FAQ about regulating digital service providers - questions about the obligation to report
-
The European Commission has specified binding criteria for the assessment of security incidents. The wording of these criteria is as follows:
1. The service provided by a digital service provider was unavailable for more than 5,000,000 user-hours, whereby the term "user-hour" refers to the number of affected users in the Union for a duration of 60 minutes.
2. The incident has resulted in a loss of integrity, authenticity or confidentiality of stored, transmitted or processed data, or of the related services offered by, or accessible via, a network and information system of the digital service provider, affecting more than 100,000 users in the Union.
3. The incident has created a risk to public safety, public security or of loss of life.
4. The incident has caused material damage to at least one user in the Union where the damage caused to that user exceeds EUR 1,000,000.
Source: Article 4 of Commission Implementing Regulation (EU) 2018/151 of 30 January 2018
A security incident therefore has a 'significant impact' if at least one of these criteria is met.
-
The incident must be reported immediately after the significant security incident was detected, i.e. without undue delay. The following principle applies to initial reports: speed takes priority over completeness. This means that a report must be submitted even if not all of the required information is yet available. Any missing information can be reported to the BSI at a later point.
-
The rule for operators of critical infrastructure in Section 8b(4) of the Federal Office for Information Security Act applies analogously to the content of a report submitted to the BSI. The information relating to critical infrastructure shall be replaced by suitable information relating to the digital service.
The report must contain information on the disruption, possible cross-border consequences and the technical framework conditions, in particular the assumed or actual cause, the information technology concerned, the type of equipment or asset concerned as well as the critical service provided, and the impact of the disruption on this service.
Source: Section 8b(4) of the Federal Office for Information Security Act
There are currently no implementing acts of the European Commission stating anything to the contrary. On the "Obligation to report" information page, we have prepared a template to make it easier for you to submit reports to the BSI.
-
No. Reporting to the BSI fulfils only the reporting obligation towards the BSI; it does not discharge reporting obligations towards any other body.