Financial Crime World


Reporting Obligations under German Law

Germany has specific reporting obligations with respect to incidents or potential incidents under various laws. Here, we outline these obligations, including the circumstances that trigger them, the regulatory authorities responsible for receiving reports, and the types of information required to be reported.

Triggering Circumstances

There are several circumstances that trigger a reporting obligation:

  • Significant incidents: An essential or important entity subject to NIS2 must report such incidents to the competent authority designated by the national implementation act.
  • Operators of critical infrastructures: Must notify certain incidents regarding the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes immediately to the BSI under Sec. 8b of the BSIG.
  • Financial entities under DORA: Must classify incidents and report major ICT-related incidents (Article 17 et seq.) to the relevant competent authority.
  • Controllers: Must notify personal data breaches to the competent Data Protection Authority under Article 33 of the GDPR.

Regulatory Authorities

The following authorities are responsible for receiving reports:

  • Competent authority designated by the national implementation act
  • BSI (Bundesamt für Sicherheit in der Informationstechnik)
  • Relevant competent authority (for financial entities under DORA)
  • Data Protection Authority

Nature and Scope of Information Required

The following types of information are typically required:

  • Details of the Incident: Including cause, affected systems, components or processes.
  • Technical framework: Including cross-border effects and effects on critical services.

Exceptions and Exemptions

There are some exceptions and exemptions:

  • Controllers: Notification is not required where the security breach is unlikely to result in a high risk to the rights and freedoms of the data subject.
  • Operators of critical infrastructures: May be exempt from reporting an incident if they can demonstrate that they have taken all necessary measures to prevent or mitigate its effects.