Bundesnetzagentur publishes key elements of additional security requirements for telecommunications networks

The Bundesnetzagentur has today published the key elements of its additional security requirements for telecommunications networks and services.

"We revise the security requirements on a regular basis in light of the current security situation and technological developments," explained Jochen Homann, Bundesnetzagentur President. "Security requirements apply to all network operators and service providers, irrespective of the technology they deploy. All networks, not just individual standards like 5G, are included."

Revision of security requirements

At present, the Bundesnetzagentur is revising the security requirements for the operation of telecommunications networks and data processing systems and for the processing of personal data. In particular, for operators of public telecommunications networks with a high potential threat, security requirements are to be specified that must be complied with when determining the appropriate technical measures or other safeguards.

The following additional security requirements are planned:

• Systems may only be sourced from trustworthy suppliers whose compliance with national security regulations and provisions for the secrecy of telecommunications and for data protection is assured.
• Network traffic must be regularly and constantly monitored for any abnormality and, if there is any cause for concern, appropriate protection measures must be taken.
• Security-related network and system components (critical key components) may only be used if they have have been certified by the Federal Office for Information Security (BSI) and undergone IT security checks by a BSI-approved testing body. Critical key components may only be sourced from trustworthy suppliers/manufacturers, ie those that can provide assurance of their trustworthiness.
• Security-related network and system components (critical key components) may only be used following an appropriate acceptance test upon supply and must be subjected to regular and ongoing security tests. The components that are security-related (critical key components) will be defined by the BSI and Bundesnetzagentur by mutual agreement.
• Only trained professionals may be employed in security-related areas.
• Proof must be provided that the hardware tested for the selected, security-related components and the source code at the end of the supply chain are actually deployed in the products used.
• When planning and building the network, "monocultures" must be avoided by using network and system components from different manufacturers.
• Where system-related processes are outsourced, only professionally competent, reliable and trustworthy contractors may be selected.
• Adequate redundancy must be available for critical, security-related network and system components (critical key components).

The publication of the key elements provides manufacturers, associations of public telecommunications network operators and associations of providers of publicly accessible telecommunications services with an opportunity to comment.

The security requirements are being drawn up in agreement with the BSI and the Federal Commissioner for Data Protection and Freedom of Information (BfDI). A draft of the new security requirements is planned for spring 2019. The Bundesnetzagentur will publish the final requirements once manufacturers and the above-mentioned associations have been given the opportunity to comment on the draft catalogue of requirements, as laid down in law, and the European notification procedure has been carried out.

Information on the current security requirements may be found on the Bundesnetzagentur website at www.bundesnetzagentur.de/sicherheitsanforderungen.

Press release (pdf / 36 KB)