On 16 October 2019, the German telecommunications regulator Bundesnetzagentur published a new draft catalogue (PDF) of security requirements under Sections 109 and 109a TKG (the “Catalogue”).
The new Catalogue is not yet final; there is one last consultation period during which affected stakeholders can submit their views to the Bundesnetzagentur. It is unlikely, though, that the Bundesnetzagentur will make fundamental changes, and affected market participants should expect that the draft Catalogue published now will become binding shortly.
The Catalogue of the Bundesnetzagentur has the status of “soft law”, which means that it is the Bundesnetzagentur's interpretation of binding statutory law. The Bundesnetzagentur has made clear that the contents of the Catalogue are meant as recommendations, and that companies can deviate from them where this is justified. The Bundesnetzagentur has, however, also pointed out that it can audit the security measures of affected providers (or order such an audit to be carried out by an external auditor). In that case, the Catalogue will be used as the basis of the audit. In practice, therefore, any deviation from the Catalogue should be carefully assessed and only implemented if it is justified and necessary.
Some parts of the Catalogue will become binding through a change of statutory law, which will likely be enacted in the coming months. The new law will likely make the security recommendations for “increased risk” networks and services (more details below) mandatory.
There is at this point no English version of the Catalogue available.
An overview of the IT Security Catalogue
The new Catalogue is, with some minor exceptions, a completely new draft. The new Catalogue is distinctly different from its predecessors. This is also underlined by the fact that the Bundesnetzagentur has chosen to name it “IT Security Catalogue 2.0”. Earlier updates had been designated with version numbers such as “1.2”.
The key components of the Catalogue are:
• After some introductory remarks (in Chapters 1 and 2), Chapter 3 provides a list of specific security measures recommended by the Bundesnetzagentur. The list of measures is extensive and includes, for example, vendor management, background checks of personnel, two-factor authentication for access to sensitive information and systems, and Business Continuity Management.
• Chapter 4 comprises an explanation of all security-relevant provisions of the German Telecommunications Act.
• Chapter 5 describes how the requirements should be implemented in practice, including an explanation of how a security concept should be drawn up and how a security officer should be appointed and integrated into the business organisation (both being mandatory for providers of publicly available telecommunications services and operators of public telecommunications networks). Chapter 5 also explains how to conduct the risk assessment of functions and network components.
• Chapter 6 lays down additional rules for the “transition phase”, which is the phase after the new Catalogue has become applicable but before the German administration is ready to certify security-critical network components (see below).
• Annex 1 contains precise requirements for network operators that use the Internet Protocol (which nowadays means almost all network operators). These operators are required to implement specific safeguards such as protection against DDoS attacks and IP spoofing, transport encryption and a “Monitoring Infrastructure” (MI).
• Annex 2 stipulates specific requirements for public telecommunications networks with “high risk potential”. We explain these in more detail below.
The new framework for “increased risk” networks
The main reason for the initiative to draw up a new Catalogue was public concern and discussion over Chinese manufacturers and the use of their components in the 5G mobile networks that are currently being built. In reaction, the Bundesnetzagentur created Annex 2 of this Catalogue, which holds a list of security requirements that apply specifically to “networks with an increased risk potential”. The definition of these “increased risk potential” networks includes, most notably, all mobile networks that have more than 100,000 subscribers. In some cases, the requirements also extend to their suppliers, subcontractors and infrastructure providers.
Operators of networks with an “increased risk potential” have to implement five far-reaching organisational changes:
• Certification of critical key components: All components that are used for a “critical function” will have to be certified, either under the national certification regime of the Federal Office for Information Security (BSI) or through the European certification framework created by the EU Cybersecurity Act (EU 2019/881). The Bundesnetzagentur will draw up a list of such critical functions and components and will publish it on 1 January 2020 at the latest. The Bundesnetzagentur is seeking comments on which functions and components should be regarded as “critical”.
• “Assurance of trustworthiness” regime for suppliers: The operators must check all suppliers of critical key components (including importers and manufacturers) as to their trustworthiness. The suppliers also have to provide a “statement of trustworthiness” that stipulates several security-related warranties. The list of requirements for these statements is made up of 10 points and includes the obligation not to provide confidential data to third parties, most importantly intelligence agencies. It also includes an obligation to inform the network operator if confidentiality can no longer be guaranteed. A manufacturer that is unable to ensure the confidentiality and security of its components in this regard will not be deemed “trustworthy”, and its components will not be accepted as key components of “increased risk” networks in Germany.
• Ensuring product integrity through its entire delivery and life cycle: Network operators are obliged to minimise risks to the integrity and security of their products in all stages of the delivery and life cycle. They are, for example, explicitly required to avoid scenarios where products could be manipulated during delivery. Upon receipt, the network operators have to conduct an “acceptance test” to ensure the integrity of the product.
• Ongoing security monitoring: During their ongoing operation, the critical key components must be constantly monitored to detect anomalies and must be protected against manipulation. Access to these components is only allowed for specially trained staff members.
• Prohibition of “monocultures”: The Bundesnetzagentur explicitly prohibits building the core network and the radio access network out of components from only one manufacturer. Network operators are required to ensure both the variety and redundancy of their network components so that major disruptions can be avoided and handled through backup solutions that are maintained as a “hot standby”.
The above obligations apply to the entire supply chain. In consequence, not only the manufacturers of the critical components have to meet these requirements, but also their subcontractors.
The Catalogue is currently subject to one last public consultation. This consultation period ends on 13 November 2019. The Bundesnetzagentur will likely publish the final Catalogue shortly thereafter. It will become valid and binding (as “soft law”) immediately upon publication. In that regard, the Catalogue also comprises some rules for the transitional period in which components cannot yet be certified (see below).
There are, in parallel, ongoing efforts to enact a reform of the German Telecommunications Act that would make some parts of the Catalogue (at least Annex 2) mandatory for the affected network operators. The draft of this new law is not yet public, but it will likely be published and enacted during the next few months.
Further, the Bundesnetzagentur and the Federal Office for Information Security (BSI) are currently working with high priority on finalising two further cornerstones of the new system: the certification infrastructure and the “List of Critical Functions and Components”. Neither is available as of now, but both are expected shortly.