Progress towards the so-called fifth generation of mobile communications, or 5G, poses numerous challenges both technologically and legally. One indication of this is the process initiated with the Draft Bill on requirements to ensure the security of fifth generation electronic communications networks and services (the “Draft Bill”), which has already been submitted for public consultation and is currently in the process of being drawn up to then be presented before Parliament.
This Bill has been developed in response to the need to ensure trust in and the security of 5G networks, which, although they have certain comparative advantages over previous technologies, also involve certain risks arising from their technical specifications, creating new security challenges. The Draft Bill is intended to add to existing laws and regulations on both telecommunications and cybersecurity.
Specifically, the proposed text defines its purpose as establishing “security requirements for the deployment and operation of electronic communications networks and providing electronic communications services based on 5G technology”. It is therefore expected that the Draft Bill, once approved, will be applicable to the following market players:
- “operators”: understood as individuals or legal entities operating networks and providers of electronic communications services based in full or in part on 5G networks;
- “suppliers”: understood as software and hardware suppliers and service providers for the operation of 5G networks and services;
- “manufacturers”: understood as persons who place terminals and connected devices on the market; and
- “corporate users”: understood as those individuals or legal entities using or requesting 5G services that are not available to the public, for professional purposes;
We see the Draft Bill as being ambitious in nature, whereby it intends to establish obligations not only for telecommunications service operators, but also for those software or hardware sub-providers, and equipment and/or terminal manufacturers that aim to provide services through the operation of 5G.
The government is also expected to approve, by Royal Decree, the so-called “5G network and service security scheme”, which should address the most relevant aspects in terms of the vulnerabilities and risks of these types of networks and services.
This security scheme will serve, among other aspects, to assess the security measures implemented to mitigate the risks revealed in the corresponding analyses. This scheme will be reviewed every 6 years.
In this regard, the most important obligations proposed in the Draft Bill include the operators’ obligation to oversee the security practices of their sub-providers, which must be carried out at least every 2 years, as well as the obligation to establish a diversification strategy for these sub-providers. All of this must be reported on a regular basis to the Ministry of Economic Affairs and Digital Transformation.
It also contains various obligations applicable not only to 5G network operators, but also to suppliers or manufacturers;
- Obligations of a technical nature consisting of, among others, restrictions in relation to the location of certain network management and security centers, compliance with technical specifications or European certification schemes for products, services or systems), etc.;
- Audit and external control obligations that will apply to both operators and suppliers; and
- Obligations to implement contingency plans and measures should any incidents occur.
Finally, the Draft Bill sets out different types of infringements and penalties, which may range from a warning or fine of up to EUR 50,000 (for minor infringements) to a fine of up to EUR 20,000,000 (for serious infringements).
Author: Mònica Ferrer