BSI may criticize security concept as "conspicuous"

Cologne Administrative Court dismisses urgent application against official warning, strengthening BSI's information powers.

(Image: Wirestock Images/Shutterstock.com)

The state evaluation of IT products is a double-edged sword for software providers: while positive certifications promote sales, critical reports from cybersecurity authorities can shake a company's market position. A recent decision by the Cologne Administrative Court (File No.: 1 L 3105/25) dated December 2nd now clarifies that companies can only defend themselves against such impending publications in extreme exceptional cases in advance.

In the proceedings, a company that also manufactures software took action against the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). According to the decision now published, the Bonn authority investigated the security architecture of certain products as part of the "E.W." project and objected to it. The 1st Chamber ruled that a software manufacturer cannot simply demand the cessation of a planned official product evaluation. The fact that such a warning could have negative market repercussions did not change this.

The dispute arose from the planned final report, in which the BSI described the security concept of the affected products as "conspicuous" and attested to their failure to meet usual security expectations. The affected company felt unlawfully put in the pillory and feared irreversible reputational damage.

With an urgent application for preventive legal protection, the manufacturer wanted to force the authority not to publish these findings – even before the report appeared at all. However, the Administrative Court emphasized, in line with established legal opinion, that preventive legal protection under Section 123 of the Administrative Court Code (VwGO) must remain the exception. In principle, the VwGO relies on subsequent legal protection to preserve the separation of powers. An intervention in official action before its execution is only justified if the affected party cannot be expected to wait. This would be the case, for example, if irreversible facts were created.

In this case, according to the Cologne judges, there was no such qualified need for legal protection: the potential disadvantages were not to be classified as irreparable for the software provider.

IT lawyer Jens Ferner evaluates the decision as trend-setting for the industry: "The publication of official security evaluations can be existential for software providers. But not every warning justifies a preventive court intervention" – this is what the decision clearly shows. Those who want to challenge state product evaluations must prove that the publication causes "irreparable damage – for example, through targeted pillorying or irrefutable misrepresentations."

The court pointed out that an institution could restore lost trust through its own counter-statements. This could include press releases or updated evaluations. Unlike food law warnings, which often have irreversible effects, technical product evaluations are considered more dynamic. Furthermore, the report was not prominently placed but was part of a comprehensive investigation.


Ferner considers the legal embedding to be noteworthy: Since December, the implementation of the NIS2 Directive has been in force, which now explicitly regulates official warnings in Section 13 of the BSI Act (BSIG). Official warnings will have to be measured against this new legal basis in the future. However, the decision shows that courts do not prematurely block official information policies as long as they remain within the scope of the statutory mandate. The balance between consumer protection and entrepreneurial freedom therefore continues to be a matter of individual cases.

According to product details, the company anonymized as "C." in the proceedings could be the Velbert-based company BKS, a subsidiary of the Gretsch-Unitas Group (GU). This is suggested by the product names "G. U." and "A." mentioned in the decision, which point to a direct connection to the brand name and the Gemos Access access control system. If a traditional provider of general security technology, on its way to becoming a provider of digital ecosystems, has indeed come into the BSI's focus because of software-based protection concepts, this would also underscore the growing importance of IT security in classic building automation.

In 2022, the dispute over a BSI warning against the use of antivirus software from the Russian manufacturer Kaspersky dragged on for some time. The Higher Administrative Court of North Rhine-Westphalia ruled at the time that the notice had been lawful. It rejected the company's appeal against the Cologne Administrative Court's decision on the corresponding urgent application.

Update

Correction: Deleted a paragraph containing incorrect conclusions about possibly involved products or companies.

(mma)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.