On 3 November 2025, the Federal Network Agency published the draft security catalogue in accordance with Section 167 of the Telecommunications Act (TKG) and opened it for consultation. The consultation and draft can be accessed via the following link: https://www.bundesnetzagentur.de/DE/Fachthemen/Telekommunikation/OeffentlicheSicherheit/KatalogSicherheitsanforderungen/Konsultation/start.html.
Manufacturers, associations of network operators and associations of providers of publicly available telecommunications services can submit comments until 19 December 2025.
Background
In accordance with Section 167 of the German Telecommunications Act (TKG), the Federal Network Agency (BNetzA), in agreement with the Federal Office for Information Security (BSI) and the Federal Commissioner for Data Protection and Freedom of Information (BfDI), is required to lay down a catalogue of security requirements for the operation of telecommunications and data processing systems and the processing of personal data. The catalogue is intended to regulate in detail the security precautions and measures to be taken by telecommunications companies in accordance with Section 165 TKG, define the critical functions performed by critical components within the meaning of the BSI Act, and specify which telecommunications companies are to be classified as operators with increased risk potential.
The catalogue shall be issued as a general ruling after consultation with experts. The currently applicable catalogue was published in 2020 under the TKG-2004, so an adaptation to the current TKG-2021 and other legal developments is overdue.
Key contents of the draft
The draft document comprises 143 pages. It includes the explanatory considerations required for a general ruling under administrative law.
Part A of the document contains the ruling and the overarching reasons for the general ruling (15 pages in total). Part B contains the draft catalogue (approximately 80 pages in total). For each point, specific reasons are also given, which make up more than half of the text. Part C (approximately 20 pages) contains an appendix with technical specifications for packet-switched networks.
The catalogue begins with a classification of telecommunications companies according to their criticality and risk potential.
The link to company size follows the NIS2 Directive, which defines all telecommunications companies as important and companies above the size thresholds specified in c) as essential entities.
When formulating the details of the technical precautions and other measures in the catalogue and in the annex, this classification is regularly used by specifying a basic standard of requirements under a), which is then supplemented by additional requirements under b) and c) in accordance with the increasing risk potential.
The catalogue devotes a separate section (approximately 30 pages) to special requirements for 5G mobile networks, which were already subject to special conditions under the previous law.
Unlike the current catalogue, the draft does not contain any specific requirements for drafting the security concept in accordance with Section 166 (1) No. 3 TKG. This could make work easier, particularly for providers without their own network and smaller network operators without an increased risk potential.
Opportunity to comment
The draft is now subject to consultation with a deadline for comments of 19 December 2025. This consultation is aimed at manufacturers and associations of network operators and service providers, but not at individual telecommunications companies. This is in line with the provisions of Section 167 TKG, even if it seems odd that individual manufacturers are given the opportunity to comment while the telecommunications companies affected by the catalogue are not. We therefore recommend that telecommunications providers and network operators raise any comments and concerns with their industry associations and encourage them to submit comments. On the other hand, we expect that direct comments from network operators will also be accepted and not ignored. We are happy to provide support in this regard if required.
Implementation
After evaluating the consultation and notifying the EU Commission in accordance with Directive (EU) 2015/1535 (Directive on the provision of information in the field of technical regulations and rules on information society services), the catalogue will be issued and published by BNetzA as a general ruling. The requirements must then be implemented by the companies concerned within one year (Section 167 (2) TKG).