Back in February 2023, the European Parliament, at a briefing, considered and signed European Union Directive 2022/2555, better known as NIS2, which aims to raise the level of cybersecurity across the Union. The main provisions of the directive include the following key aspects:
- Expanded coverage: NIS2 broadens the categories of organizations covered by the directive, which now include both "essential" and "important" entities. Essential entities include energy companies, transportation services, banks, financial market infrastructure, healthcare, digital infrastructure and government agencies. Important entities include postal services, the chemical industry, the food industry, medical device manufacturers and others.
- Mandatory minimum security controls: NIS2 requires all covered organizations to implement at least 10 baseline security measures, including incident handling, supply chain security, use of cryptography, business continuity and basic cyber hygiene (such as multi-factor authentication and personnel training) (Infoblox Blog; DataGuard).
- Cyber incident reporting: The directive establishes a tiered incident reporting system with strict deadlines. Organizations must report significant incidents to their CSIRT (computer security incident response team) or competent authority within 24 hours of detecting the incident, followed by a fuller notification within 72 hours and, where necessary, interim reports.
- Risk management: Organizations must regularly conduct risk assessments of their IT systems, identify potential threats and vulnerabilities, and take steps to mitigate them. This includes developing business continuity and incident recovery plans to minimize downtime and ensure continuity of critical services.
- Sanctions and enforcement measures: National authorities have the right to apply additional measures, such as orders to suspend or restrict an organization's activities, to protect the security of networks and information systems (DataGuard).
What does this mean in simple terms? It means that Internet Service Providers (ISPs) and telephone service providers can no longer use just any piece of equipment; only equipment that meets certain requirements and certifications will be allowed.
Equipment from well-known Chinese companies such as Huawei and ZTE falls into this risk zone (although no document names any country or company). With regard to equipment from Chinese companies, the main concerns are the security of supply chains and the risks of using equipment and technology from countries outside the EU, including China. This affects all equipment of these Chinese brands that is already installed. Entities deemed essential and important will be given seven years to remove such hardware or software. However, telecommunications entrepreneurs in Poland whose annual revenue from telecommunications activities in the previous fiscal year exceeded PLN 10 million will have to do so within four years, a provision that applies to equipment responsible for services critical to network security. The PLN 10 million revenue threshold has already been exceeded by many medium-sized local ISPs, which means that not only the largest telecom companies, such as those building 5G networks, will be subject to the regime.
Huawei and ZTE ban in the US
As you know, the United States has imposed a ban on the use of network equipment from Chinese companies such as Huawei and ZTE, citing national security. The U.S. Federal Communications Commission (FCC) decided to ban the licensing and use of these companies' equipment because they are considered a threat to national security. The move was part of the implementation of the Secure Equipment Act of 2021, which aims to prevent the risks associated with the use of foreign equipment in critical infrastructure (Federal Communications Commission).
Under the new regulations, U.S. companies must get rid of equipment from Chinese companies that has been deemed a threat to national security. The measures include replacing existing equipment and banning its further purchase and use (Orrick).
Impact on the European telecommunications market
Given the unstable political situation in the world and China's increasing alignment with the East, many countries regard Chinese technology as a potential threat and therefore try to limit the use of Chinese equipment in critical infrastructure (for fear of espionage or sabotage).
Spain has already provided more than €500 million in aid for the development of 5G networks in rural areas, but has said that some vendors deemed "high-risk" will be excluded from the program. Huawei's Spanish subsidiary has initiated a so-called "administrative appeal," alleging that the exclusion of individual suppliers is "disproportionate," "politically motivated" and simply illegal.
As of June 2023, the European Commission has been putting pressure on EU countries, encouraging them to drop Huawei and ZTE equipment. At the same time, Germany and, to a lesser extent, Spain rely on equipment from certain Chinese brands more than other EU countries do, to the point that the EU considers it "unacceptable." Germany is already considering abandoning such equipment, and the Chinese embassy has stated that the PRC "will not remain indifferent" to such unfriendly moves.
In Spain, 38% of 5G networks as of December 2022 were built on Huawei equipment; in Germany the figure is 59% (17% in France and 51% in Italy). Huawei has also filed an appeal in Portugal against a decision banning local operators from using the company's equipment to build 5G networks.
What this means for ordinary Internet users
What do all these trending buzzwords about cybersecurity mean for the average Internet user, and what will change for them? Essentially nothing, because all these regulations and amendments fall on Internet and communications providers. However, if the law goes into effect and a provider has not replaced its equipment or simply is not ready, your home Internet will probably go down, your mobile Internet will disappear, and your 5G connection will be cut. The worst part is that the average user will not be able to do anything about it; they will simply have to wait for the operator to take the steps needed to resolve the situation quickly. And if the operator does not have replacement equipment, the loss of communications and Internet access could last not just a few hours, but several days or even months.
Summary
The European Union's NIS2 directive sets ambitious goals for improving cybersecurity by expanding the scope of organizations covered and establishing stringent security and reporting requirements. An important consequence of these measures is the tightening of requirements for equipment used by ISPs and telecommunications companies, which is particularly important in light of the current restrictions imposed on equipment from Chinese manufacturers such as Huawei and ZTE. These changes could significantly affect the structure of the telecommunications market in Europe, accelerating the modernization of network equipment and increasing the overall level of cyber resilience in strategically important industries. At the same time, the directive strengthens the European Union's position in the global cybersecurity arena, providing tighter control over the sources of potential threats and aligning security requirements with leading global standards.
The directive could also significantly affect ISP equipment in the Polish telecommunications market. ISPs and telecom operators hope that the Minister of Digitization will not attempt to stigmatize Chinese companies as high-risk providers, and that the regulations will remain only a nominal threat. However, it is always worth keeping in mind that politics and the international situation may push the Polish government to act even faster and make concrete decisions.