Catalogue of requirements in accordance with § 109(6) of the Telecommunications Act [Telekommunikationsgesetz – TKG]: catalogue of security requirements for operating telecommunications and data processing systems, and for processing personal data, version 2.0
Communication from the Commission - TRIS/(2020) 02910
Directive (EU) 2015/1535
Translation of the message 001
Does not open the delays.
1. Structured Information Line
MSG 002 IND 2020 0496 D EN 04-08-2020 D NOTIF
2. Member State
3. Department Responsible
Bundesministerium für Wirtschaft und Energie, Referat E C 2, 11019 Berlin,
Tel.: +49-30-2014-6353, Fax: +49-30-2014-5379, E-Mail: firstname.lastname@example.org;
3. Originating Department
Bundesministerium für Wirtschaft und Energie, Referat VI A 2, 53107 Bonn,
Tel.: 0049-228-99615-3229, E-Mail: BUERO-VIA2@bmwi.bund.de
Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen
4. Notification Number
2020/0496/D - V00T
5. Title
Catalogue of requirements in accordance with § 109(6) of the Telecommunications Act [Telekommunikationsgesetz – TKG]: catalogue of security requirements for operating telecommunications and data processing systems, and for processing personal data, version 2.0
6. Products Concerned
Description of technical precautions and other measures to guarantee a high standard of data security and data quality, to guarantee confidentiality and to ensure a sufficiently high availability of public telecommunications networks and publicly accessible telecommunications services.
7. Notification Under Another Act
8. Main Content
The catalogue of requirements describes technical precautions and other measures to guarantee a high standard of data security and data protection, to guarantee telecommunications confidentiality and to ensure a sufficiently high availability of public telecommunications networks and publicly accessible telecommunications services. Additional security requirements are defined and additional protective measures are described, in particular for network components with an increased risk potential. Here, the network components with an increased risk potential stem from the ‘List of critical functions for public telecommunications networks and services with an increased risk potential (supplement to Annex 2 to the catalogue of security requirements)’ published jointly by the Federal Office for Information Security and the Federal Network Agency. In this regard, a particularly essential component is the ‘security certification’ through a recognised body. For this purpose, the Federal Office for Information Security will issue a Technical Guideline with the title ‘Certification of telecommunication components’.
9. Brief Statement of Grounds
In accordance with § 109(6) of the Telecommunications Act (TKG), the catalogue of requirements must be drawn up by the Federal Network Agency in agreement with the Federal Office for Information Security and the Federal Commissioner for Data Protection and Freedom of Information in order to ensure necessary technical precautions and other measures to safeguard data protection and telecommunications confidentiality (§ 109(1) TKG) and guarantee adequate technical measures and other measures to protect against interference with significant adverse effects or to manage risks to the security of telecommunications services and networks (§ 109(2) TKG).
10. Reference Documents - Basic Texts
Reference(s) to basic text(s): Telecommunications Act of 22 June 2004 (Federal Law Gazette I, p. 1190), as last amended by Article 319 of the Ordinance of 19 June 2020 (Federal Law Gazette I, p. 1328).
11. Invocation of the Emergency Procedure
12. Grounds for the Emergency
14. Fiscal measures
15. Impact assessment
16. TBT and SPS aspects
TBT aspect: No - the draft is neither a technical regulation nor a conformity assessment.
TBT aspect: No - the draft has no significant impact on international trade.
SPS aspect: No - the draft has no significant impact on international trade.
SPS aspect: No - the draft is neither a sanitary nor a phytosanitary measure.
Contact point Directive (EU) 2015/1535
Fax: +32 229 98043
eco main criticism of the notified draft security catalogue according to § 109 (6) TKG to the EU Commission – Notification No. 2020/496/D
The Bundesnetzagentur (German Federal Network Agency - BNetzA) has issued the draft security catalogue in agreement with the Bundesamt für Sicherheit in der Informationstechnik (German Federal Office for Information Security - BSI) and submitted it to the EU Commission for notification. The catalogue shall set the security requirements for the operation of telecommunications and data processing systems as well as for the processing of personal data, and the establishment of security concepts are to be based on the catalogue.
eco and its member companies share with the competent authorities the interest in improving and strengthening the IT security of telecommunications networks and services. In the context of the notification procedure, we would like to express our main criticisms regarding the draft submitted in terms of the compatibility of the security catalogue with European law and principles. In addition, we would like to refer to our detailed opinion on the draft for a security catalogue.
No legal certainty due to planned changes
Inter alia, § 109 TKG is to be amended. Paragraph 6 of this regulation is to be the legal basis for the notified draft. The regulation is to be amended in such a way that it forms a regulatory complex together with the future BSI Act, a future general decree of the Federal Ministry of the Interior (details on written guarantee), the future list of BNetzA/BSI (draft in national consultation) and a future technical guideline (TG) of the BSI (for list and TG see no. 8 of the Notification Message). This planned regulatory complex will create significant legal and planning uncertainty for the providers concerned. This constitutes an unjustified encroachment on the freedom to conduct a business under Article 16 of the EU Charter of Fundamental Rights.
eco considers that it is possible that the application of the notified draft will not be in accordance with the Cyber Security Act (CSA), EU Regulation 2019/881. The BNetzA and the BSI have a very wide scope for interpretation and application outside the CSA. In addition, global and international standards, such as 3GPP, are not taken sufficiently into account.
