BSI Clarifies Reporting Obligations for Cyberattacks

The bottom line: The BSI clarifies reporting obligations for cyberattacks and establishes binding standards for organisations subject to reporting requirements in Germany.

The Federal Office for Information Security (BSI) has specified requirements for reporting cyberattacks, thereby providing clarity for critical infrastructure operators and other organisations subject to reporting obligations.

The BSI has published concrete requirements for reporting cyberattacks, thereby making previous regulations and guidance documents more precise. The clarifications concern both the scope of incidents to be reported and the deadlines and formats for reporting.

The requirements are part of the implementation of NIS2 and serve to harmonise incident reporting in Germany. They apply in particular to operators of critical infrastructure (KRITIS), providers of essential services, and other operators of digital services whose security incidents must be reported.

CISOs and IT directors must ensure that their organisations implement these updated requirements. This includes detecting security incidents promptly, assessing them properly, and reporting them on time. The precise wording of the BSI clarifications is crucial for legally compliant processes in incident response and compliance management.


Source: news.google.com · Published 1 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.