GSM-R outage halts German rail network after switch replacement error
A software fault during a planned network switch replacement triggered a nationwide GSM-R outage on the night of Tuesday, June 23, 2026, halting train services and affecting thousands of passengers.
Planned switch replacement caused system failure
The national rail operator said the outage began after technicians installed a replacement network switch within the GSM-R rail radio infrastructure. The new hardware triggered an unexpected software error that prevented the affected node from operating normally. Because the fault did not generate an automatic alarm, the system did not transition to its redundant counterpart as designed.
Automatic failover did not trigger after software fault
Germany’s GSM-R network is built with layered redundancy so that a malfunction should be absorbed by a parallel system or a public mobile fallback. In this case the automatic failover did not engage because the exchanged switch failed silently, the operator said. That absence of an automated alert forced staff to carry out a manual switchover to restore communications.
Cybersecurity checks delayed recovery operations
Before performing the manual changeover, engineers had to rule out a cyberattack, a precaution that added time to the recovery process. Officials told staff to follow incident-response protocols, including verification of system integrity, before altering routing or switching to backup systems. The additional validation was intended to protect network security but extended the period during which train radio services remained offline.
Service resumed roughly two hours after outage began
Rail radio functionality returned at about 00:30 local time, roughly two hours after the initial failure was detected, and train movements were able to restart. Operators worked to clear affected services and communicate with stranded passengers while drivers and dispatch centres coordinated movements under restored communications. Authorities estimate that thousands of travellers experienced delays or disruptions during the outage window.
DB InfraGo announces immediate operational safeguards
DB InfraGo, the state-owned infrastructure company, said it has implemented a set of immediate measures to prevent a recurrence. Planned component swaps will be paused until the manufacturer supplies a corrected software version for the switch. In addition, maintenance work on the system will be restricted to a four-hour nightly window between 00:00 and 04:00 and limited to inactive subsystems to reduce operational risk.
Infrastructure modernization remains a priority according to executives
Philipp Nagl, head of DB InfraGo, reiterated that modernization of the railway digital backbone is essential and that the GSM-R network is currently undergoing an upgrade to improve resilience. He noted the challenges of operating a 20-plus-year-old standard that remains the European norm for railway communications. Nagl and company statements stressed that replacement with the Future Railway Mobile Communication System, FRMCS, is not expected to be widely deployable for at least another decade.
Redundancy layers worked but silent error exposed a gap
Officials emphasised that the network’s redundant elements — twin systems and a fallback over public mobile networks — were functioning correctly during the incident. The problem lay in the failure to detect and signal the switch software fault, which prevented automatic transition between redundant systems. Rail industry critics pointed to the episode as an example of how ageing components and legacy signalling protocols can introduce systemic vulnerabilities.
The outage prompted political and sector criticism focused on long-term underinvestment in the rail network’s digital infrastructure, with stakeholders calling for accelerated rollout of modern communications standards. Rail unions and transport associations highlighted passenger safety and service reliability as priorities that require sustained funding and a clear replacement roadmap for GSM-R.
Rail operators say they will conduct a formal incident review to establish a full timeline and to recommend technical and procedural changes. The review will examine why the automatic alarm did not fire, how verification procedures can be streamlined without compromising security, and what additional monitoring or software safeguards are needed. Manufacturers and third-party vendors involved with the switch replacement have been notified and asked to support corrective actions.
The incident underscores the dependence of modern rail operations on resilient communications and the complexity of maintaining legacy systems while preparing for future standards. Operators have pledged to share findings publicly and to accelerate resilience measures as part of ongoing digitalisation efforts.