Breach of the EU Single Market Principle
eco sees the requirements of Annex 2 of the security catalogue as representing a breach of the freedom to provide services in accordance with Art. 62, Art. 53(1) TFEU, specified in greater detail by Directive 2006/123/EC. The strict requirements of BNetzA represent very high obligations for 5G providers who operate or plan to operate across the EU to purchase technical components in accordance with German requirements, although other Member States impose different requirements. The products and services of the German 5G network operators would become more expensive throughout Europe, as companies are in fact forced to install and use components in their telecommunications infrastructures throughout Europe that meet German security requirements. This also distorts competition, as 5G providers from other EU Member States with significantly lower security requirements can offer their services at significantly reduced rates. A factual justification of this indirect discrimination is not apparent, as the requirements of BNetzA exceed the necessary measure.
Impact on international trade not sufficiently taken into account
Contrary to the national authorities’ assessment, the draft submitted violates the Agreement on Technical Barriers to Trade, see No. 16 of the Notification Communication. It is a protectionist measure whereby manufacturers are excluded from the German market in the event that the specifications of the catalogue and its systems are not complied with. The scheme is based on presumptions regarding certain producers and no actual evidence. Principles of the rule of law require that conjecture cannot be the basis for the withdrawal of trust, especially geostrategic, commercial, geopolitical, foreign policy, or other political considerations, which are all extraneous to the topic.
Declaration of trustworthiness infringes General Principles of EU law
Terms such as third parties, security authorities and confidential information are too indeterminate. Some points cannot be signed or guaranteed by any manufacturer, and are therefore legally impossible. This is an infringement of the freedom to conduct a business that goes beyond what is absolutely necessary. The requirements are also not in line with the objectives of the planned E-Evidence Regulation. However, Member States are also obligated to respect the Effet Utile if they can foresee that national rules are incompatible with an EU regulation that has already taken concrete form, as e-evidence has done. In this case, the EU Member States are obliged to take the forthcoming regulation into utmost account.
Breach of notification obligation or national law
The List of the BNetzA/BSI and the Technical Guideline of the BSI are either a legal part of the Security Catalogue (administrative act in the form of the General Decree), in which case there would be at least one legal basis with § 109 (6) TKG and they should have been notified. As this was not done, the BNetzA would, in this case, have infringed the TRIS Directive EU/2015/1535. However, if neither is a legal part of the security catalogue, there is no legal basis for either of them, either in EU or national law. This is a clear violation. In this case, the EU Commission is required to request Germany to amend or withdraw the notified draft. Otherwise, the TRIS procedure would be reduced ad absurdum. It would have to be carried out again after the draft has been repealed. The adoption by the EU Commission of a draft manifestly contrary to national law would also not correspond to the Effet Utile pursuant to Art. 4 (3) TEU with regard to Directive EU/2015/1535.
Protection of confidence not guaranteed
There is no sufficient legal basis in EU or German law for the obligation to remove individual components from the network (2.4 of the draft, p. 66), if the certification is subsequently withdrawn on the basis of an official decision. Such a legal basis would also have to comply with the Parliament’s reservation of intervention. Furthermore, it remains open how to grant legal protection to affected network operators if they are to be obliged to replace individual components, should the certification of the component cease after installation. The network operators are not the addressees of the certification obligation, but the manufacturers. The decisions that could lead to the elimination of certification are also not readily accessible to network operators. The comprehensibility of the administrative action of the certifying authority is also open, because often intelligence information that is inaccessible to the authority is likely to play a role. In addition, this is an interference in the ownership of the network operator, for which the operator has given no cause and is not responsible. For this purpose, the network operator concerned must be compensated by the State, as in the case of an equal measure of expropriation. Such a compensation rule has not yet been provided for.
Hearing did not take place
There has been no hearing for the draft notified here. The only hearing that has taken place was on a draft security catalogue, held in autumn 2019. However, that draft differed in substantial ways and to a considerable extent from the notified draft. Therefore, there was no consultation on the draft submitted for notification before it was notified. This constitutes a violation of Article 41 (2) lit. a) of the EU Charter of Fundamental Rights.
Longer implementation deadlines offered for OTT providers
With the implementation of the EECC into national law, it is already foreseeable that the number of parties subject to obligations with regard to the security requirements as set out in § 109 paragraphs 6, 4, 2 and 1 TKG is going to increase significantly, e.g. to OTT providers. The BNetzA grants traditional telecommunications companies one year from the publication of the catalogue, e.g. on page 65. This deadline is aimed at traditional telecommunications companies that already have practical experience and knowledge regarding security requirements. On the other hand, this does not apply to the OTT providers facing their first obligation in this regard. The predetermined security requirements are complex, comprehensive and difficult to implement. Accordingly, the OTT providers must first develop a sufficient understanding of the technical requirements and develop a corresponding implementation concept which is adapted to their individual requirements and circumstances. This requires an appropriate deadline for implementation. We propose a deadline until 31.12.2025, as on page 65 of the notified draft. In eco's opinion, this is required by the principle of proportionality in accordance with Article 52 (1) sentence 2 of the EU Charter of Fundamental Rights.
About eco: With over 1,100 member companies, eco is the largest Internet industry association in Europe. Since 1995 eco has been instrumental in shaping the Internet, fostering new technologies, forming framework conditions, and representing the interests of members in politics and international committees. eco’s key topics are the reliability and strengthening of digital infrastructure, IT security, and trust, ethics, and self-regulation. That is why eco advocates for a free, technologically-neutral, and high-performance Internet.
