LawFlash

Securing 5G Networks in the EU: High-Risk Vendors or High-Risk Legislation?

June 04, 2020

The rollout of 5G networks is taking countries around the world to the next generation of technology. This new generation of networks will offer untapped opportunities for business and services for citizens in a vast variety of sectors, such as transport, energy, manufacturing, media, and health. In light of such a pivotal role of 5G networks for economy and society, network operators, suppliers, and governments are working on making these networks as advanced and as secure as possible.

Security concerns are a common reaction to technological innovation, in particular when essential infrastructures and services undergo significant transformation. On the other hand, new technologies require prudent and flexible regulation, keeping pace with constant technological evolution without hindering it. Considering the tremendous benefits for businesses and consumers at stake, regulators must carefully calibrate any rules addressing security of 5G networks so as to continue to promote technological excellence and attract strategically important investment.

The European Union (EU) has recently published its “toolbox”[1] for regulating 5G networks. While the toolbox acknowledges the need for a risk assessment of 5G equipment suppliers and the need for adopting mitigating measures by EU member states’ governments, the European Commission insists that the EU’s approach is risk-driven and that member states are to act “in full respect of the openness of the EU Internal Market.”[2]

Some European countries are trying to address security concerns by identifying individual so-called “High Risk Vendors” (HRVs) ex ante and excluding or limiting the use of equipment from these HRVs for all network operations in the country. However, such single-purpose legislation does not truly address security concerns.

Excluding or limiting market access for 5G equipment suppliers on security grounds is a significant restriction of their business activity. Equally, it significantly restricts the freedom of 5G network operators to contract with the business partner of their choice, negatively impacting the investment environment. And, of course, it has a direct negative impact on the entire mobile ecosystem, including adversely impacting consumer demand for 5G services, which, in turn, slows network deployment and job growth in the mobile marketplace.

The public security exception available under the EU Treaty usually is construed narrowly. It is available only where there is a genuine and sufficiently serious threat affecting one of the fundamental interests of society. The exclusion of some suppliers, but not others, would imply that the former are the sole relevant source of risk for 5G networks. This is inconceivable in light of global supply chains. Many suppliers are manufacturing outside the EU and many third-country governments are entertaining close links with manufacturers of key technology. In addition, many other sources of risk would remain unaddressed, such as poor technical quality, poor security features, lack of innovation, and absence of supply chain reliability and resilience.

Operating HRV lists to exclude certain suppliers runs against the rule of law and the principle of equal treatment, does not allow mitigation of security risks, and impacts the investment environment negatively.

Single-purpose legislation singling out HRVs would turn the rule of law upside down. Legislation determines generally applicable standards that apply industry-wide and not to specific companies, typically based on industry best practices such as risk-driven analysis, which has become a widely accepted analytical model for assessing and addressing cybersecurity risks.

The same security standards must apply consistently and systematically to all suppliers across the board in the same manner based on the fundamental equal treatment principle. At the same time, different risk mitigation solutions must be available for different security risk situations. Any other solution would not only be discriminatory but ineffective. Cybersecurity risks arise in a variety of contexts such that every company participating in the supply chain must evaluate relevant risks and engage in mitigation activities. Simply focusing on HRVs may provide the appearance of security to some but is profoundly ineffective and impractical given the complexities of the risk matrix applicable to 5G technologies. Furthermore, risk assessment in 5G networks has to be a dynamic and continuous process in order to keep up with and appropriately address specific risks, the nature of which constantly evolves in an ever-changing technological ecosystem. Therefore, in order to enhance overall security effectively, regulators should prioritize tailored, process-based solutions instead of blanket exclusions.

The principle of technological neutrality further limits the freedom of EU member state regulators to exclude specific companies to the benefit of others in the area of 5G technology. The principle preserves the freedom of individuals and organizations to choose appropriate technology for their needs. Importantly, technology neutrality preserves important individual freedoms and liberties allowing operators and users to select technology that meets their needs. Categorical exclusion of HRVs erodes important values that underlie liberal democracies and economies by restricting operators and users from exercising choice as to the devices and services they would otherwise like to access.

EU member states also have to comply with the general principle of proportionality. This means that member state measures have to adequately address identified security concerns. They would have to demonstrate that no equally efficient means are at their disposal to counter the specific security risks identified. This is certainly not the case: less restrictive and more efficient ways to mitigate security risks include, for example, the establishment of tightened general security standards and verification, ideally through common standards at EU level, strengthened interoperability requirements, flexible multivendor commitments from network operators, localization of production capacities, requirements with regard to local storage of particularly sensitive data, requirements to comply with locally applicable product safety standards, as well as access control and permission management for different network layers.

Last but not least, restricting the commercial freedom of equipment suppliers and network operators will disincentivize investment into advanced 5G networks in the EU and negatively impact quality and innovation. Ultimately, this would also run counter to the EU Commission’s objective of rolling out the most advanced 5G networks in the EU, in full respect of the openness of the EU Internal Market. Moreover, it would have a global impact, as the economies of scale necessary to manufacture equipment that enables 5G networks and technologies mean that categorical exclusion of certain companies from the EU will adversely impact the timing of the global rollout of 5G services.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Washington, DC
Andrew Lipman

Brussels/Paris
Christina Renner



[1] Cybersecurity of 5G networks EU Toolbox of risk mitigating measures, January 2020.

[2] European Commission, “Secure 5G Networks, Questions and Answers On The EU Toolbox.”