EU 5G regulations – Impacts on operators, cloud providers and private networks

5G is a new generation of telecommunication. 5G was designed to serve many new business cases using virtualization and cloud technologies. The usage of those technologies provides verticals such as factories, health care, automotive, smart cities and infrastructure with new edge computing services, scalability of infrastructure, flexibility of deployments, low latency, and massive IoT support. 

Classic public mobile network operators enter into relationships with major cloud providers. The cloud providers allow operators to improve their network performance, optimize their costs and provide resilience, scalability, and high availability. 

On the other hand, cloud providers see 5G networks as a new domain to expand into. They provide a wide array of services not only to mobile network operators, but also to factories and other verticals that want to run a private 5G network. In some cases, cloud providers even provide fully operational private 5G networks as a managed service. Mobile network vendors also enter into relationships with cloud providers or provide their own cloud to operators and private networks. They also offer managed services, which can include remote SIM provisioning and may not require a classical mobile network operator at all.

We currently see a major change in the 5G ecosystem landscape as the classical players take on new roles or cooperate with new partners. Previously clear-cut roles become blurry with the arrival of private networks and the cloud. The following are the key players in this new 5G ecosystem and their potential relationships:

5G ecosystem players and their roles

The flexibility of 5G allows a wide range of business arrangements between a vertical, a mobile network operator and a cloud provider. Vendors may even take on the role of a cloud provider or operate a mobile network. Below is an example where a cloud provider provides its services (e.g., Edge, Network Functions, or IaaS) to a private factory and to a public mobile operator. The public mobile operator provides the spectrum license to the private factory network and enables roaming and mobility for the delivery fleet and the sales personnel of the factory.

Relationship of 5G ecosystem partners

5G is entering every aspect of our lives and becoming a critical component of our society and infrastructure. For that reason, mobile network operators and vendors have recently come under the scrutiny of regulators and governments.

The European Union Agency for Cybersecurity (ENISA) has received a mandate to improve the cyber security of Europe. In that context, ENISA performed a wide threat analysis. This threat analysis served as a foundation for a wide range of documents on securing 5G mobile networks, which affect every aspect of mobile networks. Those documents guide the member states in defining their own 5G regulations. A deeper discussion and details can be found in the articles “The Impact of Securing European 5G Mobile Networks” and “Compliance for 5G and Telecommunication Cloud in Europe”.

In the 5G ecosystem we have vendors, mobile operators, cloud providers and private networks. While the regulations and the ENISA documents impose many requirements on the security of the networks, they do not consider how those requirements, and the responsibility for meeting them, are split between partners in different business arrangements.

For example, would a factory that connects its production environment and the related sensors using 5G, and uses a cloud provider for the core network, fall under the ENISA 5G Toolbox requirements? The answer is not clear cut. It depends on the criticality of the factory to the country, on whether this private 5G network connects to a public network, and on other aspects.

The situation and obligations for each party may change if the cloud provider offers 5G as a fully managed service (including subscription and SIM management) and the factory is a “normal consumer customer”. We must ponder questions such as: at what point does a vendor or cloud provider turn “de facto” into an operator and have to meet the compliance requirements posed by the EU and local regulations?

If the factory in our example set up guest access for visitors on each of its sites and allowed its salespersons to “roam” between its own and the public network, would this change the obligations of the factory owner, as it would now use the public network and provide public services? While this sounds like splitting hairs, these scenarios are not far-fetched and can be considered common arrangements.

Would (like in the scenario above) the factory become an operator from a regulatory point of view? Below we describe a typical business arrangement in more detail:

5G private network scenario with cloud usage

In this example, the responsibility is often shared between the private factory network, cloud providers and public mobile operators. Many questions must be resolved on a very detailed level. While the cloud provider can provide many tools, e.g., for access security, only the operator knows who its partners are and can populate the authorization lists. Conversely, to perform any firewall layer matching, the mobile operator and the private factory network need information from the cloud provider's “lower layers”.

The applicability of different regulations and guidelines depends strongly on the definitions of the telecommunication service, the operator, and criticality to the society. Even within the European Union there are subtle differences for example with respect to private networks and criticality.  This responsibility split requires matching the regulations to concrete technical elements and business arrangements.  

For companies that operate internationally the situation is even more complex: in some countries the situation is quite developed, while others still struggle with the basic concepts. This is one reason why the NIS2 Directive now tries to harmonize the cybersecurity approach on a high level in the EU. Still, some countries will have even stricter regulations for mobile operators, cloud providers and private networks. The situation is very similar to the introduction of GDPR. While in privacy Germany was the most sensitive, we see that for the security of critical communication infrastructure Finland takes a leading role due to geopolitical and historical reasons.

On a practical level, defining the clear scope of the provided services and the responsibilities of each party is the first important step. This allows the mapping of those against locally applicable regulations and then the compliance needs of each party can be identified. There are cases where the regulation will impact on private networks and cloud providers and not only on operators. 

The opportunities 5G provides for businesses bring along responsibilities for security compliance. Due to the flexibility of 5G, many different scenarios are possible. We can assist you in identifying your compliance needs and guide you through them. This allows you to ensure the security of your own infrastructure and to provide assurance to high-value customers that they are in the right hands.

Silke Holtmanns

Telecommunication security expert, PwC Finland

Tel: 020 787 7930
