
Telecommunications Security
TKG §166 Security Concept
Mandatory security concept for telecommunications operators in Germany – prepared in line with Bundesnetzagentur requirements, aligned with NIS2.
TKG §166: Legal Obligation for Telecom Operators in Germany
The German Telecommunications Act (Telekommunikationsgesetz, TKG) of 2021 requires all operators of public telecommunications networks and services in Germany to prepare, maintain and submit a security concept to the regulatory authority. This obligation arises from §166 TKG, which defines the minimum requirements for technical and organisational security measures for telecommunications infrastructure.
All companies that operate publicly accessible telecommunications networks or provide publicly accessible telecommunications services are affected – from classic network operators and internet providers to companies providing voice or data services for third parties. The obligations apply regardless of company size, although the scope and depth of the security concept must reflect the specific infrastructure in question.
The security concept must be made available to the Bundesnetzagentur (BNetzA) on request and must be updated whenever significant changes are made to the telecommunications infrastructure. The authority can review the concept, request improvements and impose fines if the concept is missing or inadequate. It can also order security audits and on-site inspections.
Required Content: What the TKG §166 Security Concept Must Cover
The TKG §166 security concept must describe technical and organisational measures that protect the availability, integrity, authenticity and confidentiality of the telecommunications infrastructure and the data transmitted over it. This includes network architecture and redundancy concepts, physical security measures for network nodes and data centres, access controls and identity management, incident response procedures and contingency plans, and measures against eavesdropping and manipulation.
Special requirements apply to the use of components in critical infrastructure, particularly for core network components and when using suppliers classified as potentially high-risk. §165 TKG also regulates security requirements for the use of critical components, including the need for manufacturer declarations.
The obligations under §166 TKG overlap significantly with NIS2 requirements, which apply to telecommunications companies as important entities. Blackfort develops security concepts that meet both regulatory frameworks and avoids duplication through a consolidated documentation structure.
Our Approach: From Analysis to Submitted Concept
We begin with an analysis of your telecommunications infrastructure: which networks and services do you operate? Where are the critical nodes? Which third-party providers and suppliers are involved? On this basis, we create a security concept that accurately describes your actual infrastructure – not a generic template, but a document that will withstand a regulatory review.
The concept is tailored to the specific requirements of the Bundesnetzagentur. We know the authority's expectations from having supported multiple TKG projects: what level of detail is required? Which formulations are viewed critically? Where is a description of measures sufficient, and where is proof of effectiveness expected? This practical knowledge significantly accelerates the process.
After preparation, we can accompany the submission to the Bundesnetzagentur, clarify any queries from the authority and support ongoing updates to the concept. For companies that already have a concept in place, we also offer review and update services – particularly in light of the new TKG 2021 and the NIS2 implementation context.
The Implementation Declaration: More Than a Compliance Formality
The Umsetzungserklärung (implementation declaration) is the central evidence document within the TKG §166 security concept framework. It demonstrates to the Bundesnetzagentur that the measures described in the concept have not merely been planned, but are actually implemented. The authority distinguishes between a conceptual document and evidence of operational effectiveness – a distinction that is frequently underestimated in initial submissions.
A complete security concept under TKG §166 covers ten subject areas:
- Risk analysis and threat identification
- Legal requirements from TKG and data protection law
- Defined security objectives (confidentiality, integrity, availability)
- Technical protection measures (encryption, firewall, patch management)
- Organisational measures (access controls, awareness training, incident response)
- Regular review and updates
- Contingency planning and incident response
- Monitoring and intrusion detection systems
- Training on the current threat landscape
- Complete documentation and audit readiness
In practice, the implementation declaration is the most common reason for improvement requests from the Bundesnetzagentur. Companies describe measures correctly but fail to evidence their actual implementation. Blackfort supports you not only in preparing the concept, but also in formulating an implementation declaration that will withstand regulatory scrutiny – including support during queries from the BNetzA and assistance during on-site inspections.
Our Services
- Full TKG §166 security concept preparation
- Review and update of existing concepts
- Alignment with BNetzA requirements
- NIS2 alignment for telecom operators
- Support during regulatory queries and audits
- Integration into existing ISMS structures
Regulatory Framework
- TKG §166 (2021)
- NIS2 Directive
- BSI IT-Grundschutz
- ISO/IEC 27001
- KRITIS Regulation
Get Expert Advice
Talk to our regulatory experts about your specific TKG compliance situation.
Request Consultation
TKG §166 Compliance for Your Telecom Operations
Let us prepare a security concept that meets Bundesnetzagentur requirements and withstands regulatory scrutiny.