Dear Members,

I would never have thought that “getting out of the pandemic” could be conceptually more challenging than the unforeseen, tough entry into 2020 – but today I stand corrected. I almost feel like I’ve whirled into a shallow pool below a waterslide – like taking a wild ride and then suddenly braking, standing up, taking a breath and jumping quickly out of the way as the lifeguard yells from the edge about the next player coming right on my heels.

Think of the following: Several months of arduous hybrid meetings, the rollback of unfinished digitalisation processes, the almost obsessive insistence on physical presence, combined with the involuntary abandonment of working from home: this has led to tensions for companies and administrations. While one corner of society or even entire countries like Belgium are fine-tuning permanent concepts of working from home and the 4-day workweek, at the other end, we hear “be back in the office by Monday or pretend to work somewhere else” and similar acts of faith directed at employees. Mandatory masks and a distance of one and a half metres in the conference room, but being right beside others without masks at the stand-up tables during the lunch break? Been there, done that. Mandatory vaccination boosters? Lifting of restrictions despite high incidence rates? Was that the case? What does a path back to “normality” look like, what can it look like? And what does this “new normal” actually look like?

At the end of the year, the only enduring effects of digitalisation turned out to be video conferencing, reduced travel and the increased use of collaboration software. When I rolled out my first video conferencing service in 1998, I didn’t realise that it would take a pandemic to achieve the breakthrough. Oh yes, and of course cloud services. They’re all cloud services now. Just not in the SMEs. Or in the public administration sector.

While I’m on the subject of public administration in Germany: Five years of the Online Access Act together with the associated simplifications during the pandemic seem to be not even remotely sufficient to implement the 575 legally defined online services – the implementation of which was supposed to be completed by the end of 2022. Formalities such as personal submissions and signatures or even the lack of payment connections in the “specialised procedures” of the German federal states and municipalities are further hampering the process. Identification and signature via state-used identity cards? Not a chance, even though this could have potentially provided the eID project with the missing “killer app”. Today, we are trying out the use of the online ID function with property owners in the context of property tax, which has the highest usage rates of online identification via the ID card since the beginning of the procedure – and most recently also with the energy flat rate for students. In short: For “new” procedures, we can do it, while the conversion of “existing procedures” continues.

Which brings us to the digital projects of the new German federal government: the fact that administrative services will be digitalised “with the help of state digital identities” by 2025 is one of six “particularly important” central points of the “new” Digital Strategy. I read this as “we are postponing the goals of the Online Access Act from 1 January 2023 to 31 December 2025”, but acknowledge that public administration digitalisation in the federal system has its very own pitfalls. It would certainly be helpful to have a little more continuity in the German Federal Ministry of the Interior (BMI) and its specialist department, which has for some time had an unnaturally high turnover.

Other points of this strategy include, for example, the availability of fibre optics for 50 per cent of households, the electronic medical record and the e-prescription, or the plan to establish an equal-opportunity, barrier-free educational ecosystem as an offer for all phases of life – here, too, the federal stumbling blocks are already foreseeable, as recently strikingly exemplified in the pandemic, much to the detriment of the affected children and young people.

The residual goals of creating a modern legal framework for the utilisation and networking of data are to be welcomed, as is the abstract goal that Germany should advocate for an Internet as a free, democratising space with a global, digital order based on human rights, at both European and international levels. The former has so far failed because of veritable application scenarios; the latter due to the tension between the goals of the AA and those of the German Federal Ministry of the Interior (BMI).

Goals that are directly relevant to the eco Association’s Board are those of the German Federal Ministry for Digital and Transport (BMDV) and the German “Digital Minister”, who published the new edition of the Gigabit Strategy in July 2022. The noble goal: “By the year 2030, there should be nationwide fibre-optic connections right into homes plus the most up-to-date mobile communications standard everywhere where people live, work or travel”. In terms of content, aside from some perennial issues such as the simplification of approval procedures and the establishment of new installation techniques, there are primarily two new approaches: The German Gigabit Land Register, which aspires to consolidate all relevant information on the planning of infrastructure roll-out and on the current and future level of coverage in the sphere of telecommunications in an information portal, and the shift in fixed network funding to a procedure supported by a nationwide potential analysis. The “potential” of a region serves as an indicator of its own economic ability for the development of its fibre-optic networks, and is intended to subsequently reflect the potential funding requirements of the region.

