Germany and Austria: Forerunners of 5G security measures?

The subject of cyber security of 5G networks is currently on the discussions table in all European countries. Preliminary steps for the implementation of 5G network security measures should have been completed by 30 April, according to the timetable initially proposed by the European Commission[1]. Subsequently, a joint report was to be released by each state on the implementation of these measures.

[1] Available at https://ec.europa.eu/commission/presscorner/detail/en/IP_20_123 (visited on 02.07.2020).

Considering that cyber security is treated as part of national security, and according to art. 4 para. (2) of the Treaty on European Union[1] “national security remains the sole responsibility of each state“, the rules proposed by the EU Toolbox aim to coordinate measures implemented at national level in the European Union[2]. As is well-known, the document prepared by the NIS Cooperation Group proposes both strategic and technical measures to limit cyber security risks.

Regarding the strategic measures, the EU Toolbox mentions that some states have implemented these measures and others are preparing similar legislation, context in which coordination between Member States or coordination at European Union level would be beneficial[3].

The scope of this article is to provide a brief analysis of the measures to be implemented or that are already implemented by means of various normative acts in other European countries, given that Romania is expected to follow the example of other countries in the process of aligning the laws with the requirements contained in EU Toolbox.

On 21 May 2020, an interinstitutional working group was set up in Romania to draw up a report on the implementation of the key measures identified in the EU Toolbox for effective risk mitigation and ensuring 5G network security[4]. This working group has not yet made public its work in this area.

However, at European Union level, countries such as Germany and Austria have already proposed tools to implement these measures in national legislation to effectively mitigate risks and ensure the security of 5G networks.

Thus, the Federal Agency for Electricity, Gas, Telecommunications, Post and Rail Transport in Germany has adopted the Catalog of Security Requirements for the Operation of Telecommunication and Data Processing Systems and for the Processing of Personal Data[5] (“Catalog of Security Requirements”), which also gives an important role to communications operators in ensuring network security.

The main provisions of the Catalog of Security Requirements for the Operation of Telecommunication and Data Processing Systems and for the Processing of Personal Data require operators to adopt:

1. security measures regarding employees;
2. physical security of equipment and networks measures (such as measures on access control and information systems access);
3. measures to communicate and report security incidents;
4. monitoring and testing procedures, including emergency drills;
5. security measures for the protection of personal data;
6. measures for guarantying the integrity and availability of network and information systems

In addition, the Catalog of Security Requirements also mentions operators’ obligation in relation with:

1. the use certified critical components;
2. security monitoring;
3. comply with the principle of net neutrality;
4. place cryptographic and key management mechanisms;
5. certification of components for performing critical functions;
6. certification of the credibility of producers and suppliers.

Germany has proposed an interesting instrument for certificating the credibility of producers and suppliers. The German rules provide that for the verification of the credibility of the manufacturer, suppliers will fill in a statement of confidence which minimum content is established by the above-mentioned normative act, but, which can be supplemented with certain criteria by operators.

Also, the Catalog of Security Requirements for the Operation of Telecommunication and Data Processing Systems and for the Processing of Personal Data identifies another possible method of verifying operators and suppliers, leaving the Federal Agency for Electricity, Gas, Telecommunications, Post and Rail Transport in Germany the possibility of ordering audits by independent qualified body or by a competent national authority, according to the provisions of art. 109 para. (7) of the TKG[6].

The draft regulation on minimum security obligations of electronic communications network operators was also debated in Austria on 24 April 2020 by the Telecommunications Regulatory Authority – Rundfunk und Telekom Regulierungs-GmbH (RTR) – (“Regulatory Authority“)[7].

The draft ordinance proposed in Austria establishes (a) a common set of rules applicable to all telecommunications networks; and (b) particular obligations for operators to protect the security of 5G networks.

Among the rules established for operators, the most relevant include:

1. the obligation to notify a security incident that has a significant impact on the security of the communications network;
2. the obligation to design and implement a security policy that ensures an adequate level of security in relation to existing risks;
3. a set of obligations for 5G network operators with more than 100,000 users, such as:

• to regularly submit an audit report;
• to submit a declaration of conformity attesting to the observance of international standards such as 3GPP, expressly mentioned in the annex of this order;
• to ensure the operation of the network operations center and the security operations center in the European Union;
• to effectively monitor all critical components and sensitive parts of 5G networks through the network operations center and the security operations center;
• to prevent unauthorized change of networks or components;
• to ensure the physical protection of the critical and sensitive components of 5G networks;
• restrict access to competent and qualified personnel, previously subject to security checks;
• use of appropriate tools to ensure software integrity when operating software updates;
• to establish a strategy to ensure the provision of infrastructure by several providers, including by taking into account technical constraints and interoperability requirements in different parts of other 5G networks.

Like the security measures imposed on personal data controllers[8] and those provided for in the European Electronic Communications Code[9], the Austrian authority emphasizes that operators must take into account the “state of the art” standard that the information security policy will include at least:

• risk management measures;
• security measures regarding employees;
• physical security measures;
• monitoring, auditing and testing.

From Austrian Regulatory Authority point of view, the implementation of a provider evaluation mechanism in relation to the criteria set out in the EU Toolbox requires another legal basis, namely the passing of another regulation by the competent authorities. On the matter of several suppliers’ strategy, the draft Austrian ordinance mentions avoiding or limiting the dependence on a supplier considered risky.

The measures described above, adopted or in the process of being adopted in the two European countries, aim to establish transparent and objective criteria for the verification of participants in the 5G equipment market.

