Out-Law News 2 min. read
13 Sep 2023, 8:57 am
Germany’s Federal Ministry of the Interior and Home Affairs (BMI) has begun a review of the use of components from certain tech suppliers in 5G mobile networks, based on cyber security concerns.
The move comes ahead of changes from the Federal Network Agency, which will require certification of safety-relevant ‘critical components’ with effect from 1 January 2026. The review will consider the use of components from ‘high risk’ suppliers, as classified by the European Commission in June 2023.
According to telecoms expert Rebecca Trampe-Berger of Pinsent Masons, the Federal Network Agency has not indicated that certification will be required for components already in operation by the time the rule change comes into force in 2026.
“The use of existing components from certain tech suppliers is under examination, as these suppliers have been specially classified by the European Commission,” she said. “It remains to be seen to what extent this classification will change the permissive approach that the administration responsible for network security in Germany has shown so far.”
Details of the BMI’s review emerged in an answer by the federal government (12-page / 337KB PDF) to a formal enquiry by the CDU/CSU parliamentary group last month. The review, which will complete shortly, is being carried out under section 9b para. 4 of the German Act on the Federal Office for Information Security (BSIG), which allows the prohibition of individual components under certain circumstances.
“The general exclusion of certain suppliers is not provided for by the legal regulations, especially the German Telecommunications Act (TKG) or the BSIG,” said Trampe-Berger. “Indeed, section 9b para. 4 BSIG allows the prohibition of ‘a component’ under certain conditions, but any affected component would then have to be determined in each individual case, as the continued use of ‘this component’ would have to expectedly impair the public order or security of the Federal Republic of Germany.”
“Only in ‘severe cases of a manufacturer's lack of trustworthiness’ the use of all critical components from this manufacturer may be prohibited pursuant to section 9b para. 7 BSIG. For the detailed requirements of such cases, section 9b para. 7 BSIG refers to section 9b para. 5 BSIG, which in turn requires certain cases of specific breaches of duty on the part of the manufacturer concerned,” she said.
Trampe-Berger added: “Against this background, it is remarkable that the BMI states in its answer to the formal enquiry that for examinations pursuant to section 9b BSIG, ‘the primary focus lies on a security policy prognosis’ which would also include, in addition to the trustworthiness of the manufacturer under section 9b para. 5 BSIG, the non-technical security policy aspects mentioned in section 9b para. 2 BSIG, e.g. the security policy objectives of the Federal Republic of Germany, the EU or the North Atlantic Treaty, state controlling influence on the manufacturer or participation of the manufacturer in activities that have or had a negative impact on public order or security.”
“Only section 9b para. 4 sentence 2 BSIG refers to such security policy aspects, so that these – assuming they existed – could at most be cited for a prohibition of specific components. The use of all critical components from a manufacturer, on the other hand, could not be justified in this way, because the relevant section 9b para. 7 BSIG does not refer to security policy aspects. This differentiated system of section 9b BSIG also does not indicate an overall primary focus on a security policy prognosis. Otherwise, the interests of the affected companies will also have to be taken into account in the context of an examination", she said.
"This applies in particular with regard to a constitutionally mandatory balancing according to the principle of proportionality, according to which a prohibition must be suitable, necessary and appropriate,” she added.
In its communication of June 2023, the European Commission urged member states to avoid the use of mobile networks with components from certain suppliers for their internal communication in the future and not to build up mobile networks or services that rely on equipment from these suppliers.