunications content pursuant to § 88 paragraph 1 of the Telecommunications Act and usage data pursuant to § 15 paragraph 1 of the Telemedia Act.
(10) Critical infrastructures within the meaning of this Act are facilities, installations or parts thereof which 1. belong to the sectors of energy, information technology and telecommunications, transport and traffic, health, water, food, and finance and insurance, and 2. are of high importance for the functioning of the community, because their failure or impairment would result in significant supply shortages or threats to public safety.
The critical infrastructures within the meaning of this Act are determined in more detail by the ordinance pursuant to § 10 paragraph 1.

§ 3 Tasks of the Federal Office (1) The Federal Office promotes security in information technology. To this end it performs the following tasks: 1. defence against threats to the security of the information technology of the Federal Government;
2. collection and evaluation of information on security risks and security precautions, and making the findings available to other bodies insofar as this is necessary for the performance of their tasks, and to third parties insofar as this is necessary to safeguard their security interests;
3. investigation of security risks in the application of information technology and development of security precautions, in particular information technology procedures and devices for security in information technology (IT security products), insofar as this is necessary for the performance of the tasks of the Federal Government, including research within the scope of its statutory tasks;
4. development of criteria, procedures and tools for testing and evaluating the security of information technology systems or components, and for testing and evaluating conformity in the field of IT security;
5. testing and evaluation of the security of information technology systems or components, and issuing of security certificates;
6. testing and confirmation of the conformity of information technology systems and components with the Technical Guidelines of the Federal Office with regard to security in information technology;
7. testing, evaluation and approval of information technology systems or components used for the processing or transmission of officially classified information pursuant to § 4 of the Security Clearance Check Act within the Federal Government or by companies within the framework of federal contracts;
8. production of key data and operation of crypto and security management systems for information assurance systems of the Federal Government that are used in the protection of state secrets or, at the request of the authority concerned, in other areas;
9. support and advice on organisational and technical security measures, and conduct of technical examinations for the protection of officially classified information pursuant to § 4 of the Security Clearance Check Act against access by unauthorised persons;
10. development of security requirements to be applied to the information technology of the Federal Government, and for the suitability of contractors in the field of information technology with special protection needs;
11. provision of IT security products for bodies of the Federal Government;
12. support of the bodies of the Federal Government responsible for security in information technology, in particular insofar as they perform advisory or supervisory tasks; this applies primarily to the Federal Commissioner for Data Protection, whose support is provided within the framework of the independence he enjoys in the performance of his tasks under the Federal Data Protection Act;
13. support a) of the police and prosecuting authorities in the performance of their statutory tasks, b) of the constitutional protection authorities in the evaluation and assessment of information arising from the monitoring of terrorist activities or intelligence activities within the framework of the statutory powers under the constitutional protection laws of the Federation and the Länder, c) of the Federal Intelligence Service in the performance of its statutory tasks.
Support may be granted only insofar as it is necessary to prevent or investigate activities that are directed against security in information technology or are carried out using information technology. Requests for support shall be recorded by the Federal Office;
14. advice and warning of the bodies of the Federal Government, the Länder and manufacturers, distributors and users in matters of security in information technology, taking into account the possible consequences of missing or inadequate security precautions;
15. establishment of suitable communication structures for early crisis detection, crisis response and crisis management, and coordination of cooperation to protect security in the information technology of critical infrastructures in conjunction with the private sector;
16. tasks as central body in the field of security in information technology with regard to cooperation with the competent bodies abroad, without prejudice to the specific responsibilities of other bodies;
17. tasks pursuant to §§ 8a and 8b as central body for security in the information technology of critical infrastructures.
(2) The Federal Office may, on request, support the Länder in securing their information technology.
(3) The Federal Office may, at their request, advise and support operators of critical infrastructures in securing their information technology, or refer them to qualified security service providers.