Bitkom views concerning the catalogue of security requirements for the operation of telecommunications and data processing systems and for the processing of personal data – pursuant to § 109 of the Telecommunications Act (TKG) Version 2.0
On August 4, 2020, the German Federal Network Agency submitted an amended security catalogue for notification to the European Commission. As Bitkom, we actively contributed to the comments on the security catalogue with our statement of November 18, 2019. However, the results of the consultation at that time were not included to the necessary extent in the security catalogue now submitted for notification. While on the one hand it is to be welcomed that important political processes have been initiated, on the other hand it is to be regretted that the industry has not been given the chance to provide further feedback. In its current version, the security catalogue still has some unclear wording and is therefore, in fact, difficult to subsume. This is problematic because the appendix, due to its legal construction, appears almost like a law, since the network operators are ultimately restricted in their choice of contract partners. Consequently, there is an internal market relevance of the present catalogue that cannot be dismissed out of hand and which must now be considered at European level. For this reason, we would like to emphasise our perspective and position at the European level as well. The document is in line with our German position of November last year. In addition, the Annex (page 14) selectively addresses certain amendments of the current version of the catalogue. In general, Bitkom proposes and promotes the unified application of comparable criteria across the common market. Bitkom wishes to emphasise that individual national pockets of regulation should not be created to circumvent the common market. Bitkom therefore promotes a unified approach in the EU.
A. General considerations
4G and 5G mobile communications and digital infrastructures in general are becoming the backbone of the digital economy, society and administration. The aim is to set up efficient, affordable and secure 5G networks in Germany as quickly as possible and to consolidate and upgrade 4G networks. The growing importance of communications networks for the functioning of our society means that more ambitious demands are being placed on communications infrastructure in every respect. At the same time, the debate on trustworthy infrastructures is also giving rise to further requirements for the shaping of Europe's digital sovereignty.
In order to achieve these goals, fair and innovation-stimulating competition with the same rules for the same services and offerings and the diversity of technologies and providers are essential so that, as intended, high-performance, affordable and secure 5G networks can be established in Germany as quickly as possible.
However, in order to satisfy the claim to sovereignty, in addition to the necessary speed of market development, policy-makers are called upon to design the legal framework and its implementation in such a way that the networks guarantee the highest possible level of security, including availability, at all times and cannot be compromised. As a general principle, all manufacturers - regardless of their products and offers and regardless of their origin - ideally have to apply at least the same product- and offer-specific test criteria, rules and procedures throughout Europe. At this point, we would also like to point out that a clear and technology-neutral approach that promotes the use of effective encryption must not, on the other hand, be thwarted by government activities to weaken encryption.
The legislator must also clearly address the requirements it imposes to ensure an appropriate level of IT security. Here, the Cybersecurity Act, the IT Security Act and the NIS Directive as a horizontal regulation play an important role. The discussion on § 109 TKG should also be seen in this context.
In principle, the following four principles must be observed:
1. Transparency is the basis for trust. This requires a cooperative approach with clearly defined rules for all sides. This lays the foundation not only to secure the respective product but also to strengthen the knowledge in the secure development life cycle for future products. All stakeholders should ensure that they are free from undue governmental influence and that they are in line with the standards and objectives of the OECD Principles of Corporate Governance.
2. Testing and certification: Innovation will secure tomorrow's prosperity. Innovation in the ICT sector is increasingly becoming the driving force behind economic and social development. Innovation-friendly regulation is crucial to this. The state should above all define the objectives and requirements of the proposed measures. A risk-based approach should be adopted. In the context of certification, mutual recognition should be established at least at European level. This, as well as the issue of transparency, implies that any verification of source code and other relevant materials required by the competent authorities should be carried out at a safe place in Europe under the control of the manufacturer. Germany, not least because of its economic strength, has a model function for states worldwide of which we should be aware.
3. Responsibility: Government bodies and those acting on behalf of governments, network operators and manufacturers each bear their share of responsibility for secure networks and must take all necessary measures in accordance with their respective roles and responsibilities. At the same time, users must be made aware of their contribution to the security, integrity and availability of data, and of the need to use encryption consistently, for example for critical data.
4. European Single Market: The European Single Market is a success story for economic development in Germany. Germany and the German economy have a vested interest in strengthening this internal market and sharing in its innovative strength. Therefore, any definition of security requirements, including the certification of components to be assessed as "critical", must take place within a European framework and the certification by national testing bodies based on this must be recognised throughout Europe. Going it alone at national level weakens economic development and slows down innovation.
These principles will make a decisive contribution to meeting the demand for secure communications networks.
B. Details of the draft version 2.0 security requirement catalogue
Bitkom welcomes the fact that the Federal Network Agency has published the update of the catalogue of security requirements pursuant to § 109 (6) of the Telecommunications Act (TKG) and that the approach described there implies that security requirements apply equally and in a technology-neutral way to all network operators, manufacturers and service providers. Proposed principles, such as permanent network operation monitoring, are already common practice today. The required avoidance of monocultures is also a reality today as part of the multi-vendor strategy of network operators. Furthermore, redundancies in the network are a suitable measure to increase its security.
The security of the networks has top priority. The idea of a comprehensive security architecture, as proposed by the Federal Network Agency, fits in with this. It would be desirable if such ideas could also be implemented throughout the EU. Germany should work towards this. Instead of special national routes with additional costs, efficiency gains in the European internal market could be raised. Moreover, it must also be clear that network operators alone are not responsible, but that manufacturers must also play their part.
1 Regarding 3 “Security requirements for the operation of telecommunications and data processing systems and for the processing of personal data”
1.1 Regarding 3.3.1 “Secure handling of sensitive data and information”
In the field of telecommunications, inventory data, and in particular traffic data, are highly sensitive data. They are subject to data protection and the protection of telecommunications secrecy. Regulations must therefore be established for the secure handling of such data and information. The following applies in particular:
· Implementation of appropriate organisational and technical precautions according to the state of the art,
· Implementation within the framework of a management system, e.g. information security management system (ISMS).
