Questions and answers for manufacturers for the IT Security Label
The IT Security Label is a voluntary label for consumer IT products. It offers manufacturers the opportunity to meet consumers' increasing need for information by making the security features of their products and services easily recognisable by means of a BSI label and thus highlighting these products on the market. Transparent IT security is more and more in the awareness of consumers, and it is increasingly a selling point.
The IT Security Label is based on a manufacturer's declaration that a product conforms to a norm, a standard, an industry-agreed IT security specification or a Technical Guideline. That means it includes the manufacturer's assurance that the product was tested in accordance with the applicable standard for the respective product category and that it meets all IT security requirements of this standard. The BSI checks the manufacturer's declaration for completeness and plausibility. There is no in-depth examination as with BSI certifications, for example.
In a follow-up process, market surveillance checks samples randomly or on an ad hoc basis to verify whether the manufacturer fulfils the declared properties of the labelled product for the duration of the IT Security Label. Since it is a consumer label, the IT Security Label links to dynamic information on the BSI website. There, the BSI provides transparent information on the security features of the product and references to current security information, such as available updates, after the BSI has become aware of vulnerabilities.
With the increasing digitalisation of society, consumers are becoming more and more aware of IT security. Security aspects are already taken into account during the purchase decision and are thus increasingly a sales argument.
The IT Security Label offers manufacturers the opportunity to meet consumers' need for information by making the security features of their IT products easily recognisable by means of a BSI label and thus highlighting their product in particular.
In addition, the IT Security Label is intended to contribute to raising consumer awareness and thus to an increased awareness of IT security in general. With the IT Security Label, manufacturers can show customers that the topic is important to them and increase the attractiveness of their products.
The IT Security Label is usually valid for two years. The BSI can set different durations for individual product categories. After this period, the BSI's declaration of approval expires. At the earliest three months and at the latest six weeks before the end of the term, an existing IT Security Label may be extended seamlessly with a follow-up application.
Pursuant to § 9c Section 2 BSIG, the IT Security Label consists of the manufacturer's declaration and the dynamic information component. The label contains a QR code and a short link that leads to a BSI webpage. There, information on the product, the duration of the IT Security Label and current security information is provided, such as updates after vulnerabilities have become known to the BSI.
The Federal Office for Information Security provides the IT Security Label electronically. The manufacturer shall affix the label on the product or its packaging. Furthermore, the manufacturer may use the IT Security Label in electronic form, especially if it is not possible, for physical reasons, to affix it. If the release of the IT Security Label is revoked or expires, the manufacturer must ensure that no further products will be manufactured or brought to market using the IT Security Label. Labelled products in stock may still be sold.
The IT Security Label is voluntary. It offers manufacturers the opportunity to meet consumers' increasing need for information by making the security features of their IT products easily recognisable by means of a BSI label and thus highlighting their product in particular. IT security is more and more in the awareness of consumers and is thus increasingly a selling point.
To obtain the IT Security Label, you have to submit an application to the BSI. An application is only possible in those product categories defined by the BSI. If you cannot assign your product directly to a category, please contact us.
Please use our online application tool via the Federal Portal; it is the easiest and most convenient way of applying for an IT Security Label.
In cases where you may not use the online application tool or your intended product category is not yet digitally available, please use the offline application material and hand in your application by mail.
We check, with respect to the technical requirements, if the application is complete and the information provided is plausible. A regular period of six weeks applies for the examination of the application documents, unless a different examination period has been specified for the respective product category.
The application can be rejected if there are indications that the product or the software delivered with the product contains known security vulnerabilities, or if products of the manufacturer have already been the subject of a warning or information according to §§ 7, 7a of the BSIG or have been affected by measures according to § 9c para. 8 BSIG.
Likewise, we may reject the application if the plausibility check cannot be carried out successfully. Irrespective of the documents submitted, the BSI may also refuse the IT Security Label if there are serious doubts about the manufacturer's declaration.
The BSI charges an administrative fee for the processing of the application according to the time spent on the examination (§ 9c para. 5 BSIG). The Special Fee Ordinance of the Federal Ministry of the Interior and Community (BMI-BGebV) regulates the corresponding details. The administrative fee incurred is significantly lower than that of a certification.
For this purpose, the author, i.e. an industry association or other body, must submit an application for recognition of a standard. The BSI then assesses whether the proposed standard meets the requirements. Recognition is only granted for a limited period of time.
