Message 001
Communication from the Commission - TRIS/(2023) 3739
Directive (EU) 2015/1535
Notification: 2023/0761/ES
Notification of a draft text from a Member State
Notification
Does not open the delays
MSG: 20233739.EN
1. MSG 001 IND 2023 0761 ES EN 29-12-2023 ES NOTIF
2. Spain
3A. Subdirección de Asuntos Industriales, Energéticos, de Transportes, Comunicaciones y de Medioambiente
D.G. de Mercado Interior y otras Políticas Comunitarias
Ministerio de Asuntos Exteriores, UE y Cooperación
3B. Secretaría de Estado de Telecomunicaciones e Infraestructuras Digitales.
Secretaría General de Telecomunicaciones y Ordenación de los Servicios de Comunicación Audiovisual.
Subdirección General de Ordenación de las Telecomunicaciones.
Ministerio de Transformación Digital
4. 2023/0761/ES - V00T - TELECOMS
5. ROYAL DECREE APPROVING THE NATIONAL SECURITY SCHEME FOR 5G NETWORKS AND SERVICES
6. 5G electronic communications networks and services
Telecommunications equipment.
7.
8. The regulation consists of an explanatory part, a single article approving the ENS5G (National Security Scheme for 5G), two additional provisions and 4 final provisions.
The ENS5G to be approved consists of 33 articles divided into eight chapters and three annexes.
The explanatory memorandum explains the reasons behind the adoption of the regulation and the articles of the Royal Decree-Law that are being developed.
The single article approves the National Security Scheme for 5G networks and services.
The first additional provision states that the Government, by Royal Decree, on the proposal of the Ministry of Digital Transformation, following a report by the National Security Council, shall review the National Security Scheme for 5G networks and services when circumstances so require and, in any case, every four years.
The second additional provision states that Royal Decree-Law 7/2022 of 29 March 2022 and the ENS5G shall apply to generations of electronic communications after the fifth generation while there is no specific regulation for these.
The first final provision on title of competence states that the Royal Decree and the scheme it approves are issued under the provisions of Article 149(1)(21) and Article 149(1)(29) of the Spanish Constitution, which confer on the State, respectively, exclusive competence in matters of the general system of telecommunications and in matters of public safety.
The second final provision declares Law 11/2022 of 28 June 2022 on General Telecommunications, and its implementing regulations, to be of supplementary application, and states that in all matters not regulated in said legislation, Royal Decree-Law 12/2018 of 7 September 2018 on the security of networks and information systems and Law 8/2011 of 28 April 2011 establishing measures for the protection of critical infrastructure, as well as their respective implementing regulations, shall be of supplementary application.
The third final provision on regulatory development enables the head of the Ministry of Digital Transformation to develop the provisions of this Royal Decree and the scheme that it approves, and to modify by Order the contents of the annexes according to the evolution of technological progress, the approval of new technical standards and certification schemes for telecommunications equipment and connected products, and the development of different configurations and technical parameters of 5G networks and services and future generations of electronic communications.
The fourth final provision provides that the regulation shall enter into force on the day following its publication in the ‘Official State Gazette’.
As regards the content of the ENS5G, which is approved:
Article 1 states that the Regulation is issued in implementation of Royal Decree-Law 7/2022 of 29 March 2022, in particular, in application of Chapter IV thereof.
Article 2 refers to the objectives of the regulation, which have already been analysed.
Article 3 states that the definitions laid down in Royal Decree-Law 7/2022 of 29 March 2022, Law 11/2022 of 28 June 2022 on General Telecommunications and the European Electronic Communications Code shall be used.
Article 4 provides that the Regulation shall apply to 5G operators, 5G suppliers and 5G corporate users who have rights to use the public radio domain to install, deploy or operate a 5G private network or to provide 5G services for professional purposes or self-provision.
Article 5 identifies the minimum elements, infrastructure and resources that make up a 5G electronic communications network, referring to Annex I for their detailed description. It also sets out the critical elements of a 5G network, which must be located, as a general rule, in national territory (including possible exceptions).
Article 6 refers to the comprehensive treatment of security in accordance with international, Community and national legislation which has been approved or which may be approved, requiring obliged parties to carry out, by means of a holistic method, an analysis of the vulnerabilities, threats and risks affecting them as economic agents and of the various components, as well as an adequate and comprehensive management of those risks through the use of techniques and measures that are appropriate to achieve their mitigation or elimination and to achieve the ultimate objective of secure use and operation of 5G networks and services.
Article 7 stresses that risk analysis and management is an essential part of the security process, and should be an ongoing activity that is continuously updated.
Article 8 refers to ongoing monitoring and periodic reassessment.
Article 9 states that the risk analysis at national level is as set out in Annex II and has been carried out taking into account various elements such as information collected from obliged parties, the examination of vulnerabilities linked to the supply chain of 5G networks and services, the assessment of the degree of dependence of suppliers, the risk of interruption of supply due to economic, corporate or commercial circumstances affecting suppliers or the assessment of the effectiveness of the security measures applied.
Article 10 on risk management at national level states that the criteria, requirements, conditions and deadlines for obliged parties to design and implement risk mitigation techniques and measures are those set out in Annex III.