1.2 Regarding 3.3.2 “Physical and elementary protection requirements”
This section identifies nine bullet points as the minimum number of measures to be implemented. These appear arbitrary and do not correspond to the basic logic of an ISMS with risk management, in which one determines which measures are to be followed and which are not. For this purpose, the economy or the scope of application of the respective operator is too heterogeneous to make general minimum statements. Here it is more suitable to refer to the existing security standards including the so-called state of the art and an ISMS, e.g. the BSI Grundschutz-Kompendium or ISO 27001.
These listings are to be found throughout the document, especially of course in section 3.3.
1.3 Regarding 3.3.4 “Access and access control on network and information systems”
In the past, "secured areas" were switching centres or IT server rooms which were protected by a central access, but inside were system cabinets without doors and further access protection. For these, the requirement from 3.3.4 is targeted. Today, on the other hand, there are more complex physical infrastructures, e.g. central computer centres, in which various protection requirements with different levels of protection are accommodated in common rooms. For adequate separation, there are separate cage areas for this purpose or at least separate locked server cabinets which are protected against unauthorised access by individual key or card systems. However, these safeguards are not separate "secure areas" but "secure technical installations" (as a more general term). Through a suitable security concept (24/7 security service, camera surveillance, etc.) it is nevertheless ensured in such environments that access is possible for persons with a legitimate interest.
2 Regarding Annex 2: Further security requirements for operators of networks with increased risk potential
2.1 Preliminary remark
In order to strengthen the establishment of the European (Digital) Single Market and the development of cross-border 5G-based applications, European rather than national approaches should be increasingly targeted. Instead of the planned declaration of trustworthiness, a binding Europe-wide Cybersecurity Scheme for 5G network components based on the EU Cybersecurity Act is therefore needed. In addition, the implications of the IT Security Act 2.0 for the current procedure must be taken into account vice versa.
The aim of the revision of the catalogue of requirements, as well as of further initiatives such as the TKG amendment for the implementation of the European Code of Electronic Communications or the current revision of the IT Security Act, must be to create legal certainty for the telecommunications industry and at the same time to involve the companies, which for their part are indispensable for more secure infrastructure equipment. At the same time, general political questions must not and cannot be answered by technical-regulatory definitions of requirements, nor can they be answered by companies operating in the private sector.
The envisaged procedure provides for two pillars: technical verification and trustworthiness. In addition to the technical inspection of components, the assessment of the trustworthiness of manufacturers should also be a state task and must not be delegated. Neither the draft of the security catalogue according to § 109 TKG nor the TKG can fulfil this task, since only operators, but not suppliers, are addressed. A corresponding legal basis, which, among other things, regulates the appropriate allocation of responsibility, must be created.
In order to avoid legal uncertainty among operators, it must also be clarified how the security and trustworthiness of third parties can be verified and guaranteed. The regulator must answer the question of which further processes he is triggering with this.
2.2 Regarding 1. Field of application
The definition of the scope of application or the definition of "increased risk potential" for the determination of the addressees of the further security requirements mentioned below lacks concrete criteria for the determination - apart from the mobile network operators obviously covered. In the interests of legal certainty for the network operators and service providers concerned, more specific information should be provided here.
Furthermore, we would like to point out that the scope of application of the security catalogue must also be considered in a broader context:
1. The scope of application of the TKG and the security catalogue according to § 109 TKG is mainly directed at the operators. At the same time, security requires a cooperative approach with obligations and allocation of responsibilities for all actors.
2. The maintenance and strengthening of harmonised regulations between the EU Member States requires a European approach with at least European, if not global standards. Otherwise the harmonisation achieved so far will weaken competition and security. Nevertheless, we welcome the intention to pursue the further development of the security requirements as quickly as possible if a German further development does not lead to a special path but to a coordinated and exemplary European solution.
2.3 Regarding 2. Certification of critical components
First of all, it needs to be clarified together with industry which network and system components are classified as "critical". A complete evaluation of the catalogue cannot be made without such a determination. Furthermore, it must be clarified how an assurance of trustworthiness is to be provided in a suitable manner and in a legally secure manner.
This and a certification of critical components should at least refer to European, ideally international, recognised standards and take existing bodies into account as far as possible. The regulation and, in particular, a possible certification should not lead to a detached national special solution that delays the introduction of 5G in Germany and burdens it with additional costs.
Furthermore, we would like to point out that network and system components are subject to a high development dynamic. Testing and certification procedures must not constitute a bottleneck and, especially in the event of staff shortages in the testing and certification bodies, must not lead to a delayed deployment of critical components. Especially software-technical adaptations that include security-critical components must be introduced promptly. Here, European or international IT management standards could serve as a template to prioritise the audit effort in a risk-oriented way or to keep the effort in an appropriate frame - the goal cannot be that every update leads to a re-certification.
Bitkom therefore welcomes the fact that the catalogue provides for a broader base of test centres to be certified by the BSI in order to effectively counteract possible bottlenecks on the part of the authorities. Corresponding security checks by test centres certified by the BSI are provided for under § 2 para. 7 of the BSI Act: "Certification within the meaning of this Act is the determination by a certification body that a product, process, system, protection profile (security certification), person (personal certification) or IT security service provider meets certain requirements." Test procedures for "critical" components should be carried out at a safe place in Europe under the control of the manufacturer.
In this context it should be noted that a framework for mutual recognition within Europe is necessary to ensure scalability, effectiveness and efficiency. Approval authorities should be designated which apply a mandatory, robust test method – such as BSI and ANSSI. Without this, each country will be able to repeat tests at high cost and will not be able to meet the requirements for timely testing of new technologies. The BSI Act provides the means for such mutual recognition in the European context. § 9(7) clarifies that in principle "security certificates issued by other recognised certification bodies from the European Union area are recognised by the Federal Office".
