Companies in the special public interest (UBI)

Companies in the special public interest (UBI or UNBÖFI) are companies that are particularly critical or particularly important to the state due to their business activities or company size. These companies were also included in the BSI Act in 2021 under the IT Security Act 2.0 and are subject to additional obligations.

However, different regulations apply to operators of critical infrastructures and companies in the special public interest, e.g. regarding necessary certifications or when incidents must be reported to the BSI.

What are companies in the special public interest?

Companies in the special public interest are companies that are associated with special risks but are not covered by the KRITIS Regulation.

Section 2 BSIG defines three categories:

  • UBI 1: Companies that manufacture or develop goods in accordance with Section 60(1)(1) and (3) of the Foreign Trade and Payments Ordinance. These are primarily companies from the defence technology sector, e.g. manufacturers of weapons, ammunition and armaments, but also armoured vehicles, chemical irritants, explosives and electronic components for warfare, as well as manufacturers of products with IT security functions for processing classified government information.
  • UBI 2: Companies that are among the largest companies in Germany in terms of their domestic value added and are therefore of considerable economic importance for the Federal Republic of Germany.
  • UBI 3: Operators of an upper-tier operating area as defined by the Hazardous Incident Ordinance. This includes, in particular, companies that store large quantities of hazardous substances, e.g. explosives, flammable, toxic or water-polluting substances, but also various other chemicals listed in the Major Accidents Ordinance.

Typically, companies know if they fall into one of these categories, but not every company is aware that this also entails obligations under the BSIG.

What are the consequences?

The resulting obligations for UBI, especially category 1, are not particularly extensive:

  1. Obligation to register and appoint a contact point by May 1, 2023 (Section 8f (5) BSIG)
  2. Obligation to submit a self-declaration on IT security by May 1, 2023 and then every 2 years (Section 8f (1) nos. 1 to 3)
  3. Obligation to report significant IT security incidents/malfunctions and IT security incidents/malfunctions with a significant impact on value creation from May 1, 2023 (Section 8f (7) BSIG)

The self-declaration must include a maturity assessment of the ISMS as well as information on IT security certifications and other IT security audits and reviews in the last 2 years. A template is available from the BSI. There are no thresholds for the application of Section 8f, i.e. small and micro-enterprises are also affected. If the deadline is missed or reports are not submitted correctly or completely, fines of up to €500,000 may be imposed.

However, beyond the self-declaration, there is currently no obligation to carry out audits or inspections or to obtain certain certifications.

Further information can be found in the BSI's FAQ on companies in the special public interest.

Our Service

We support you with the introduction of an ISMS in your company and the creation of the security guideline as well as the various guidelines and concepts.

We support you in registering with the BSI and take over communication with the BSI in the event of queries. We prepare IT security incidents for reporting to the BSI and handle communication with the BSI.