BSI TR-03109-6 v2.0: what gateway administrators must meet from 2027

TR-03109-6 defines the information security of the smart meter gateway administrator (GWA). Version 2.0, published in December 2025, is not a new certification obligation but an updated benchmark: it is applicable from publication and becomes binding from 1 January 2027 with the next new or recertification. The obligation itself exists under Section 25 MsbG, and version 1.0 still runs in parallel until the end of 2028.

It is worth being clear about what changes and what does not. The duty to be certified follows from Section 25 MsbG and has applied for years, with around 47 gateway administrators already certified. Version 2.0 only renews the benchmark against which that duty is audited, with the first major revision since 2015. This is also a different question from the plant-side duties: the article on direct marketing and remote control via the SMGW looks at how generation plants are steered over the gateway, whereas this piece is about the security and certification of the gateway administrator itself. It is equally separate from the IT security catalogue that binds network operators and critical infrastructure, a distinction we set out below. Note: GWA is the gateway administrator, MSB is the metering point operator.

Summary

TR-03109-6 is the BSI technical guideline for the administration of the smart meter gateway. It defines the minimum information-security requirements that the gateway administrator (GWA) must meet and how they are implemented through an information security management system (ISMS). The GWA operates the gateway technically, with configuration, key management, updates and monitoring, and is either the metering point operator (MSB) itself or a company it commissions.

Version 2.0, published in December 2025, is the first major revision since version 1.0 of 2015. It is not a new certification obligation: that obligation already follows from Section 25 MsbG, complemented by the technical guidelines under Section 22 MsbG, and around 47 gateway administrators are already certified. What version 2.0 changes is the benchmark, with four focal points: first-time requirements for remote workplaces, clearer rules on service-provider involvement, better auditability, and stronger alignment with ISO 27001.

The proof of compliance is an ISO 27001 certificate on an IT-Grundschutz basis or a native ISO/IEC 27001 certification with a reference to the guideline, valid for three years with annual surveillance audits and an audit report to the BSI. On the timeline, version 2.0 is applicable from publication, becomes binding from 1 January 2027 with the next new or recertification, and runs alongside version 1.0 until 31 December 2028, so there is no hard cutover for everyone.

The GWA duty under Section 25 MsbG sits next to, but apart from, the IT security catalogue under Section 11 EnWG, which binds network operators to an ISMS under ISO 27001 and ISO 27019; a municipal utility can need both. Whoever checks the next recertification date, adapts the home-office concept, prepares service-provider contracts and ISMS documentation, and books an audit slot early is on the front foot.

What TR-03109-6 regulates and who the gateway administrator is

The gateway administrator is the security-critical control point of the smart meter rollout. The technical guideline TR-03109-6 sets out which information security it must maintain.

Key facts at a glance:

  • Section 25 MsbG: legal basis, the certification obligation for gateway administrators
  • December 2025: TR-03109-6 v2.0 published, the first major revision since 2015
  • 1 January 2027: binding with the next new or recertification
  • 31 December 2028: version 1.0 expires
  • Around 47: certified gateway administrators in Germany
  • 3 years: certificate validity, with annual surveillance audits

TR-03109-6 defines the minimum information-security requirements for the gateway administrator (GWA). These are not abstract goals but concrete requirements that the GWA implements through an information security management system, with assets, protection objectives and minimum measures. The guideline is the benchmark against which the GWA is later certified, so it sets the bar that the security organisation has to clear.

The GWA operates the smart meter gateway technically and administers it centrally. That covers the configuration of the devices, the key management for the cryptographic material, the rollout of updates and the ongoing monitoring of the gateways in the field. It is the role that holds the keys to the metering infrastructure, which is exactly why its security is regulated so tightly.

The gateway administrator can be the metering point operator (MSB) itself or a company that the MSB commissions to run the administration. In both cases the role carries the same duties under the guideline, so an MSB that outsources the GWA function does not outsource the responsibility for getting the security right. The choice between running the role in-house and buying it in is one of the central make-or-buy questions in the rollout.