§ 4 Central reporting office for security in the information technology of the Federal Government (1) The Federal Office is the central reporting office for cooperation among the federal authorities in matters of security in information technology.
(2) In order to perform this task, the Federal Office shall 1. collect and evaluate all information necessary to ward off threats to security in information technology, in particular on security vulnerabilities, malicious programs, attacks carried out or attempted on security in information technology and the methods observed in doing so, and 2. inform the federal authorities without delay of the information referred to in number 1 that concerns them and of the correlations identified.
(3) If other federal authorities become aware of information referred to in paragraph 2 number 1 that is significant for the performance of tasks or for the security of the information technology of other authorities, they shall inform the Federal Office thereof from 1 January 2010, insofar as other provisions do not preclude this.
(4) Exempt from the obligations to provide information under paragraph 2 number 2 and paragraph 3 is information that may not be passed on due to provisions on the protection of classified information or agreements with third parties, or whose passing on would conflict with the constitutional position of a member of the Bundestag or a constitutional body, or with the statutorily regulated independence of individual bodies.
(5) The provisions on the protection of personal data shall remain unaffected.
(6) The Federal Ministry of the Interior shall issue general administrative provisions for the implementation of paragraph 3 after approval by the Council of the IT Commissioners of the Federal Government.

§ 5 Defence against malicious programs and threats to the communication technology of the Federal Government (1) In order to ward off threats to the communication technology of the Federal Government, the Federal Office may 1. collect and automatically evaluate protocol data arising during the operation of the communication technology of the Federal Government, insofar as this is necessary to detect, contain or remedy disturbances or faults in the communication technology of the Federal Government or attacks on the information technology of the Federal Government, 2. automatically evaluate the data arising at the interfaces of the communication technology of the Federal Government, insofar as this is necessary for the detection of and defence against malicious programs.
Unless the following paragraphs permit further use, the automated evaluation of these data must take place without delay, and the data must be deleted immediately and without trace once the comparison has been carried out. The restrictions on use do not apply to protocol data, provided that they contain neither personal data nor data subject to the secrecy of telecommunications. The federal authorities are obliged to support the Federal Office in measures pursuant to sentence 1 and, in doing so, to ensure the Federal Office's access to internal protocol data pursuant to sentence 1 number 1 and interface data pursuant to sentence 1 number 2. Protocol data of the federal courts may be collected only with their agreement.
(2) Protocol data pursuant to paragraph 1 sentence 1 number 1 may be stored beyond the period required for the automated evaluation pursuant to paragraph 1 sentence 1 number 1, but for no longer than three months, insofar as there are actual indications that, in the event that a suspicion pursuant to paragraph 3 sentence 2 is confirmed, they may be required to ward off threats emanating from the malicious program found or to detect and ward off other malicious programs. It must be ensured by organisational and technical measures that the data stored under this paragraph are evaluated only by automated means. The data shall be pseudonymised insofar as this is possible by automated means. Non-automated evaluation or use in relation to identified persons is permitted only in accordance with the following paragraphs. Insofar as this requires restoring the link between pseudonymised data and a person, this must be ordered by the President of the Federal Office. The decision shall be recorded.
(3) Use of personal data going beyond paragraphs 1 and 2 is permitted only if specific facts give rise to the suspicion that 1. the data contain a malicious program, 2. the data were transmitted by a malicious program, or 3. indications of a malicious program may be derived from the data, and insofar as the data processing is necessary to confirm or refute the suspicion. If the suspicion is confirmed, further processing of personal data is permitted insofar as this is necessary 1. to ward off the malicious program, 2. to ward off threats emanating from the malicious program found, or 3. to detect and ward off other malicious programs.
A malicious program may be removed or hindered in its functioning. Non-automated use of the data pursuant to sentences 1 and 2 may be ordered only by an official of the Federal Office who is qualified to hold judicial office.
