The reporting portal in the AWS cloud: Why, BSI?

It's great that the BSI is offering a new portal for IT security. But does it absolutely have to run on the AWS cloud, Tobias Glemser wonders.

[Image: screenshot of the BSI portal. Source: BSI, edited by heise Medien]

By Tobias Glemser

The BSI's new reporting portal is here. It is intended as a central, legally mandated platform: for registering NIS2 entities, and for receiving, processing and coordinating reports, both from KRITIS operators, who are obliged to report, and from anyone else who wishes to. The portal receives sensitive data from Germany's most critical companies, and its use for this purpose is mandatory.

An opinion by Tobias Glemser

Tobias Glemser is a BSI-certified penetration tester and Managing Director of secuvera GmbH. He has worked in cyber security for over 20 years and, in his private time, is involved with OWASP among other organisations.

The security bubble is up in arms. The reason? The portal is operated on AWS. To put it plainly: no, this is not a sign of strengthening Germany's own digital industry, and therefore not a sign of what many understand by national digital sovereignty. There are plenty of alternatives on the German market. Falling back on "suitable infrastructure with state-of-the-art security features", as BSI President Claudia Plattner told heise online, is not enough.

Formally, everything is clean. The portal's privacy policy is transparent and detailed. However, when it states "This may result in the transfer of the IP address to the USA" and at the same time voluntary reports are to be made "easily and anonymously," I inwardly flinch. Does this really have to be? I don't think so. There are alternatives – see above.

To be fair: The BSI and its president have long distinguished between "digitally sovereign" and "digitally autarkic." International products should therefore be embeddable in such a way that "data leakage is technically impossible," as Ms. Plattner writes in the BSI Cybernation Blog on digital sovereignty. This is an understandable approach.

Why the first point of the dual strategy, strengthening the "EU market and its own digital industry", was not pursued consistently in the case of the portal has so far gone unexplained. I would urgently like to see a follow-up statement here regarding the central, legally mandatory portal for KRITIS operators.

Technically, the implementation also raises questions, even if an outside analysis is naturally limited. For example, it is not clear to me why the security.txt was not implemented in compliance with RFC 9116; after all, it is state of the art, and the BSI itself recommends it in its FAQ on handling vulnerabilities. Furthermore, the Web Application Firewall (WAF) from AWS is apparently being used.

Typically, a WAF terminates the TLS connection so that it can inspect the plaintext of each request. That includes the contents of an incident report submitted by a KRITIS company. How it is ensured under these conditions that "data leakage is technically impossible" is of burning interest to me as a computer scientist. The same applies to the persistence of the data on AWS and to its further processing in downstream specialist applications.
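To make the security.txt point above concrete: the following checker, added here as an example and not code from the BSI, heise or the author, tests a security.txt file against the requirements of RFC 9116 that are most often missed (a required Contact field with a proper URI scheme, exactly one Expires field in RFC 3339 format that lies in the future and not more than a year away, no duplicate Preferred-Languages, and an OpenPGP cleartext signature wrapper). The two sample files and the fixed clock are constructed for the example; the checker unwraps a cleartext signature but does not verify it, and it does not say anything about what the BSI's actual file contains.

```python
"""RFC 9116 security.txt compliance checker (added example; not the BSI's or heise's code)."""
import re
from datetime import datetime, timedelta, timezone

# Fields defined by RFC 9116, Section 2.5: name -> (required, may appear more than once)
FIELDS = {
    "Acknowledgments": (False, True),
    "Canonical": (False, True),
    "Contact": (True, True),
    "Encryption": (False, True),
    "Expires": (True, False),
    "Hiring": (False, True),
    "Policy": (False, True),
    "Preferred-Languages": (False, False),
}
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")   # the schemes RFC 9116 names for Contact
PGP_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"


def strip_cleartext_signature(text):
    """Return (body, signed). Unwraps an OpenPGP cleartext signature so the fields can be
    parsed; it does NOT verify the signature (use gpg --verify for that)."""
    if not text.startswith(PGP_BEGIN):
        return text, False
    lines = text.splitlines()
    i = 1
    while i < len(lines) and lines[i].strip():        # skip armor headers such as "Hash: SHA256"
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.startswith(PGP_SIG_BEGIN):
            break
        body.append(line[2:] if line.startswith("- ") else line)   # undo dash-escaping
    return "\n".join(body) + "\n", True


def parse_fields(body):
    """Return ([(name, value, lineno)], problems) for the unwrapped body text."""
    fields, problems = [], []
    for n, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):          # blank lines and comments are allowed
            continue
        m = re.match(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.+)$", line)
        if not m:
            problems.append(f"line {n}: not a 'Field: value' line")
            continue
        fields.append((m.group(1), m.group(2).strip(), n))
    return fields, problems


def check_expires(value, n, now):
    try:
        exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return [f"Expires: line {n} value {value!r} is not an RFC 3339 date-time"]
    if exp.tzinfo is None:
        return [f"Expires: line {n} value {value!r} has no time-zone offset (RFC 3339 requires one)"]
    if exp <= now:
        return [f"Expires: line {n} file expired on {value}"]
    if exp - now > timedelta(days=366):
        return [f"Expires: line {n} is more than a year away (RFC 9116 recommends less)"]
    return []


def check_security_txt(text, now=None):
    """Return a list of compliance problems; an empty list means no findings."""
    now = now or datetime.now(timezone.utc)
    body, signed = strip_cleartext_signature(text)
    fields, problems = parse_fields(body)
    if not signed:
        problems.append("unsigned: no OpenPGP cleartext signature (RFC 9116 recommends one)")
    counts = {}
    for name, value, n in fields:
        canon = next((f for f in FIELDS if f.lower() == name.lower()), None)   # names are case-insensitive
        if canon is None:
            continue                                   # unknown fields MUST be ignored
        counts[canon] = counts.get(canon, 0) + 1
        if canon == "Contact" and not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact: line {n} value {value!r} is not a mailto:, tel: or https: URI")
        if canon == "Expires":
            problems.extend(check_expires(value, n, now))
    for canon, (required, may_repeat) in FIELDS.items():
        if required and canon not in counts:
            problems.append(f"{canon}: required field is missing")
        if not may_repeat and counts.get(canon, 0) > 1:
            problems.append(f"{canon}: appears {counts[canon]} times, MUST NOT appear more than once")
    return problems


NOW = datetime(2026, 1, 22, tzinfo=timezone.utc)        # fixed clock so the results are reproducible

# Constructed sample files; example.org is a placeholder, not any real organisation's file.
GOOD = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Constructed sample file
Contact: mailto:security@example.org
Contact: https://example.org/vulnerability-report
Expires: 2026-12-31T23:59:59Z
Encryption: https://example.org/pgp-key.txt
Preferred-Languages: de, en
Canonical: https://example.org/.well-known/security.txt
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

BAD = """# Constructed sample: bare e-mail address, date without offset, duplicate Expires, no signature
Contact: security@example.org
Expires: 2024-01-01
Expires: 2024-06-01T00:00:00Z
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, check_security_txt(sample, NOW) or "OK")
```

Run against a live site, fetch `https://<host>/.well-known/security.txt` and pass the response body to `check_security_txt`; the checker deliberately leaves out the transport-level requirements (HTTPS, the `/.well-known/` path, `text/plain` media type), which are checked on the HTTP response rather than the file contents.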


The existing portal MIP-2 is operated by Swiss IT Security Deutschland GmbH – at least in Swiss hands – and is expected to be available to KRITIS operators "probably even until December 31, 2026." Fun fact on the side: In the course of researching these lines, I found a classic web vulnerability in MIP-2. I preferred to report it PGP-encrypted via email rather than through the new portal. Only if I take care of it myself is it technically ensured that "data leakage remains technically impossible." A shame, really.

This commentary is the editorial for the new issue of iX 02/2026, available from January 22, 2026.

(mho)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.