The manufacturer is obliged to maintain the conformity of the product with the IT security requirements applicable to the product group for the whole duration of the granted IT Security Label. In addition, it must inform the BSI without being asked if the properties of the product that has been declared compliant change. This includes, among other things, disruptions to the information security of the product and security vulnerabilities. Furthermore, the manufacturer is obliged to immediately remedy any security vulnerabilities of which it becomes aware and to notify the BSI of the status of the measures taken to this end. When issued, the IT Security Label must also be affixed to the respective product or its outer packaging, provided the nature of the product makes this possible.
The IT Security Label can be revoked in accordance with the provisions of § 9c para. 8 BSIG if the manufacturer's declaration has been violated or legal requirements are no longer met.
If products or services bear the IT Security Label, they are subject to supervision by the BSI from the time the label has been issued. Within this framework, the BSI can check whether the manufacturer actually complies with the assured requirements. For this purpose, the products may be tested on a random or ad hoc basis. If a product is found to deviate from the manufacturer's declaration, the BSI can act appropriately to protect consumer confidence in the IT Security Label. Measures can range from the provision of appropriate information to consumers to the revocation of the IT Security Label.
As a rule, the manufacturers concerned are given a reasonable period of time to remedy the defects and restore the product to its warranted condition before measures are taken by the BSI.
With the Second Act to Increase the Security of Information Technology Systems, the so-called IT Security Act 2.0 (IT-SiG 2.0), the BSI was given the task of introducing a voluntary security label. For this purpose, the BSI Act (BSIG), which among other things regulates the tasks and responsibilities of the BSI, was amended accordingly. Details on the IT Security Label, in particular on the application procedure, are regulated by the Ordinance on the IT Security Label of the Federal Office for Information Security (BSI-ITSiKV).
With the Cybersecurity Act (CSA), which came into force in June 2019, a certification framework exists in the EU which in principle also opens up the possibility of a label for the pan-European Digital Single Market. However, there is currently no agreed IT Security Label at EU level. A European label may be based on existing national labels such as the IT Security Label. The BSI plans to enable a transition of the German IT Security Label to a prospective European solution. Furthermore, the possible future recognition of equivalent foreign labels is currently under discussion.
It is possible to obtain approval for the use of an IT Security Label in a simplified procedure if a product has already received a foreign state label which is recognised by the BSI. Currently, on the basis of a bilateral recognition arrangement, labels from the Cybersecurity Labelling Scheme of the Cybersecurity Agency of Singapore are recognised from level 2 onwards in the equivalent German product category "Smart Consumer Devices".
According to Section 6 BSI-ITSiKV, the Federal Office can waive the plausibility check if the BSI has issued a certificate under Section 9 of the BSIG for the same product based on the same test standard. In simple terms: if a product has already been certified by the BSI, it can go through a simplified procedure to obtain the IT Security Label based on the same test standard. Furthermore, a simplified procedure is possible for products with foreign state labels which are recognised by the BSI.
Yes, the BSI is always actively working on further product categories that are oriented towards the consumer market. Information on all currently available product categories can be found on the application page.
If the essential security features are identical for all product variants of a product, manufacturers and providers can apply for the IT Security Label for product variants. In this case, an application can be made for several variants of a product; however, each product variant will receive its own IT Security Label.
On the product information page, the name of the product, the manufacturer or provider as well as the product images that you submit with the application are published.
Furthermore, the page contains status information which indicates whether
the BSI is currently aware of security vulnerabilities for this product,
updates are being made available for it by the manufacturer or provider, or
the label has expired or been withdrawn.
In addition, the product information page can be used to find out,
when the IT security label was issued,
how long it is valid for and
on which technical basis (technical guideline, standard or norm) the IT security label is issued.
Technical details about the respective product are not included. The system-relevant information that providers or manufacturers provide as part of the application process is also not published.
The IT Security Label is intended to help consumers obtain information about the basic security features of a product. In contrast to BSI certification schemes, the BSI does not carry out a technical test for the IT Security Label. The manufacturer itself checks whether its product complies with the technical requirements specified by the BSI, such as a technical guideline or a standard. In its manufacturer's declaration, it assures conformity and the provision of certain security-relevant updates.
Only after issuance can BSI Market Surveillance carry out checks, on an ad hoc or random basis, to determine whether the manufacturer is keeping its promise. Within this framework, a subsequent technical inspection can also be carried out. The costs of the IT Security Label are thus significantly lower than those of a certification.