The basic idea underlying this is that regions with a high potential for their own economically viable roll-out will experience their roll-out from the market on a self-economic basis, while areas with a low potential will receive subsidises to fund the roll-out. This means that, unlike in the past, the region’s own initiative will no longer be the main criterion. The potential analysis is to be updated in the future and renewed annually so that all regions can benefit from roll-out by approximately 2030.

The majority of our member companies have welcomed the resulting prioritisation of self-economic roll-out. This should put an end to the issue of overlapping existing or planned Internet networks with a subsidised regional project. But regarding this procedure, there’s an issue that is still unexplainable. For example, in 2025, if the notional national target of at least 50 per cent fibre optics has been achieved, district administrators are expected to “sell” to their voters that it will not be their district’s turn until perhaps 2028, and that it will then be included in the fibre-optic roll-out – and that, before then, neither a self-economic nor a subsidised roll-out can be expected. This would probably be tantamount to political suicide.

Shortly after the publication, on 17 October 2022 there was also a halt to funding without any prior notice, given that the funding pools were depleted; mainly due to the consolidated submission of funding applications in Baden-Württemberg. This standstill lasted until the start of the new programme on 3 April 2023, and the further outlook doesn’t look rosy: It is already foreseeable that the “new” funding level of around 3 billion Euro per year will be fully utilised for 2023 and the following years, despite the “potential analysis” filter.

The Ministry for Digitalisation is also home to the “Digital Strategy Germany Advisory Board”, which was established in November 2022 to primarily accompany the 18 “flagship projects” of the German Digital Strategy. At each of their meetings, the focus is set on two projects which are subject to evaluation. I am happy to report that eco is represented on the Advisory Board by our Managing Director Alexander Rabe.

In the context of the Digital Strategy, a factor which I find interesting is the parallel “monitoring” research project to assess the implementation status of the Digital Strategy: For the first time, the German federal government wants to use KPIs to measure itself and the effectiveness of its work in a comprehensible manner. The exact form this will take is still being worked out, but the “impact measurement” research project has already been started and commissioned.

In the course of 2022, there was a noticeable change in the way we interacted with our regulator, the German Federal Network Agency (BNetzA) – only very rarely have I been so struck by how the change of a top management position occurred in conjunction with a quasi-simultaneous new legal framework, as was the case in the transition from Jochen Homann to the former Head of the Federation of German Consumer Organisations (VZBV), Klaus Müller, and the new regulations of the German Telecommunications Act (TKG) and the German Telecommunications-Telemedia Protection Act (TTDSG). The focus of the organisation has thus clearly shifted towards consumer protection, which also aligns with the spirit of the new legal framework.

Consequently, ongoing topics in the dialogue with the German Federal Network Agency (BNetzA) were the interpretation and implementation of the claims for mitigation and the right to fast Internet derived from the new German Telecommunications Act (TKG). With regard to the former, the evaluation of the measurement campaigns of the broadband measurement as well as the calculation method of a potential mitigation were in particular dispute.With regard to the latter, questions concerned the obligated party, the technological neutrality of existing offers which take account satellite systems into account and, in particular, whether this individual right also applies to entire districts, new development areas, or regions with already agreed future fibre optic roll-out.

Between companies, a new chapter has also been opened by the national dispute resolution procedure in the new German Telecommunications Act (TKG), located at the Ruling Chamber 11 of the German Federal Network Agency (BNetzA). It is noteworthy that most of the proceedings are terminated by an agreement between the parties and a discontinuation of the proceedings without a ruling; also, the status of “suspension of proceedings” during a negotiation phase is more or less the normal state of affairs; the companies mostly try to avoid an actual ruling by the chamber.

