As a result of the European Commission’s endorsement on 29 January 2020, the toolbox – a set of cybersecurity measures for the upcoming 5th generation of mobile telephony (5G) – became “soft law” in the EU. The member states were asked to hastily implement a vague piece of legislation and they were also pushed into making de facto trade policy that should be an exclusive responsibility of the EU. The issue was further complicated by a constitutional right-to-private-property dilemma embedded into the toolbox. It soon became evident that national implementations of the toolbox are quite diverse, which motivates our key question: Is Finland a best practice case in this context and could it – at least in part – serve as a model for the other EU countries?
On 7 December 2020, the Parliament of Finland approved a law allowing authorities to ban a network device on grounds of serious national security concerns. The law outlines an institutional setup isolating political and other aspirations from cybersecurity, which is seen as a technical matter. Even though the administrative process is collaborative and aggregates the expertise of various stakeholders, power and responsibility reside with one authority (Traficom) that is also the foremost technical expert on the matter. The law confines administrative actions to the most central parts of the national infrastructure. It operates at the level of a device and does not permit banning “high risk vendors” outright. A process initiated by the authority can lead to the removal of a device, but only as a last resort. If so, the owner is entitled to full compensation by the state.
The Finnish model attends both to principles of good administration and to fundamental legal doctrines. The administrative process is transparent, and actions are grounded on objective evidence. In case of an unresolvable conflict, there is a path of legal recourse. All these feats are achieved with reasonably low administrative costs.
The Finnish implementation of the toolbox corresponds to what the ITU identifies as the final and the most desired stage of ICT regulation: it is collaborative, exploits synergies across sectors, and pools the expertise of diverse stakeholders. Other countries are well-advised to imitate these aspects of the Finnish implementation. There are, however, two preconditions for pursuing a similar solution: first, at least the responsible public agency must possess reasonably deep technical expertise; second, there must be sufficient willingness to cooperate among the involved public and private parties.