Article 11 develops the provisions of Article 14 of Royal Decree-Law 7/2022 of 29 March 2022 in relation to the procedure and aspects to be assessed by the Council of Ministers for the classification of suppliers as high risk and the elements to be taken into account when ordering the possible replacement of the equipment, products and services provided by those suppliers. Likewise, in accordance with the provisions of the aforementioned Royal Decree-Law, it is stated that high-risk suppliers whose telecommunications equipment, hardware, software or ancillary services provided are used solely and exclusively in 5G private networks or for the provision of 5G services under self-provision are classified as medium-risk suppliers.
Article 12 on the determination of locations where equipment of suppliers classified as high risk may not be installed states that the National Security Council, following a report by the Ministry of Digital Transformation, may determine the locations, areas and centres where equipment of suppliers classified as high risk may not be installed. For the installation, modification or adaptation of radio stations that provide coverage to these locations, areas and centres, 5G operators must request authorisation from the Ministry of Digital Transformation.
Article 13 obliges 5G operators to design a supply chain diversification strategy and to have transmission equipment in the access network that is provided by at least two different suppliers. It also provides criteria to be taken into account by the Council of Ministers, in order to decide whether it is possible to maintain a single supplier if the number of suppliers is reduced as a result of mergers. In addition, it states the assumptions and procedure by which the Ministry of Digital Transformation can modify the supply chain diversification strategy of a 5G operator.
Article 14 focuses on the risk analysis to be carried out by 5G operators in relation to all the elements, infrastructure and resources of the network in Annex I, lists the factors to be taken into account, and obliges operators to collect from their suppliers the security practices and measures adopted in the products and services they have supplied to them and to include a prioritisation and hierarchy of risks according to certain parameters that are also listed. By 1 October 2024, 5G operators must submit a risk analysis, and every 2 years thereafter.
Article 15 on risk analysis by 5G suppliers requires the analysis of the risks of telecommunications equipment, hardware and software and ancillary services involved in the functioning or operation of 5G networks or in the provision of 5G services, and the provision of said analysis to the Ministry upon request. In the case of suppliers classified as high risk or medium risk, the analysis shall be submitted within 6 months of that classification and every 2 years thereafter.
Article 16 on risk analysis by 5G corporate users requires this risk analysis to be provided to the Ministry of Digital Transformation, when such users are required to do so.
Article 17 allows the Ministry of Digital Transformation to collect from the obliged parties the information necessary for the risk analysis and classifies the failure to provide such information within 15 working days as a serious infringement. The information is considered confidential and may not be used for a purpose other than the fulfilment of the objectives and obligations established in Royal Decree-Law 7/2022 of 29 March 2022, in the ENS5G and in the acts that are issued in implementation of both provisions.
Article 18 proclaims the general duty of all obliged parties to manage security risks.
Article 19 focuses on security management by 5G operators, listing obligations for all operators (such as to adopt contingency plans and measures, to comply with European standards or technical specifications and certification schemes, to undergo a security audit at their own cost, or to require their suppliers to comply with security standards) and additional obligations for those operators that own or operate critical elements of a 5G public network (such as prohibitions on the use of equipment from high-risk suppliers in critical network elements or in certain locations, areas and centres). 5G operators must submit to the Ministry of Digital Transformation a description of the technical and organisational measures designed and implemented to manage and mitigate risks by 1 October 2024 and every 2 years thereafter. In addition, 5G operators that own or operate critical elements of a 5G public network must submit to the Ministry of Digital Transformation a supply chain diversification strategy by 1 October 2024 and thereafter each time this is subject to modification. Information on the state of implementation of this strategy must be submitted by 1 October of each year.
Article 20 on security management by 5G suppliers contains a list of obligations, including carrying out a security audit of their equipment, products and services, providing information on possible interferences by third parties in the design, operation and functioning of their equipment, products and services, and collaborating with 5G operators and 5G corporate users by providing information and certifying compliance with standards and certifications. 5G suppliers must prepare a report on technical and organisational measures designed and implemented to manage and mitigate risks and provide said report to the Ministry upon request. In the case of suppliers classified as high risk or medium risk, the report shall be submitted within 6 months of that classification and every 2 years thereafter.
Article 21 on security management by 5G corporate users states that these may not use in the critical network elements telecommunications equipment, transmission systems, switching or routing equipment and other resources, which allow the transport of signals, hardware, software or ancillary services from suppliers that have been classified as medium risk. In addition, the users must provide to the Ministry of Digital Transformation, upon request, a description of the technical and organisational measures designed and implemented to manage and mitigate risks.
Article 22 on security management by public administrations states that, for reasons of national security, in the installation, deployment and operation of 5G networks, whether public or private, or the provision of 5G services, whether publicly available or for self-provision, public administrations may not use equipment, products and services provided by high-risk or medium-risk suppliers.
Article 23 states that, in compliance with the obligations laid down in the previous articles, the obliged parties shall take into account and apply that which is established in Royal Decree-Law 7/2022 of 29 March 2022, in the ENS5G and in the acts that are issued in implementation of both provisions.