Independent of all funding and dispute resolution, the market is endeavouring to transition from the monopoly-based copper market to the pluralistic fibre market in the format of the Gigabit Forum based at the German Federal Network Agency (BNetzA). In a series of project groups, solutions are to be agreed upon regarding products and processes, interfaces, building connections and in-house networks, right through to issues surrounding the future decommissioning of copper networks from 2025. A special focus is on Open Access, which is intended to increase the utilisation of existing networks as an alternative to the construction of several parallel networks and to avoid an over-structure. eco accompanies these processes by participating in the project groups themselves as well as in the Steering Committee and the High-Level Forum of the market participants’ boards.

The new German Telecommunications Act (TKG) has also brought changes to the public security sector: For a large number of companies, the new version in Section 170 of the TKG and Section 174 of the TKG in conjunction with the likewise new 8.1 “Technical Guideline for implementing legal measures for telecommunications surveillance and information disclosure” (TR-TKÜ) made it mandatory to create a formalised email interface. In addition, the previously relatively informal collection of data in companies’ own networks must also be documented separately according to services within the framework of derivation concepts.

Events that were less laudable and retrospectively unsustainable were those concerning the house leadership of the German Federal Office for Information Security (BSI), whose president Arne Schönbohm was dismissed from his duties as of 18 October 2022. The trigger was a report by ZDF Magazin Royale on 7 October 2022 referring to the association “Cyber-Sicherheitsrat Deutschland e.V.” (Cybersecurity Council Germany), of which he was the founder and Chair until his appointment in 2016. Regardless of one’s opinion of Schönbohm, this situation had already been reported on in the context of his appointment to the BSI in 2016 and, later in 2019 by “Die Zeit” and the magazine “Kontraste”, no new information was revealed. The action of the German Federal Ministry of the Interior’s management was therefore surprising for insiders; apparently, in 2022, any connections to companies in the Russian influence sphere were assessed much more critically than was the case in 2016 or 2019 – the wind of change at work. Schönbohm and his positions were well-known to us, but it remains to be seen as to how his successor Claudia Plattner will position herself on critical cybersecurity issues and what changes this will entail for BSI policy.

Of course, no report on 2022 can be complete without addressing the Ukraine war and its consequences for network operations in Germany. The primary focus was and still is on cybersecurity: specifically, the question of whether we are sufficiently and effectively protected against cyberspace attacks. The initial answer: while the number of attacks in the area of central government as well as on media institutions, journals and online services have increased significantly, the degree of attacks against infrastructure facilities, network operators and the like have not risen outside the normal growth rates. In other words, those who have always been in the focus of attackers and need to protect their systems have noticed little of note; on the other hand, those who are only now turning their focus to cybersecurity are overwhelmed by the sheer number of real and “perceived” attacks. Combine this with known hacks and data leaks as well as the call for “capability building” in the military complex, and there seems to be a massive need for action on the part of the government – the industry is mostly already one step ahead and is working on automated systems for attack detection, and the German Federal Network Agency (BNetzA) has also conducted several workshops with operators on this complex topic.

The cyber threat situation resulting from the Ukraine war, combined with efforts to improve the response to natural disasters such as the German Ahr Valley flooding, led to the demand for the resilience of critical Internet and services. In the summer of 2022, this resulted in a resilience paper by the German Federal Network Agency (BNetzA), with eco playing a fundamental role in its preparation. As a result, in December 2022, the German federal government adopted key points for a “KRITIS Umbrella Act” (KRITIS-DG). It is expected to be adopted before the end of 2023, with a focus on the physical protection of critical infrastructures.

Naturally, all regulations in this field must be in line with the European regulations, and these were also worked on extensively in 2022. On 14 December 2022, the European Critical Entities Resilience Directive (CER) was published: this is to be transposed into national law by autumn 2024 and is also reflected in the German KRITIS Umbrella Act (KRITIS-DG). What is even more prominent is the EU NIS2 Directive, which was published on 27 December 2022 after tough negotiations. It must be transposed into national law by autumn 2024 and is reflected in the KRITIS-DG. It, too, must be transposed into national law by no later than 17 October 2024. This will most likely take place in 2023 through the German “NIS2 Transposition and Cybersecurity Strengthening Act” (NIS2UmsuCG), which will make a renewed adjustment to the German Federal Office for Information Security (BSI) Act and other laws and adapt the regulations from the IT Security Act 2.0 (IT-SIG 2.0). Only drafts have been presented so far, but one thing is certain: strengthening the cybersecurity of companies and institutions is both fundamental and necessary – in this respect, the goal is the right one. We now have to come to an agreement with the legislator on the approach and the limits. Whether it is really appropriate to have a direct leap from barely 2,000 to almost 30,000 critical and major companies – as estimated and planned by the German Federal Ministry of the Interior (BMI) – must in any case be discussed.

