The Federal Network Agency has today published the current draft of the catalogue of security requirements for the operation of telecommunications and data processing systems as well as for the processing of personal data for consultation. The catalogue was prepared jointly with the Federal Office for Information Security and the Federal Commissioner for Data Protection and Freedom of Information.
At the same time, the Federal Network Agency is launching a consultation on the draft of a list of critical functions.
“It is important to protect the integrity of information and communications systems against threats. That is why we have reviewed the security standards for telecommunications networks and services and want to further develop them together with the market,” said Klaus Müller, President of the Federal Network Agency.
Catalogue of security requirements
The catalogue of security requirements applies to operators of telecommunications and data processing systems as well as to the processing of personal data. It forms the basis for the security concept and for the technical precautions and other measures to be taken to increase the security of networks and services.
Compared with the previous version of the security catalogue (2021), so-called risk potential categories have been introduced. These relate to the significance of telecommunications networks and services. They are linked to specific protection objectives or measures, each of which must be implemented.
While the requirements for the normal risk potential must be met by all public telecommunications network operators and service providers, the elevated risk potential category includes networks and services of greater importance to the public interest. Finally, the high risk potential category comprises companies of outstanding importance to the public interest.
The classification of companies into the risk potential categories is based on company performance indicators. In the future, companies must meet more far-reaching obligations appropriate to their respective risk potential. These include, for example, risk management as well as the security of data, systems, and facilities.
The list of critical functions has been integrated into the catalogue of security requirements. Measures for the configuration of the 5G network are also specified. These are intended to ensure secure network operation.
The draft catalogue of security requirements is available on the Federal Network Agency’s website at: www.bundesnetzagentur.de/sicherheitsanforderungen.
Manufacturers, associations of telecommunications network operators, and associations of publicly accessible telecommunications service providers may submit comments until December 19, 2025.