From our point of view, a certification of critical components must be based on European or global standards, since standardisation also takes place at supranational level. Here we welcome the reference to Regulation (EU) 2019/881 (Cybersecurity Act) of 27.06.2019, which introduced a uniform European framework for cyber security certification, in which the recognition of European schemes for cyber security certification is regulated. With regard to the participation of manufacturers, associations of operators of public telecommunications networks and associations of providers of publicly available telecommunications services, Annex 2, point 2.3, refers to the opportunity for comments.
Bitkom recommends active participation by industry in the preparation and updating of the document in order to be able to submit proposals or submissions. In the course of this active participation, the components to be recorded should be identified and named in a uniform manner for the industry.
In order to ensure the operation and further development of new technologies (e.g. the 5G mobile network), we consider it useful to specify the present draft in such a way that exceptions and special cases are taken into account. For example, 5G technology will require software updates at short intervals. Here it should be defined which category of software updates must be subject to recertification or re-testing. From our point of view a certification of every software update is not reasonable and cannot be reproduced in operation. We also see a considerable influence on the availability of resources of the BSI. In general, we believe that, in addition to the standard certification process for exceptional or emergency cases, there should be the possibility of an alternative, accelerated testing/certification procedure, which, for example, enables the operation of a critical component at short notice and provides for a parallel or downstream testing/certification procedure.
Furthermore, it should be clarified how to deal with critical components of existing technologies (e.g. 2G/3G). From Bitkom's point of view, a certification obligation can only extend to newly commissioned system components and cannot have any retroactive effect.
In this context, the question must also be clarified what happens if certification is subsequently withdrawn, e.g. due to non-availability of software updates. Who bears the costs of this?
In general, we welcome the acceptance and consideration of international standards and analyses such as ENISA or BEREC, in particular in developing and updating the list of "critical functions and components". We also welcome the procedure to define the critical components in accordance with the definition of critical functions that the components serve. This is helpful, as the resilience of the overall system is indicated by favorable results related to security. Basic standard functions need not be considered as critical functions.
Critical components must be clearly identifiable. Undifferentiated designations, as currently used in part in the BSI-KritisV, are not precise enough. We propose to involve operators of telecommunication networks and services in the definition and to form a joint working group of authorities and telecommunication companies under the leadership of the BNetzA or to use the sector working group telecommunications (BAK TK) in the UP KRITIS.
In Annex 2, point 2.2, the operators of telecommunications services will also be given the opportunity to submit comments. Here we expect not only the possibility to submit comments but also the possibility to participate in the preparation and consideration of our submissions.
In terms of transitional regulation, the legal basis must be created so that the manufacturer/supplier of these components initiates the certification process at an early stage in the same way as for new components. It has to be taken into account that, starting from the operator, this is not possible within the framework of existing contracts and can thus represent a considerable risk factor for the maintenance of operation.
2.4 Regarding 3. Trustworthiness of manufacturers and suppliers
Manufacturers and suppliers are already making a major contribution to a secure network infrastructure. We support the fact that the present draft according to section 3 provides for this responsibility to be certified in writing in accordance with the requirements listed here.
The trustworthiness of a manufacturer/supplier is likely to be determined primarily by the quality of a transparent and open information policy which a manufacturer/supplier displays with regard to the implementation of the above-mentioned regulations and laws, as well as corresponding knowledge and experience from the past. Also in the context of trustworthiness it remains open what happens if a supplier loses his trustworthiness although his technology is already part of the infrastructure. Clear responsibilities, exit scenarios and transitional periods must provide legal certainty.
If a manufacturer/supplier already in use is deprived of its trustworthiness, it must be ensured that the burden of proof for the reason for the deprivation is not placed on the network operator, but on a state institution/authority, ideally at European level. This includes, for example, possible corrections of the network and the restoration of security in this operational network.
In order to remove the legal asymmetry between technical certification and the declaration of trustworthiness, it is necessary that the assessment of trustworthiness is also carried out by independent governmental bodies. Leaving the evaluation of trustworthiness to the network operators releases the state from the obligation to make such a political and factual evaluation.
2.4.1 On point 4:
Here the obligations of manufacturers should be clarified. The present version leads to an unsolvable situation and contradicts, for example, the approach of the EU Commission to enable European law enforcement and judicial authorities to secure electronic evidence under the E-Evidence Directive.
2.4.2 On point 10:
Here the term "immediately" should be further clarified. It is necessary that manufacturers inform all customers or users about security risks in good time and at the same time and thus on an equal footing. Notifying operators before a vulnerability has been prioritised by the vendor in terms of importance, impact and exploitability, and allowed to be repaired, worked around or contained, would result in a less secure situation.
2.5 Regarding 4. Product integrity
Newly procured critical components are subject to testing and certification by the BSI. In this respect, we generally assume that the delivery condition of hardware or software corresponds to the tested and certified condition.
With regard to the named critical phases of the life cycle of a component, we support the obligation of the manufacturers to integrate technical methods/procedures for testing product integrity into the product and to document the approach for carrying out the verification to the operator in a suitable manner. We also welcome the further obligations of the manufacturers to cooperate, which, however, must be clearly anchored in the regulations, including the necessary protective measures. We welcome the development of such an approach, but point out that such a complex instrument will require several years of development.