(4) The participants in the communication process shall be notified no later than after the detection of and defence against a malicious program, or against threats emanating from a malicious program, if they are known or their identification is possible without disproportionate further investigation and overriding legitimate interests of third parties do not preclude this. Notification may be dispensed with if the person was affected only insignificantly and it can be assumed that the person has no interest in being notified. The Federal Office shall submit cases in which it refrains from notification to the Federal Office's official data protection officer and to a further official of the Federal Office who is qualified to hold judicial office, for review. The official data protection officer is not bound by instructions in performing this task and may not be disadvantaged for this reason (§ 4f paragraph 3 of the Federal Data Protection Act). If the official data protection officer objects to the decision of the Federal Office, the notification shall be made subsequently. The decision not to notify shall be documented. The documentation may be used exclusively for purposes of data protection supervision. It shall be deleted after twelve months. In the cases of paragraphs 5 and 6, notification shall be made by the authorities named there, applying the rules that govern those authorities accordingly. If those rules contain no provisions on notification obligations, the provisions of the Code of Criminal Procedure shall apply accordingly.
(5) The Federal Office may transmit the personal data used pursuant to paragraph 3 to the prosecuting authorities for the prosecution of a criminal offence committed by means of a malicious program under §§ 202a, 202b, 303a or 303b of the Criminal Code. It may also transmit these data 1. to the police forces of the Federation and the Länder, to ward off a threat to public safety emanating directly from a malicious program, 2. to the Federal Office for the Protection of the Constitution, to provide information on facts that indicate activities endangering security or intelligence activities for a foreign power.
(6) For other purposes, the Federal Office may transmit the data 1. to the prosecuting authorities for the prosecution of a criminal offence of substantial significance, also in the individual case, in particular an offence referred to in § 100a paragraph 2 of the Code of Criminal Procedure, 2. to the police forces of the Federation and the Länder to ward off a threat to the existence or security of the State, or to the life, limb or liberty of a person, or to property of significant value whose preservation is required in the public interest, 3. to the constitutional protection authorities of the Federation and the Länder if there are actual indications of activities in the Federal Republic of Germany that are directed, through the use of violence or preparatory acts aimed at it, against the interests protected under § 3 paragraph 1 of the Federal Act on the Protection of the Constitution.
Transmission pursuant to sentence 1 numbers 1 and 2 requires prior judicial approval. The provisions of the Act on Proceedings in Family Matters and in Matters of Non-Contentious Jurisdiction apply accordingly to the procedure pursuant to sentence 1 numbers 1 and 2. The local court in whose district the Federal Office has its seat has jurisdiction. Transmission pursuant to sentence 1 number 3 takes place after approval by the Federal Ministry of the Interior; §§ 9 to 16 of the Article 10 Act apply accordingly.
(7) Content evaluation for other purposes going beyond the preceding paragraphs, and the passing on of personal data to third parties, are not permitted. As far as possible, it must be ensured by technical means that data relating to the core area of private life are not collected. If, as a result of the measures under paragraphs 1 to 3, knowledge from the core area of private life or data within the meaning of § 3 paragraph 9 of the Federal Data Protection Act is obtained, it may not be used. Knowledge from the core area of private life shall be deleted without delay. This also applies in cases of doubt. The fact that such knowledge was obtained and deleted shall be documented. The documentation may be used exclusively for purposes of data protection supervision. It shall be deleted when it is no longer required for these purposes, but at the latest at the end of the calendar year following the year of documentation. If, within the framework of paragraphs 4 or 5, content or circumstances of communication of persons referred to in § 53 paragraph 1 sentence 1 of the Code of Criminal Procedure are transmitted that are covered by those persons' right to refuse testimony, the use of these data as evidence in criminal proceedings is permitted only insofar as the subject of those criminal proceedings is an offence punishable by a maximum term of imprisonment of at least five years.
(8) Before commencing the collection and use of data, the Federal Office shall draw up a data collection and use concept and keep it available for inspection by the Federal Commissioner for Data Protection and Freedom of Information. The concept shall take into account the special need for protection of government communication. The criteria used for the automated evaluation shall be documented. The Federal Commissioner for Data Protection and Freedom of Information shall also communicate the results of his inspections under § 24 of the Federal Data Protection Act to the Council of the IT Commissioners of the Federal Government.
(9) The Federal Office shall inform the Federal Commissioner for Data Protection and Freedom of Information, by 30 June of the year following the reporting year in each case, of 1. the number of cases in which data were transmitted pursuant to paragraph 5 sentence 1, paragraph 5 sentence 2 number 1 or paragraph 6 number 1, broken down by the individual transmission powers, 2. the number of evaluations relating to identified persons pursuant to paragraph 3 sentence 1 in which the suspicion was refuted, 3. the number of cases in which the Federal Office refrained from notifying the persons concerned pursuant to paragraph 4 sentence 2 or 3.
(10) The Federal Office shall inform the Committee on Internal Affairs of the German Bundestag of the application of this provision by 30 June of the year following the reporting year in each case.

