Apply for a voluntary IT security label

Source: BUS Rheinland-Pfalz

The Federal Office for Information Security (BSI) issues the IT security label for products on the consumer market. This applies, for example, to the following product categories:

Broadband routers,
e-mail services,
Smart consumer devices, including
- Smart television,
- Smart cameras,
- smart speakers,
- smart toys and
- Smart cleaning and garden robots;
Video conferencing services,
Mobile devices, for example
- smartphones and
- tablets

With the BSI product label, manufacturers and service providers have the opportunity to make the IT security features of their products transparent and thus stand out on the market. This provides consumers with guidance when purchasing IT products, as they are able to take cyber security aspects into account when making their purchase decision.

To obtain an IT security label, you must submit an application to the BSI. The application is voluntary. With the IT security mark, you show that your products meet certain security standards that have been issued or recognized by the BSI.

The IT security mark essentially consists of

an assurance from your company that your product or service meets certain IT security requirements for a specified period of time (manufacturer's declaration).
a BSI product information page with up-to-date security information. This informs consumers about the IT security features of your product or service.

If you receive approval from the BSI, use the IT security label on the product, packaging or online.

The BSI market surveillance authority can check whether your product actually fulfills the requirements for the IT security label on a random basis or on an ad hoc basis.

If the BSI identifies a deviation or security gap, you will be contacted. You will then be given the opportunity to rectify the identified deficiencies or security gaps. If the security gap is not rectified or is particularly critical, the BSI may additionally

publish security information on the product information page or
revoke the approval of the IT security label.

As a rule, IT security labels expire after 2 years. The BSI can specify a different period for individual product categories. As soon as the term has expired, the release of the IT security label is terminated.

The BSI concludes mutual recognition agreements with foreign state labels. These agreements make it possible to issue the mark in a simplified procedure. An overview of the existing recognition agreements can be found on the BSI website.

You can apply to use the IT security label for your product or service online via the federal portal or in writing by email or post.

Apply for the IT security label online:

First check your product for conformity with the security requirements of the relevant product category.
Go to the federal portal verwaltung.bund.de and complete the online application.
Upload the documents required for the respective product category and specified in the application.
Send the application to the Federal Office for Information Security (BSI) via the federal portal.
The BSI will check your application for completeness and request additional documents if necessary.
As soon as all documents have been submitted, you will receive a confirmation of receipt from the BSI.
The BSI will check the plausibility of the information and documents you have submitted.
You will receive a fee notice before the IT security label is approved.
Once you have paid the administrative fee, the BSI will issue you with the final approval of the IT security label in the form of an approval notice.
With the approval notice, the respective product information page is published and the individual IT security label is made available.
If the BSI considers rejecting the IT security label during the application review, you can comment on this before the decision is made.

Apply for the IT security label by e-mail and post:

First check your product for conformity with the security requirements of the relevant product category.
Go to the BSI website and download the application for the IT security label for your product category.
Complete the application on your computer and save the application without signing it.
Send the application with the other required documents by e-mail or De-Mail.
Print out the complete application documents without product images and sign the application.
Send the application and the associated documents to the BSI by post.
The remaining steps are identical to the online procedure.

Application deadline: You can apply for an extension of the validity period of the IT security label at the earliest 3 months and at the latest 6 weeks before the expiry date.

Period of Validity: 2 Years
The Federal Office for Information Security (BSI) may specify different terms for individual product categories. After this period, the BSI's release declaration expires. If an IT security specification applicable to the relevant product category is changed or declared invalid, you must update your manufacturer's declaration with a valid test basis. Otherwise the release expires after a period of 6 weeks.

Objection Deadline: 4 Weeks
You have the option of lodging an objection within 4 weeks of notification of the decision.

Apply for a voluntary IT security label

Process flow

Requirements

Which documents are required?

What are the fees?

What deadlines do I have to pay attention to?

Processing duration

Legal basis

Applications / forms

What else should I know?

Professionally released on