SIM Report: New IT security law in Germany solidifies tougher EU stance towards Huawei’s role in developing 5G

SIM Report: Western & Northern Europe, Issue 8

On 23 April, lawmakers passed the new IT Security Law 2.0, which restricts the involvement of ‘untrustworthy’ suppliers in developing 5G technology. The new law also introduces a requirement for telecommunications operators to notify the government when contracts for 5G components are signed and gives the government more powers to block them for national security purposes. Once the government is informed of a contract to acquire new 5G components, the interior ministry will have between two and four months to assess the deal and determine whether it meets national security criteria. 

Through the new rules, Germany moves closer to other European countries such as France and the UK on introducing more robust regulations for 5G technology. In 2020, the French government introduced a new law allowing ANSSI, the cybersecurity agency, to block contracts between Huawei and telecommunications firms. The UK has taken a tougher stance, announcing that UK-based telecommunications firms will be prevented from installing new 5G equipment made by Chinese technology firm Huawei after September 2021. Under current plans, UK officials are focused on ‘combating high-risk vendors’ and seek ‘the complete removal of Huawei equipment from our 5G networks no later than 2027’. Firms that fail to comply could face major fines. Varying levels of restrictions on Huawei are a reflection of how aligned countries are with the US on defence and security issues as well as their susceptibility to diplomatic pressure from Washington. Germany initially took a more pro-business approach, taking into account warnings from the business community that a complete ban on Huawei as a 5G supplier would delay the EU-wide rollout of the technology. 

A notable part of the law is that the interior ministry will have more power than other ministries such as the economy ministry when it comes to blocking 5G contracts. Component manufacturers will also need to provide a ‘declaration of trustworthiness’, with new thresholds being introduced to meet this criterion. One significant point of contention among political figures was reaching a conclusion on the best way to assess the trustworthiness of a vendor. 

In addition to the 5G national security issue, the new legislation is aimed at providing a strong legislative basis for German authorities to strengthen their response to cyberattacks, cybercrimes, and cyber espionage. The Federal Office for Information Security (BSI) will operate with an expanded mandate. This includes screening and technical inspection of IT products in the market, and the authority to request inventory data from telecommunications service providers to potentially identify targets or victims of cyberattacks.

The legislation comes amid increased scrutiny and growing debate on the role non-EU corporate interests should have when it comes to critical national infrastructure and sensitive technologies. As is the case in most fellow EU countries, the legislation does not mention Huawei by name but clearly carries significant implications for the China-based technology firm. The legislative text threatens to leave several German mobile telecommunications firms exposed, many of which have a long-standing relationship with Huawei; for example, Deutsche Telekom had held advanced talks with Huawei for it to become the telecommunications operator’s main supplier for 5G but put the negotiations on hold for political reasons.

A key element in enforcing the legislation, however, will be the political mood in Berlin, particularly the position of the next government that will be determined in a federal election in September. The legislation represents a harder line than previous proposals amid criticism over Chancellor Angela Merkel’s ostensibly soft stance on the issue. In recent months Chancellor Merkel has intensified her government’s outreach with China through regular communications with senior Chinese leaders and bilateral meetings. Merkel remains strongly in favour of the EU-China Comprehensive Agreement on Investment (CAI) but has also raised the importance for China to meet international labour standards.

In effect, the new IT legislation is indicative of efforts by the government to walk a political tightrope in seeking to balance diverging views between those advocating a hard line towards Huawei and others calling for a more moderate stance. The election of Merkel ally Armin Laschet as new leader of the ruling Christian Democratic Union (CDU) party in January and his possible election as Germany’s next chancellor means that Germany’s policy towards continuing to pursue close economic relations with China is unlikely to radically change despite the introduction of tougher IT legislation.