Similarly serious are the effects on the existing processes customary in the industry with regard to delivery, storage, commissioning and retirement, which would have to be completely redeveloped and would also have to be reflected in the existing contractual relationships. Especially against the background that certification/testing, coupled with the control mechanisms listed here, represents a preventive control which guarantees the use of integral products and would thus be preferable from a risk perspective.
In cooperation with trustworthy suppliers/manufacturers, it should rather be assumed that the critical components certified by the BSI are used precisely in the tested and certified hardware and software combination. A further obligation to provide evidence does not appear practicable in the application. In order to ensure that the software running on the network infrastructure corresponds to that supplied by the manufacturer, the concept of binary equivalence is a fundamental test. This is a challenge – it is necessary to consider whether the vendor must provide the tools to allow the operator to independently verify this.
The cycle, content and form of the periodic security reviews must be defined, ideally with longer intervals for critical components compared to particularly critical components (cf. redundancy requirement). Any form of additional acceptance tests and regular security reviews tie up new resources at the obligated companies. The specifications for this should therefore follow the principle of appropriateness of the TKG. The content and form of the acceptance tests should also be coordinated with the test contents for BSI certification so that the focus is only on those points for acceptance which have not already been checked.
In principle, there are doubts about the appropriateness (cf. § 109 (2) TKG) and feasibility of this requirement due to the complexity and diversity of the network and system components and the development dynamics in the different technologies.
2.6 Regarding 5. Security requirements during operation
2.6.1 Regarding 5.1. Security monitoring
This requirement focuses on all types of internal and external monitoring to detect attacks or errors. In principle, network traffic via the network and system components is already being monitored for abnormalities. It must be specified which special features an MI (monitoring infrastructure) has. Sector-specific specifications already exist for this. It should be noted that detection must be implemented according to the type of fault or attack, e.g. communication of infected terminals, use of hacked telephone systems and calls from foreign or fake infrastructure components.
The legal requirements for the protection of telecommunications secrecy in particular are likely to make it difficult in practice to detect unauthorised and targeted taps of communications data when concealment techniques are used. For this reason, the MI now demanded appears in part to be difficult to implement and disproportionate. It would make more sense to have security monitoring which is oriented towards the protection goals. In principle, it must also be ensured that no state tasks are delegated to the operators within the scope of monitoring.
2.7 Regarding 6. Instructed specialist personnel
Since the version here clarifies for which type of qualified personnel this requirement is to apply (to maintain the operation of the critical components), we suggest introducing the requirement in Appendix 2 item 6 as basic conditions in a role profile.
It is also to be described in more detail for which legal requirements there is an obligation to provide verification, who is obliged to provide the verification and to whom the verification is to be submitted. In this context, a more precise, specified definition of sanctions is also necessary.
Depending on the nature of the outsourced system-relevant processes, it must be noted that supplier/manufacturer-independent contractors can also be considered. However, it cannot be assumed that the operators of the outsourced processes are basically independent of the telecommunication companies. This is not the case, in particular, if the telecommunications company is located in Germany and is subject to obligations under the TKG and the contractor belongs to a group of companies.
It is questionable whether a contractor is automatically considered "reliable" or only if he is "trustworthy" in the sense of this regulation. This also requires clarification.
2.8 Regarding 7. Redundancies
For protection against disturbances or failures of critical components, the creation of redundancies is named as a possible preventive measure. Here, Bitkom welcomes the fact that the creation of redundancies is to be subject to an appropriate, company-internal risk assessment and is not demanded as a single measure for all critical components. A blanket demand would result in a not inconsiderable increase in operating expenses and maintenance costs.
2.9 Regarding 8. Diversity
Clarification is needed as to what the demand "for sufficient diversity by using network and system components from different manufacturers" refers to.
Basically, with the implied demand for a multi-supplier strategy, it should be noted that such a constellation leads to increased system complexity and thus to new sources of functional instability and security weaknesses. This means that a decision on the use of one or more manufacturers for the realisation of critical network functions requires a detailed consideration of functional, operational and security-related aspects and must be made separately in each individual case.
The network operators active on the market are already pursuing a "multi-vendor" strategy. By updating these operator strategies, the risk of unilateral dependencies can be avoided even in the 5G context. However, a multi-vendor strategy alone does not lead to more security. If the products of all vendors are not equally trustworthy, the logic of a risk-based approach may indeed lead to the opposite effect and limit the number of vendors available for sensitive parts of the network. The requirement for a "multi-vendor" approach in certain areas of architecture, such as the core packet network or parts thereof, could make implementation less secure and much more complex from an architectural and operational point of view. It would increase the number and expertise of skilled personnel that would be required to maintain the network - which is difficult in times of skill shortages - and increase operational costs. Moreover, it is already being implemented today.
In this context, we are also critical of the general requirement to use at least two manufacturers in the core/access network. In addition to operational problems resulting from the operation of network and system components from different manufacturers, we see risks for the secure operation of the network arising from such a rigid requirement. Practical experience shows that despite international standardisation, the configuration of different manufacturer components is complex and susceptible to faults.
The diversity distribution 1:2 according to number 8, however, seems arbitrary and does not meet the needs of functional network architecture planning. This division should be a guideline or recommendation. Moreover, in order to avoid monocultures in principle, the definition of a percentage is dispensable.
In principle, it should also be specified at this point whether these requirements refer exclusively to the use of components defined as critical or whether they cover all network and system components in a general way.
With regard to the already initiated notification at European level, we would like to explicitly emphasize that we, as Bitkom, advocate and support the uniform application of comparable criteria throughout the entire internal market. Individual national pockets of regulation should not be created to circumvent the common market. Bitkom therefore promotes a unified European approach.
