What is the Federal Office for Information Security (BSI)?

The BSI, one of the world's most important cybersecurity think tanks, is located in Germany. The agency's experts are responsible for protecting Germany's IT infrastructure.


BSI: a definition

The BSI deals with IT security issues for public administration as well as for companies and private users. As an upper federal authority, the BSI pursues the self-defined goal of maintaining cybersecurity "through prevention, detection and response for the state, the economy and society". Since its founding in 1991, the agency has also established itself as a center of excellence for all matters related to cybersecurity. Today, the BSI has more than 1,400 employees, the majority of whom work at its headquarters in Bonn, Germany.



Who works at the BSI?

The agency mostly employs specialists in the fields of computer science, physics and mathematics. Divided into eight independent departments, which are in turn subdivided into specialist areas, the BSI's teams of experts cover all facets of cybersecurity. These include hardware and software, IT management, operations and cybersecurity for citizens. The most hotly debated topics at present include the secure expansion of the 5G mobile communications standard, artificial intelligence and the protection of critical infrastructures (KRITIS).


What are the tasks of the BSI? 

The responsibilities of the federal authority are specifically defined in the Act of the Federal Office for Information Security (BSI Act). The BSI is primarily responsible for the IT security of public administration, private industry and end users in Germany. To this end, the authority is divided into specialized departments that cover different technologies, operate various portals and perform advisory functions. Here are several of the BSI's key protection goals, initiatives and organizations:


The BSI's core mission is to protect the federal government's IT infrastructure. Its experts are constantly working to secure the networks against new attack vectors. The primary goal is to secure digital communications and protect sensitive data records. Critical government secrets must not fall into the wrong hands under any circumstances. In the event of an emergency, human lives depend directly on the protection of this data, for example, if it involves classified military information on Bundeswehr or NATO missions.


The National Cyber Defense Center (Cyber-AZ) is a cooperative platform located directly on the premises of the BSI in Bonn. There, the state security authorities work together to improve the coordination of protection and defense measures in the event of IT security incidents. The aim is to ensure the German government's ability to act even in a crisis. In addition to the BSI, the platform includes the Federal Office for the Protection of the Constitution (BfV), the Federal Office of Civil Protection and Disaster Assistance (BBK), the Federal Criminal Police Office (BKA), the Federal Intelligence Service (BND), the Federal Police Headquarters and, for the Bundeswehr, the Federal Office for Military Counterintelligence (BAMAD) and the Cyber and Information Space Command (KdoCIR). The Customs Criminal Investigation Office (ZKA) and the Federal Financial Supervisory Authority (BaFin) are also included as associated agencies.


The Alliance for Cyber Security (ACS) is a BSI initiative that was founded in 2012 in cooperation with the industry association Bitkom. It sees itself as an association of all major players in information security in Germany. The initiative currently involves 6,700 companies, public authorities and other institutions. Its objective is the active exchange of experience on the digital threat situation. To this end, expert contributions are continuously shared via the ACS network. In addition, events are held on an ongoing basis to share industry-relevant best practices on the topic of cybersecurity.


UP KRITIS is a public-private cooperation between operators of critical infrastructures, their associations and the relevant government agencies such as the BSI. The latter provides all participating organizations with situation information and alerts on IT and OT (Operational Technology) security. UP KRITIS itself is organized into committees and working groups for the different KRITIS branches. The aim of the cooperation is to sustainably increase the resilience of critical infrastructures.


The authority operates the "BSI for Citizens" platform specifically for the security needs of end users. There, the BSI team publishes recommendations and guides for the secure use of digital systems in private environments. Users also receive warnings about critical security vulnerabilities in operating systems and programs on PCs, tablets and smartphones. Further questions about cybersecurity can be answered by BSI experts via a service hotline, which is available for inquiries on weekdays.


In addition, the BSI has positioned itself as a partner organization and expert advisor for the federal government, the states and other administrative segments. The expert teams support public authorities, for example, in setting up, operating, maintaining and securing their IT infrastructure. However, the BSI's expertise also benefits the business community. By defining established minimum standards, best-practice models and mandatory regulations, the authority provides a guideline for the secure digitization of large and small organizations.


How does the BSI protect critical infrastructures? 

The IT Security Act binds operators of critical infrastructures (KRITIS) to the BSI via a legal framework. For example, there is a legal obligation for KRITIS operators to regularly demonstrate the security of their IT infrastructure to the BSI. The BSI is also the central reporting point for KRITIS: if there are significant disruptions in IT, these must be communicated to the federal authority. Conversely, the BSI is responsible for collecting information relevant to cybersecurity in the KRITIS sector, evaluating it and forwarding it to the affected operators in the event of a potential threat situation. In addition, the cooperation in UP KRITIS gives operators of critical infrastructures a way to exchange security-relevant data in a coordinated manner.


What is IT-Grundschutz?

With the IT-Grundschutz catalog, the BSI defines a series of security measures that are intended to support authorities and companies in establishing reliable protection standards. The set of rules includes technical measures as well as organizational and personnel requirements. For example, the IT-Grundschutz requirements include a detailed IT structure analysis to document the existing infrastructure and the associated processes. The BSI confirms the successful implementation of IT-Grundschutz, together with the introduction of an information security management system (ISMS), by awarding the ISO 27001 certificate based on IT-Grundschutz. The certificate serves as proof that the confidentiality, availability and integrity of all information in the respective company are ensured by suitable technical and organizational measures.



How does the IT-SiG 2.0 expand the BSI's powers?

The revised version of the IT Security Act (IT-SiG 2.0) grants the BSI several new powers, giving the agency a more active role overall in combating cyber incidents. For example, the BSI is now authorized to exercise control and audit powers over the federal administration. Furthermore, the BSI is to be involved at an early stage in major digitization projects of the federal government in the future.

In addition, the IT Security Act 2.0 allows the BSI to access log data for the purpose of defending against threats to the federal government's communications technology. This data will be stored for twelve months for these purposes. The active use of port scans and the setting up of honeypots to identify security vulnerabilities, malware and cyberattacks are also among the powers added. The aim is to identify dangers to telecommunications companies and providers at an early stage and, if necessary, for the BSI to remedy them itself.


BSI: What you need to know 

The Federal Office for Information Security (BSI) is a German federal authority whose responsibilities cover securing the digital infrastructure of the state, the economy and society in Germany. To this end, the BSI acts as a national think tank for all areas of cybersecurity, develops best practices and certificates for defending against cyberattacks and increasing IT resilience, and acts as a central reporting point for cyber incidents. To do justice to this broad range of tasks, the authority is divided into different, subject-specific committees and working groups in which more than 1,400 employees are active. In addition, the BSI organizes various platforms and initiatives such as the Alliance for Cyber Security, UP KRITIS and BSI for Citizens, which are active in dedicated subject areas and aim to protect digital systems and build sustainable resilience.

Myra Security is also involved in the Alliance for Cyber Security in close collaboration with the BSI. In addition, Myra technology is certified to the BSI standard ISO 27001 based on IT-Grundschutz. Furthermore, as one of the leading providers, we meet all 37 criteria of the BSI for qualified KRITIS security service providers.
