Potential Impact of 5G Regulations to Cloud Providers and Private Networks

5G enables many new business cases using cloud technologies. 5G was designed to serve the needs of verticals like factories, health care, automotive, smart cities and infrastructure. Edge computing, scalability, flexibility, low latency and many other features require the use of virtualization and the cloud.

Public mobile network operators enter relationships with cloud providers to enhance their service offerings and to optimize their costs. Cloud providers see 5G networks as a new business field where they can provide their services to mobile operators, but also to factories and other verticals that want to run a private 5G network. In some cases, cloud providers even provide fully operational private 5G networks as a managed service to verticals. The following are the key players and their potential relationships:

Vertical Private 5G Network Customers:

  • Deploy and use a private 5G network
  • Potentially use a cloud for OpenRAN, Core or Edge
  • Potentially provide “public” services to externals (BYOD, the general public)
  • The private network could be operated by cloud providers, by operators or by the customers themselves
  • Could share infrastructure with mobile operators (coverage extension / mobility)

Cloud Providers:

  • Offer IaaS, Platform as a Service, Network Function as a Service, Communication as a Service (managed service) and Edge as a Service to public mobile operators or private factory networks

Public Mobile Network Operators:

  • Provide communication services to private networks (OpenRAN, Core, Edge services, value added services)
  • Also provide a service to public users and potentially to vertical private 5G network customers
  • Provide licenses to private 5G networks

Telecommunication Vendors:

  • Produce network functions and provide hardware
  • Provide SIM provisioning services

There is a wide range of business arrangements that can take place between a vertical, a mobile network operator and a cloud provider. Vendors may even take the role of a cloud provider or operate a mobile network. Mobile network operators and vendors have recently been under the scrutiny of regulators and mobile networks.

The European Union Agency for Cybersecurity (ENISA) has performed a deep threat analysis and, based on that, published a wide range of documents that define 5G security and outline proper protection of 5G and network function virtualization infrastructure. These documents guide the member states in defining their own 5G regulations. Mobile communication has become a critical service for our societies, and the European Union is determined to improve the resilience of mobile networks in all its member states. This has deep technical, financial and operational impacts on mobile network operators and cloud providers. This deep regulation approach is new for mobile network operators who want to extend their business by offering 5G private networks. In addition, the mobile ecosystem and the roles of the players are changing. You can find a deeper discussion and details in the following articles: “The Impact of Securing European 5G Mobile Networks” and “Compliance for 5G and Telecommunication Cloud in Europe”.

While there are many security requirements coming from regulators, it is not obvious how they affect the responsibility split between the parties. For example, would a factory that connects its production environment and the related sensors using 5G, and uses a cloud provider for the core network, fall under the ENISA 5G Toolbox requirements? Would the situation change if the cloud provider offers 5G as a fully managed service and the factory is a “normal customer”? When does the cloud provider turn into an operator? Would the cloud provider then be obliged to comply with ENISA 5G NFV Security and the 5G Guideline? If the factory is providing critical services to society (e.g., power plants), does this change the situation?

Similar questions arise for the private 5G network if our factory now has a visitor center and allows guests to use its 5G network to connect to the internet. Would the factory then become an operator from a regulatory point of view? This example scenario is outlined below in more detail:

The applicability of different regulations and guidelines depends strongly on the individual definition of the telecommunication service, the operator, the criticality to society and whether there are specific cloud provider security requirements in place. This responsibility split and the applicability of different regulations and compliance requirements are maturing right now. Even within the European Union there are subtle differences, for example with respect to private networks and criticality. While for some countries the situation is quite developed, others still struggle with the basic concepts. Defining the clear scope of the provided services and the responsibilities of each party is the first important step. This allows those to be mapped against the locally applicable regulation, after which the compliance needs of each party can be identified. There are cases where the regulation will impact private networks and cloud providers and not only operators. In some cases, the cloud provider or private factory network owner may actually turn into an operator and fall under the scope of regulations traditionally only applicable to mobile network operators. No matter what business you are in, make sure you are following the regulations that apply to you when you are implementing 5G in your business.


Senior Manager - 5G Security Assurance at