§ 6 Deletion. Insofar as the Federal Office collects personal data within the scope of its powers, these data shall be deleted without delay as soon as they are no longer required for the performance of the tasks for which they were collected, or for a possible judicial review. Insofar as deletion is deferred solely for a possible judicial review of measures pursuant to § 5 paragraph 3, the data may be used for that purpose only, without the consent of the person concerned; they shall be blocked for other purposes. § 5 paragraph 7 remains unaffected.

§ 7 Warnings (1) In order to perform its tasks pursuant to § 3 paragraph 1 sentence 2 number 14, the Federal Office may 1. address the following warnings to the public or to the affected parties: a) warnings about security vulnerabilities in information technology products and services, b) warnings about malicious programs, and c) warnings in the event of loss of, or unauthorised access to, data;
2. recommend security measures and the use of certain security products.
The Federal Office may involve third parties in performing the tasks pursuant to sentence 1 if this is necessary for an effective and timely warning. The manufacturers of affected products shall be informed in good time before publication of warnings concerning those products, provided that this does not jeopardise the achievement of the purpose pursued by the measure. Insofar as discovered security vulnerabilities or malicious programs are not to become generally known, in order to prevent their spread or unlawful exploitation, or because the Federal Office is bound to confidentiality towards third parties, it may restrict the circle of persons to be warned on the basis of objective criteria; objective criteria may in particular be the particular risk to certain facilities or the particular reliability of the recipient.
(2) In order to perform its tasks pursuant to § 3 paragraph 1 sentence 2 number 14, the Federal Office may warn the public, naming the designation and the manufacturer of the affected product, about security vulnerabilities in information technology products and services and about malicious programs, or recommend security measures and the use of certain security products, if there are sufficient indications that these pose threats to security in information technology. If the information given to the public subsequently proves to be false, or the underlying circumstances prove to have been reproduced incorrectly, this shall be made public without delay.

§ 7a Examination of security in information technology (1) In order to perform its tasks pursuant to § 3 paragraph 1 sentence 2 numbers 1, 14 and 17, the Federal Office may examine information technology products and systems that are made available on the market or are intended to be made available on the market. It may make use of the support of third parties in doing so, insofar as legitimate interests of the manufacturer of the affected products and systems do not preclude this.
(2) The findings obtained from the examinations may be used only to perform the tasks pursuant to § 3 paragraph 1 sentence 2 numbers 1, 14 and 17. The Federal Office may pass on and publish its findings insofar as this is necessary for the performance of these tasks. Beforehand, the manufacturer of the affected products and systems shall be given the opportunity to comment within a reasonable period.

§ 8 Requirements of the Federal Office (1) The Federal Office draws up minimum standards for the security of the information technology of the Federal Government. The Federal Ministry of the Interior may, in consultation with the IT Council, issue these minimum standards wholly or in part as general administrative provisions for all bodies of the Federal Government. On request, the Federal Office advises the bodies of the Federal Government on the implementation of and compliance with the minimum standards. For the courts and constitutional bodies referred to in § 2 paragraph 3 sentence 2, the provisions under this paragraph have the character of recommendations.
(2) Within the scope of its tasks pursuant to § 3 paragraph 1 sentence 2 number 10, the Federal Office provides Technical Guidelines, which the bodies of the Federal Government shall take into account as a framework for developing appropriate requirements for contractors (suitability) and IT products (specification) when conducting procurement procedures. The provisions of public procurement law and of the protection of classified information remain unaffected.
(3) The provision of IT security products by the Federal Office pursuant to § 3 paragraph 1 sentence 2 number 11 takes place through in-house development or after conducting procurement procedures on the basis of a corresponding needs assessment. IT security products may be made available through in-house development by the Federal Office only in justified exceptional cases. The provisions of public procurement law remain unaffected. If the Federal Office provides IT security products, the federal authorities may obtain these products from the Federal Office. By resolution of the Council of the IT Commissioners of the Federal Government, it may be determined that the federal authorities are obliged to obtain these products from the Federal Office. In that case, procurement by other federal authorities on their own account is permitted only if their specific requirements profile necessitates the use of different products. Sentences 5 and 6 do not apply to the courts and constitutional bodies referred to in § 2 paragraph 3 sentence 2.

