UBI 1: Deadline for self-declaration on IT security expires on 1 May

Since 2021, so-called companies of particular public interest (UBI) have been subject to the IT Security Act 2.0, which results in additional regulations for IT security. For companies in the “UBI 1” category, the deadline for submitting a self-declaration regarding IT security expires on May 1, 2023. This article explains what companies in this group must now do and what obligations companies in the other UBI groups must observe.

Companies of particular public interest (UBI) according to the BSI

UBI 2 companies are companies “that, based on their domestic value added, are among the largest companies in Germany and are therefore of considerable economic importance to the Federal Republic of Germany, or that are of key importance to such companies as suppliers due to their unique selling points.” The BSI also refers to this category as value-added UBI. The BSI answers questions about this, such as the minimum turnover or number of employees required to qualify for UBI 2, on an FAQ page – although many answers are still open.

UBI 3 operators are “operators of an upper-class establishment within the meaning of the Major Accident Ordinance, as amended, or equivalent to it pursuant to Section 1, Paragraph 2 of the Major Accident Ordinance.”

Companies that are operators of critical infrastructures (KRITIS) according to the BSIG are subject to the provisions of the BSIG and not to those of UBI. A company cannot be both a KRITIS operator and a UBI. In corporate structures, one company can be a UBI while a sister company is a KRITIS operator. Furthermore, a company can fall into more than one UBI category – large defense companies, for example, even fall into all three categories. UBI are sometimes referred to as. Although they are not KRITIS companies, they are considered particularly worthy of protection in Germany with regard to IT security.

Legal obligations for UBI

Depending on the group, UBI companies will face new obligations in 2023 and 2024. The following legal obligations apply to UBI according to Section 8f of the Federal Office for Information Security Act (BSIG):

  1. The obligation to register or to designate a contact point (Section 8f Paragraph 5) applies to UBI 1 and UBI 2. For UBI 3, registration is voluntary (Section 8f Paragraph 6).
  2. The obligation to report security incidents applies to UBI 1 and UBI 2 (Section 8f, Paragraph 7). UBI 3 users have been required to report certain security incidents since November 1, 2021, e.g., if they could lead to a disruption (Section 8f, Paragraph 8).
  3. The obligation to provide a self-declaration on IT security (Section 8f Paragraph 1 Nos. 1 to 3) only applies to UBI 1 and UBI 2.

In particular, companies in the UBI 1 and UBI 2 groups should pay attention to the obligation to provide a self-declaration:

  • UBI 1 companies, i.e. manufacturers/developers of goods within the meaning of Section 60 AWV, must submit a self-declaration and registration to the BSI by May 1, 2023.
  • For UBI 2 companies, i.e. companies of significant economic importance, the Federal Ministry of the Interior will issue a regulation specifying which companies fall into this group. No identification method has currently been established, but the criteria and thresholds could be based on the work of the Monopolies Commission pursuant to Section 44 (1) of the German Act against Restraints of Competition (GWB). Therefore, there is no need for action for the time being.

Content of the self-declaration on IT security

The self-declaration consists of three parts:

  1. IT security certifications of the last two years
  2. Other IT security audits and reviews in the last two years
  3. Information on the protection of particularly sensitive IT systems, components and processes

Consequences of non-compliance with obligations

Failure to comply with various UBI obligations may result in a fine under the relevant articles of the BSIG.

  1. In case of non-registration or late registration (Section 14 (2) No. 5 BSIG).
  2. If a contact point is not appointed or is not appointed in a timely manner (Section 14 (2) No. 5 BSIG).

 
