BNetzA launches consultation on new IT security catalogue

The catalogue, which is a key instrument for ensuring the security of telecommunications networks and services in Germany, defines binding technical and organisational measures that operators of public networks and providers of publicly available telecommunications services must implement to protect their systems against attacks, manipulation and failures.

As digitisation accelerates, telco networks are becoming an increasingly attractive target for cyberattacks that can disrupt not only the operation of individual services, but also shut down entire sectors of the economy as well as public institutions. With the introduction of 5G, the complexity of networks is also increasing: functions like network slicing and edge computing lead to additional exposures to attackers. At the same time, dependence on resilient and secure networks is growing, whether for Industry 4.0, critical healthcare applications or everyday consumer use. The revised catalogue is intended to ensure that protective measures keep pace with these developments.

The new draft (version 2025-10) contains several key changes. The key amendments are the following:

1. Graded security measures:

In the future, requirements will be classified according to three risk levels: normal, elevated and increased risk. This differentiation ensures that the measures are better adapted to the actual threat level and do not apply across the board to all networks.

2. Consideration of 5G networks:

The catalogue now includes specific requirements for the operation of 5G mobile networks. It also includes an updated list of critical functions that are particularly relevant to network security, such as core network components and control elements.

3. Introduction of a proportionality test:

Before the measures are issued as binding administrative acts, they are reviewed to ensure that they are appropriate and practicable. This is to prevent companies from being disproportionately burdened without any real gain in security.

The catalogue is binding in accordance with Section 167 of the Telecommunications Act (TKG). It serves as a benchmark for the technical precautions and other measures pursuant to Section 165 of the TKG. It also forms the benchmark against which the BNetzA assesses the security concepts of the telecommunications network operators and telecommunications service providers. These documents are mandatory; the operators and providers are required to draw them up in accordance with Section 166 of the TKG.

How the consultation works: Manufacturers, network operators and industry associations can submit comments on the draft until 19 December 2025.

These comments must:

• be written in German,
• be submitted as a PDF file (with copy and print functions enabled),
• include a redacted version if trade or business secrets are affected, as well as a list of reasons for the redactions.

Comments can be submitted in either written or electronic form to the Federal Network Agency; Federal Network Agency, Division 217, An der Trift 40, 66123 Saarbrücken (217.Postfach@bnetza.de). Once the consultation period has ended, the Federal Network Agency will evaluate the comments received and issue the final catalogue as a binding order.

Meanwhile, the underlying law is already being revised again. The German Act that implements the NIS2 Directive was adopted by the German Federal Parliament on 13 November and will enter into force soon. This law will again change the legal security requirements to telco network operators and services providers in Germany. Further changes to the security catalogue are therefore to be expected.

We provide comprehensive advice on the legally compliant implementation of the new regulatory requirements, including the revised security requirements under the Telecommunications Act (TKG), as well as on all questions relating to telecommunications law. Dr. Simon Assion and Martin Lose from our team will be happy to provide you with personal advice.