Please enable javascript in your browser to view this site

Swedish regulator tightens network security requirements

The PTS introduced a risk assessment requirement prior to procurement of network equipment.

Background: Regulators around the world have placed network security under scrutiny in recent years, particularly with regard to the development of 5G, and to the allegations made by the US Government towards Chinese vendors that they may pose a security threat. Some countries have banned components from Huawei and ZTE; in Europe, the European Commission has promoted a risk-based approach leaving the matter largely to the discretion of individual member states. Sweden was one of the countries where a review of network security rules commenced during 2019, with a view to finalise it ahead of the next 5G auction (now scheduled for October 2020).

Stronger risk assessment requirements: On 1 March 2020, the regulator, the PTS introduced tighter rules on “operational security” for network operators. The main changes relate to four aspects – increased requirements for documentation, more thorough analysis of threats, additional safeguards in risk assessments, and clarifications around access and permissions. Operators have to retain documentation of their interactions with vendors and contractors for five years; they also have a duty to analyse risks communicated by the PTS to them, including risks related to ‘sabotage’. Risk assessment now applies to equipment and services that companies are about to purchase (in the past it only applied to what they had already contracted or bought). All requirements apply both to companies’ own personnel, and to external staff.

A more balanced stance compared to last year: The rules set by the PTS mirror the reform of security regulations which have taken place elsewhere in Europe (such as in Germany), without targeting specific operators. This is a more neutral approach compared to the stance initially taken by the Government on the matter. In March 2019, the Minister for Energy and Digital Development had announced legislation to exclude suppliers which do not ensure a sufficient level of security. It is understood that Swedish operators are currently using Huawei equipment in their access networks, including for recent 5G testing.