The regulations from the European Critical Entities Resilience Directive (CER) and NIS2 are supplemented by the “Cyber Resilience Act” (CRA), which was presented in draft form on 15 September 2022 and is intended to regulate the cybersecurity of all products with online components. In line with the German Federal Ministry of the Interior (BMI), which has been pursuing this approach for quite some time, there are plans for an update obligation over several years as well as labelling with a de facto seal of approval, which will presumably involve an extended version of the CE mark. In addition, there is an obligation to list the applied software components (“Software Bill of Material”, SBOM), and for all devices with increased protection needs, an external audit by an accredited testing body is required. According to the European Commission’s plans, the CRA is to be adopted before the end of 2023 and will then apply immediately to all Member States.

To note two higher network levels: the “Digital Services Act” published on 17 October 2022 (DSA, the EU regulation on a Single Market for digital services) and the “Digital Markets Act” published on 12 October 2022 (DMA, the EU regulation for the regulation of gatekeepers). These intervene in the market structure, the specific form of the transposition, and the technical requirements for the transposition of the protection obligations, especially when it comes down to the national German Network Enforcement Act (NetzDG). These factors are currently still under analysis.

Furthermore, the negotiations on the “Data Act” (the EU regulation on the handling of data from devices/IoT devices) and the negotiations on the “E-Evidence Regulation” (cross-border data access for law enforcement agencies) were still ongoing at the end of the year. Both of these will only be concluded in the course of 2023. In the field of E-Evidence, it must unfortunately be assumed that all providers of electronic services will be comprehensively subject to legal obligations, with no resolution of the conflicts arising from the different legal areas.

At least the “manual” requests are now off the table, and all requests are electronically signed and managed via a central system (e-codex). For all queries that go beyond mere identification of the user, electronic confirmation by the country of residence is now required before the data is released.

The proposals for combatting CSAM content as well as the proposed client-side scanning on users’ end devices – a proposal which eco emphatically rejects – were controversially discussed both via eco’s active participation and in a series of its own events. Irrespective of the legal and technical questions, given the inadequate handling of already known and reported incidents and the insufficient systems of the responsible agencies to handle the number of cases already occurring today, we simply see no need for further extended access rights and the associated further increase in reports to a multiple of the current cases.

Last but not least, a topic that must be mentioned at this point – also because of the massive demand for resources in 2022 – is that of the so-called “fair share”, which is the planned cost sharing (or “network toll”) of content providers for using network infrastructure. The topic is currently being investigated by the EU Commission, BEREC, the German Federal Network Agency (BNetzA), the German Federal Ministry of Economic Affairs and Energy (BMWI) and a multitude of other interest groups. eco also published a short study on this at the end of 2022.

Since eco serves as the meeting ground for the various stakeholders – both the proponents and the opponents of the proposal are predominantly members of the association – it is extremely difficult to form a position. This was different in the past, as eco always had a clear position on the topic that was dealt with a total of four times since 1995; however, under the current circumstances, this position is controversial.

For our subsidiary DE-CIX Group AG, as an operator of public Internet Exchanges, the proposals for “fair share” jeopardise its entire model of open peering between network operators. DE-CIX, as one of the world’s most important operators which decisively shapes the market segment, would likely be severely affected by the proposed change in Internet payment flows.

As a result, before taking a further position, we at eco will first await a concrete proposal from the Commission following the analysis of the consultation launched at the beginning of 2023.

As you can see, the monitoring of the variety of topics in 2022 alone was a challenge in many respects; details on the individual processes can be found in the reports of the working groups and the statements of the Law & Regulations division.

Yours

Klaus Landefeld
Vice Chair of the eco Board
eco Board Member for Infrastructure & Networks