Government to exclude 'high-risk' companies from 5G network

The proposed legislation will enable certain parts of the 5G network or infrastructure to be designated as “critical” for the State and allow the minister to ban high-risk companies from working in those areas.

Last November, the British Government announced that Chinese company Huawei would be banned from the UK 5G telecoms infrastructure.

This was because of fears within the British Government of suspected links with the authoritarian Chinese state and claims Chinese intelligence agencies could gain access to 5G networks – claims rejected by the company.

Ireland’s current electronic communications infrastructure is largely based on 4G mobile networks and fixed broadband but many operators provide 5G networks.

A statement issued by the Department of Communications does not refer to any specific companies – similar to the stance taken by the European Commission and the EU cybersecurity Body ENISA – and only refers to companies generally that might pose a risk.

The department statement said the Government had agreed on a number of measures to enhance the security of electronic communications, including 5G networks.

It said the Government had endorsed the ‘EU 5G Security Toolbox’ as the framework by which Ireland will secure its next-generation electronic communications networks.

The EU toolbox was published in January 2020 and is a coordinated European approach based on a common set of measures, aimed at mitigating the main cybersecurity risks of 5G networks.

While private operators are largely responsible for the secure rollout of 5G, member states are responsible for national security and network security is considered of strategic importance to the EU.

The Government announced the publication for consultation of the Electronic Communications Security Measures (ECSMs) – a detailed set of technical and organisational measures that providers of public electronic communications networks and publicly available electronic communications services will be required to implement.

It said this requirement would “secure” the electronic communications infrastructure within the State.

The statement said: “The Government also announced that it plans to introduce primary legislation which would allow the Minister of the Environment, Climate and Communications to assess the risk profile of providers of electronic communications network equipment and, if required, to designate certain vendors as being high-risk.

“The legislation will also provide for certain parts of electronic communications networks to be designated as being critical and certain powers which would ensure that high-risk vendors would not be used in our critical electronic communications networks," it said.

It added: “No decision has been taken on individual vendors. Any assessment will follow clear objective criteria, such as those recommended in the EU 5G Security Toolbox, and follow a defined process set out in the legislation.” 

It said the legislation would be drafted in consultation with relevant departments and agencies, and a regulatory impact assessment and consultation process would be conducted in early 2022.

For the past year, the department, through the National Cyber Security Centre, has been working closely with industry to produce a detailed set of security measures which aim to address many of the technical security concerns highlighted through the European risk assessment process.