The Federal Network Agency (Bundesnetzagentur) has published a new draft of the Catalogue of Security Requirements pursuant to section 167 Telecommunications Act (Telekommunikationsgesetz, “TKG”). The catalogue sets out the technical and organisational measures that telecommunications providers must take to ensure that their networks and services are secure. Manufacturers, network operator associations and service provider associations are invited to submit comments by 16 January 2026.
Background
The Bundesnetzagentur has launched the consultation process for its new draft of the Catalogue of Security Requirements drawn up pursuant to section 167(1) TKG (full text available at Katalog von Sicherheitsanforderungen (German only)). The catalogue was prepared in coordination with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) and the Federal Commissioner for Data Protection and Freedom of Information. The new draft aims to protect the integrity of information and communication systems against a range of threats by bringing the security standards laid down in the catalogue in line with the state of the art.
The catalogue forms the basis for both the security concept to be drawn up under section 166(1) TKG and the technical precautions and other measures required under section 165(1) and (2) TKG, making the new draft particularly important for operators of public telecommunications networks and providers of publicly accessible telecommunications services.
Key messages, relevant legislation and practical implications
The draft contains a number of significant changes compared to the security catalogue in force since 29 April 2020, including:
Extended target group: Following the redefinition of the term “telecommunications services”, the draft also requires number-independent interpersonal telecommunications services to implement technical precautions and other measures to safeguard telecommunications confidentiality and prevent the unauthorised disclosure of personal data.
Risk-based security requirements: The current applicable general security measures for telecommunications networks and services will be replaced by requirements based on risk classification. To this end, the draft provides for companies to be assigned to different categories depending on their risk potential (“normal”, “elevated”, “increased”). The classification will be based on the company’s key figures (number of employees, annual turnover/balance sheet total) and the nature of the telecommunications services it provides.
Technical measures for 5G networks: The new draft adds specific requirements for the operation of 5G networks. 5G networks are also to be included in the “increased risk potential” category, which will itself necessitate more stringent security measures.
Updating the list of critical functions: The standalone List of Critical Functions for Public Telecommunications Networks and Services with an Increased Risk Potential will be updated and integrated into the new security catalogue.
Conclusion: Use the opportunity to comment
The new draft Catalogue of Security Requirements pursuant to section 167(1) TKG puts risk classification front and centre when determining the security requirements to be met by telecommunications networks and services. Companies with increased risk potential – especially 5G network and critical systems operators – will likely face significantly expanded requirements.
The Bundesnetzagentur has launched the consultation process for both the new draft security catalogue and the draft of the list of critical functions. Manufacturers, associations of operators of public telecommunications networks and associations of providers of publicly available telecommunications services may submit their comments in writing or by e-mail by 16 January 2026, and should use this opportunity to suggest adjustments that will benefit them in practice. Further information is available at Bundesnetzagentur - Konsultation (German only).
Forward
