With the imminent rollout of new 5G mobile networks, the European Union (EU) and its member states are looking to adequately frame and safeguard the secure implementation of this new key technology. On top of that, foreign countries are also trying to influence EU member states in their approach toward cybersecurity, which seems to have led some member states to act against positions jointly endorsed at the EU level and even to violate fundamental principles of EU law.
A recent illustration is the legislative proposal currently under consultation in Romania. The draft law “on the adoption of measures relating to information and communication infrastructures of national interests and the conditions for the implementation of 5G networks” seemingly transposes a memorandum of understanding between Romania and the United States, pursuant to which Romania seems to have ceded to requests from the United States to keep certain Chinese suppliers out of the EU 5G telecoms market.
The proposal intends to create a prior authorization requirement for manufacturers of, among others, telecommunications “infrastructures of national interests as well as 5G networks.” The approval would be granted only to manufacturers that (1) are not controlled by a foreign government in the absence of an independent legal system, (2) have a transparent shareholding structure, (3) have no history of unethical corporate conduct, and (4) are subject to a legal system that requires transparent corporate practices. The objective of the approval mechanism is to eliminate what is broadly identified in the proposal as “risks to national security and/or national defense.”
The actual risk that the draft law seeks to prevent is not defined further and the criteria for assessment of the authorization request are kept vague at this point. The Romanian prime minister is to decide further to an assent of the Supreme Council of National Defense (CSAT) “based on assessments from the perspective of risks, threats and vulnerabilities to national security and/or national defense.” As a corollary, network operators will not be allowed to use technology, software, or equipment from manufacturers that are not authorized pursuant to the law, and technology, software, or equipment currently in use from such manufacturers may only be used for another five years.
While the protection of national security remains a prerogative of EU member states, member states are still required to respect and uphold the EU Treaty’s fundamental principles of transparency, legal certainty, and proportionality. These principles require that the risks for national security are precisely identified by a member state; that measures taken to protect these risks are based on clear, transparent, and objective criteria; and that any measures taken are proportionate to the goal they intend to achieve.
The public security exception available under the EU Treaty usually is construed narrowly. It is available only where there is a genuine and sufficiently serious threat affecting one of the fundamental interests of society.
In this case, the risks for the network are not defined, the criteria for assessing an authorization request are kept vague, and the request for authorization requires a declaration from applicants, which exclusively relates to political considerations and is not based on any technical criteria. This renders the decision-making process rather opaque, complicating the understanding of manufacturers as well as their possibility to appeal a decision. Furthermore, the scope of application of the law is broad: the authorization procedure applies not only to the entire 5G network, but also to 3G and 4G networks, all of which are defined as infrastructures “of national interest.”
As a consequence, the Romanian draft law deviates from the principles of transparency, legal certainty, nondiscrimination, and proportionality, which are fundamental principles of the EU Treaty and applicable legislation in the field of telecommunication.
At the EU level, member states and the European Commission agreed to a joint EU toolbox of mitigating measures in January 2020. The EU toolbox sets out a joint approach based on “an objective assessment of identified risks and proportionate mitigating measures” to address security risks related to the rollout of 5G. Measures are to be taken based on a balanced mix of technical and nontechnical criteria, multivendor obligations, and measures avoiding dependencies. If measures go as far as the exclusion of certain operators due to their risk profile on this basis, this should generally be limited to the most critical and sensitive parts of the 5G network.
Against this backdrop, other member states have thus chosen less restrictive means to protect the security of their 5G networks in the interest of national security.
The German government, for example, has embraced an approach in line with EU principles and with the EU toolbox. It recently adopted a Catalogue of Security Requirements for the Operation of Telecommunication and Data Processing Systems and for the Processing of Personal Data. This catalogue imposes various duties on network operators including setting up measures for guaranteeing the integrity of network and information systems, compliance with the principle of technological neutrality, adoption of measures for the protection of personal data, and the use of certified critical components. Operators are also required to certify that their suppliers comply with these requirements as well.
The catalogue of requirements describes technical precautions and other measures to guarantee a high standard of data security and data protection, to guarantee telecommunications confidentiality, and to ensure a sufficiently high availability of public telecommunications networks and publicly accessible telecommunications services. Additional security requirements are defined and additional protective measures are specific to network components with an increased risk potential. The list of network components with an increased risk potential, which is annexed to the catalogue, is additionally put out to public consultation. An essential component of the German proposal is the technical “security certification” through a recognized body. For this purpose, the Federal Office for Information Security will issue a further technical guideline with the title “Certification of telecommunication components.” This is in line with the European Commission’s position to promote joint technical criteria and joint certification as well as technological neutrality across Europe.
Last but not least, the German proposal also foresees self-declarations of reliability and trustworthiness from operators.
As a result, a system like the German proposal ensures that the 5G networks are not subject to undue interference by foreign entities, while maintaining objective, fair, and nondiscriminatory access to their 5G networks. A similar balanced approach has been followed by a few more countries, while other countries are still pondering the issues.
In line with fundamental principles of EU law, the European Commission and member states have endorsed a fully risk-driven approach, and member states are to act “in full respect of the openness of the EU Internal Market.” The Romanian draft law as it stands today deviates from the general principles of EU law as well as the joint approach agreed upon at the EU level.
However, only an objective, transparent, fair, and, in particular, proportionate regulation of 5G networks can safeguard national security against clearly identified risks at the member state level, in compliance with EU law.
Member state measures have to address adequately identified security concerns and be proportionate to the objective they seek to attain. In this case, however, less restrictive and more efficient ways than the draft Romanian proposal are available to mitigate security risks. These include, for example, the establishment of tightened general security standards and verification, ideally through common standards at the EU level, strengthened interoperability requirements, flexibly multivendor commitments from network operators, localization of production capacities, requirements with regard to local storage of particularly sensitive data, and requirements to comply with locally applicable product safety standards, as well as access control and permission management for different network layers.
New technologies require prudent and flexible regulation, keeping pace with constant technological evolution without hindering it. Considering the tremendous benefits for businesses and consumers at stake, regulators must carefully calibrate any rules addressing the security of 5G networks so as to continue to promote technological excellence and attract strategically important investments. It will be critical for the European Commission to ensure a harmonized approach toward cybersecurity throughout the EU and to guarantee that the good practice prevails: an independent European approach to 5G security that is both effective and proportionate to the specific risks at hand.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
 Proposal Article 4.
 Most recent draft published August 11, 2020.
 List of critical functions for public telecommunications networks and services with an increased risk potential (supplement to Annex 2 to the catalogue of security requirements), published jointly by the Federal Office for Information Security and the Federal Network Agency.
 European Commission, Secure 5G Networks, Questions and Answers on the EU Toolbox.