Bundesnetzagentur publishes catalogue of security requirements for telecommunications networks

Consultation of the list of critical functions

Year of issue 2020
Date of issue 2020.08.11

The Bundesnetzagentur today published the current draft of the catalogue of security requirements for operating telecommunications and data processing systems and for processing personal data. The catalogue has been drawn up in agreement with the Federal Office for Information Security (BSI) and the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

At the same time, the Bundesnetzagentur is initiating a consultation to draft a list of critical functions.

“The 5G mobile communication standard is an essential technological basis for successful digitisation. A prerequisite for this is achieving the right balance of information security as part of a comprehensive risk management. To this end, we - as the federal cyber security authority - have created the new security catalogue together with the Bundesnetzagentur and the Federal Commissioner for Data Protection and ensured that modern, powerful and secure 5G networks can be installed and operated,” said Arne Schönbohm, President of the BSI.

“It is important to protect the integrity of information and communications systems against threats and to create the highest security standards. To do this, critical functions for telecommunications networks and services should have an especially high level of protection," said Dr. Wilhelm Eschweiler, Vice President of the Bundesnetzagentur.

Catalogue of security requirements

The catalogue of security requirements applies for the operators of telecommunications networks and data processing systems and for the processing of personal data. It is the foundation for the security concept and for the technical arrangements to be made and the other measures to be taken to increase the security of the networks and services.
The catalogue specifically provides for:
critical components to be certified;

  • declarations of trustworthiness to be obtained from manufacturers and system suppliers;
  • product integrity to be ensured;
  • security monitoring to be introduced;
  • only trained and qualified personnel to be employed in security-related areas;
  • sufficient redundancy to be available; and
  • the avoidance of monocultures.

The catalogue will now be notified to the European Commission. Changes may be made until this process is concluded. After the notification the catalogue will also be available in English.

Consultation of the list of critical functions

Against this background, the Bundesnetzagentur is initiating a consultation today to draft a list of critical functions.
The catalogue contains additional security requirements for public telecommunications networks and services with a high level of risk. In this connection a list of critical functions is to be created for infrastructures with a high level of risk. These critical functions will be listed in a document jointly drawn up with the BSI.
In the future, the list of critical functions is to be continually updated and amended. Results of international analyses, for example from the European Union Agency for Cybersecurity (ENISA) or the Body of European Regulators for Electronic Communications (BEREC), were and are taken into account.

The following functions are considered critical:

  • subscriber management and cryptographic mechanisms (if a network component)
  • cross network interfaces
  • managed network services
  • Network Functions Virtualisation Management and Network Orchestration (MANO), as well as virtualisation
  • management systems and other support systems
  • transport and information-flow control
  • lawful interception

The catalogue of security requirements (Version 2.0) and the provisional list of critical functions have been published on the Bundesnetzagentur website at www.bundesnetzagentur.de/criticalfunctions

Responses to the list of critical functions must be submitted by 30.09.2020

Press release (pdf / 356 KB)

Mastodon