Furthermore, we call for a comprehensive consultation of all applicable legislative projects and draft regulations. If this consultation were to be subdivided into artificially created smaller cells, or were not to include relevant parts of ancillary legislation – examples include section 109 of the German telecommunications act, the reform of the telecommunications act, and changes introduced through the IT security act – this would lead to an incomplete and perhaps skewed assessment of the legislative framework, leading to legal and investment uncertainties. This must be definitely avoided.
Planning, investment and legal security result from the interaction of a stringent and clear set of rules, sufficiently defined standards and the realization of a protection of confidence with regard to the use of certified components installed and approved by the authorities. So far, this interaction does not function to the required extent. Furthermore, the obligations to take risk-mitigation measures must correspond to the actual dangers for networks, services, providers and users.
Regarding 2. Certification of critical components
Certification of critical components must be based on European or global standards, since standardization also takes place at supranational level. Here we welcome the reference to Regulation (EU) 2019/881 (Cybersecurity Act). However, the amendment: “If no corresponding certification schemes are available, obligated network operators and service providers must temporarily take other suitable and appropriate technical precautions and other hazard prevention measures when using critical components” leaves room for interpretation and, hence, causes concerns of legal uncertainty. The current draft of the catalogue lacks a clear commitment to the use and acceptance of international standards.
Regarding 3. Trustworthiness of manufacturers and suppliers
Criterion 3 reads: “Obligation of the supply source to ensure, through organisational and legal measures, that confidential information from or about its customer(s) does not end up abroad at its own initiative or at the initiative of third parties or that foreign agencies in Germany become aware of it.” If interpreted literally, criterion 3 seems to be a data localization requirement. If this is indeed the case, it must be clearly stated as such, especially with regard to the European level and the unsolved question of whether such a requirement would be permissible at all – especially at the sub-legal level. In addition to this, the second half of the sentence refers to "foreign agencies in Germany". This suggests a reference to government data access, which also makes the relationship to criterion 4 questionable. This must be considered separately below. Bitkom advises that a renewal of section 92 of the German telecommunications act, as abolished in 2012, should not be intended. Cross-border processing of data will remain permissible in accordance with the generally applicable regulations, especially the GDPR. It is unlawful access by way of interference or outside lawful processing that must be safeguarded against.
Criterion 4 reads: “Assurance from the supply source that it is legally and actually able to refuse to disclose confidential information from or about its customers to third parties. In particular, at the time the declaration is made, there are no obligations to disclose such information to third parties or to make it available in any other way. This does not apply insofar as there are statutory disclosure requirements for law enforcement purposes, unless such disclosure obligations exist towards foreign intelligence or security authorities. In cases of doubt, the supply source must refer to the statutory disclosure obligation(s) before the declaration is submitted.” It refers to the disclosure obligations to foreign intelligence or security authorities. The wording potentially covers both data transfers to foreign authorities via mutual legal assistance and the proposed mechanisms of the planned EU E-Evidence Regulation. This ultimately means that no manufacturer can actually issue the guarantee under No. 4, because these mechanisms are ultimately mandatory legal obligations that cannot be waived. Especially the aspect of e-evidence is absolutely central in the course of the notification to the Commission, because this is ultimately a direct conflict between national law and (future) EU law. Furthermore, it should be noted that nowhere is it specifically specified who is a "third party" or "foreign" in the sense of this norm.
The change made in the first sentence to specify mandatory monitoring infrastructures, away from “[…] to continuously identify and prevent threats” and towards “ […] in order to continuously identify, limit or remedy faults or errors in telecommunications systems”, apparently comes along with additional and more extensive tasks. What exactly is intended by the changed wording remains to be specified. Overall, the required mandatory monitoring infrastructures in their current form are difficult to implement. We still consider an alignment with the protection goals to be more sensible.
Regarding 8. Diversity
In general, it is to be welcomed that the catalogue explicitly refers to the use of open standards. Specifically, chapter 8 reads: “[components] should be independent of each other and not equally dependent on a third party. In particular, critical network functions and network elements should not depend on a single provider of critical components based on the network topology implemented.” Considering that individually certified products could use the same critical components without disclosing which third party components they depend on, this new regulation is difficult to comply with and one of the products or components may have to be replaced by administrative act.
eco's main criticism of the notified draft security catalogue pursuant to § 109(6) TKG, submitted to the EU Commission – Your reference 2020/496/D
The Bundesnetzagentur has drawn up a draft security catalogue and submitted it to the EU Commission for notification. It is intended to set out the security requirements for operating telecommunications and data processing systems and for processing personal data, and is to be used as the basis when drawing up security concepts.
eco and its member companies share with the competent authorities the interest in improving and strengthening the IT security of telecommunications networks and services.
Within the framework of the notification procedure, we would like to set out our main points of criticism regarding the compatibility of the submitted security catalogue with European requirements and principles. In addition, we would like to refer to our detailed statement on the draft security catalogue.
§ No legal certainty due to planned amendments
Among other things, § 109 TKG is to be amended. Its paragraph 6 is the legal basis for the notified draft. The provision is to be amended in such a way that it forms a regulatory complex together with the future BSI Act, a future general order (Allgemeinverfügung) of the Federal Ministry of the Interior (declaration of guarantee), the future list of the BNetzA (draft in national consultation) and the BSI, and a future Technical Guideline (TR) of the BSI (cf. on the list and TR, No. 8 of the notification message). This still outstanding regulatory complex entails considerable legal and planning uncertainty for the affected providers. This constitutes an unjustified interference with the freedom to conduct a business under Art. 16 of the EU Charter of Fundamental Rights.
