Cybersecurity for Telecommunications


Telecommunications companies operate critical infrastructure and face specific statutory requirements. We understand TKG, NIS2, and the technical specifics of network security.

Telecommunications: Infrastructure for All Other Critical Infrastructure

Telecommunications networks are the foundation on which all other critical infrastructure depends: energy supply, healthcare, financial services, and public administration all rely on reliable telecommunications connectivity for their digital operation. A large-scale telco outage would cascade across all these sectors. This explains why telecommunications companies receive particular regulatory attention within the critical infrastructure domain.

At the same time, telco companies are attractive attack targets themselves: interception against high-profile users, manipulation of routing infrastructure (BGP hijacking), abuse of SS7 protocol vulnerabilities for location tracking and communications surveillance, and DDoS attacks against core network infrastructure are documented attack patterns that have been used against telco operators.

Security requirements for telco companies reflect this special responsibility: German telecommunications law (TKG) sets specific requirements for security concepts and their review by the Federal Network Agency (BNetzA); NIS2 classifies telco providers as essential entities; and the KRITIS-Dachgesetz further tightens physical and logical security requirements for network infrastructure.

TKG §166: The Security Concept for the Federal Network Agency

§166 of the German Telecommunications Act 2021 (TKG) obligates all operators of public telecommunications networks and services to prepare and maintain a security concept. This concept must describe the technical and organisational measures securing the telco infrastructure and must be submitted to the BNetzA on request. It must be updated whenever significant infrastructure changes occur.

The security concept under §166 TKG must describe concrete measures to ensure availability, integrity, authenticity, and confidentiality. This covers network architecture and redundancy concepts, physical access security for network nodes and data centres, logical access controls and identity management, measures against interception and manipulation, and incident response processes for telco incidents.

Special requirements apply to the use of components from certain manufacturers classified as potential security risks. §165 TKG regulates security requirements for the use of critical components and requires manufacturer declarations and reviews by recognised bodies. This applies in particular to core network components and management systems where the manufacturer could have privileged access.

NIS2 and Consolidated Compliance for Telco Companies

NIS2 classifies telecommunications providers as essential entities and obligates them to implement Art. 21 requirements — risk analyses, incident response, business continuity, supply chain security, cryptography, and reporting obligations. These requirements overlap substantially with TKG §166 obligations but are formulated in a different structure and terminology.

Requirements from TKG and NIS2 can be addressed efficiently in consolidated documentation. We develop security concepts and ISMS structures that satisfy both the TKG security concept and NIS2 evidence obligations, with a single, consistent documentation structure rather than two separate compliance projects.

For telco companies also classified as KRITIS operators, BSI Act and KRITIS-Dachgesetz requirements are added. We guide these companies through the complete regulatory landscape, coordinate all requirements, and accompany BSI audits and BNetzA reviews. Our goal is a compliance programme that is sustainable and economically viable — not one that ties up resources in redundant documentation.

Our Services

  • TKG §166 security concept preparation and review
  • NIS2 gap analysis and measure planning for telco companies
  • ISMS implementation per ISO 27001 for telco infrastructure
  • Penetration testing of telecommunications infrastructure
  • Security logging and monitoring for telco networks
  • KRITIS consulting and BSI audit support

Applicable Regulations

  • TKG §166
  • NIS2
  • BSI KRITIS-Dachgesetz
  • ISO/IEC 27001
  • TKÜV

Industry-Specific Consulting

Talk to our experts about your specific requirements and regulatory obligations.


Ready to address your industry-specific security requirements?

Talk to us about your security requirements: concretely, without obligation, and as equals.