Obligation for UBI 3 in accordance with Section 8f (8) of the BSI Act (BSIG)

In the case of UBI 3 (hazardous incident UBI), i.e.

• operators of an upper-tier establishment as defined in the applicable version of the Hazardous Incident Ordinance or
• operators that are equivalent to these in accordance with Section 1 (2) of the Hazardous Incident Ordinance

there has been an obligation to report the following since 1 November 2021:

1. faults regarding the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes which have resulted in a hazardous incident according to the applicable version of the Hazardous Incident Ordinance,
2. material faults regarding the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes which may result in a hazardous incident according to the applicable version of the Hazardous Incident Ordinance.

Obligation for UBI 1 in accordance with Section 8f (7) of the BSIG since 1 May 2023

In the case of UBI 1 (AWV UBI), i.e.

• companies that manufacture or develop goods in accordance with Section 60 (1) No. 1 and No. 3 of the applicable version of the Foreign Trade and Payments Ordinance (AWV), this includes companies that operate in the area of weapons, munitions and military goods or in the area of products with an IT security function that are used for processing classified state information or components of such products that are vital to the IT security function

there is a voluntary option for reporting and, from 1 May 2023, an obligation to report the following:

1. faults regarding the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes which have resulted in a failure or material impairment in creating value,
2. material faults regarding the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes which may result in a failure or material impairment in creating value.

We answer frequently asked questions about the reporting of security incidents in the obligation to report section of our FAQ.

Reporting a fault

IT/OT faults in hazardous incident UBI (UBI 3) are reported to the central reporting office of the National IT Situation Centre at the BSI. The mailbox meldungen-ubi@bsi.bund.de has been set up for hazardous incident UBI (UBI 3) reports.

The report must contain:

1. information on the fault
2. information on the basic technical conditions, especially those relating to the suspected or actual cause
3. details of the information technology affected and the type of equipment or system affected

All the information required for a report is requested in the reporting forms below.

Encrypted communications

Wherever possible, security incidents should be reported to the mailbox meldungen-ubi@bsi.bund.de in encrypted format. This can be achieved via S/MIME or PGP.

S/MIME

For S/MIME-encrypted e-mail communications, please use the relevant certificates in the zipped file. The ZIP file contains these certificates:

• Root certificate for PKI administration:
  CN=PCA-1-Verwaltung-20,O=PKI-1-Verwaltung,C=DE
• IVBB certificate:
  CN=CA IVBB Deutsche Telekom AG 20,OU=Bund,O=PKI-1-Verwaltung,C=DE
• Certificate meldungen-ubi@bsi.bund.de:
  CN=GRP: Meldestelle UBI,OU=BSI,O=Bund,C=DE
• sha2_fpr:
  F8:AD:9B:6D:4D:8A:F2:E5:4C:D9:BA:E6:71:69:02:C7:77:82:E0:69:6F:0A:1C:5D:13:83:AD:4B:57:08:2C:A1
• sha1_fpr:
  C8:7E:8E:C4:EA:E1:F1:5A:56:75:5B:B2:54:F9:C4:D9:4C:D7:3C:76
• md5_fpr:
  F6:65:16:EF:C3:EA:93:51:41:92:2E:B0:08:C8:BF:77

Valid until: 2027-10-08 23:59:59

PGP

For PGP-encrypted e-mail communications with the mailbox meldungen-ubi@bsi.bund.de please use this PGP key:

Expires: 11 August 2025, 10:38
Fingerprint: B425FE5B7554E237AA4046C321E8948C581E5A46

Form for report

You can use the form below to report a security incident. The PDF and Office versions contain the same content (downloads are in german language).

Meldung gemäß § 8f BSIG für Unternehmen im besonderen öffentlichen Interesse

Meldung gemäß § 8f BSIG für Unternehmen im besonderen öffentlichen Interesse (docx-Format)

Reportable IT/OT faults must be reported immediately. Speed must be prioritised over completeness. This means that the content of the form does not need to be entirely complete when the report is first submitted; any missing information can be added later by submitting a subsequent report.

Please note that the new obligation to submit reports to the BSI does not constitute a release from any other obligations to submit reports to other authorities.

Data privacy

The BSI will process and store the data and information collected solely in order to fulfil its legally mandated tasks. This applies in particular to the competences covered by Section 8f (8) of the BSIG and Section 8e of the BSIG.

If your report contains personal data, please note the Privacy Policy issued by the BSI.

It is not usually necessary to provide any personal data when reporting an IT/OT fault or security incident to the BSI. Wherever possible, a job title or department contact should be given as the contact details to use in case of any queries. This not only helps with data privacy, it also makes it easier to reach someone who can provide support. If you have provided contact details for an individual instead, please notify them of the data protection information given above.