In another paper that we published we have raised some concerns on the compatibility of measures to exclude or restrict market access for competitors in the light of international obligations assumed by the European Union and the Member States[10].

Meanwhile, opinions have emerged in the public space in the sense that measures to limit or restrict equipment suppliers seem to infringe the principles set out in European and national telecommunications legislation, namely the principles of objectivity, transparency, proportionality and non-discrimination[11].

The two proposed regulations in Austria and Germany, however, prove that the EU Toolbox can be implemented while ensuring competition in the market for products and services for the construction and maintenance of 5G networks, as well as compliance with the principles listed above.

Thus, on the one hand, there are measures to prevent unauthorized access to networks, and on the other hand, rules are established for objective certification of equipment that would be incorporated into the telecommunications network, means which can provide a continuous assessment by the operators or authorities of the security of telecommunications networks.

In conclusion, the implementation of cyber security measures remains a matter for the Member States. However, in order to ensure a coordinated implementation and similar conditions for the implementation of 5G technology in the European Union, designed to create predictability, as well as to avoid market fragmentation, it would be preferable that normative acts enacted by states to contain measures similar to those already adopted or made known to the public for consultation in other countries.

In fact, the need to avoid market fragmentation by imposing restrictive administrative barriers was also emphasized by Thierry Breton, European Commissioner for the Internal Market, who stated that: “5G wireless networks are a pillar of Europe’s socio-economic development, as they will provide new services in the health and healthcare, energy, transport, education and many other fields. Their importance is even more obvious at the moment, as networks will play a key role in our recovery from the coronavirus crisis. Together with the Member States, we must pave the way for the timely introduction of 5G technology, without restrictive administrative barriers, which will bring significant demand from our industry and boost innovation and competitiveness at European level[12].”

Dragne & Asociatii

[1] Available at https://eur-lex.europa.eu/resource.html?uri=cellar:2bf140bf-a3f8-4ab2-b506-fd71826e6da6.0001.02/DOC_1&format=PDF (visited on 02.07.2020)

[2] Section 2 of the EU Toolbox – ” The objectives of this toolbox are to identify a possible common set of measures which are able to mitigate the maiun cybersecurity risks of 5G networks, as they have been identified in the EU coordinated risk assesment report, and to provide guidance for the selection of measures which should be prioritisided in mitigation plans at national and at Union level. It does this in order to create a robust framework of measures with a view to ensure an adequate level of cybersecurity of 5G networks accros the EU and coordinated approches among Member States”

[3] Section 5.1. of the EU Toolbox: „The implementation of the strategic measures may require specific legislation at national level in order to fully achieve the impact of the measures. Some Member States have already implemented legislation related to these strategic measures and others are preparing similar legislation. In the future, coordination between member States or at EU level may be beneficial in order to promote convergent approches.”.

[4] “Memorandum for the establishment of the 5G Working Group to identify key strategic and technical measures in the EU Toolbox for effective risk mitigation and security of 5G networks required to be implemented by Romania, respectively for the preparation of the report on their implementation at national level”, available at https://sgg.gov.ro/new/wp-content/uploads/2020/05/MEMO-6.pdf (visited on 02.07.2020).

[5] Available at https://www.bundesnetzagentur.de/DE/Sachgebiete/Telekommunikation/Unternehmen_Institutionen/Anbieterpflichten/OeffentlicheSicherheit/KatalogSicherheitsanforderungen/aktualisierung_sicherheitsanforderungen/aktualisierung_sicherheitsanforderungen-node.html;jsessionid=BA3A1C931ADD0B5FB15E3B85CE19A79E (visited on 02.07.2020)

[6] Telecommunications Act (Telekommunikationsgesetz, TKG)

[7] Available at https://www.rtr.at/de/inf/konsult_NSiV_2020 (visited on 02.07.2020).

[8] Article 25 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation): „Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

[9] art. 40 point 1 of Directive (EU) 2018/1972 of the European Parliament and of The Council of 11 December 2018 establishing the European Electronic Communications Code

[10] Ion Dragne, Alexandru Dragne, Dragne & Asociatii „Compatibility of 5G cyber security measures with free tradei”, 2020, available at https://www.universuljuridic.ro/compatibilitatea-masurilor-pentru-siguranta-cibernetica-a-sistemului-5g-cu-libertatea-comertului/ (visited on 02.07.2020), also avilable at https://www.dragne.ro/compatibility-of-5g-cyber-security-measures-with-free-trade/

[11] Alina Popescu, Cristina Crețu, Maravela, Popescu şi Asociaţii: „Legal challenges in implementing the 5G EU toolbox and potential damaging effects on electronic communication providers and consumers” available at  https://financialintelligence.ro/maravela-popescu-si-asociatii-provocari-juridice-in-implementarea-setului-comun-de-instrumente-5g-si-posibile-efecte-prejudiciabile-asupra-furnizorilor-de-comunicatii-electronice-si-asupra-consumato/ (visited on 02.07.2020) also avilable at https://rlw.juridice.ro/17323/legal-challenges-in-implementing-the-5g-eu-toolbox-and-potential-damaging-effects-on-electronic-communication-providers-and-consumers.html (visited on 02.07.2020).

[12] Available at https://www.euractiv.ro/eu-elections-2019/noi-reguli-pentru-simplificarea-instalarii-retelelor-5g-in-ue-ce-s-a-discutat-in-senatul-romaniei-19745 (visited on 02.07.2020).