§ 8a Security in the information technology of critical infrastructures (1) Operators of critical infrastructures are obliged, no later than two years after the entry into force of the ordinance pursuant to § 10 paragraph 1, to take appropriate organisational and technical precautions to avoid disruptions of the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that are essential for the functioning of the critical infrastructures they operate. In doing so, the state of the art should be observed. Organisational and technical precautions are appropriate if the effort required for them is not disproportionate to the consequences of a failure or impairment of the affected critical infrastructure.
(2) Operators of critical infrastructures and their industry associations may propose industry-specific security standards to ensure the requirements referred to in paragraph 1. On request, the Federal Office determines whether these are suitable for ensuring the requirements referred to in paragraph 1. The determination is made 1. in consultation with the Federal Office of Civil Protection and Disaster Assistance, 2. in agreement with the competent federal supervisory authority or in consultation with the otherwise competent supervisory authority.
(3) Operators of critical infrastructures shall demonstrate compliance with the requirements referred to in paragraph 1 in an appropriate manner at least every two years. This may be demonstrated by security audits, examinations or certifications. The operators shall submit to the Federal Office a list of the audits, examinations or certifications conducted, including the security deficiencies uncovered in the process. In the event of security deficiencies, the Federal Office may require 1. the submission of the complete audit, examination or certification results, and 2. in agreement with the competent federal supervisory authority or in consultation with the otherwise competent supervisory authority, the elimination of the security deficiencies.
(4) In order to structure the procedure for security audits, examinations and certifications pursuant to paragraph 3, the Federal Office may, after hearing representatives of the affected operators and the affected industry associations, lay down requirements for the manner in which they are conducted, for the evidence to be issued on them, and professional and organisational requirements for the auditing body.

§ 8b Central body for security in the information technology of critical infrastructures (1) The Federal Office is the central reporting office for operators of critical infrastructures in matters of security in information technology.
(2) In order to perform this task, the Federal Office shall 1. collect and evaluate the information essential for warding off threats to security in information technology, in particular information on security vulnerabilities, malicious programs, attacks carried out or attempted on security in information technology and the methods observed in doing so, 2. analyse its potential impact on the availability of critical infrastructures in cooperation with the competent supervisory authorities and the Federal Office of Civil Protection and Disaster Assistance, 3. continuously update the situation picture regarding security in the information technology of critical infrastructures, and 4. inform without delay a) the operators of critical infrastructures of information pursuant to numbers 1 to 3 that concerns them, b) the competent supervisory authorities and the otherwise competent federal authorities of the information pursuant to numbers 1 to 3 that is necessary for the performance of their tasks, and c) the competent supervisory authorities of the Länder, or the authorities designated to the Federal Office by the Länder as central contact points for this purpose, of the information pursuant to numbers 1 to 3 that is necessary for the performance of their tasks.
(3) Operators of critical infrastructures shall, within six months of the entry into force of the ordinance pursuant to § 10 paragraph 1, designate to the Federal Office a contact point for the communication structures pursuant to § 3 paragraph 1 sentence 2 number 15. The operators shall ensure that they can be reached at any time through this contact point. The transmission of information by the Federal Office pursuant to paragraph 2 number 4 takes place to this contact point.
(4) Operators of critical infrastructures shall report to the Federal Office without delay, via the contact point, significant disruptions of the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes that 1. may lead to, or 2. have led to, a failure or impairment of the functioning of the critical infrastructures they operate. The report must contain information on the disruption and on the technical circumstances, in particular the suspected or actual cause, the affected information technology, the type of affected facility or installation, and the operator's sector. Naming the operator is required only if the disruption has actually led to a failure or impairment of the functioning of the critical infrastructure.
(5) In addition to their contact point pursuant to paragraph 3, operators of critical infrastructures belonging to the same sector may designate a joint superordinate contact body. If such a body has been designated, the exchange of information between the contact points and the Federal Office generally takes place via the joint contact body.
(6) Insofar as necessary, the Federal Office may require the manufacturer of the affected information technology products and systems to participate in eliminating or avoiding a disruption pursuant to paragraph 4. Sentence 1 applies accordingly to disruptions at operators and licence holders within the meaning of § 8c paragraph 3.
(7) Insofar as personal data are collected, processed or used within the scope of this provision, processing and use for other purposes going beyond the preceding paragraphs is not permitted. § 5 paragraph 7 sentences 3 to 8 apply accordingly. In all other respects, the provisions of the Federal Data Protection Act apply.

