German Federal Network Agency publishes key elements of additional security requirements for telecom networks & data processing systems

German Federal Network Agency publishes key elements of additional security requirements for telecom networks and data processing systems.

The German Federal Network Agency has published on March 8, 2019 - in the light of new developments in technology (such as 5G) and public concerns about adequate security - key elements of additional security requirements for telecommunications networks and services.

These key elements shall apply to all network operators and service providers, irrespective of the technology they employ.

Key elements of additional security requirements

In particular, for operators of public telecommunications networks with a high potential threat, security requirements are to be specified that must be complied with when determining the appropriate technical measures or other safeguards.

The following additional security requirements are planned:

  • Systems may only be sourced from “trustworthy” suppliers whose compliance with national security regulations and provisions for the secrecy of telecommunications and for data protection is assured.
  • Network traffic must be regularly and constantly monitored for any abnormality and, if there is any cause for concern, appropriate protection measures must be taken.
  • Security-related network and system components (critical key components) may only be used if they have been certified by the Federal Office for Information Security (BSI) and undergone IT security checks by a BSI-approved testing body.
  • Critical key components may only be sourced from “trustworthy” suppliers/manufacturers.
  • Security-related network and system components (critical key components) may only be used following an appropriate acceptance test upon supply and must be subjected to regular and ongoing security tests.
  • Only trained professionals may be employed in security-related areas.
  • Proof must be provided that the hardware tested for the selected, security-related components and the source code at the end of the supply chain are actually deployed in the products used.
  • When planning and building the network, "monocultures" must be avoided by using network and system components from different manufacturers.
  • Where system-related processes are outsourced, only professionally competent, reliable and “trustworthy” contractors may be selected.
  • Adequate redundancy must be available for critical, security-related network and system components (critical key components).

The BSI and the Federal Network Agency will define by mutual agreement components that are “security-related” and as such considered to be “critical key components”. The security requirements will be drawn up also in agreement with the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

The publication of the aforementioned key elements shall provide manufacturers, associations of public telecommunications network operators and associations of providers of publicly accessible telecommunications services with an opportunity to comment on them.

A draft of the new (concrete) security requirements is planned for spring 2019. The Bundesnetzagentur will publish the final requirements once manufacturers and the above-mentioned associations have been given the opportunity to comment on the draft catalogue of requirements, as laid down in law, and the European notification procedure has been carried out.

For questions on this topic please refer to Christopher Götz.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.