The virtualisation of networks is disrupting the telecommunications industry. Physical hardware used in traditional telecommunications networks is being replaced by software, and virtual environments are being established in the cloud. In recent years, the industry has seen the rise of the virtualisation of telecommunications functionalities through Network Functions Virtualisation (NFV) and the use of software-defined networking (SDN) techniques. Both these technologies allow certain functions of the network to become “software apps” and to run in the cloud through centralised software instead of being implemented in each piece of hardware. These techniques facilitate more dynamic adjustments to networks and more flexibility in how the network is deployed, at a lower cost.
Policy and Regulatory Horizon
Like any developing technology, network virtualisation is slowly attracting regulatory attention. Some telecommunications rules may already be applicable to virtual network providers, where characteristics of a virtual network resemble the functions of a traditional telecommunications network. For instance, a virtual CDN provider (vCDN) is expected to be subject to similar regulations to a traditional CDN provider. While further rules on the virtualisation of networks may follow in the years to come, some regulatory frameworks may already be adjusted in 2021. A number of policy issues may arise from increasing regulatory attention to the virtualisation of networks.
Applicability of Telecommunications Network
In most jurisdictions, telecommunications licensing requirements apply to service providers that are responsible for the conveyance of signals and the transmission of communications. Currently, the providers of virtual networks such as SDN and NFV do not transmit signals or communications per se or operate the telecommunications equipment that would define them as telecommunication network operators. However, a different regulatory approach may be applied in jurisdictions where the telecommunication regulatory framework is very broad and covers a wide range of providers, including cloud service providers. Additionally, virtualisation service providers may decide to take a more active role in the telecommunications value chain, for instance by including dedicated connection services for their customers. This would involve them in the provision of connectivity.
We should expect this new era of the virtual network to be recognised in telecommunications regulatory frameworks. This is already evident in the new European Electronic Communications Code (EECC) coming into force on 21 December 2020, which fundamentally reforms the European view of what comprises a telecom service, moving from the conveyance of signals to a broader three-part definition which includes software-based over-the-top communication services. The EECC underscores the importance of adjusting definitions to keep up with technological development in order to ensure technological neutrality, and refers specifically to SD-WAN as an example of such technological development, without establishing specific rules on it. These are clear indications that virtualisation is attracting regulatory attention.
Security of Virtual Networks
With the dramatic scalability brought about by virtualisation come significant security risks. The systemic nature of these risks means box-ticking compliance measures are likely to be less effective. The risk-based compliance approach evident in recent regulatory activity in the realm of network security shows that regulators are catching on to the broader impact on risk caused by virtualisation.
In Europe, we have seen significant regulatory activity in this area, with the introduction of several regulations and directives which provide baseline security requirements while leaving much of the burden of regulatory analysis to the parties subject to them. The NIS Directive is the first EU-wide legislation dedicated to cybersecurity and is aimed at operators of essential and digital services. It covers multiple sectors, from energy, transport, banking and financial market infrastructure to health, water supply and digital infrastructure. Under the NIS Directive, cloud computing services must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems which they use to provide services. The NIS Directive definition of cloud computing covers all services which allow access to a scalable and elastic pool of shareable computing resources, and computing resources include resources such as networks. While this broad definition gives a somewhat blurred scope for European cybersecurity regulation, it means the framework will be responsive to the technological change brought about by the virtualisation of networks.
The broad and risk-based approach taken by the regulators when drawing up the NIS Directive is also evident in the GDPR, leaving the parties subject to it with the task of interpreting regulatory criteria and weighing up risks when implementing security requirements. This demonstrates a clear effort on the part of regulators to write rules fit for purpose in an increasingly virtual ecosystem.
Net Neutrality Implications
The new software-based control over networks also enables network slicing, which gives control over logically separate data flows. Network slicing and other benefits of network virtualisation raise the issue of net neutrality, a matter that is still debated in some parts of the globe, including in the US. As the virtualisation of networks expands, policy discussion is necessary to reconcile the contradictory opinions in the industry on net neutrality rules in order to avoid hindering the deployment of virtualised networks.
Recommendations
- Policymakers can encourage innovation by providing a regulatory environment responsive to the agility virtualisation offers. This may be challenging, as new networks and services elude traditional definitions.
- Regulators are increasingly recognising that the solution to these challenges is more dynamic and principle-based regulation coupled with close and continual industry engagement.
- As the increase in virtualisation leads to significant regulatory activity, industry stakeholders should seize opportunities to shape regulation as it develops.