§ 8c Scope (1) §§ 8a and 8b are not applicable to micro-enterprises within the meaning of Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124 of 20.5.2003, p. 36). Article 3 paragraph 4 of the Recommendation is not applicable.
(2) § 8a is not applicable to 1. operators of critical infrastructures insofar as they operate a public telecommunications network or provide publicly available telecommunications services, 2. operators of energy supply networks or energy installations within the meaning of the Energy Industry Act of 7 July 2005 (BGBl. I p. 1970, 3621), last amended by Article 3 of the Act of 17 July 2015 (BGBl. I p. 1324), in the currently applicable version, 3. licence holders under § 7 paragraph 1 of the Atomic Energy Act in the version published on 15 July 1985 (BGBl. I p. 1565), last amended by Article 2 of the Act of 17 July 2015 (BGBl. I p. 1324), in the currently applicable version, for the scope of the licence, and 4. other operators of critical infrastructures insofar as they must, on the basis of statutory provisions, meet requirements that are comparable to or go beyond the requirements under § 8a.
(3) § 8b paragraphs 3 to 5 are not applicable to 1. operators of critical infrastructures insofar as they operate a public telecommunications network or provide publicly available telecommunications services, 2. operators of energy supply networks or energy installations within the meaning of the Energy Industry Act, 3. licence holders under § 7 paragraph 1 of the Atomic Energy Act for the scope of the licence, and 4. other operators of critical infrastructures which must, on the basis of statutory provisions, meet requirements that are comparable to or go beyond the requirements under § 8b paragraphs 3 to 5.

§ 8d Requests for information (1) The Federal Office may provide third parties with information on the information received under § 8a paragraphs 2 and 3 and on the reports under § 8b paragraph 4 only if the interests of the affected operator of critical infrastructures worthy of protection do not conflict with this and no impairment of essential security interests is to be expected from the disclosure. Access to personal data is not granted.
(2) Access to the files of the Federal Office in matters under §§ 8a and 8b is granted only to parties to the proceedings, and to these in accordance with § 29 of the Administrative Procedure Act.

