Pandora’s Box: Profiling of high-risk suppliers

Date: Wednesday, 10 March 2021
Profiling of high-risk suppliers – a controversial proposal for an entirely new concept for assessing market participants in the new TKG draft

Just before Christmas, the Federal Government presented the overdue draft of a new Telecommunications Act (TKG). Among other things, it is intended to transpose the European Electronic Communications Code (Directive (EU) 2018/1972) into national law. Among the many adjustments and new provisions, one area of regulation stands out: Section 44a of the draft TKG introduces a regime for qualifying "high-risk suppliers" that is neither part of the European Electronic Communications Code nor previously known to the Austrian legal system in this form. The Minister of Agriculture is to classify manufacturers and service providers of network components as high-risk suppliers for reasons of national security by means of an administrative notice and, as a last resort, be able to exclude them from the market. The stated purpose of the regulation is to ensure network security and safeguard critical infrastructure. These protection goals are undoubtedly legitimate. The specific regulation, however, is overreaching and legally questionable for several reasons:

According to the Federal Government's proposal, classification as a high-risk supplier is not based on concrete actions of the manufacturer or on concerns about specific components. Rather, the qualification rests solely on a probability assessment of possible third-party effects or influence. At its core is the question of whether an affected manufacturer or service provider is potentially unable to comply with relevant EU standards, or unable to do so on an ongoing basis. Yet the objects of protection are not defined in any detail, and the criteria that are supposed to specify potential harmful effects are too vaguely drafted to provide the necessary clarity.

Where does the problem lie specifically?

For classification as a high-risk supplier, it is irrelevant whether the supplier has actually taken measures that violate EU standards and endanger national security. The classification, and its possible consequence of market exclusion, is instead based purely on an ex-ante assessment of probabilities. Such profiling is non-objective and constitutes a massive encroachment on the fundamental rights of the persons concerned, of other market players and ultimately of the entire market. All the more, a measure of such far-reaching effect would have to comply with the principles of the rule of law, in particular the requirements of legal certainty and objectivity. The current draft law does not come close to meeting these requirements.

1. Unclear terminology

In accordance with Art 18 of the Austrian Federal Constitutional Law (B-VG), laws must be clear and sufficiently determinate. The current proposal is far from this. Instead, high-risk suppliers are assessed solely on the basis of undefined criteria. For example, it is unclear what is even meant by the protected interest "reasons of national security". The criteria relevant for market exclusion, such as the potential for "influence by governmental organizations", the "possibility of exerting influence through legislative acts", "the ability to exert pressure", the "general standard of rule of law in third countries" and "certain characteristics in the ownership structure of the manufacturer that make it possible to exert influence", are wide open to interpretation and opaque, and therefore too vague in terms of Art 18 B-VG. They do not allow even a rudimentary objective assessment and offer no suitable guidance to those who have to apply the law. As a result, it is unpredictable which conduct can lead to a high-risk classification.

2. Unobjective and discriminatory criteria

The proposed regime opens the door to discrimination against manufacturers and providers from third countries. The proposed assessment criteria are mainly linked to the origin of the supplier or manufacturer and disregard objectively verifiable aspects such as the security measures actually taken. As a result, the regulation focuses on manufacturers and service providers of network components from abroad and is thereby discriminatory[1]. At the same time, because of the unclear terminology, it is not even certain that manufacturers or service providers who actually violate EU rules are covered and classified as high-risk suppliers.

3. No technical criteria

On closer examination, even the supposedly more "technical" standards in the catalogue of criteria in Section 44a para 3 of the draft TKG do not live up to their name. For example, it remains entirely open under which conditions "too little control over one's own supply chain" exists, or which products and services are specifically included in the assessment (cf. para 1). In any case, "all products and services provided" is overbroad and not justified.

The reference to possibly non-existent security or data protection agreements between the EU and third countries (para 4) likewise lies outside the sphere of influence of the manufacturers or service providers concerned and says nothing about their compliance with the corresponding standards. The criterion is also plainly overbroad: there are almost no such agreements with any country worldwide. Are all of them to be excluded, or will the yardstick ultimately differ depending on whether the provider's country of domicile is (politically) convenient or not?

