Where will I find accessible legal information?
DZP's media centre.
12.11.2020
Authors:The subject of this analysis is to examine how, from legal perspective, strategic issues have been addressed in a document entitled Cybersecurity of 5G networks. EU Toolbox of risk mitigating measures (ETRM) which was adopted and published by the NIS Cooperation Group (NCG) in January 2020. In the context of this publication, strategic issues should be understood as risks of this nature as well as measures to mitigate them. The analysis of the above document in this respect is necessary for four reasons.
First, it helps assess the scope of permitted actions in the selection and application of the strategic mitigation measures identified in the ETRM (see points 2.1. – 2.3. below), which EU Member States will take when managing two strategic risk scenarios (i.e. state interference through 5G supply chain and dependency on any single supplier within individual networks or lack of diversity on a nation-wide basis), which are also referred to in the ETRM. Second, the need to present this issue also results from the fact that during the public discussion on a number of decisions of individual EU Member States regarding the management of these strategic risk scenarios there has been no mention that these decisions had their source precisely in the ETRM. Third, it is very rarely emphasised that the adoption of the ETRM document, and thus each risk management–related decision it contains, was preceded by the adoption of a number of political but also analytical EU documents and statements including:
Consequently, particular attention should be paid to the fact that the provisions of the ETRM were adopted with the political support of such EU bodies as the European Council, which defines the European Union’s overall political direction and priorities and comprises the heads of state or government of the EU Member States. This means that all actions currently taken by individual Member States to manage the strategic risk scenarios described above are very often only a consequence of the findings made jointly – within the EU – in the ETRM. Fourth, the analysis in this area also aims to show that the vast majority of EU Member States’ actions that are currently being taken do not apply to risk scenarios of a technical nature, but a strategic one. For this reason, the arguments of a technical nature presented by suppliers cannot be the only ones raised (e.g. rguments regarding the cybersecurity of certain products will not solve the problem of their producer’s dependence on the government of a given country). Fifth and finally, the purpose of this analysis is also to indicate the difficulties that individual EU Member States may encounter while implementing the ETRM provisions and the weakness of some proposals resulting from the ETRM.
All actions currently taken by individual Member States to manage the strategic risk scenarios described above are very often only a consequence of the findings made jointly – within the EU – in the ETRM.
NIS Cooperation Group
In order to analyse the ETRM in this respect, the first thing to do is to explain the nature of the activities of the strategic cooperation group that adopted the above document, i.e. NIS Cooperation Group. The NCG was established on the basis of art. 11 paragraph 1 of the NIS Directive (Directive (EU) 2016/1148) in order to:
Moreover, the NCG works according the EC Implementing Decision of 1 February 2017 and follows its own rules of procedure. According to these two documents, the decisions of the Group shall be taken by consensus, unless otherwise provided for in the EC Implementing Decision of 1 February 2017. What is important, the NCG is composed of representatives of the EU Member States, the European Commission (EC) and EU Agency for Cybersecurity (ENISA). The NCG’s tasks have been precisely indicated in art. 11 paragraph 3 of the NIS Directives, among them “exchanging best practice between Member States and, in collaboration with ENISA, assisting Member States in building capacity to ensure the security of network and information systems” (Article 11, paragraph 3(c) of the NIS Directive). NCG has published over eight working documents such as: Reference document on security measures for Operators of Essential Services (CG Publication 01/2018); Reference document on Incident Notification for Operators of Essential Services (CG Publication 02/2018); EU coordinated risk assessment of the cybersecurity of 5G networks (Report, 9 October 2019) and CG Publication 02/2020 – Report on Member States’ progress in implementing the EU Toolbox on 5G Cybersecurity.
The full article is available in The European Cybersecurity Journal (ECJ).
From 25 May 2018 the General Data Protection Regulation (GDPR) applies in Poland and other European Union countries. We would therefore like to give you several details on the subject of how DZP processes personal data.
The administrator of the personal data is Domański Zakrzewski Palinka Sp.k. (“DZP”; address: Rondo ONZ 1, 00-124 Warszawa). Data are processed for contact purposes and to impart information on changes to provisions and authority practices and on other issues, including events concerning day-to-day legal, economic and cultural issues, inter alia, by sending DZP newsletters. The above is carried out on the basis of legitimate interests, i.e. in accordance with art. 6(1)(f) of the GDPR. Data can also be processed where necessary for the conclusion or performance of a contract and for compliance with a legal obligation to which DZP is subject, i.e. pursuant to art. 6(1)(b) and (c) of the GDPR. Data can be transferred to entities with whose help DZP achieves the indicated aims, including entities maintaining IT infrastructure. Giving data is voluntary and in contractual relations is a requirement for concluding and performing a contract. It is possible to object to data processing, request access to, rectification and erasure of personal data or restriction of processing and data portability. Data are kept until an objection is made, and in contractual relations – throughout the term of the contract and thereafter for a period specified in provisions on archiving and limitations period for claims. Anyone has the right to file a complaint with the President of the Personal Data Protection Office. Questions concerning privacy at DZP can be sent to DZP’s Data Protection Inspector, Macieja Maciejewskiego, at: iod@dzp.pl.
New rules on cookies: Domański Zakrzewski Palinka sp.k., as the service provider of the www.dzp.pl website, stores and accesses cookies, i.e. small text information fles sent by a web server and stored on your hard drive, or other data storage medium of a user, for the purposes of: proper functioning of the www.dzp.pl website, confguring the www.dzp.pl website, security and reliability of the www.dzp.pl website, session monitoring, providing advertisements, personalization of the displayed information to the user, or analysis, statistics, research and website trafc auditing.
You can specify the conditions for storage of or access to cookies via your browser settings. Consent to the storage of or access to cookies by Domański Zakrzewski Palinka sp.k. on your device, is acknowledged by the settings of the browser installed on your device. For more information, see our cookie policy.