
Telecommunications Security
TKG §166 Security Concept
Mandatory security concept for telecommunications operators in Germany – prepared in line with Bundesnetzagentur requirements, aligned with NIS2.
TKG §166: Legal Obligation for Telecom Operators in Germany
The German Telecommunications Act (Telekommunikationsgesetz, TKG) of 2021 requires all operators of public telecommunications networks and services in Germany to prepare, maintain and submit a security concept to the regulatory authority. This obligation arises from §166 TKG, which defines the minimum requirements for technical and organisational security measures for telecommunications infrastructure.
All companies that operate publicly accessible telecommunications networks or provide publicly accessible telecommunications services are affected – from classic network operators and internet providers to companies providing voice or data services for third parties. The obligations apply regardless of company size, although the scope and depth of the security concept must reflect the specific infrastructure in question.
The security concept must be made available to the Bundesnetzagentur (BNetzA) on request and must be updated whenever significant changes are made to the telecommunications infrastructure. The authority can review the concept, request improvements and impose fines if the concept is missing or inadequate. It can also order security audits and on-site inspections.
§109 TKG (old) and §166 TKG (new): What the 2021 TKG Reform Changed
The 2021 TKG reform completely restructured the German Telecommunications Act. §109 TKG in its previous version – the central provision for technical protection measures at telecommunications companies – no longer exists in that form. When the new TKG came into force on 1 December 2021, the obligations from old §109 TKG were transferred into new §166 TKG. The core requirement remained the same: operators of public telecommunications networks and services must prepare, maintain and submit a security concept to the Bundesnetzagentur on request.
In terms of content, however, the reform tightened and clarified the requirements. §166 TKG 2021 explicitly mandates the protection objectives of availability, integrity, authenticity and confidentiality – more clearly than the old §109 TKG. The reform also added new rules for critical components in §165 TKG and stricter incident reporting obligations in §167 TKG. Anyone who previously had a concept under the old §109 TKG must check whether it meets the requirements of the new §166 TKG 2021.
For companies with a §109 TKG concept dating from before 2021, a targeted gap analysis against the new requirements is recommended. Blackfort Technology offers both the preparation of new concepts under §166 TKG and the revision of existing §109 TKG concepts – with a focus on the innovations of the TKG 2021 and integration with NIS2 requirements.
Required Content: What the TKG §166 Security Concept Must Cover
The TKG §166 security concept must describe technical and organisational measures that protect the availability, integrity, authenticity and confidentiality of the telecommunications infrastructure and the data transmitted over it. This includes network architecture and redundancy concepts, physical security measures for network nodes and data centres, access controls and identity management, incident response procedures and contingency plans, and measures against eavesdropping and manipulation.
Special requirements apply to the use of components in critical infrastructure, particularly for core network components and when using suppliers classified as potentially high-risk. §165 TKG also regulates security requirements for the use of critical components, including the need for manufacturer declarations.
The obligations under §166 TKG overlap significantly with NIS2 requirements, which apply to telecommunications companies as important entities. Blackfort develops security concepts that meet both regulatory frameworks and avoids duplication through a consolidated documentation structure.
Our Approach: From Analysis to Submitted Concept
We begin with an analysis of your telecommunications infrastructure: which networks and services do you operate? Where are the critical nodes? Which third-party providers and suppliers are involved? On this basis, we create a security concept that accurately describes your actual infrastructure – not a generic template, but a document that will withstand a regulatory review.
The concept is tailored to the specific requirements of the Bundesnetzagentur. We know the authority's expectations from accompanying multiple TKG projects: what level of detail is required? Which formulations are viewed critically? Where is a description of measures sufficient, and where is proof of effectiveness expected? This practical knowledge significantly accelerates the process.
After preparation, we can accompany the submission to the Bundesnetzagentur, clarify any queries from the authority and support ongoing updates to the concept. For companies that already have a concept in place, we also offer review and update services – particularly in light of the new TKG 2021 and the NIS2 implementation context.
The Implementation Declaration: More Than a Compliance Formality
The Umsetzungserklärung (implementation declaration) is the central evidence document within the TKG §166 security concept framework. It demonstrates to the Bundesnetzagentur that the measures described in the concept have not merely been planned, but are actually implemented. The authority distinguishes between a conceptual document and evidence of operational effectiveness – a distinction that is frequently underestimated in initial submissions.
A complete security concept under TKG §166 covers ten subject areas: risk analysis and threat identification, legal requirements from TKG and data protection law, defined security objectives (confidentiality, integrity, availability), technical protection measures (encryption, firewall, patch management), organisational measures (access controls, awareness training, incident response), regular review and updates, contingency planning and incident response, monitoring and intrusion detection systems, training on the current threat landscape, and complete documentation and audit readiness.
In practice, the implementation declaration is the most common reason for improvement requests from the Bundesnetzagentur. Companies describe measures correctly but fail to evidence their actual implementation. Blackfort supports you not only in preparing the concept, but also in formulating an implementation declaration that will withstand regulatory scrutiny – including support during queries from the BNetzA and assistance during on-site inspections.
Our Services
- Full TKG §166 security concept preparation
- Review and update of existing concepts
- Alignment with BNetzA requirements
- NIS2 alignment for telecom operators
- Support during regulatory queries and audits
- Integration into existing ISMS structures
Regulatory Framework
- TKG §166 (2021)
- NIS2 Directive
- BSI IT-Grundschutz
- ISO/IEC 27001
- KRITIS Regulation
Get Expert Advice
Talk to our regulatory experts about your specific TKG compliance situation.
Request Consultation
Related service
TKG Customer Data: §§ 172–174 TKG
Obligations, protection requirements and disclosure duties for customer data under §§ 172–174 TKG – an integral part of the §166 security concept.
Frequently asked questions
Which companies are required to prepare a security concept under §166 TKG?
All operators of public telecommunications networks and services in Germany – from classic network operators and internet providers to companies providing voice or data services for third parties. The obligation applies regardless of company size; the scope and depth of the concept must reflect the specific infrastructure in question.
What must a TKG §166 security concept contain?
The concept must describe technical and organisational measures that protect the availability, integrity, authenticity and confidentiality of the telecommunications infrastructure. This includes network architecture and redundancy concepts, physical security for network nodes, access controls, incident-response processes and measures against eavesdropping and manipulation.
What is an Umsetzungserklärung (implementation declaration) under TKG §166 and why is it so important?
The implementation declaration is the central evidence document vis-à-vis the Bundesnetzagentur. It is the personal confirmation by management that the measures described in the concept are not merely planned, but are actually implemented in practice.
How does the preparation of a TKG §166 security concept with Blackfort Technology work?
We begin with an analysis of your telecommunications infrastructure, prepare a security concept tailored to BNetzA requirements and support submission, regulatory queries and ongoing updates. For existing concepts we also offer review and update services – particularly in the context of TKG 2021 and the NIS2 implementation.
What did §109 TKG regulate and why does it no longer exist?
§109 TKG in its pre-2021 version was the central provision for technical protection measures at telecommunications companies – including the obligation to prepare a security concept, an implementation declaration and the requirement to submit them to the Bundesnetzagentur. With the complete restructuring of the TKG in 2021 (in force since 1 December 2021), these obligations were transferred to §166 TKG. The basic requirements have been retained, but were clarified and supplemented with new rules for critical components (§165 TKG) and reporting obligations (§167 TKG).
Get in Touch
TKG §166 Compliance for Your Telecom Operations
Let us prepare a security concept that meets Bundesnetzagentur requirements and withstands regulatory scrutiny.