The new EU NIS2 directive and its impact on telecommunication operators

  • August 24, 2023

Silke Holtmanns

Telecommunication security expert, PwC Finland

In the last two years, we have seen a steady increase in cyber crimes by nation states, criminals, and other malicious actors. The European Union (EU) and its agency, the European Union Agency for Cybersecurity (ENISA), have made improving the resilience of critical infrastructure a key element of their agenda, in order to protect European citizens.

In 2018 the Network and Information Systems Directive (NIS directive) came into force and was quickly implemented by all member states. The goal is to improve the security and resilience of the member states' “essential services” and “digital service” providers. The definition of these terms was left to the member states and was often found to be ambiguous. Also, the threat landscape has changed since then and the political climate is different. The NIS directive focused on:

Original NIS services

Digital infrastructure providers included, for example, Internet Exchange Points (IXP), DNS (Domain Name Server) service providers and TLD (Top-Level Domain). Digital service providers were less strictly regulated; for example, they had to identify themselves if they fell under the directive.

The NIS directive was of little concern to mobile network operators, except if they provided a private network to an essential service provider or acted as a digital infrastructure provider. Not only were the exact definitions left to the member states; the penalties also varied widely.

The extension of the NIS directive, the Network and Information Systems Directive (NIS2), was proposed by the European Commission in December 2020. In May 2022, the proposed directive obtained provisional approval from the EU Parliament and EU members. The NIS2 directive takes a much wider view of which companies rely heavily on IT systems and could have a serious impact on a country's economy and society if they were compromised. Many shortcomings of the NIS directive have been remedied, and definitions and penalties are now harmonised throughout Europe. The NIS2 directive extended the scope and added the following as essential:

Extended scope of essential services in NIS2

The scope of “digital infrastructure” services has been extended substantially in NIS2 and now covers:

  • Internet Exchange Point providers
  • DNS service providers
  • TLD name registries
  • Cloud computing service providers
  • Data centre service providers
  • Content delivery network providers
  • Trust service providers 
  • Providers of public electronic communications 

Mobile network operators are now explicitly covered under “Providers of public electronic communications networks or services”. Cloud service providers were “upgraded” to essential services and both now fall into the “Digital infrastructure” category. Small service providers are excluded from the NIS2 directive, but most firms in both essential and important sectors will be covered, giving NIS2 far wider scope than its predecessor NIS.

NIS2 therefore directly applies to mobile operators for their public services. If we look at the full 5G ecosystem, mobile operators often utilise public cloud providers or use the cloud of a vendor, hence part of the technical requirements and compliance can be demanded from their cloud provider.

On the other hand, if a mobile network operator offers a private network to a company that provides essential services, then the mobile network operator has to prove compliance with NIS2 for the services it is offering to that essential service company. Considering that the list of essential services is quite large, it is quite likely that a private network customer has to comply with the NIS2 directive. The compliance inheritance goes through the whole digital supply chain.

What does the NIS2 directive bring to operators? 

NIS2 puts strong emphasis on risk management and cooperation between companies and governments, but also between the EU member states. For mobile network operators the NIS2 directive explicitly mentions the 5G Toolbox as a foundation. In addition, it refers to sector-specific guidelines. Those guidelines are drafted by ENISA, for example the 5G NFV Security guideline and the 5G Security Control Matrix. The 5G Toolbox and its technical “checklist”, the 5G Security Control Matrix, should be seen as the essential compliance starting points for mobile operators. It defines strategic measures, which are for the member states' regulators, and technical measures (TM) for the mobile operator. Below are the technical measure categories of the 5G Toolbox:

Technical Measures – 5G Toolbox

Those technical measures are outlined in more detail in the ENISA 5G Toolbox document and the 5G Supplement guideline. The ENISA 5G NFV Security guideline can be seen as a detailed deep dive for Technical Measure 4 (TM4). The 5G Toolbox uses a risk management approach and requires technical/logical, administrative and physical controls not only for the mobile network operator, but takes the whole supply chain into account. The 5G Security Control Matrix dives even deeper into the technical requirements and controls. This depth of regulation of mobile networks and their operations is new for mobile network operators, but not for cloud providers. Many cloud providers are used to stringent security requirements and compliance demands coming from their military or government customers. Some of those cloud providers are even offering mobile network related services and it is likely that they will challenge the classical mobile ecosystem. How to apply the “tools” ENISA has provided to the private network case and how to interpret NIS2 for operators depends on the specific deployment and topology of the use case and requires deep technical know-how.

The NIS2 directive's impact on the mobile industry can be compared with the impact of the General Data Protection Regulation (GDPR). In terms of penalties, it harmonises the member-state-specific penalties of its predecessor and states:

Member States shall ensure that infringements of the obligations laid down in Article 18 or Article 20 shall, in accordance with paragraphs 2 and 3 of this Article, be subject to administrative fines of a maximum of at least 10,000,000 EUR or up to 2% of the total worldwide annual turnover of the undertaking to which the essential or important entity belongs in the preceding financial year, whichever is higher.

While NIS2 is not yet member state law, we saw with the original NIS directive that member states implemented it quite quickly. In the current political climate, we expect that the NIS2 directive will find its way into local regulation quickly. Some countries, e.g. Finland, already have references in their regulations to the 5G Toolbox, which is explicitly mentioned by the NIS2 directive for the telecommunication sector.

Summary

NIS2 will impact mobile network operators both directly and as a demand from their private network customers. Mobile operators can demand compliance from their public cloud providers or their cloud providing vendors. The directive will have similar impacts as the GDPR and is enforced with fines up to 2% of the total worldwide annual turnover. The 5G Toolbox and the 5G Security Control Matrix are the key starting points for NIS2 compliance for mobile network operators, but need customization for their specific deployment. We assist mobile network operators, cloud providers and private network owners with their compliance needs. Please contact us for further information.
