The deployment of 5G networks in Brazil is subject to GSI Rule 4 (Instrução Normativa 4), which establishes minimum cybersecurity requirements applicable to this technology in Brazil. This rule, issued by Brazil’s Institutional Security Office (GSI) on March 26, 2020, applies to the manufacturing, functioning and operation of telecommunications networks with a view of strengthening the protection of [Brazilian] society and national institutions with respect to the risk of vulnerabilities and backdoors in 5G technology systems.
The provisions of Brazil`s General Telecommunications Act (Lei Geral de Telecomunicações – LGT) will come into play as well. Under the LGT, it is incumbent on Anatel to issue rules and standards regarding telecommunications equipment, including rules aimed at compatibility, integrated operation and interconnectivity of networks. Anatel is also responsible for regulating and supervising telecommunication product certification.
Under its broad authority, Anatel regularly issues rules to suppliers and operators in relation, respectively, to marketing and use of telecommunications equipment. Anatel has issued, for instance, general rules in relation to the entire certification and homologation system; as well as specific rules regarding certain types or families of products.
Given this broad array of competences, key aspects of cybersecurity requirements in Brazil established by GSI Rule 4 will need to be subject to Anatel rules as well. GSI Rule 4 was issued in March, so it is fair to assume that the relevant work is underway. That said, to this date Anatel has not set in motion the relevant public consultation, as required under the LGT for the establishment of rules of this kind.
Because the requirements to be issued by Anatel (in parallel to those issued by GSI under Rule 4) tend to impact costs of network deployment – and, therefore, the price operators will be willing to offer for the relevant frequencies – they should ideally take effect prior to the submission of proposals by operators under the upcoming 5G auction. Ultimately, therefore, this will affect the 5G spectrum bidding schedule.
GSI Rule 4 also requires operators to submit systems to be used in their 5G networks to external auditing that ensure their cybersecurity. Again, this aspect warrants the issuance of rules by Anatel, as it regards the rendering of telecommunication services (article 19, IV of LGT). (For instance, Anatel issued rules requiring third party auditing of the collection and payment of certain telecommunications services). This, too, should be subject to public consultation; and the resulting rules should ideally be in force in time for the 5G auction.
GSI Rule 4 also establishes a new requirement regarding the purchase of equipment, which tends to materially impact the competitive dynamics of the 5G auction. Under Rule 4, service providers shall sub-contract different suppliers from one another, so that at least two 5G network providers within the same geographic region must use equipment manufactured by different suppliers.
It follows that the first service provider buying its network equipment will have an advantage over its competitors, as it will be able to choose from equipment offered by the full range of potential suppliers. The practicalities of this requirement are bound to be complex – all the more so because some of the service providers operating in Brazil work under (globally) centralized procurement procedures. As each competitor will need to have access to information as to what suppliers are still open for each relevant geographic region, this rule tends to entail significant practical difficulties.
GSI Rule 4 is bound to have an impact on the upcoming 5G auction in material ways. It now remains to be seen how Anatel regulations will address the issues covered by GSI under its comprehensive regulation.
Author: Amadeu Castro, of Agrippa Consult. Former executive secretary of telecom watchdog Anatel and, until August last, head for Brazil at GSMA LatAm