Germany: Security will remain a key focus in 2026 as well as clarification on 5G spectrum
Contacts
Senior Counsel
Germany
I am an experienced communications and data protection lawyer focusing on the communications sector.
Senior Associate
Germany
I am a senior associate in the Frankfurt Bird & Bird office, advising national and international companies on all regulatory and contractual aspects of information technology and telecommunications. This includes advising on strategic approaches to the authorities and representing clients in court.
Germany’s telecoms regulatory framework will continue to evolve in 2026, with several ongoing initiatives moving into their next phases. Adjustments to security requirements, NIS2 implementation steps, the critical infrastructures framework, and the redesign of spectrum allocation processes will each contribute to a gradually shifting compliance environment. While none of these developments represent abrupt change, they will require operators and service providers to stay attentive and adapt to incremental updates throughout the year.
Security concept BNetzA
In 2026, the Federal Network Agency (BNetzA) is expected to advance its overhaul of the security requirements for providers of telecommunications services and operators of telecommunications networks. It introduces more granular, risk‑based obligations for operators and tightens expectations around the protection of critical components. The revised framework is likely to align more closely with evolving EU cybersecurity standards and to set clearer requirements for technical safeguards, documentation, and cooperation with security authorities. See here for an overview of current draft. The deadline for submissions by industry associations (only) in the public consultation process has recently been extended to 16 January 2026.
NIS2 implementation
Throughout 2026, Germany’s implementation of the NIS2 Directive will continue to reshape the regulatory landscape, with a significantly expanded set of entities coming under oversight. Companies can expect stricter governance, risk‑management, and incident‑reporting as well as registration duties, accompanied by heightened accountability for senior management and more robust supply‑chain security expectations. The Federal Office for Information Security (BSI) has just launched the registration portal, and obligated entities must register the NIS2-relevant activities by 6 March 2026. Among others, providers of publicly available electronic communications services in Germany (independent of a branch office in Germany) and operators of public electronic communications networks must register with the BSI.
KRITIS‑DachG
In 2026, the KRITIS‑DachG (Critical Infrastructure Framework Act) is anticipated to become a central pillar of Germany’s critical‑infrastructure framework, establishing cross‑sector minimum standards that also apply to telecommunications. Operators will likely face new requirements for structured risk assessments, resilience measures, and reporting obligations, creating a more unified national regime that complements NIS2 and may impose additional operational duties on telecoms KRITIS operators.
Frequency proceedings
In 2026, BNetzA is expected to progress the redesign of the frequency allocation process following the court rulings on earlier 5G award rules. The authority will consult on and refine a new framework intended to provide transparency and planning certainty, while operators continue to navigate uncertainty around the future auction design, timing, and competitive conditions that will influence long‑term spectrum strategies. Currently, BNetzA is running a public consultation on the new frequency allocation process, and interested parties may submit their views by 12 January 2026.
