Logo Bayernportal
Home > Procedures

IT security; registration of a contact point for notifications as an operator

If you operate a Critical Infrastructure, you must name a point of contact to the Federal Office for Information Security that can be reached at any time.

Online services

Online services

  • Melde- und Informationsportal des Bundesamts für Sicherheit in der Informationstechnik (BSI)
    The reporting and information portal of the German Federal Office for Information Security (BSI) offers you the possibility to designate a contact point online for submitting reports as well as for sending information to the BSI. In order to submit a report, a contact point must first be registered with the BSI. After successful registration, extensive information is available in the download area, including a sample notification form and instructions on how to submit a notification, so that established and trusted notification channels are available to you in the event of a reportable incident. A hardware token sent by the BSI is used as the means of authentication in the reporting and information portal.

Responsible for you

Bundesamt für Sicherheit in der Informationstechnik - KRITIS-Büro

Street address

Godesberger Allee 87
53175 Bonn

Postal address

Postfach 200363

53133 Bonn

Mehr zur Behörde

Procedure details

Critical infrastructures are organizations and facilities that are of high importance for the functioning of the community and whose failure or impairment would result in significant supply bottlenecks or threats to public safety.

If you operate a Critical Infrastructure as defined by law, you must, among other things, provide the Federal Office for Information Security (BSI) with a contact point where you can be reached at all times. The BSI will send you various information to this address, for example IT security warnings and situation information.

As a rule, the BSI sends information during normal business hours. In exceptional cases, urgent warnings are also possible outside normal business hours, i.e. on public holidays, weekends or at night.

You must designate a point of contact if your organization operates Critical Infrastructure, which means:

  • You belong to one of the following sectors:
    • Energy
    • Water
    • Food
    • Information technology and telecommunications
    • Health
    • Finance and insurance
    • Transport and traffic
  • In these sectors, they provide services to the general public, the failure or impairment of which would lead to significant supply shortages or threats to public safety (critical services).
  • You reach or exceed certain thresholds applicable per sector and for the respective facilities. For example, if your facilities can generate a certain amount of energy or they extract a certain amount of water.

  • Required Documents

    As a rule, you do not need to submit any additional documentation.

You can designate the contact point via the BSI reporting and information portal:

  • Call up the BSI's reporting and information portal.
    • If your organization is already registered, you can log in via "Login".
    • If not, you can start the registration process by clicking "Register". You will then receive the access data by mail.
  • Completely fill out the form to designate a contact point.
  • Then fill out an "Attachment 2" for each of your infrastructures.
  • You can then check your data again and submit it.
  • After submitting, you can save your form as a PDF file. Print out the form, sign it and send it to the BSI's KRITIS office.
  • The BSI will check your registration.
  • You will receive confirmation of your registration by e-mail, as well as further information and documents by mail once the registration is complete.
  • If you have any questions about the registration process, you can contact the BSI's KRITIS office. For technical questions about the reporting portal, please contact the reporting office at the National IT Situation Center.

Note: If you do not designate a contact point, the BSI can carry out the registration itself and inform the responsible federal supervisory authority.

The BSI does not charge for the designation of the contact point.

As soon as they are deemed to be a critical infrastructure operator for the first time or again, you must designate a point of contact no later than the next following business day.

The processing of your report usually takes 1 to 2 weeks.

When you complete "Attachment 2", you are not declaring that you are a Critical Infrastructure Operator. Use "Annex 2" even if you think that you are not covered by the regulations. The BSI will make the appropriate classification.

  • Objection
  • You can usually file an objection with the Federal Office against an administrative act of the Federal Office with which you do not agree. This is also indicated in the instructions on legal remedies at the end of the decision.
  • In the appeal procedure, the Federal Office will once again review the decision it has made, taking into account the arguments you have put forward for redress before legal proceedings.
  • Action before the administrative court: In principle, an action before the court is only possible once you have received an objection notice in response to your objection.

Status: 09.03.2025
Editorially responsible for prodecure description: Bundesministerium des Innern
Source: Federal Portal