
Public 5G Networks

Security of national cellular networks

The legislator has recognised the need for higher safety criteria in the mobile sector and will implement them in the construction of the German 5G networks from 2020. At the same time, recognised certificates are mandatory for the security-relevant components of a mobile network. As the national cyber security authority, the BSI is responsible for testing critical network components to prove their objective security properties.

The legal basis for this is provided by the German Telecommunications Act (Telekommunikationsgesetz - TKG): On the one hand, § 165 TKG anchors the certification requirement for security-relevant components. On the other hand, § 167 TKG stipulates that the Bundesnetzagentur, in consultation with the BSI and the Federal Commissioner for Data Protection and Freedom of Information, shall draw up a catalogue of security requirements (Katalog von Sicherheitsanforderungen). This catalogue will be binding for operators of 5G infrastructures and will be continuously adapted to technical developments.

Technical Guideline "Security in Telecommunications Infrastructure" (BSI-TR)

With the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0 - IT-SiG 2.0), certification of 5G network components has become a legal requirement in Germany. The TKG regulates the certification requirement in §165 (4).

The catalogue of security requirements (Katalog von Sicherheitsanforderungen) drawn up by the Bundesnetzagentur in consultation with the BSI and the Federal Commissioner for Data Protection and Freedom of Information in accordance with § 167 TKG regulates the details of the implementation of the certification obligation. Thus, starting from 01.01.2026, critical components must be certified before their first use in public 5G networks. The certification schemes to be used for this purpose as well as the respective areas of application and requirements are regulated by the BSI's Technical Guideline TR-03163 "Security in Telecommunications Infrastructures". The Common Criteria, NESAS CCS-GI and BSZ schemes are available for the certification of critical 5G components.

5G standardisation and certification: International committee work of the BSI

Security in 5G networks is subject to both national regulation through the TKG and European regulation. The Cybersecurity Act (CSA) specifies certification as a possible voluntary measure as long as member states do not make it mandatory through their own national legislation. Germany has opted for the mandatory route and has legally anchored the certification of 5G network components in the TKG with the IT-SiG 2.0.

In order to represent German security interests at the European level, the BSI is active in the relevant EU committees on 5G and helps to shape the European implementation of regulations. One of the most important bodies is currently the working group at ENISA for the creation of a European 5G cybersecurity certification scheme (EU 5G Scheme). Experts from industry and the European authorities are working there on the future scheme for the certification of 5G components. The work of the experts is monitored by the 5G working group at the European Commission and the ECCG with representatives from each Member State.

In addition to participating in EU regulatory working groups at the European Commission and ENISA, the BSI is also involved in the standardisation of 5G and 6G technologies in order to consider security by design from the outset. To this end, the BSI participates in the industry committees of the GSMA and 3GPP as well as in the technical standardisation committees of ETSI and CEN/CENELEC. At ETSI, the BSI is currently involved in the standardisation of Open RAN with a focus on security aspects.

As a member of the GSMA, the BSI also networks at international level to represent security interests. Recently, the BSI has also been active in industry bodies with its own contributions in order to share the experience of the German certification scheme NESAS Cybersecurity Certification Scheme - German Implementation (NESAS CCS-GI).

Private 5G networks

Companies that are classified as KRITIS and are subject to the regulations of the BSI-KritisV can independently operate private 5G networks. These private 5G networks are typically only classified as critical if they are involved in processes that are required to provide the critical service according to the BSI-KritisV. In this case, the requirements of §8a BSIG (BSI Act - BSIG) must be implemented. In all other usage scenarios, it is a private 5G network that is not subject to regulation. In this case, the IT-Grundschutz profile "IT-Grundschutz-Profil zur Absicherung von 5G-Campusnetzen" can be used to secure the 5G network.

For more information on securing private 5G networks, follow the link: Securing private 5G networks

Links and downloads

Publications of the BSI

The Technical Guideline TR-03163: Security in Telecommunications Infrastructures and the associated annex can be found under the following links:
Technical Guideline BSI TR-03163: Security in Telecommunications Infrastructures
BSI TR-03163 Annex A: Guidance for Choosing a Certification Scheme and Approved Requirements Documents

The study on the Open-RAN risk analysis can be found under the following link:
Open-RAN risk analysis

The IT-Grundschutz profile for securing private 5G networks and the associated user-defined module can be found under the following links in German:
IT-Grundschutz-Profil zur Absicherung von 5G-Campusnetzen - Betrieb durch einen externen Dienstleister
Benutzerdefinierter Baustein INF.bd.1 Ortsveränderliche Einhausung für IT-Systeme

Publications of the BNetzA

The catalogue of security requirements (Katalog von Sicherheitsanforderungen) published by the Bundesnetzagentur can be accessed via the following link:
Katalog von Sicherheitsanforderungen

The list of critical functions (Liste der kritischen Funktionen) published by the Bundesnetzagentur can be accessed via the following link:
Liste der kritischen Funktionen für öffentliche Telekommunikationsnetze und -dienste mit erhöhtem Gefährdungspotenzial

Laws, directives and regulations

The Telecommunications Act (Telekommunikationsgesetz - TKG) can be accessed via the following link:
Telekommunikationsgesetz

The EU Cybersecurity Act can be found at the following link:
EU Cyber Security Act

The EU Network and Information Security Directive (NIS Directive) can be accessed at the following link:
EU Network and Information Security Directive (NIS Directive)
Implementing Act of the NIS Directive
