Security & resilience of the networks

Given the advancing digitalization and the associated risks of cyberattacks, the technical protection of networks is gaining increasing importance. This is not only about the technical protection against attacks on network components and IT systems, but also about the physical protection of network infrastructures from threats both domestic and foreign, as well as from natural disasters or pandemics. A key objective is both to make attacks harder to carry out and to respond to them effectively, thereby strengthening the overall resilience of networks.

For this reason, BREKO established the Project Group on Cybersecurity, AI, and Data Protection in the spring of 2024, where we focus on current legal frameworks, resulting obligations, and implementation options.

FAQ

The Telecommunications Act (TKG) and the subsequent regulations from the Federal Network Agency (BNetzA) already require telecommunications companies to meet extensive security and resilience standards for their networks.

The implementation of the European NIS2 Directive will obligate a large number of telecommunications companies to meet additional cybersecurity requirements. In addition, operators of critical infrastructure will face further obligations in the future under the KRITIS framework law.

The prompt implementation of the NIS2 Directive at national level is of great importance due to the increased cybersecurity requirements. In its latest drafts of the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2-UmsuCG), the Federal Office for Information Security (BSI) comprehensively considered the existing obligations of the telecommunications sector under the TKG, thereby avoiding potential double regulation. The act, however, was not passed by the previous government. Extensive changes between the individual drafts would also have made early and comprehensive preparation more difficult for the affected companies. Furthermore, Section 41 of the NIS2-UmsuCG, concerning the use of critical components, would have needed urgent revision, as the economic risk of losing the manufacturer’s trustworthiness should not be imposed solely on telecommunications companies.

Every company operating in the telecommunications sector should immediately address the security of its networks and review any obligations under the TKG regarding cybersecurity requirements. Companies should also carry out the BSI’s “NIS-2 impact assessment”. Regardless of whether the company is directly affected, the possibility of obligation through a supply chain should also be examined.

In any case, at least one person within the company should be designated as responsible for cybersecurity and should monitor key developments related to the implementation of the NIS2 Directive. Management and employees should receive regular cybersecurity training.

Your contact persons

Lisa Müller

Legal & Regulatory Affairs Officer

Benedikt Kind

Head of Legal and Regulatory Principles
