Key Points
- On July 24, the European Commission (EC) published an updated report (the “Report”) on the progress made by member states in implementing measures aimed at addressing the national security risks and mitigation strategies related to the rollout of 5G within the EU (known as the “5G Toolkit”).
- By way of background, the objective
of the 5G Toolkit is to set out a coordinated European approach
based on a common set of measures aimed at mitigating the main
national security risks to 5G networks that were identified in the
EU coordinated
risk assessment report. The Report finds that many of the
member states are only at an early stage in terms of introducing
the more impactful legal national security and trade defense
measures.
- However, the EC is pushing this agenda very hard. We would therefore encourage clients in the telecoms sector (equipment suppliers, network operators, etc.) to develop a holistic legal strategy, both to understand the legislative developments occurring at the central EC level and within member states, and to identify trade policy opportunities for their voice to be heard on what could be legal measures that impact their business greatly.
Top-Level Findings
The Report notes that all member states have started a process
to review and strengthen security measures applicable to 5G
networks. For each of the 5G Toolkit measures, the Report reviews
progress made since the Toolkit adoption, showing what has already
been done and identifying areas where measures have not been
implemented so far. The Report notes that, generally speaking,
member states have made particular progress in the following
areas:
- The powers of national regulatory
authorities to regulate 5G security have been or are in the process
of being reinforced in a large majority of member states, including
powers to regulate the procurement of network equipment and
services by operators.
- Measures aimed at restricting the
involvement of suppliers based on their risk profile are already in
place in a few member states and at an advanced stage of
preparation in many others. The Report calls on other member states
to further advance and complete this process in the coming months.
With regard to the precise scope of these restrictions, the Report
highlights the importance of looking at the network as a whole and
addressing core network elements as well as other critical and
highly sensitive elements, including management functions and the
radio access network, and of imposing restrictions on other key
assets, such as defined geographical areas, government or other
critical entities. For those operators having already contracted
with a high-risk vendor, transition periods should be put in
place.
- Network security and resilience requirements for mobile operators are being reviewed in a majority of member states. The Report stresses the importance of ensuring that these requirements are strengthened, that they follow the latest state-of-the-art practices and that their implementation by operators is effectively audited and enforced.
Outstanding Concerns
Supply Chain Dependency
The 5G Toolkit recommends that each member state adopts a multivendor strategy to avoid or limit any major dependency on a single supplier (or suppliers with a similar risk profile), especially those deemed to be high risk. The Report finds that progress is urgently needed to mitigate the risk of member state dependency on single suppliers, as well as suppliers that are deemed to be high risk. The Report finds that there is a high degree of dependency in six countries and a medium level in eight. In addition, the Report finds that the 14 member states reported as medium/high are exposed to high-risk suppliers. Many member states mention that it is not possible to mandate a multivendor strategy under their existing legislation, so legal changes are needed. Moreover, the Report notes that further analysis is required in many member states to identify the appropriate legal basis to impose obligations in terms of diversification of suppliers.
Screening of Foreign Direct Investment
One of the key recommendations to member states is to build upon the EU's Foreign Direct Investment (FDI) Regulation screening mechanism to improve the monitoring of FDI investments across the 5G supply chain (e.g., through a mapping of key 5G assets, the use of monitoring tools and exploring specific guidelines) to better detect foreign investments in the 5G supply chain that may pose a national security threat. Member states have identified that FDI screening mechanisms will be a key measure in mitigating the risk of single supplier dependency and an essential tool to identify key assets to reduce risks to national security. The Report states that changes in ownership due to FDI movements along the 5G supply chain have the potential to increase national security risks overnight.
The Report notes that the COVID-19 pandemic adds to the urgency of implementing effective FDI review mechanisms due to the exposure to perceived hostile actor investment in times of economic challenges. However, only 13 member states have introduced national FDI screening mechanisms, which is somewhat surprising given that member states are expected to implement an FDI screening framework as of October 2020. Moreover, the EU is yet to assess whether the FDI frameworks that are in place adequately address the other risks detailed within the 5G Toolkit. However, the Report flags that there do still appear to be implementation gaps, such as legislation not covering the entire 5G supply chain or progress in legislation being dependent on progress in other 5G Toolkit areas, such as the more precise definition of assets.
Issues to Watch
The EC will continue to work with member states to monitor the
implementation of the 5G Toolkit to ensure its effective and
consistent application. The EC will also promote the alignment of
national approaches. By October 1, 2020, member states, in
cooperation with the EC, are to assess the implementation and
effectiveness of measures to determine whether there is need for
further action. As things progress, companies will need to be
increasingly alert to the following:
- Increasing FDI scrutiny: The Report
highlights the increasing pressure on those member states that are
yet to implement FDI review mechanisms before the EU FDI Regulation
comes into force on October 11, 2020. As such, we can anticipate
that there will be a flurry of regulatory activity to introduce FDI
mechanisms that could impact deals within Q4 2020 and into Q1 2021.
We have already seen member states implement FDI regimes almost
overnight that have impacted deals, which have leveraged the EU FDI
Regulation criteria for review (namely the involvement of critical
and dual use technologies, access to sensitive information and the
control of critical material supply chains). As such, investment
within Europe is likely to face growing friction (and confusion)
over the next 12 months as member states bring new FDI screening
mechanisms online. Businesses will therefore need to understand how
these individual FDI regimes work, and how they could be impacted
in each instance.
- Member state measures: The Report
emphasizes the risks to member states in terms of being overly
reliant on one supplier for 5G capability, especially if that
supplier is deemed to be high risk. There are a number of ways in
which this could play out going forward within individual member
states. In immediate terms, it is likely to impact individual
member state procurement decisions around who is both permitted and
awarded contracts within the 5G supply chain. We also anticipate
that certain member states are likely to adopt
"blocklists" for high-risk vendors, as well as developing
lists of assets to be protected. It is critical that network
operators and equipment suppliers understand what legal measures
and policy positions each relevant member state is taking, so that
they can develop strategies to deal with them.
- EC initiatives: The EU has emphasized the need to develop a “sovereign” 5G capability, which will see a number of developments at a federal/EC level. For example, the EC has noted that it is exploring the possibility of using trade defense instruments to reduce the dumping and subsidies of technology used within the 5G supply chain. In a similar vein, we also understand that consideration is being given under the recast dual-use regulation proposals to including certain 5G technologies within a unilateral “emerging technologies” category. In addition, it is likely that the EU will amend rules on public procurement to ensure that due consideration is given to security aspects when awarding public contracts, as well as through EU funding programs. Finally, we also anticipate that the EC will develop legal measures across the regulatory spectrum to both encourage and protect the growth of a European 5G capability.
Originally published by Akin Gump, August 2020