
BSZ - discovered, explained

Fixed-time cybersecurity certification (BSZ)

Fast, plannable, less effort: the lightweight alternative to CC certification

With the Fixed-time cybersecurity certification (BSZ), you can prove the security statement of your IT product with an independent certificate. BSZ focusses on the security robustness of your IT product. Through a combination of evaluations and penetration tests, you objectively prove that your product fulfils the specified security performance.

What is Fixed-time cybersecurity certification (BSZ)?

The “Beschleunigte Sicherheitszertifizierung” (BSZ) enables manufacturers to prove the security statement of their IT product with an independent certificate. The objective confirmation ensures the highest possible level of trust in the IT device among end customers.

BSZ is a certification procedure of the German Federal Office for Information Security (BSI) and is based on a combination of conformity tests relating to the security performance of a product and penetration tests, which put the effectiveness of the technical security measures to the test.

Special features of the BSZ

  • Enables the objective confirmation of the security statement of an IT product through a certificate
  • Provides a significantly faster alternative to certification according to the Common Criteria (CC)
  • Reduces communication to a minimum, so that a certification test can be scheduled in advance
  • The BSZ certification scheme is compatible with the French CSPN & is recognised by the ANSSI

We will support you – no matter what

Get started at last!

We advise you


TÜV NORD IT Secure Communication I Berlin
Goal achieved?

We check that


TÜV Informationstechnik I Essen

Frequently Asked Questions (FAQ)

What you need to know about BSZ:

General network components and embedded IP networked devices:

  • IP based network routers
  • Embedded, networked industrial control devices
  • Mobile handhelds for special tasks (programming devices, scanners, etc.)

In the future, product categories with standardised specifications for technically comparable products are planned, which will also simplify the decision on the certifiability of specific products.

The security target (ST) describes the security functionality of the product to be evaluated, the interfaces, the threat model, the cryptographic mechanisms and the (expected) environment of the evaluation object. The document must be created by the applicant. This is the main basis for the subsequent evaluation.

The structure and specifications for the content of the ST are described in the AIS B1 document of the BSI.

The final report is always prepared by our experts individually and in an easily understandable way (no automatic generation) and contains at least the following information:

  • Introduction: Brief description of the subject of the audit.
  • Management/Executive Summary: Summary of the results.
  • Risk assessment: Assignment of a risk level to each vulnerability (informative, low, medium, high or critical risk), which describes the criticality of the respective vulnerability.
  • Clear presentation: Clear presentation of all identified vulnerabilities in a table.
  • Detailed description of vulnerabilities, deviations & proof-of-concept: For each vulnerability, there is an individual description that describes exactly how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
  • Evaluation of automated tests: The results of the automated tests are evaluated by the TÜVIT experts, checked for false positives and then summarised in the report.
  • Recommendation of measures to eliminate the vulnerability: For each vulnerability, there is a recommendation of measures to eliminate the vulnerability.
  • References: If available, we provide references to vulnerability databases (e.g. CVE).
  • Technical attachments: If available, further information and files on the tests carried out are provided as attachments, e.g. the raw results of the port and vulnerability scans.

The certification is valid for 2 years. During this time, the manufacturer undertakes to monitor the product for potential new security vulnerabilities and to provide corresponding updates.

  • Security Target (ST) document
  • Architecture overview (operating system, main components, libraries used)
  • Description of the update mechanism
  • Description of the cryptographic functionality (protocols, parameters, libraries)
  • Installation instructions for the product (Secure User Guide)