[co-author: Cassandra Padget, Trainee Solicitor]
- On July 24, the European Commission (EC) published an updated report (the “Report”) on the progress made by member states in implementing measures aimed at addressing the national security risks and mitigation strategies related to the rollout of 5G within the EU (known as the “5G Toolkit”).
- By way of background, the objective of the 5G Toolkit is to set out a coordinated European approach based on a common set of measures aimed at mitigating the main national security risks to 5G networks that were identified in the EU coordinated risk assessment report. The Report finds that many of the member states are only at an early stage in terms of introducing the more impactful legal national security and trade defense measures.
- However, the EC is pushing this agenda very hard. We would therefore encourage clients in the telecoms sector (equipment suppliers, network operators, etc.) to develop a holistic legal strategy to both understand the legislative developments occurring at both a central EC level and within member states, and also to identify trade policy opportunities for their voice to be heard on what could be legal measures that impact their business greatly.
The Report notes that all member states have started a process to review and strengthen security measures applicable to 5G networks. For each of the 5G Toolkit measures, the Report reviews progress made since the Toolkit adoption, showing what has already been done and identifying areas where measures have not been implemented so far. The Report notes that, generally speaking, member states have made particular progress in the following areas:
- The powers of national regulatory authorities to regulate 5G security have been or are in the process of being reinforced in a large majority of member states, including powers to regulate the procurement of network equipment and services by operators.
- Measures aimed at restricting the involvement of suppliers based on their risk profile are already in place in a few member states and at an advanced stage of preparation in many others. The Report calls on other member states to further advance and complete this process in the coming months. With regards to the precise scope of these restrictions, the Report highlights the importance of looking at the network as a whole and addressing core network elements as well as other critical and highly sensitive elements, including management functions and the radio access network, and of imposing restrictions on other key assets, such as defined geographical areas, government or other critical entities. For those operators having already contracted with a high-risk vendor, transition periods should be put in place.
- Network security and resilience requirements for mobile operators are being reviewed in a majority of member states. The Report stresses the importance of ensuring that these requirements are strengthened, that they follow the latest state-of-the-art practices and that their implementation by operators is effectively audited and enforced.
Supply Chain Dependency
The 5G Toolkit recommends that each member state adopts a multivendor strategy to avoid or limit any major dependency on a single supplier (or suppliers with a similar risk profile), especially those deemed to be high risk. The Report finds that progress is urgently needed to mitigate the risk of member state dependency on single suppliers, as well as suppliers that are deemed to be high risk. The Report finds that there is a high degree of dependency in six countries and a medium level in eight. In addition, the Report finds that the 14 member states reported as medium/high are exposed to high-risk suppliers. Many member states mention that it is not possible to mandate a multivendor strategy under their existing legislation, so legal changes are needed. Moreover, the Report notes that further analysis is required in many member states to identify the appropriate legal basis to impose obligations in terms of diversification of suppliers.
Screening of Foreign Direct Investment
One of the key recommendations to member states is to build upon on the EU’s Foreign Direct Investment (FDI) Regulation screening mechanism to improve the monitoring of FDI investments across the 5G supply chain (e.g., through a mapping of key 5G assets, the use of monitoring tools and exploring specific guidelines) to better detect foreign investments in the 5G supply chain that may pose a national security threat. Member states have identified that FDI screening mechanisms will be a key measure in both mitigating against the risk of single supplier dependency and as an essential tool to identify key assets to reduce risks to national security. The Report states that changes in ownership due to FDI movements along the 5G supply chain have the potential to increase national security risks overnight.
The Report notes that the COVID-19 pandemic adds to the urgency of implementing effective FDI review mechanisms due to the exposure to perceived hostile actor investment in times of economic challenges. However, only 13 member states have introduced national FDI screening mechanisms, which is somewhat surprising given that member states are expected to implement an FDI screening framework as of October 2020. Moreover, the EU is yet to assess whether the FDI frameworks that are in place adequately address the other risks detailed within the 5G Toolkit. However, the Report flags that there does still appear to be implementation gaps such as legislation not covering the entire 5G supply chain or progress in legislation being dependent on progress in other 5G Toolkit areas, such as the more precise definition of assets.
Issues to Watch
The EC will continue to work with member states to monitor the implementation of the 5G Toolkit to ensure its effective and consistent application. The EC will also promote the alignment of national approaches. By October 1, 2020, member states, in cooperation with the EC, are to assess the implementation and effectiveness of measures to determine whether there is need for further action. As things progress, companies will need to be increasingly alert to the following:
- Increasing FDI scrutiny: The Report highlights the increasing pressure on those member states that are yet to implement FDI review mechanisms before the EU FDI Regulation comes into force on October 11, 2020. As such, we can anticipate that there will be a flurry of regulatory activity to introduce FDI mechanisms that could impact deals within Q4 2020 and into Q1 2021. We have already seen member states implement FDI regimes almost overnight that have impacted deals, which have leveraged the EU FDI Regulation criteria for review (namely the involvement of critical and dual use technologies, access to sensitive information and the control of critical material supply chains). As such, investment within Europe is likely to face growing friction (and confusion) over the next 12 months as member states bring new FDI screening mechanisms online. Businesses will therefore need to understand how these individual FDI regimes work, and how they could be impacted in each instance.
- Member state measures: The Report emphasizes the risks to member states in terms of being overly reliant on one supplier for 5G capability, especially if that supplier is deemed to be high risk. There are a number of ways in which this could play out going forward within individual member states. In immediate terms, it is likely to impact individual member state procurement decisions around who is both permitted and awarded contracts within the 5G supply chain. We also anticipate that certain member states are likely to adopt "blocklists" for high-risk vendors, as well as developing lists of assets to be protected. It is critical that network operators and equipment suppliers understand what legal measures and policy positions each relevant member state is taking, so that it can develop strategies to deal with them.
- EC initiatives: The EU has emphasized the need to develop a “sovereign” 5G capability, which will see a number of developments at a federal/EC level. For example, the EC has noted that it is exploring the possibility of using trade defense instruments to reduce the dumping and subsidies of technology used within the 5G supply chain. In a similar vein, we also understand that considerations are being given under the recast dual-use regulation proposals to include certain 5G technologies within a unilateral “emerging technologies” category. In addition, it is likely that the EU will amend rules on public procurement to ensure that due consideration is given to security aspects when awarding public contracts, as well as through EU funding programs. Finally, we also anticipate that the EC will develop legal measures across the regulatory spectrum to both encourage and protect the growth of a European 5G capability.