What version 2.0 changes

Version 2.0 is not a new obligation but a new benchmark. After ten years the BSI modernises the requirements and brings them into line with how the role is actually run today.

The first version of TR-03109-6 dates from 2015. Version 2.0, published in December 2025, is the first major revision since then, and a decade of operating experience flows into it. It does not change who must be certified or why, only what the audit looks at, which is why it matters to read it as an update of the benchmark rather than as a new duty. The revision concentrates on four focal points:

  • Remote workplaces: for the first time the guideline sets requirements for remote workplaces, that is, home office for GWA staff, an arrangement that barely existed when version 1.0 was written but is now common.
  • Service-provider involvement: clearer rules on how external service providers may be involved in the administration, which matters because so many MSB outsource part or all of the GWA function.
  • Auditability: better auditability through more concrete documentation and control requirements, so that what the ISMS does can be checked more directly.
  • ISO 27001 alignment: stronger alignment with ISO 27001, which eases the path for organisations that already run an ISO 27001 management system.

Taken together, these four points raise the bar without inventing a new procedure. An organisation that already holds a certificate keeps the same legal duty under Section 25 MsbG; it simply has to meet the updated requirements at its next audit. The practical work is therefore a gap analysis from version 1.0 to version 2.0, and it pays to start that early.

The certification obligation under Section 25 MsbG

The duty to be certified is not new. Whoever wants to act as a gateway administrator needs a valid certificate, otherwise they may not administer the gateways at all.

The proof is an ISMS that reflects the minimum requirements of TR-03109-6.

The legal basis is Section 25 MsbG, the Metering Point Operation Act, complemented by the technical guidelines under Section 22 MsbG. Section 25 sets the obligation, the technical guidelines fill it with the concrete security requirements, and TR-03109-6 is the central one of those guidelines for gateway administration. The obligation and the benchmark therefore come from two different places in the law, which is one reason updating the benchmark does not touch the obligation.

The proof of compliance can be delivered in two ways. The first is an ISO 27001 certificate on an IT-Grundschutz basis, the BSI methodology, and the second is a native ISO/IEC 27001 certification that carries a reference to the technical guideline and so picks up the TR minimum requirements. In both cases the certificate confirms that the GWA runs an ISMS that reflects the requirements of TR-03109-6.

The certificate is valid for three years, with annual surveillance audits in between and an audit report submitted to the BSI. This is a continuous regime, not a one-time hurdle: the GWA has to keep the ISMS in shape and demonstrate it every year. Around 47 gateway administrators are currently certified in Germany, which gives a sense of how concentrated the role is across the market.

Deadlines and the transition from version 1.0 to version 2.0

There is no hard cutover for everyone. Version 2.0 takes effect with the next certification, so the relevant date hangs on the individual cycle of each gateway administrator.

Version 2.0 applies with the next recertification, version 1.0 expires at the end of 2028.

Version 2.0 was published in December 2025 and is applicable from publication. From that point it is the current version of the guideline, but being published is not the same as being binding for every certificate already in force. The transition is deliberately phased so that existing certificates are not invalidated overnight.

The benchmark becomes binding from 1 January 2027 with the next new or recertification. In practice this means that whoever recertifies in 2027 is audited against version 2.0, while a certificate that was issued under version 1.0 and is not yet due for renewal continues to run on the older benchmark. Version 1.0 remains valid in parallel until 31 December 2028, which is the outer limit of the transition.

So the timing is individual rather than collective. There is no single switchover date on which all gateway administrators move to version 2.0 at once; instead each one moves with its own recertification, somewhere in the window between 2027 and the end of 2028. Knowing the exact next recertification date is therefore the first thing an organisation needs in order to plan the gap analysis and the audit.

Distinction from the IT security catalogue and the challenges

The GWA duty and the network-operator ISMS are often confused. They are two separate sets of duties, and the new requirements hit small operators particularly hard.

The gateway administrator operates the smart meter gateway and is accountable for its security.

