The European Union’s ongoing debate on how best to adequately frame and safeguard the secure implementation of 5G technology in EU and EU member state domestic legislation has reached the countries applying for accession to the European Union. The latest example is North Macedonia, which has proposed two new measures under its Electronic Communications Act that seek to restrict or exclude the use of equipment from so-called suppliers of telecommunications networks that are classified as “high risk.”
The North Macedonia proposals provide, first, a methodology for the risk assessment that allows the exclusion of suppliers in order to protect against national security risks and risks resulting from the presence of third-country suppliers in the supply chain. Second, the exclusion applies not only to suppliers of equipment for critical parts of the 5G network but also to suppliers of equipment for a wide range of parts of the fixed and mobile telecommunications networks, including previous generations, which are proposed in a draft list of critical components and sensitive parts.
North Macedonia is one of the NATO member states that signed a memorandum of understanding with the United States on the security of 5G technologies in October 2020, on the basis of which North Macedonia commits to work with “trusted” 5G network suppliers only. As a result, the proposed restrictions highlight the tension between compliance with EU law and principles, on the one hand, and political considerations, on the other hand.
Draft Bylaws on “High Risk” Suppliers for Critical Equipment and Sensitive Parts of Telecommunications Networks
In April 2021, the Assembly of North Macedonia adopted the amendments to the Law on Electronic Communications, which prescribe that a risk profile assessment should be carried out “periodically” by the National Center for Computer Incident Response, jointly with the North Macedonian Agency for Electronic Communications (AEC), of all relevant suppliers and manufacturers of critical network equipment at national level, based on the information provided by the network operators. In cases where, pursuant to the risk assessment, certain suppliers and manufacturers are considered as “high risk,” the AEC may impose obligations on the network operators to restrict or exclude such suppliers and manufacturers from the supply of equipment for critical components or sensitive parts of the network elements.
In August 2021, the AEC has published the draft texts of, first, the methodology for the risk assessment as well as, second, the list of sensitive parts of the network and of critical network components for which suppliers are subject to a risk assessment. The public consultation of these texts is ongoing and closes on September 3, 2021.
The new proposals come shortly after the AEC invited telecommunications operators to express their interest in participating in a planned auction for the allocation of frequencies for 5G networks in June 2021.
According to the draft methodology, four factors are to be taken into consideration when conducting the risk assessment; namely, whether the suppliers and network equipment providers
- are under the supervision of a foreign government without independent judicial control;
- have publicly available information about their founders and business partners, as well as their governing and managing bodies;
- support innovations and respect the copyrights and related rights as well as intellectual property rights; and
- are financed in a transparent manner, in accordance with the best practices for procurements, investments, and conclusion of contracts.
The draft list of critical components and sensitive parts of the electronic communications networks includes many parts and components across fixed and mobile communications networks of 5G and previous generation networks.
According to the drafts, the proposed measures are intended to protect network and equipment security and prevent dependency of the network operator on a single supplier. They are also designed to protect against a not further defined “risk of involving a third country in the supply chain of equipment for electronic communications networks” and, very generally, “risks to national security.”
Like other proposals for 5G network security and cybersecurity in other EU and non-EU member states, the main justification put forward by North Macedonia is national security and the need to protect critical infrastructure against influence from third-country governments.
Protecting National Security Under the Rules of EU Treaty Is Not Without Limits
While the protection of national security remains a prerogative of EU member states, member states are still required to respect and uphold the EU Treaty’s fundamental principles of transparency, legal certainty, and proportionality. These principles require that the risks for national security are precisely identified by a member state; that measures taken to protect these risks are based on clear, transparent, and objective criteria; and that any measures taken are strictly proportionate to the goal they intend to achieve.
The national security exception under the EU Treaty is therefore construed narrowly and is available only where there is a genuine and sufficiently serious threat affecting one of the fundamental interests of society.
In the case of the North Macedonian draft proposals, the nature of the risk for national security is not defined. Referring to a “risk of involving a third country in the supply chain” is also extremely broad and somewhat inadequate in light of international supply chains for all telecommunications network equipment suppliers and manufacturers around the world. However, where the risk is not properly defined or only referred to in generic terms, a measure cannot be suitable to protect against such risk.
The assessment criteria are also framed in very vague terms. It is unclear what “supervision” of a foreign government would ultimately entail and which information about “founders and business partners” would need to be public, as certain information will have to remain sensitive business information that cannot be disclosed to the general public, let alone competitors.
In any event, the new proposals are of overly broad application: they are not limited to 5G networks but cover a long list of parts of all (including existing) telecommunications networks and therefore have a de facto retroactive effect. No transition period seems to be provided, and no process is offered during which the supplier is offered to remedy possible technical deficiencies. In fact, the procedure and frequency of the risk assessment are entirely unclear.
As a consequence, the North Macedonian proposals deviate from the principles of transparency, legal certainty, nondiscrimination, and proportionality, which are fundamental principles of the EU Treaty and part of the applicable legislation in the field of telecommunications.
The EU Approach Is Objective, Risk-Based and Balanced
At the EU level, member states and the European Commission agreed to a joint EU toolbox of mitigating measures in January 2020. The EU toolbox sets out a joint approach based on “an objective assessment of identified risks and proportionate mitigating measures” to address security risks related to the rollout of 5G. Measures are to be taken based on a balanced mix of technical and nontechnical criteria, multivendor obligations, and measures avoiding dependencies. If measures go as far as the exclusion of certain suppliers due to their risk profile on this basis, this should generally be limited to the most critical and sensitive parts of the 5G networks.
The North Macedonian proposals refer to the European Union’s standardization body ETSI and the EU toolbox. However, a closer look reveals cherry-picking rather than adoption of the EU approach. The assessment criteria are exclusively nontechnical and cover previous generation networks that the European Union does not seek to address at all. Within the 5G networks, the draft list of components and sensitive areas goes far beyond the EU classification and defines all moderate and highly sensitive areas as “critical.”
In line with the fundamental principles of EU law, the European Commission and EU member states have endorsed a fully risk-driven approach, and member states are to act “in full respect of the openness of the EU Internal Market.” The North Macedonian draft proposals as they stand today deviate from the general principles of EU law as well as the joint approach agreed upon at the EU level. Only an objective, transparent, fair, and, in particular, proportionate regulation of 5G networks can safeguard national security against clearly identified risks in compliance with EU law.
EU member state measures have to address adequately identified security concerns and be proportionate to the objective they seek to attain. There are less restrictive and even more efficient ways to mitigate network security risks, such as the establishment of tightened general security standards and certification, strengthened interoperability requirements, flexible multivendor commitments from network operators, localization of production capacities, requirements with regard to local storage of particularly sensitive data, requirements to comply with locally applicable product safety standards, etc.
New technologies require prudent and flexible regulation, keeping pace with constant technological evolution without hindering it. Considering the tremendous benefits for businesses and consumers at stake, regulators must carefully calibrate any rules addressing security of 5G networks, so as to continue to promote technological excellence and attract strategically important investments.
It will be critical for the European Union to extend its harmonized approach toward cybersecurity to the accession countries and to guarantee that the good practice prevails: an independent European approach to 5G security that is both effective and proportionate to the specific risks at hand—today and tomorrow in an ever enlarged European Union.
 Law on Electronic Communications, Official Gazette of the Republic of Macedonia Nos. 9/2014, 188/2014, 44/2015, 193/2015, 11/2018, and 21/2018 and Official Gazette of the Republic of North Macedonia Nos. 98/2019, 153/2019, and 92/2021.
 European Commission, Secure 5G Networks, Questions and Answers on the EU Toolbox.