Digital Networks Act cyber proposals threaten MVNOs, says expert

Amsterdam-based Jeroen Schouten of Pinsent Masons, who specialises in cyber, data and technology law, said the proposals, which are contained in a draft new Digital Networks Act (DNA) and draft revised Cybersecurity Act, pose an “existential threat” to mobile virtual network operators (MVNOs) operating in EU markets.

The proposals contained in the draft DNA are wide-ranging, but they include plans to establish a single EU authorisation and passporting regime for the provision of electronic communication networks and services.

Currently, providers seeking to operate across the EU must notify each national telecoms regulator in the countries they wish to operate in. They are then subject to the authorisation regimes in place in those jurisdictions.

The European Commission wants to change the current system in two main ways: first, by enabling providers to obtain EU-wide market access on the basis of a single notification; and second, by moving towards a more harmonised authorisation framework – it has proposed to limit the conditions that each EU member state can impose on providers seeking to operate in their national market.

One of the conditions that member states will be able to insist providers meet is compliance with cybersecurity rules – including ICT supply chain security requirements imposed under an updated EU Cybersecurity Act, which the Commission set out separate plans to reform last week.

Included in the plans to revise the Cybersecurity Act are proposals aimed at ensuring “European technological sovereignty”. Specifically, new restrictions are envisaged on the procurement from ‘high-risk suppliers’ of components for key ICT assets for critical infrastructure, including mobile communications networks. It further provides for the removal of such components from existing infrastructure within three years of the new Cybersecurity Act coming into force. The Commission classifies providers as high-risk based on the outcome of a structured risk assessment conducted under the revised Cybersecurity Act.

Full MVNOs that control 5G non-standalone and 5G standalone core network functions, as well as virtual network functions such as an integrated management system, are in scope of the new supply chain security requirements. If any core network function or virtual network function has been sourced from a supplier that the Commission has classified as high-risk under the Cybersecurity Act, the affected supplier components must be removed from the MVNO network and replaced with components provided by an alternative provider.

Under the plans, in the event of non-compliance and after “non-compliance remedial measures” have been exhausted, regulators would withdraw rights to provide networks and services under the updated general authorisation regime. In the worst-case scenario, an MVNO could be barred from providing services in the EU.

Schouten said that for providers of electronic communication networks, the proposals build on existing cybersecurity requirements in place under the 2019 Cybersecurity Act and the second Network and Information Security Directive (NIS2). Those existing rules, however, do not preclude the use of specific providers, assuming that an acceptable level of supply chain security is met by the provider. Guidelines have been developed on that issue (43-page / 2.6MB PDF) by the EU Agency for Cybersecurity (ENISA).

“The general principle of telecommunications law in the Netherlands and in the EU more generally is that you don't need a licence to operate – the regulatory system is one based on notification and the subsequent right to provide services, provided that is undertaken in line with the terms of the EU’s electronic communications code, as implemented by specific member states,” Schouten said.

“What the combination of the new DNA proposals and Cybersecurity Act requirements would do is impose an implicit licence requirement to the extent that providers of electronic communication networks do not adhere to the strengthened supply chain security requirements at the point they come into effect,” he said.

“These new requirements are likely to be particularly problematic for MVNOs owing to their legacy sourcing practices. They therefore pose an existential threat to their continued operation in EU markets – which has potential implications for competition in those markets. MVNOs should consequently identify the core network components and virtual network functions provided by suppliers that are at risk of being classified as high-risk suppliers by the Commission, and initiate contingency planning to ensure service continuity,” he said.