Section 25 MsbG and TR-03109-6 bind the gateway administrator and concern the security of the smart meter gateway. The IT security catalogue under Section 11 EnWG is a different instrument: it binds network operators to run an information security management system under ISO 27001 and ISO 27019. The two address different roles, the GWA on one side and the network operator on the other, even though both turn on an ISMS.

The practical consequence is that the duties can stack. A municipal utility that is both a network operator and a metering point operator may need both sets of proof at once: the network-operator ISMS under the IT security catalogue and the gateway-administrator certification under Section 25 MsbG. Reading one duty as a substitute for the other is a common and expensive mistake, because the audits, the scopes and the references differ.

On top of this comes the cost of the tightened version 2.0 requirements. The new rules on remote workplaces, service-provider involvement and auditability raise the effort, and that effort falls hardest on small metering point operators, which can push them toward outsourcing the GWA function or consolidating it with a larger provider. There is also a capacity risk: with limited audit capacity in the market, a wave of recertifications from 2027 onward can become a bottleneck, which is another reason to book early. The broader policy direction here, including the push to roll out smart metering faster, is set out in the article on the smart meter rollout.

What companies should do now

Whoever knows the next certification date can steer the effort rather than be steered by it. The gap analysis from version 1.0 to version 2.0 should begin now, alongside the related grid-side duties covered in the article on the control box and Section 14a grid control.

  • Check the next recertification date. Establish exactly when the current certificate is due for renewal, because from 2027 the next new or recertification is audited against version 2.0, and the date decides how much time is left for the gap analysis.
  • Adapt the home-office and remote concept. Bring the remote-workplace arrangements for GWA staff into line with the new requirements, since version 2.0 addresses home office for the first time and this is where many existing setups will have gaps.
  • Prepare service-provider contracts and ISMS documentation. Review the contracts with external service providers and the ISMS documentation against the higher auditability requirements, so that the controls can be demonstrated cleanly at the next audit.
  • Book an audit slot early and review make-or-buy. Secure an audit slot in good time before any capacity bottleneck from 2027, and use the moment to revisit whether to run the GWA function in-house or buy it in.

Frequently asked questions

What is BSI TR-03109-6?

TR-03109-6 is the technical guideline of the BSI for the administration of the smart meter gateway. It defines the minimum information-security requirements that the gateway administrator (GWA) must meet, and how those requirements are implemented through an information security management system. The guideline is the benchmark against which the GWA is certified under Section 25 MsbG.

Does version 2.0 introduce a new certification obligation?

No. The certification obligation already exists under Section 25 MsbG and has applied for years; around 47 gateway administrators are already certified. Version 2.0 does not create a new duty, it only updates the requirements, the benchmark, against which the existing duty is audited. The first major revision since 2015 brings new rules on remote workplaces, service-provider involvement, auditability and ISO 27001 alignment.

When does version 2.0 apply?

Version 2.0 was published in December 2025 and is applicable from publication. It becomes binding from 1 January 2027 with the next new or recertification, so whoever recertifies in 2027 is already audited against version 2.0. Version 1.0 remains valid in parallel until 31 December 2028. There is no hard cutover for everyone on a single date.

Who must be certified under Section 25 MsbG?

The gateway administrator must be certified under Section 25 MsbG before it may operate the smart meter gateway. The GWA is either the metering point operator (MSB) itself or a company it commissions to run the administration. The proof is an ISO 27001 certificate on an IT-Grundschutz basis, the BSI methodology, or a native ISO/IEC 27001 certification with a reference to the technical guideline, valid for three years with annual surveillance audits.

How does this differ from the IT security catalogue under Section 11 EnWG?

Section 25 MsbG and TR-03109-6 bind the gateway administrator and concern the security of the smart meter gateway. The IT security catalogue under Section 11 EnWG binds network operators to an information security management system under ISO 27001 and ISO 27019. These are two separate sets of duties, and a municipal utility that is both network operator and metering point operator may need both certifications at once.