Select your location for location specific information:
If you operate a Critical Infrastructure, you must name a point of contact to the Federal Office for Information Security that can be reached at any time.
Critical infrastructures are organizations and facilities that are of high importance for the functioning of the community and whose failure or impairment would result in significant supply bottlenecks or threats to public safety.
If you operate a Critical Infrastructure as defined by law, you must, among other things, provide the Federal Office for Information Security (BSI) with a contact point where you can be reached at all times. The BSI will send you various information to this address, for example IT security warnings and situation information.
As a rule, the BSI sends information during normal business hours. In exceptional cases, urgent warnings are also possible outside normal business hours, i.e. on public holidays, weekends or at night.
You must designate a point of contact if your organization operates Critical Infrastructure, which means:
As a rule, you do not need to submit any additional documentation.
You can designate the contact point via the BSI reporting and information portal:
Note: If you do not designate a contact point, the BSI can carry out the registration itself and inform the responsible federal supervisory authority.
The BSI does not charge for the designation of the contact point.
As soon as they are deemed to be a critical infrastructure operator for the first time or again, you must designate a point of contact no later than the next following business day.
The processing of your report usually takes 1 to 2 weeks.
When you complete "Attachment 2", you are not declaring that you are a Critical Infrastructure Operator. Use "Annex 2" even if you think that you are not covered by the regulations. The BSI will make the appropriate classification.
If you would like to qualify in the field of IT security and prove your expertise, you can apply for certification under certain conditions.
If you operate critical infrastructures, you must prove that the security of your information technology corresponds to the state of the art. You must submit proof to the Federal Office for Information Security (BSI) every two years.
You can register with the BSI as a common higher-level contact point (GÜAS). After registration, you can act as a contact point for reports and security notices for operators of critical infrastructures that belong to the same sector.