Sprache ändern DE


Security concept according to § 166 TKG (German Telecommunications Act)

Network operators and service providers are obliged on the basis of the German Telecommunications Act (TKG) to take technical and organisational precautions

  • to protect personal data and the secrecy of telecommunications
  • to protect the telecommunications infrastructure against interference and risks
  • to guarantee the availability of telecommunications services

and to describe them conceptually. This is done in accordance with § 166 TKG as a so-called security concept. This security concept must be submitted to the Federal Network Agency (BNetzA) for review or can be requested by the BNetzA for review. In the event of violations of this obligation, the obligation to report, as well as violations of telecommunications secrecy or the protection of personal data, you can be charged with high fines, which must be avoided.

We have many years of proven expertise in this area for successfully obtaining BNetzA-consent. Due to our structured approach to the creation of a security concept, the effort for you is very low.

The requirements of the Telecommunications Act mentioned above are also further specified by the BNetzA in a so-called catalogue of security requirements. In the latest edition, a "clear and defined organisational and operational structure" is required to achieve the protection goals (see above). This means that in addition to the actual security concept, the organisation of the company must also be professionally regulated. With our sample organisational concept, we can offer you as a network operator or service provider quick and uncomplicated solutions.


If required, we will be happy to support you in setting up or updating your security concept and in implementing the further requirements of the BNetzA.

Do you still have questions? We will be happy to answer all your questions on the subject of security concepts.


Below you will find some further following explanations:

On the German telecommunications market there are four important obligations for the providers of telecommunications services. These are the:

  • Obligation to notify the Federal Network Agency (BNetzA).
  • Obligation to appoint a security officer
  • Obligation to set up and operate a security concept
  • Obligation to submit the security concept to the BNetzA.

For network operators, it can be generally stated that all of these obligations must be implemented. However, the situation is more differentiated for service providers. The new Telecommunications Act, which came into force on 01.12.2021, has redefined telecommunications services. Service providers who were classified as so-called "over-the-top providers" were previously not subject to the regulatory regime of the TKG. This article first deals with the obligations under §166 TKG (formerly §109 - Security Officer and Security Concept) and §165 (Technical and Organisational Protective Measures) as well as the obligation to notify the Federal Network Agency (BNetzA).

How is a telecommunications service defined? There are some important explanations on this in the new TKG:
In §3 Definitions it states:

(61) 'telecommunications services' means services normally provided for remuneration over telecommunications networks which, with the exception of services offering content over telecommunications networks and services or exercising editorial control over them, include the following services:

(a) Internet access services,
(b) interpersonal telecommunications services; and
(c) services consisting wholly or mainly in the transmission of signals, such as transmission services used for machine-to-machine communications and for broadcasting;

Further, this section states in paragraph 24 the following:
(24) 'interpersonal telecommunications service' means a service usually provided for remuneration which enables direct interpersonal and interactive exchange of information over telecommunications networks between a finite number of persons, the recipients being determined by the persons initiating or participating in the telecommunications; it does not include services which enable interpersonal and interactive telecommunications merely as a subsidiary ancillary function inextricably linked to another service;
Thus, as we understand it, telecommunications services include all Internet access services, all interpersonal telecommunications services that do not constitute a subordinate ancillary function, and certain signal transmission services.

Thus, there is no longer an exception for so-called "over-the-top services" such as e-mail services, which are essentially provided via the network of network operators who do not themselves act as service providers (as is the case, for example, with the google mail service).

The only exception is if the telecommunication service would be classified "as a secondary ancillary function inseparably linked to another service". This is the case, for example, if a chat service in an online game is offered as a secondary function and is inseparably linked to the main function, the game.
What obligations now apply to the providers of these telecommunications services with regard to the topics of notification obligation, security concept/security officer and submission obligation of the security concept to the BNetzA?

Security officer / security concept:
According to §166 TKG, the operator of a telecommunications network as well as the provider of a publicly accessible telecommunications service (see above) must, among other things, appoint a security officer and prepare a security concept.

Obligation to submit the security concept to the BNetzA:
Pursuant to § 166, this obligation is incumbent on network operators. Service providers must maintain a security concept and may be required by the BNetzA to submit it.

Obligation to notify the BNetzA:
The obligation to report the "commencement, change and termination of its activity as well as changes to its name or company, legal form and address" according to §5 TKG applies to all network operators as well as providers of telecommunications services "which are not number-independent interpersonal telecommunications services". Here again, network operators are addressed without exception, as well as certain service providers. The exception for service providers therefore applies to number-independent interpersonal telecommunications services, e.g. messenger services that operate independently of national/international numbering plans.