With the enactment, on 30 June 2017, of the First Regulation amending the German Regulation on Determining Critical Infrastructures (BSI-KritisV), governed by the Act on the Federal Office for Information Security (BSI Act), DENIC eG comes under the German IT Security Act, within the scope of the “Authoritative Name Servers” systems category.

This fundamentally results in the following requirements:

• Report to the Federal Office for Information Security (BSI) any IT security incident that is foreseeable or has actually occurred and that is both considered highly critical and related to the provision of the critical service.

• Take appropriate organisational and technical precautions according to the state of the art.

• Undergo regular and independent audits to verify that the organisational and technical precautions to protect the critical service are complied with.

• Provide evidence to the BSI regarding the due implementation of the organisational and technical precautions.

According to the regulation, these measures are aimed at providing further protection in the future, on a still broader scale, against risks and threats with regard to both organisational and technical aspects of the name service for .de, which is critical for the operation of the German Internet.

With the implementation of business continuity and information security management systems in compliance with the applicable standards and their certification pursuant to ISO 22301:2012 BCMS and ISO/IEC 27001:2013 ISMS international standards, DENIC has taken considerable efforts, over the past years, in hardening its systems and processes and thus essentially meets the new requirements already today.