Bitkom attaches great importance to the security of 5G networks. Our members, including manufacturers and network operators, support measures that promote both the development of robust and secure networks and the dynamics of modern software development. Good certification systems should efficiently verify specified security requirements and document compliance. National solo efforts are to be avoided in the interests of the European single market.
Background and classification
Section 165 (4) of the TKG stipulates that critical components of telecommunications network operators with increased risk potential may only be used if they have been tested and certified by a recognised certification body before their first use. According to the BNetzA’s general ruling, this certification requirement will take effect from 1 January 2026 and will apply exclusively to operators of 5G mobile networks, since only these networks are currently considered to be telecommunications networks with an increased risk potential (increased criticality) based on the BNetzA’s catalogue of security requirements dated 29 April 2020. TR-03163 regulates the provision of evidence for critical components of public communication networks in accordance with § 165 (4) TKG. As one of the possible certification procedures, the BSI has presented the German implementation based on the GSMA’s ‘Network Equipment Security Assurance Scheme’ [NESAS] (so-called NESAS CCS-GI (NESAS Cybersecurity Certification Scheme – German Implementation)). In addition, Common Criteria and BSZ (accelerated security certification) are available. In Appendix A of TR-03163, three possible certification procedures are statically assigned to the individual 5G product categories. There is no provision for recognising existing product certifications that do not exactly match this static assignment table, which means that considerable additional work is required due to the need for further certification. This should be countered by an escape clause and the determination of equivalence of the different certifications. For product categories in which TR-03163 already defines technical requirements, critical components must be certified by 1 January 2026. For other products, for which the technical requirements have yet to be defined, a transition period of two years from the date of publication of the requirements applies. 
Bitkom calls for the best possible focus on an EU-wide certification scheme, which is difficult due to the narrow requirements of the law and the BNetzA order. The entry into force of the certification requirement should be postponed so that testing capacities can be further expanded and possible bottlenecks avoided. Any adjustments to the certification process that may be revealed in the course of possible trials should be carried out promptly by the relevant authorities so as not to hinder network modernisation and to prevent Germany from suffering any locational disadvantages.
Demands
1. No special national approach to certification
We welcome the fact that the BSI is basing the NESAS CCS-GI scheme on an internationally valid industry standard. It is understandable that NESAS had to be extended to include full certification for German regulation. However, Germany must not go its own special national way and thus jeopardise the goal of NESAS as a globally uniform framework. In the global market for mobile network components, it should be possible to use certification mechanisms that are recognised and applied worldwide. GSMA NESAS and 3GPP SCAS must be recognised in order to avoid special national treatment. The BSI should also continue to strive to implement a European scheme with EU5G, which can then replace NESAS CCS-GI. EU5G must pursue the goal of taking into account other European regulations such as the CRA. The other certification schemes and procedures mentioned in TR-03163 should be harmonised at the European and international level and applied to the 5G critical components that are internationally classified in the 5G EU toolbox. A harmonised approach reduces complexity, duplication of work, delays and effort for both manufacturers and mobile network operators. This enables smoother integration and innovation in the EU. A harmonised application should include mutual recognition of certifications, audits and other assessments by known and technically competent bodies such as GSMA and other relevant organisations.
2. Postponement of the introduction of mandatory certification scheduled for 01/01/2026
The general ruling of the Federal Network Agency of 13/06/2022 set 01/01/2026 as the implementation deadline for Section 165 (4) TKG. This path must be deviated from in the interest of a European solution, as mentioned in point 1. Otherwise, at least the decision made at the time must be reconsidered, taking into account existing contracts. In particular, the establishment of a forum involving all stakeholders, including 5G mobile network operators, industry partners, manufacturers and the German government, would recalibrate the requirements for functionalities and components. It is unclear how many products from the mobile operators’ various suppliers will be affected by the certification requirement. It therefore remains to be seen whether there is sufficient testing capacity on the market to meet the specified deadline. At present, only three NESAS CCS-GI testing centres are listed on the BSI website. There are no plans to allow manufacturers to use their own in-house testing laboratories for certification. A bottleneck in the available testing laboratories or a lack of certified components could result in 5G networks in Germany being technically ‘frozen’ at the status quo as of 31 December 2025. In light of this, there are doubts as to whether the specified implementation date is proportionate. This is because a certification requirement stipulated by law only in Germany would place a considerable burden on the mobile communications industry and on Germany as a centre of technology.
3. Take into account difficulties in the certification process and ensure competitiveness
a) Market launch of new products is significantly delayed
The current national certification approach poses challenges for the efficient marketing, availability and use of 5G products in Germany. In today’s fast-paced technology environment, all manufacturers follow an agile development and delivery model (CI/CD) and regularly (usually every three months) deliver software updates (SW) for their 5G core network, as well as emergency and security patches. However, the current certification process poses a risk to this fast and continuous release cycle due to the long testing procedures. It is unclear how the certification process can be adapted to the speed of implementation of the release cycle. To do this, it is imperative that the certification approach be optimised and that the internationally audited development and provisioning processes of the manufacturers be used. To ensure this, Bitkom members will test the certification process in the near future in order to discuss any necessary process improvements with the BSI.
b) Certification process is too complex
The certification process proposed by the BSI (NESAS CCS-GI) is extremely complex and insufficiently tested, especially for 5G core networks that span multiple levels (application level, virtualisation level and provisioning level). For Tier-1 mobile network operators (MNOs), manufacturers usually only provide the application layer, while virtualisation and provisioning layers vary depending on the operator and are beyond the control of the manufacturers. NESAS CCS-GI unnecessarily requires that certain combinations of these layers be certified for each operator in similar execution environments. This can lead to a significant amount of duplication. We therefore propose limiting the scope of certification to the software product itself, with the virtualisation and provisioning layers being evaluated independently of each other.
c) 5G components would become unnecessarily more expensive, and so would consumer services
The significant certification costs that arise from the national approach and its excessive complexity, and the fact that these costs are allocated exclusively to operators in the German market, would make the 5G components used noticeably more expensive for use in Germany. Providers would have to recoup these additional costs through higher consumer prices. Internationally coordinated harmonisation processes reduce costs for manufacturers and would not lead to higher costs only in Germany.
d) Avoiding bureaucracy and simplifying processes
In Bitkom’s view, the approaches chosen in the area of certification are generally only of limited practicality. We propose that the Federal Office for Information Security (BSI) assume full responsibility for the implementation and granting of certifications based on technical criteria in order to avoid unnecessary additional work and bureaucracy. The three demands mentioned above can be used to establish a balanced and practical certification approach that both meets international standards and ensures Germany’s competitiveness. Avoiding a national solo effort in certification and promoting harmonised approaches reduces complexity and costs for manufacturers and network operators and enables smoother integration of new technologies. Postponing the certification requirement creates the necessary time to further expand testing capacities and avoid possible bottlenecks. At the same time, the adaptation and simplification of the processes ensures that they are compatible with the agile development and provision models of the industry. Finally, a clearly defined, efficient certification process helps to reduce the costs for critical 5G components and keep services affordable for consumers. This significantly reduces the burden on all parties involved and promotes the competitiveness of the German economy.