§ 9 Certification (1) The Federal Office is the national certification body of the Federal Administration for IT security.
(2) For certain products or services, a security certificate, a certification of persons, or a certification as an IT security service provider may be applied for at the Federal Office. Applications are processed in the order of receipt; this may be deviated from if, because of the number and scope of pending examination procedures, the Federal Office cannot carry out an examination in good time and there is a public interest in issuing a certificate. The applicant must submit to the Federal Office the documents, and provide the information, whose knowledge is required for the examination and evaluation of the system or component, or of the suitability of the person, and for issuing the certificate.
(3) The examination and evaluation may be carried out by expert bodies recognised by the Federal Office.
(4) The security certificate is issued if 1. the information technology systems, components, products and protection profiles meet the criteria laid down by the Federal Office, and 2. the Federal Ministry of the Interior has determined that overriding public interests, in particular security policy concerns of the Federal Republic of Germany, do not conflict with the issuance.
(5) Paragraph 4 applies accordingly to the certification of persons and of IT security service providers.
(6) Recognition under paragraph 3 is granted if 1. the material and personnel resources as well as the expertise and reliability of the conformity assessment body meet the criteria laid down by the Federal Office, and 2. the Federal Ministry of the Interior has determined that overriding public interests, in particular security policy concerns of the Federal Republic of Germany, do not conflict with the recognition.
By taking the necessary measures, the Federal Office ensures that the continued fulfilment of the requirements under sentence 1 is checked regularly.
(7) Security certificates of other recognised certification bodies within the European Union are recognised by the Federal Office insofar as they demonstrate security equivalent to that of the Federal Office's security certificates and the equivalence has been determined by the Federal Office.
§ 10 Authorisation to issue legal ordinances (1) The Federal Ministry of the Interior determines, by legal ordinance not requiring the consent of the Bundesrat, after hearing representatives of science, the affected operators and the affected industry associations, and in agreement with the Federal Ministry for Economic Affairs and Energy, the Federal Ministry of Justice and Consumer Protection, the Federal Ministry of Finance, the Federal Ministry of Labour and Social Affairs, the Federal Ministry of Food and Agriculture, the Federal Ministry of Health, the Federal Ministry of Transport and Digital Infrastructure, the Federal Ministry of Defence and the Federal Ministry for the Environment, Nature Conservation, Building and Nuclear Safety, which facilities, installations or parts thereof are to be regarded as critical infrastructures within the meaning of this Act, taking into account, in the respective sectors under § 2 paragraph 10 sentence 1 number 2, the services that are to be regarded as critical because of their importance and their supply level that is to be regarded as significant. The supply level to be regarded as significant under sentence 1 is to be determined on the basis of sector-specific thresholds for each service that is to be regarded as critical in the respective sector because of its importance. Access to files concerning the creation or amendment of this ordinance is not granted.
(2) The Federal Ministry of the Interior determines, by legal ordinance not requiring the consent of the Bundesrat, after hearing the affected trade associations and in agreement with the Federal Ministry for Economic Affairs and Energy, the details of the procedure for issuing security certificates and recognitions under § 9 and their content.
(3) Fees and expenses are charged for individually attributable public services under this Act and under the legal ordinances issued to implement this Act. The fee is based on the administrative effort associated with the service. The Federal Ministry of the Interior determines, in agreement with the Federal Ministry of Finance, by legal ordinance not requiring the consent of the Bundesrat, the chargeable matters, the fee rates and the expenses.

§ 11 Restriction of fundamental rights. The secrecy of telecommunications (Article 10 of the Basic Law) is restricted by § 5.

§ 12 Council of IT Commissioners of the Federal Government. If the Council of IT Commissioners of the Federal Government is dissolved, the successor designated by the Federal Government takes its place. The consent of the Council of IT Commissioners may be replaced by the agreement of all federal ministries. If the Council of IT Commissioners is dissolved without a successor, the agreement of all federal ministries takes the place of its consent.

§ 13 Reporting obligations (1) The Federal Office shall inform the Federal Ministry of the Interior of its activities.
(2) The information under paragraph 1 also serves to inform the public, through the Federal Ministry of the Interior, about threats to security in information technology; this takes place at least once a year in a summarising report. § 7 paragraph 1 sentences 3 and 4 apply accordingly.

§ 14 Administrative fines (1) An administrative offence is committed by anyone who intentionally or negligently 1. contrary to § 8a paragraph 1 sentence 1 in conjunction with a legal ordinance under § 10 paragraph 1 sentence 1 fails to take a precaution referred to there, or takes it incorrectly, incompletely or not in time, 2. contravenes an enforceable order under § 8a paragraph 3 sentence 4 a) number 1 or b) number 2, 3. contrary to § 8b paragraph 3 sentence 1 in conjunction with a legal ordinance under § 10 paragraph 1 sentence 1 fails to designate a contact point, or does not designate it in time, or 4. contrary to § 8b paragraph 4 sentence 1 number 2 fails to make a report, or makes it incorrectly, incompletely or not in time.
(2) The administrative offence may be punished, in the cases of paragraph 1 number 2 letter b, with a fine of up to one hundred thousand euros, and in the other cases of paragraph 1 with a fine of up to fifty thousand euros.
(3) The administrative authority within the meaning of § 36 paragraph 1 number 1 of the Act on Administrative Offences is the Federal Office.