Reporting duties

Article 33 GDPR

• Addressees: Controllers for the purposes of data protection law
• Official reporting portals: Competent data protection authorities
• Time limit: Without undue delay, but not later than 72 hours after having become aware of the personal data breach

Section 8b(4) German Act on the Federal Office of Information Security (BSIG)

• Addressees: Operators of critical infrastructures
• Official reporting portal: Federal Office for Information Security (BSI)
• Time limit: Without undue delay

Section 8c(3) German Act on the Federal Office of Information Security

• Addressees: Providers of digital services
• Official reporting portal: Federal Office for Information Security
• Time limit: Without undue delay

Section 8f(7) and (8) German Act on the Federal Office of Information Security

• Addressees: Companies of special public interest
• Official reporting portal: Federal Office for Information Security (BSI)
• Time limit: Without undue delay (currently only mandatory for incidents at companies of special public interest)

Section 32 Draft Regulations of the Federal Office for Information Security (BISG-RegE) [not yet in force]

• Addressees: Particularly important facilities and important facilities
• Official reporting portal: Federal Office for Information Security (BSI)
• Time limit: Without undue delay

Section 168 German Telecommunications Act (TKG)

• Addressees: Operators of public telecommunications networks and providers of publicly accessible telecommunications services
• Official reporting portals: Federal Network Agency (BNetzA) and Federal Office for Information Security
• Time limit: Without undue delay

Section 169 German Telecommunications Act

• Addressees: Providers of publicly accessible telecommunications services
• Official reporting portals: Federal Network Agency and Federal Commissioner for Data Protection and Freedom of Information (BfDI) (both in German)
• Time limit: Without undue delay

Section 11(1c) German Electricity and Gas Supply Act (EnWG)

• Addressees: Operators of power networks
• Official reporting portal: Federal Office for Information Security
• Time limit: Without undue delay

Section 6 German Nuclear Safety Officer and Reporting Ordinance (AtSMV) and section 44b German Nuclear Power Act (AtG)

• Addressees: Various licence holders (nuclear power plant operators)
• Official reporting portals: Federal Office for Information Security and other nuclear regulators
• Time limit: Without undue delay

Section 24(1)(19) German Banking Act (KWG)

• Addressees: Credit institutions
• Official reporting portals: Federal Financial Supervisory Authority (BaFin) and Deutsche Bundesbank
• Time limit: Without undue delay

Section 54 German Payment Services Supervision Act (ZAG)

• Addressees: Payment providers
• Official reporting portal: Federal Financial Supervisory Authority
• Time limit: Without undue delay

Article 19(1) DORA

• Addressees: Institutions in the financial sector
• Official reporting portal: Federal Financial Supervisory Authority
• Time limit: Without undue delay

Section 329 Book V of the German Social Code (SGB V)

• Addressees: National Digital Health Agency “Gematik” and Component and service providers as well as application providers
• Official reporting portals: Gematik: Federal Office for Information Security; Service providers: Gematik
• Time limit: Without undue delay

Delegated Regulation 2022/1645

• Addressees: a) Companies in the aviation industry; b) Production organisations, development organisations; c) Aerodrome operators, apron management service providers
• Official reporting portal: Federal Office for Information Security
• Time limit: Without undue delay

Implementing Regulation (EU) 2023/203

• Addressees: CAMOs, ATOs, ATCO TOS and other entities in the aviation industry
• Official reporting portal: Federal Office for Information Security
• Time limit: Without undue delay