TIA in Europe: Cyber, Supply Chains, and Standards – Oh My!

Late last year, TIA’s Director of Global Policy, Patrick Lozada, traveled to Europe for meetings in Belgium, Berlin, and London with government officials to discuss the increasingly complex landscape around standards and supply chain security.

What he found was a common understanding that yesterday’s solutions don’t work for securing today’s networks. Across the board, countries are realizing that they must be more vigilant and ambitious in ensuring that networks can be trusted. The two countries have since conducted further negotiations under the umbrella of the Transatlantic Trade and Technology Council (TTC), and in December they agreed to jointly support trusted telecommunications projects in Latin America and Africa, explore ICT supplier diversification, discuss enhanced security for subsea cables, and more broadly cooperate on new and emerging technologies.

In Europe, the European Commission has been undergoing a multi-year process under the European Union’s Cybersecurity Act (EU Regulation 2019/881) to create a permanent agency called ENISA to regulate cybersecurity and establish a cybersecurity certification framework. The EU has also been and developing a “5G Security Toolbox” to help work with nation states to coordinate an approach to secure 5G networks, and they are working to extent the Commission’s regulatory authority through the proposed new Cyber Resilience Act (CRA).

While the U.S. and EU are both driving toward a stronger focus on cyber and supply chain security, the mechanisms by which they are doing so are different. Europe is much more focused on a regulatory approach, while the U.S. has focused more on partnerships between industry and government to support stronger security. Additionally, Europe’s focus on mandatory security standards is more prescriptive, and it has the potential to exclude some non-EU products and services. The EU also has a distinct perspective on OpenRAN, and its analysis of the security risks of OpenRAN is more critical than that of the United States.

Europe is also developing a distinct, and concerning, approach to standardization. Even as the U.S. and the EU have proposed further collaboration on standards development, the EU Commission has proposed a standards strategy that would exclude non-European companies from participating in certain standards development organizations and shift standards development toward more government control. U.S. companies would be the most significantly impacted by these changes, and in the context of a regulatory environment where standards are increasingly used to exclude products and services from the EU market – this is what is concerning.  Both sides have more to gain working together and supporting more robust trade and interoperability, something TIA expressed to interlocutors across the board.

Finally, policymakers in London are making ambitious strides to strengthen cybersecurity and enhance participation in the global standards ecosystem with new legislation such as the UK Telecommunications Security Act of 2021 and a 5G Diversification Strategy that is set to invest £250 million in secure and resilient telecoms supply chains. The UK also recently led a recent multi-country effort to set out technology principles for OpenRAN, and they are in the process of replacing equipment from untrusted vendors across the country as they deploy 5G.

In conclusion, while the U.S., EU, and the UK have different policy approaches on 5G, standards, and supply chain security; in general, TIA’s meetings with officials demonstrated that there are many areas of common interest. TIA continues to support the TTC, where we are involved with Working Group 1 on standards and Working Group 4 on secure supply chains, and we will continue to work to find the common ground with our European counterparts in these discussions.