Without naming the relevant standards, no conclusion can be drawn from the wording "insufficient extent of the manufacturer's ability to ensure continuous supply". It is entirely open what falls under this; no factors are listed that would determine when capacity is insufficient. The accompanying Explanatory Remarks refer to obstacles arising from national or international sanctions. However, a person applying the law cannot be reasonably certain that only objectively justified and non-discriminatory factors will be considered when assessing this criterion. Moreover, all relevant component manufacturers depend on global sourcing and supply chains. The fact that manufacturing cannot be done entirely in-house does not per se allow any conclusion about the security standard applied, nor does it automatically have consequences for the security of network components.

Moreover, the catalogue of criteria proposed in para 3 is not exhaustive but merely an illustrative list of characteristics. This grants the authority an enormous degree of discretion whose exercise market participants cannot anticipate, and which does not allow them to make well-founded decisions. This contradicts the principle of the rule of law.

Furthermore, the profiling of high-risk suppliers currently applies to the entire network infrastructure, without focusing on categories or functions of network components. This is an overreaching implementation of the underlying EU requirements. A look at the approach to network cybersecurity taken in Germany shows a more sensible model: there, the focus is exclusively on critical components, and the assessment is based on technical criteria.

Under the Austrian legislative draft, the Minister's decisions are to be issued on the recommendation of the "Advisory Board for Security in Electronic Communication Networks". However, the majority of this board will consist of politicians. It is obvious that this could lead to decisions being made on political rather than factual and technology-oriented grounds.

Who bears the risk?

The consequences of being classified as a high-risk supplier are far-reaching and affect the entire market. If a supplier is excluded, this affects not only the supplier but all telecommunications providers and, in turn, their customers. The mere threat of excluding individual suppliers will lead to greater market concentration, since no network operator can afford to rely on a supplier who may later fall out of favour: the operator would be left without maintained systems overnight and forced to switch to another partner at short notice. Without a clear legal basis with unambiguous, defined technical criteria for potentially security-relevant network elements, the risk of a high-risk qualification is thus shifted onto the operators. Indeed, the present overreaching legislative proposal alone has already led, out of an abundance of caution, to the exclusion of suppliers in ongoing procurement processes for network components. Experience shows that the monopolistic structures that inevitably follow in an already very narrow market lead to rising costs, which are passed on to end customers. Monopolistic structures are also hostile to innovation and thus create technical risks for the entire sector. This is counterproductive, especially with regard to the 5G network rollout.

The long-term effects of such decisions must also not be overlooked: the life cycle of network components can span 10 to 15 years. If a manufacturer is excluded from the market as a high-risk supplier during this period, network operators are left out in the cold. Even if components already installed do not have to be taken out of service, necessary system updates and security patches are no longer available, which de facto requires the removal of the affected parts. The two-year time limit on the notices is of little help here.

In view of the weaknesses of the legislative concept outlined above and the far-reaching consequences of such an encroachment, it is all the more problematic that the present draft lacks effective compensation provisions for suppliers wrongly qualified as high-risk suppliers.

What is to be done?

Given the intrusive nature of the high-risk supplier regime, particular care must be taken to ensure that the assessment criteria are objectively justified, proportionate and sufficiently determinate. Only then can the new regime be applied in a non-discriminatory, predictable and objective manner.

It would make sense to focus on critical components and on compliance with the necessary technical requirements, instead of classifying a company or its country of domicile on the basis of definitions and parameters that cannot be objectified. Germany shows that an assessment of the risk profile based on technical criteria for critical components is both possible and useful. If consequences as far-reaching as market exclusion are to be attached to the assessment, the resources necessary to carry it out properly must be provided. If the authority lacks the expertise and capacity to do so, it can still rely on the German assessment instead of making critical decisions on the basis of open-ended and inappropriate criteria.


[1] Several MEPs, in a public letter to three EU Commissioners dated 10 February 2021, refer to "technological racism". See https://www.brusselstimes.com/wp-content/uploads/2020/09/Letter%20regarding%20implementation%20of%20communications%20technology%20in%20the%20%20EU.pdf