In eco's view, an application of the notified draft that is not consistent with the Cyber Security Act (CSA), EU Regulation 2019/881, is possible. The BNetzA and the BSI have a very wide scope for interpretation and application outside the CSA. In addition, there is no link to global and international standards such as, among others, 3GPP.
§ Violation of the EU internal market principle
eco regards the conditions in Annex 2 of the security catalogue as a violation of the freedom to provide services under Art. 62 in conjunction with Art. 53(1) TFEU, as specified by Directive 2006/123/EC. The strict conditions imposed by the BNetzA amount to such high requirements for 5G providers that operate or plan to operate EU-wide that they must procure technical components in accordance with the German requirements, even though other Member States impose different requirements. The products and services of German 5G network operators would become more expensive across Europe, since the companies would in fact be forced to deploy and use components in their telecommunications infrastructures throughout Europe that comply with the German security requirements. This also leads to a distortion of competition, since 5G providers from other EU Member States with considerably lower security requirements can offer their services significantly more cheaply. No objective justification for this indirect discrimination is apparent, since the BNetzA's requirements exceed what is necessary.
§ Effects on international trade not sufficiently taken into account
Contrary to the assessment of the submitting authorities, the submitted draft violates the Agreement on Technical Barriers to Trade, cf. No. 16 of the notification message. It is a protectionist measure under which manufacturers are excluded from the German market if the requirements of the catalogue and its annexes are not complied with. The regulations are prompted by suspicions against certain manufacturers and not by actually substantiated evidence. Principles of the rule of law require that suspicions cannot be the basis for withdrawing trust, and even less so extraneous geostrategic, trade, geopolitical, foreign-policy or other political considerations.
§ Declaration of trustworthiness violates European legal principles
Terms such as third parties, security authorities and confidential information are too indeterminate. Some points cannot be signed or assured by any manufacturer because they are legally impossible. This is an interference with the freedom to conduct a business that goes beyond what is absolutely necessary. The requirements are also not consistent with the objectives of the planned E-Evidence Regulation. Member States are, however, also bound by the principle of effet utile when they can foresee that national provisions are incompatible with an EU regulation that has already taken as concrete a form as the E-Evidence Regulation. In that case it is incumbent on the EU Member States to take this forthcoming regulation into account as far as possible.
§ Violation of the notification obligation or of national law
The list of the BNetzA/BSI and the Technical Guideline of the BSI are either a legal component of the security catalogue (administrative act in the form of a general order). In that case there would at least be a legal basis in § 109(6) TKG. They would then have had to be notified. Since this has not been done, the BNetzA would have violated the TRIS Directive EU/2015/1535.
If, however, both are not part of the security catalogue, there is no legal basis for either, neither in EU nor in national law. That is an obvious violation. In this case the EU Commission is obliged to call on Germany to amend or withdraw the notified draft. Otherwise the TRIS procedure would be rendered absurd. It would have to be carried out again after the draft has been repealed. The acceptance by the EU Commission of a draft that obviously violates national law would also not be in keeping with the effet utile under Art. 4(3) TEU in relation to Directive EU/2015/1535.
§ Protection of legitimate expectations not guaranteed
For the obligation to remove individual components from the network (2.4 of the draft, p. 66) if certification is subsequently withdrawn on the basis of an official decision, there is no sufficient legal basis in either EU or German law. Moreover, given its intensity of interference, such a legal basis would have to satisfy the requirement of parliamentary reservation. It also remains open how affected network operators will be granted legal protection if they are to be obliged to replace individual components should the component's certification lapse after installation. The addressees of the certification obligation are not the network operators but the manufacturers. The decisions that could lead to the lapse of a certification are also not readily accessible to the network operators. The traceability of the administrative action of the certifying authority is also an open question, since intelligence information that is not accessible to the authority is often likely to play a role. Furthermore, this is an interference with the property of the network operator for which it has given no cause and which is not its responsibility. The affected network operator must be compensated by the state for this, as in the case of an interference equivalent to expropriation. No such compensation rule has been provided for so far.
§ No consultation held
The draft notified here was not subject to consultation. Only a consultation on a draft of the security catalogue was held in autumn 2019. That draft, however, differed substantially and to a considerable extent from the notified draft. The draft submitted for notification was therefore not consulted on before it was notified. This constitutes a violation of Art. 41(2)(a) of the EU Charter of Fundamental Rights.
§ Longer implementation periods required for OTT providers
With the transposition of the EECC into national law, it is already foreseeable that the group of parties obliged to meet the security requirements within the meaning of § 109(6), (4), (2) and (1) TKG will be significantly extended, e.g. to OTT providers. The BNetzA grants traditional telecommunications companies a period of one year from publication of the catalogue, e.g. on p. 65. This period is aimed at traditional telecommunications companies that already have practical experience and knowledge of the security requirements. By contrast, this does not apply to OTT providers that are being obliged for the first time. The prescribed security requirements are complex, extensive and difficult to implement. Accordingly, they must first develop a sufficient understanding of the technical requirements and, building on this, develop an appropriate implementation concept tailored to their individual requirements and circumstances. This requires an appropriate implementation period. We propose a deadline of 31.12.2025, as also on p. 65 of the notified draft. In eco's view, this is required by the principle of proportionality under Art. 52(1), second sentence, of the EU Charter of Fundamental Rights.
About eco: With over 1,100 member companies, eco is the largest association of the internet industry in Europe. Since 1995, eco has played a decisive role in shaping the internet, promotes new technologies, shapes framework conditions and represents the interests of its members vis-à-vis politics and in international bodies. Its key topics are the reliability and strengthening of digital infrastructure, IT security and trust, as well as ethics and self-regulation. eco therefore advocates a free, technology-neutral and high-performance internet.