Cybersecurity: BSI portal goes online – and uses AWS for it
The new BSI portal is intended to become a central point of contact for IT security in critical infrastructures. The choice of provider, AWS, is causing concern.
(Image: Cherdchai101 / Shutterstock.com)
The Federal Office for Information Security (BSI) has launched its new “BSI Portal,” which is now intended to be established as a central point of contact for those affected by federal IT security regulations. The president of the federal agency, Claudia Plattner, hopes for significant effects from the German implementation law for the EU's Network and Information Security Directive (NIS2), which amended the BSI Act and significantly expanded the circle of those affected. According to Plattner, NIS2 has been implemented comparatively quickly despite the change of government, and the agency is ready: “We're good to go,” she told heise online. The revision of the old NIS Directive and its German implementation had previously taken years.
With the website, those obligated – estimated to be nearly 30,000 companies, authorities, and other institutions considered critical within the meaning of the law – will in the future have a single point of contact, a so-called “one-stop shop”: the BSI Portal. In addition to the legally required registration, relevant information on applicable cybersecurity obligations will be available there. Further functional features will be added in the coming months. In particular, the exchange of real-time data is intended to increase awareness of acute incidents in the future and also reduce response times. So far, there is no central reporting portal with a standardized format from which anomalies could be clearly identified.
BSI relies on AWS for its portal
The choice of provider that the BSI is relying on for its portal is likely to cause concern and criticism: Amazon Web Services. “AWS offers a suitable infrastructure with state-of-the-art security features, which we have built upon,” says the BSI President when asked by heise online. The BSI Portal will also enable anonymous reporting of cybersecurity incidents and vulnerabilities; these two features will be usable without registration.
However, BSI President Claudia Plattner does not want the existence of a central BSI portal for NIS2-affected parties to be misunderstood. The BSI cannot be everywhere. “Will we be able to save the entire republic? No, not that,” she says in an interview with heise online. “Even if we can provide assistance, at the end of the day, companies have to look at what their IT looks like and how their backups are made.” They have to roll up their sleeves themselves, Plattner believes.
The NIS2 Directive and the regulations now incorporated into the BSI Act impose various obligations on operators of critical infrastructures, from internet providers and energy network operators to healthcare providers, waterworks, food manufacturers, or other relevant companies, as well as authorities. It does not specify exactly what needs to be done. “NIS2 doesn't say you have to have a patched Exchange server,” explains Plattner. Rather, the obligation is risk management that shows whether this is a problem for the company's own cybersecurity. The probability that an unpatched Exchange server is an issue is high, explains the BSI President. But that doesn't mean that such a patch is the one thing that needs to be done. However, NIS2 also brings revised reporting obligations for IT security incidents – the new portal is now intended to provide assistance with this as well.
Plattner hopes for managing director liability
If providers do not comply with the rules, fines of up to 10 million euros or two percent of annual turnover are now possible according to § 65 BSI Act. “People must be able to rely on it: a certain quota will be looked at – and at some point, everyone will be affected,” Plattner explains the approach of her authority.
However, the penalties possible under the NIS2 regime are not the most important factor, according to the BSI President, who has been in office since mid-2023. “The big lever is not us,” says Plattner. She expects a side effect of the NIS2 regulations on Directors and Officers (D&O) insurance. “The big lever is the liability of managing directors, executive boards, and supervisory boards,” says the BSI President, who herself spent a large part of her career in the business world. “If they cannot prove to their insurers that they have at least taken care of the basics, then, depending on the circumstances, personal liability issues may even arise that are not covered.”
BSI President hopes for a boost for the IT security industry
It remains to be seen to what extent the wording ultimately adopted by the federal legislator in the current § 38 BSI Act will actually be effective. However, it is already becoming apparent that the market for risk management and IT security training is gaining momentum. If it were up to the BSI President, this should not be the only effect of NIS2. “I have the hope and also the expectation that NIS2 will give us a proper push and that everything related to IT security services will grow in this country as well,” Plattner emphasizes to heise online. “Also simply because it is lucrative.”
(kbe)