Access Alert: German Parliament Toughens Up 5G Security Rules

Access Alert: German Parliament Toughens Up 5G Security Rules

Germany’s Bundestag Approves IT Security Law 2.0  

On 23 April, the Bundestag adopted the final version of its IT Security Law 2.0. The law is aimed at increasing the security of information technology systems and is based upon a draft agreed by the governing coalition in December 2020. The final version is significantly stricter than originally planned, both in terms of security considerations and enforcement powers. The new law grants additional control powers to the Interior Ministry and Federal Office for Information Security (BSI) in ensuring that IT and communications providers deemed ‘untrustworthy’ are kept in check. The law will be influential and will help determine the playing field for upcoming 5G roll-out in the country.

EU Implications  

Since the law makes control by a foreign government an exclusion factor, it aligns Germany with other European countries like France and the UK by limiting the role played by Huawei in national connectivity supply chains. Beyond strictly national considerations, security assessments under this new law will also need to encompass EU and NATO political security.  More generally, IT-security considerations and tech sovereignty issues have significant momentum in the EU. Meanwhile, leading tech stakeholders like ASML CEO Peter Wennink argue that isolating a player like China through tech export control will simply speed up Beijing’s own achievement of tech sovereignty.

Business Impact  

The final version of the IT Security Law 2.0 includes a number of reporting obligations for IT and telecom providers, as well as a renewed enforcement framework seeing greater proactiveness on the part of regulators.  

No ‘Hard Evidence’ Requirement

A key element making the law’s framework more stringent is the Bundestag’s amendment excluding the requirement of hard evidence for deliberations by the Interior Ministry to ban the use of a critical component. Rather,  ‘foreseeable impairments of public security and order’ will be sufficient ground for the exclusion of a telecom supplier.

Compliance  

Telecom operators installing a critical component from scratch, or finalising new contracts for critical 5G components, will have to notify to the Interior Ministry, which will have the power to authorise or reject it in up to four months’ time. The government can also request the removal of components that have already been installed. For their part, IT manufacturers will need to provide a ‘declaration of trustworthiness.’ This will be accompanied by a new uniform IT-security label for IT components.

Enforcement  

The Federal Office for Information Security (BSI) will be empowered to identify security shortcomings related to IT systems and public telecommunications networks. It will also monitor and analyse  relevant threats and cyberattack methods. The BSI has also been granted injunction powers vis-à-vis telecommunications and telemedia providers, as well as consumer-protection responsibilities in the field of IT security.

How Should Tech Companies Respond? 

Companies will need to ensure that existing infrastructure complies with new requirements under the IT Security Law 2.0, including by replacing ‘untrustworthy’ components already installed.  Regulators’ interpretation of the notion of ‘critical components’ will also be important in determining companies’ obligations during implementation.

The approval of this law marks the start of a regulatory phase in Germany whereby business opportunities are unlocked as a function of the political risk associated with them. As a result, IT providers headquartered in EU and NATO countries can be expected to enjoy a comparative advantage in satisfying the new IT security requirements.

Related Articles

Access Alert: Biden’s 100 Days Address Looks to Build Back Better Agenda

Access Alert: Biden’s 100 Days Address Looks to Build Back Better Agenda

On 28 April 2021, President Joe Biden marked the eve of his first 100 days in office with his first...

29 Apr 2021 Opinion
Access Partnership and ISOC Event Highlights: Wi-Fi 6 Opportunities for Mexico

Access Partnership and ISOC Event Highlights: Wi-Fi 6 Opportunities for Mexico

On Thursday 22nd April, Access Partnership and The Internet Society (ISOC) co-hosted the event “Wi-Fi 6: Prospects and Opportunities for...

27 Apr 2021 Opinion
Europe’s Bid to Regulate AI Worldwide

Europe’s Bid to Regulate AI Worldwide

On 21 April, the European Commission presented its proposal for a European regulatory approach to artificial intelligence, adopting a risk-based...

22 Apr 2021 Opinion
Guest Article: Tech Monitor’s Amy Borrett Highlights How Data Trust Gap Endangers Successful Digital Transformation

Guest Article: Tech Monitor’s Amy Borrett Highlights How Data Trust Gap Endangers Successful Digital Transformation

The Covid-19 pandemic has demonstrated the importance of data-driven digital transformation, but it has also exacerbated a trust gap with...

19 Apr 2021 Opinion