Article 24 allows the Ministry of Digital Transformation to collect from the obliged parties the information necessary for risk management and classifies the failure to provide such information within 15 working days as a serious infringement. The information is considered confidential and may not be used for a purpose other than the fulfilment of the objectives and obligations established in Royal Decree-Law 7/2022 of 29 March 2022, in the ENS5G and in the acts that are issued in implementation of both provisions.
Article 25 states that all obliged parties, as well as public administrations, manufacturers, importers, distributors and those who place on the market and sell terminal equipment and devices to connect to a 5G network and to be able to provide 5G services must cooperate and submit the information required for modification and implementation of the ENS5G.
Article 26 states that, by Order of the head of the Ministry of Digital Transformation, the use of a specific piece of equipment, system, programme or service may be made subject to prior certification under Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on cybersecurity, or under certification schemes and technical standards for the certification of 5G equipment and products that may be approved at European or international level.
Article 27 states that the Regulation applies without prejudice to foreign investment and competition law.
Article 28 on terminal equipment provides that the manufacture, import, distribution, placing on the market and selling of terminal equipment and devices to connect to a 5G network and to be able to provide 5G services shall be conditional on compliance with the security requirements for digital products and the applicable essential requirements related to cybersecurity, adopted in accordance with European legislation, in particular in relation to the protection of personal data, privacy and protection against fraud.
Article 29 refers to the international cooperation to be developed by the Ministry of Digital Transformation, in particular at the level of the European Union.
Article 30 refers to the competence of the Ministry of Digital Transformation for the implementation of the ENS5G. The Ministry should coordinate with the other bodies responsible for cybersecurity and critical infrastructure to ensure consistent implementation of the ENS5G.
Article 31 breaks down the powers for the implementation of the ENS5G that correspond to the Ministry of Digital Transformation, including, for example, the development, specification and detail of the content of the ENS5G, the carrying out of audits to verify and monitor compliance with the obligations imposed, and the granting of public aid.
Article 32 attributes to the Ministry of Digital Transformation all the powers of the inspection function.
Article 33 on the penalty system refers to the provisions of Articles 30 and 31 of Royal Decree-Law 7/2022 of 29 March 2022.
Annex I describes the elements, infrastructure and resources that make up a 5G network.
Annex II contains the risk analysis at national level.
Annex III sets out risk management at national level.
9. Fifth generation or 5G mobile communications are a new paradigm of electronic communications with great transformative potential for the benefit of society and the economy, as they open up the possibility of incorporating new functionalities that will have a great impact such as network computing and they allow for the creation of virtual networks, offering low latency and providing high added value services in areas such as medicine, transport and energy.
Therefore, both the European Union and Spain are promoting the rapid deployment of 5G networks and the implementation of projects demonstrating their usefulness for different sectors through the provision of 5G services.
5G networks and services have comparative security advantages over previous generations. However, they also present specific risks arising, for example, from their more complex, open and disaggregated network architecture, and from their ability to transport huge volumes of information and to enable the simultaneous interaction of multiple people and things. Their interconnection with other networks and the transnational nature of many of the threats have an impact on their security, and the foreseeable widespread use of these networks for essential economic and societal functions will increase the potential impact of the security incidents they suffer.
These new specific security risks of 5G mobile communications were addressed in regulatory terms through Royal Decree-Law 7/2022 of 29 March 2022 on requirements to ensure the security of fifth generation electronic communications networks and services, which fully incorporates European Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks, as well as the recommendations that the European Commission’s Communication of 29 January 2020 on Secure 5G deployment in the EU - Implementing the EU toolbox (COM/2020/50 final) provided Member States with regard to the use of this toolbox.
The aforementioned Royal Decree-Law 7/2022 of 29 March 2022, provides for its regulatory development through the National Security Scheme for 5G networks and services (ENS5G).
In accordance with Article 5(3) of the aforementioned Royal Decree-Law, the ENS5G shall carry out a comprehensive treatment of the security of 5G networks and services, taking into account the contributions to the reach of each agent of the 5G value chain, as well as the regulations, recommendations and technical standards of the European Union, the International Telecommunication Union (ITU) and other international organisations, in order to guarantee the ultimate objective of secure use and operation of 5G networks and services in Spain.
For its part, Article 20 of the Royal Decree-Law provides that, in order to ensure the continued and secure functioning of the 5G network and services, the ENS5G shall carry out a risk analysis at national level on the security of 5G networks and services, and shall identify, specify and develop measures to mitigate and manage the risks analysed.
Finally, in accordance with Article 21 of the Royal Decree-Law, the ENS5G shall be approved by the Government, by Royal Decree, on the proposal of the Ministry of Digital Transformation, following a report by the National Security Council.
This Regulation approves the ENS5G, developing the provisions of Royal Decree-Law 7/2022 of 29 March 2022 on requirements to guarantee the security of fifth generation electronic communications networks and services.
10. References to basic texts:
11. No
12.
13. No
14. No
15. Yes
16.
TBT aspects: No
SPS aspects: No
**********
European Commission
Contact point Directive (EU) 2015/1535
email: grow-dir2015-1535-central@ec.europa.eu