FTTH Council Europe calls for impact assessment and proportionate approach in EU Cybersecurity Act proposal
The FTTH Council Europe supports stronger security and resilience in Europe’s telecom network and services market and understands that the proposed Cybersecurity Act (CSA) is part of the broader strategy aimed at guaranteeing Europe’s strategic autonomy and security and is willing to cooperate with European Institutions to achieve this objective.
To this end, the FTTH Counci lEurope requires that a full assessment of the scale of the intervention needed to achieve the security and resilience goals is performed and discussed with relevant stakeholders, before the final approval of the decision. The proposal, as presently designed, generates uncertainty and can have negative consequences for the fixed sector’s ability to finance investment and therefore the ability to reach its DDPP targets.
The FTTH Council Europe shares the objective to de-risk critical ICT supply chains from entities established in or controlled by entities from countries posing cybersecurity concerns (high-risk suppliers) and to reduce critical dependencies by developing a coherent and effective framework at EU level to address ICT supply chain security risks.
At the same time, the FTTH Council Europe acknowledges that Europe is at an early stage of the discussion on the CSA regarding the management of potential high-risk suppliers in fixed networks. There is a lack of in-depth assessment regarding the risk and the impacts of the proposed measures. Such risks and impacts should be clarified before decisions are taken. For example, in the case of mobile operators, the impact assessment estimates the equipment lifetimes, the duration and scale of any ‘rip and replace’ and the overall costs which would be incurred. In the case of fixed networks there is no comparable assessment.
In particular, since key ICT assets of fixed network cited in Annex II make reference to very large parts of the fixed networks, including different kind of equipment (i.e. in the Access Networks we have OLT, ONT, ODTR, fibre optic cables, etc…). The FTTH Council Europe believes it is necessary to better understand which is the perceived level of risk associated with different equipment categories in each part/function of the networks, to assess the existence of alternative providers able to provide substitute products and to evaluate the timing and costs of possible “Rip & Replace” policies for different equipment types.
Such an assessment should support a proportionate approach, considering short term “Rip & Replace” obligations only for riskier equipment types and introducing long term “Rip & Replace” or prohibition of buying new equipment for equipment entailing lower risk levels. The impact of the proposed policy on the ability to invest together with the risks of market distortion deriving from different usage of equipment from high risk vendors should also be assessed.
Taking into account potential alternatives and understanding the dynamic effects of the proposed policies on business costs and the operations of telecom operators is in our view essential to strike the right balance in the proposed Regulation.
The CSA reform must secure networks without undermining Europe’s Digital Decade targets which themselves contribute to Europe’s security and resilience. Fixed operators cannot absorb an unknown and unquantified “rip and replace” obligation with inadequate preparation and without the necessary mechanisms to fund the cost of systemic decisions, on top of existing investment and regulatory pressures.
Policy makers are aware that fibre networks are long-lived, capital-intensive assets with deployment cycles measured in decades. It is important for the industry to understand what equipment may be covered by which type of obligation over which time frame. Vendor-level designations that trigger broad mandatory replacement obligations, create a level of regulatory and investment uncertainty that is particularly acute for FTTH operators, whose business models depend on predictable regulatory treatment and stable supply chains.
The FTTH Council Europe considers that Europe needs to avoid a situation where the ‘High Risk’ vendor designation becomes a moving target. This implies the need to focus the analysis on underlying persistent systemic threats and guarantee a fair treatment to the vendors during the analysis. Regulatory uncertainty deriving from multiple cycles of potential rip and replace would make fixed networks very difficult to finance.
At a time when capital for telecoms infrastructure deployment and operation is already under pressure, the proposal as put forward effectively shifts all cost and execution risk onto operators because there is no EU‑wide reimbursement or risk‑sharing mechanism. The FTTH Council believes that whatever policy that requires the replacement of already installed equipment with equivalent equipment from other providers, should foresee mechanisms to fund those costs.
The FTTH Council Europe calls on the Commission and the co-legislators to gather more evidence and conduct a proper impact assessment on the risks, costs and consequences for fixed network operators, including the full analysis of the different remedies that are proportionate to the risks, before proceeding with the CSA reform for fixed networks.
The FTTH Council Europe is ready to cooperate with European institutions in order to identify appropriate ways to practically implement the CSA and mechanisms to offset the costs of adequate levels of security and resilience of European fixed networks, which can ensure that the Digital Decade targets can still be met and competition is not distorted.