Update Data Protection No. 104
The German Federal Network Agency activates “Lex Huawei”
The operators of fifth generation cell phone networks ("5G networks") with over 100,000 users must now report the use of "critical components" to the German Federal Ministry of the Interior ("BMI") and must hope that this specific use will not be prohibited. At the same time, the components may only be used – regardless of the BMI's decision – if they have been certified.
These obligations have existed since the IT-Sicherheitsgesetz 2.0 [German IT Security Act 2.0] came into force on 27 May 2021. In practice, however, the corresponding regulation in Section 9b BSIG [Act on the Federal Office for Information Security] was only able to take effect after the German Federal Network Agency ("BNetzA") issued a definition of "critical components" by way of an ordinance.
The IT-Sicherheitsgesetz 2.0 generally stipulated increased security requirements for operators of public telecommunications networks and providers of public telecommunications services.
Even tougher requirements apply to operators of public telecommunications networks "with an increased risk potential" or with "over 100,000 users", as, above this threshold, such a network is considered to be a "critical infrastructure". In addition, according to the ordinance that has now been passed, the operation of a 5G network is, per se, a telecommunications network "with an increased risk potential".
After the United States – under the Trump administration – vehemently opposed the use of 5G hardware from the Chinese manufacturer Huawei (although cell phone companies would have liked to have used it and are indeed also using it to a considerable extent in current telecommunications networks), the German legislator also reacted by postponing the political decision regarding this issue to a future date. According to the new Section 9b BSIG, the use of "critical components" must be reported to the BMI, and the BMI can – after corresponding interdepartmental coordination – prohibit use insofar as the use of "critical components" entails a danger to public safety.
Operators of public telecommunications networks "with increased risk potential" (and according to the current state of the ordinance, these are only operators of a 5G network) may also only use critical components if they have been checked and certified by a recognized certification body (Section 109 para. 2 (4) TKG [German Telecommunications Act]).
The legislator handed the responsibility for defining the critical components for the telecommunications sector over to the German Federal Network Agency, which has now made use of this new power.
II. Definition of the "critical component" in the BNetzA's catalog of security requirements
As part of the new "catalog of security requirements for the operation of telecommunication and data processing systems as well as for the processing of personal data" (in short: “Security Catalog 2.0”), the German Federal Network Agency published a “List of Critical Functions”. The List of Critical Functions was determined on the basis of state-of-the-art technology and was based on the implementation recommendations of the EU Toolbox.
Thus, all IT products (according to the BSIG, this term includes both software and hardware) that are used in a 5G network to fulfill the functions specified by the German Federal Network Agency are critical components to the extent that any malfunctions in these components could lead to a significant impairment of the functionality of the 5G network or endanger public safety.
For the purposes of this definition, according to the BNetzA, the following "core network functions" are considered to be critical:
- authentication, roaming and session management functions for end users;
- data transport functions for end-user facilities;
- access policy management, registration and authorization of network services;
- storage of end-user and network data;
- connection to third-party cellular networks.
These broad formulations show that a large number of the functions that software and hardware products can fulfill in 5G networks are now to be viewed as critical. Consequently, it can also be assumed that the software and hardware products that are used in 5G networks to fulfill these functions are critical components in their entirety. In addition, IT products that only partially fulfill the above-mentioned functions are also included (p. 3 of the List of Critical Functions).
Even if the List of Critical Functions does not specifically state so, a line should be drawn between IT products that are used directly to fulfill the functions (e.g. the respective software application for the above-mentioned functions) and IT products that are only used indirectly to fulfill the functions (the standard server hardware and the operating system on which the special application runs). Otherwise, each individual component of the entire 5G infrastructure would summarily have to be declared a critical component, with all the associated consequences that this would bring.
At the same time, the scope of the requirements goes much further than just the pure wireless network. A 5G network also uses the infrastructure elements of landline network operators to a considerable extent, without which the operation of a 5G network would not be possible – cellular antennas are or will be connected via fiber optic cables and communication traffic is transported and terminated via the fast landline network as a transport network. In addition, 5G network intelligence is usually integrated into the transport network with dedicated elements. In this respect, the specification already extends beyond the pure wireless network of 5G networks being set up by network operators.
III. Some exceptions possible in low risk situations
Several of the functions listed are classified as critical per se, such as the aforementioned "storage of end-user and network data".
In the case of other functions, such as "5G-RAN management", the operator has the option of demonstrating and documenting that the corresponding functions or IT products do not have any increased criticality in their specific case. The corresponding justification must be recorded within the security concept, which, in turn, is checked by the BNetzA.
It is to be applauded that the German Federal Network Agency made use of its authorization to issue ordinances much earlier than expected and that it specified critical functions in more detail.
However, the description of the functions classified as critical by the German Federal Network Agency remains very broad. There is a risk of a loose interpretation of the terms, according to which a large number of the hardware and software elements of a 5G network can be classified as critical components. In contrast to the original objective of "Lex Huawei", European and American manufacturers of IT products could now also be affected by the new regulations and security requirements. For security reasons, 5G network operators must now report the use of a large number of IT products to the German Federal Ministry of the Interior, obtain the manufacturer's guarantee declaration (see Section 9b para. 3 BSIG) and seek certification from independent certification bodies (see Section 109 para. 2 (4) TKG). This is a huge bureaucratic effort that is presumably disproportionate to the regulatory objective, which is itself difficult to achieve in practice.
It should also be noted that any necessary replacement of infrastructure is likely to have significant cost implications for network operators and associated legal issues regarding which party should bear the costs – the 5G network operator or, if applicable, the landline transport network operator.