On Wednesday, the Federal Network Agency, together with the Federal Office for Information Security (BSI) and the federal data protection commissioner, finalized the catalog of security requirements for critical IT infrastructures. The catalog largely corresponds to the draft that was already known. The authority has also revised the list of critical functions, which network operators can use to identify the components that will be subject to mandatory certification in the future.

The revised security catalog applies to operators of telecommunications and data processing systems as well as to the processing of personal data. “These specifications achieve a very high level of technological security,” said BSI President Arne Schönbohm. The catalog contains detailed guidelines on how network operators should monitor the integrity and security of their systems and how they should react to incidents. “The new requirements secure the telecommunications networks and protect them against threats,” explained chief regulator Jochen Homann. The authority had already presented the draft last year.

Against the background of the debate about the security of 5G networks, these standard requirements were expanded in order to secure the network infrastructure against feared access by foreign governments or intelligence services. The focus is on the Chinese suppliers Huawei and ZTE, which are said to have too close a connection to the Chinese government. The legal basis is therefore also referred to as “Lex Huawei”.

On the basis of the second IT Security Act and the new Telecommunications Act (TKG), which comes into force on December 1, 2021, the Federal Network Agency defines general requirements for the operation of critical or data-protection-relevant services. These include general security precautions for operating systems and processes as well as precautions to maintain telecommunications secrecy and protect customer data. With regard to the debate about Huawei, the requirements for the trustworthiness of suppliers and the assurances they must provide are also important.

With the catalog of security requirements, operators of public telecommunications networks are classified for the first time as companies with an increased risk potential. For them, the Federal Network Agency is now defining the criteria according to which critical components must in future be tested by a recognized institution and certified by the BSI. Which components these are can be determined from the revised list of critical functions. The radio network is now also mentioned, but the section on “Lawful Interception” has been deleted from the draft.

List of critical functions: on the left the draft of April 29, 2020, on the right the current version of August 18, 2021.

The critical functions in the core network include authentication, session management, roaming and data transport as well as access policy management. In addition, the management and orchestration of virtualized network functions are affected, which is likely to be important with regard to the commitment of network operators to Open RAN. On the radio side, the Federal Network Agency only lists “5G-RAN management” as a critical function. What exactly is to be understood by this and which components fall under the certification obligation will then probably emerge in the implementation.

The rules apply from January 1, 2026 to all newly commissioned components. Until then there is a transition period. New components put into operation before then must be certified by that deadline at the latest, or earlier as soon as two comparable certified products from different manufacturers are available. If a component does not receive certification or loses it, it must be replaced by 2025. No subsequent certification is required for existing components that are no longer being installed.
