2021 will not only be the year of the vaccine but also the year of cybersecurity. On January 14, the public consultation period of the draft of the 5G cybersecurity draft that was made public by the Ministry of Economic Affairs and Digital Transformation last December ended. A few days later, Royal Decree 43/2021 was approved, which develops Royal Decree-Law 12/2018 on security of networks and information systems (which transposed the NIS Directive in Spain) and the context will be completed with the expiration, next June 2021, of the transitional periods and measures of the European Cybersecurity Regulation.
Precisely, the European Commission has just request to the European Cybersecurity Agency ENISA to develop a cybersecurity certification scheme for the new 5G networks in line with the European Cybersecurity Regulation.
Being 5G not only a new generation of mobile technology but one of the fundamental pillars to accelerate the digital transformation of society and the economy, it is crucial that the future Spanish law on 5G cybersecurity focuses, as has been done in Germany , in the purely technical measures that reinforce security in the operation of 5G networks, bearing in mind the European certification scheme, and leave geopolitical and commercial policy issues to the foreign and commercial policy instruments available to the Executive . It is commendable that the Preliminary Draft is committed to a sufficiently diversified supplier market, but this must imply that operators have full sovereignty when choosing their 5G suppliers without restrictions, including 5G core and radio, and avoiding any market share limit. .
And it is that the limitations on the freedom of business that can be carried out, such as the risk assessment of individual suppliers through "profiling" methods, not only technical ones referred to in article 11, carry a potential risk that its regulatory development or practical application by the Spanish Administration is focused on geopolitical issues instead of on the laudable objective of cybersecurity of 5G networks and the promotion of a sufficiently diversified supplier market, be they European, Chinese or any other nationality.
Spain has a unique opportunity to demonstrate that it is "digital sovereign" and accelerate the implementation of its 5G networks, which are so necessary for the digital transformation and overcoming the crisis, if it opts for the measures identified in the European Toolbox that support mandatory certification schemes. and facilities for the inspection and audit of all the elements that are installed in the 5G networks, are manufactured by whoever manufactures them and have their nationality. These measures seem more efficient in dealing with cyber risks than other more technically and legally questionable measures, such as the categorization of providers as "high risk" or even their exclusion from certain areas of 5G. This could not only violate the free movement of goods and services, the freedom of business and the principle of non-discrimination, but also cause serious economic damage and costs to mobile operators, as well as delay the deployment of 5G networks, as shown by the analyzes from UK consultancy Oxford Economics.
We would all love for Spain to have its own vaccine and to be sovereign and autonomous, but in a globalized world and with global supply chains "things are what they are." Health has opened the door to the Russian Sputnik V vaccine as long as Europe authorizes it "we will enthusiastically receive any vaccine that has the authorization of the European Medicines Agency, that is the only margin," said Minister Darias. In terms of 5G cybersecurity, Spain must have a similar vision and not close doors to any supplier, regardless of their nationality, provided that, yes, it complies with the European certification schemes, which will be the best vaccine against cyberattacks.
This article was first published by Expansión (08/02/21)
© Javier Fernandez-Samaniego, 2021
Partner director. SAMANIEGO Law.