the new role of regulators - example iot ecosystems · iot services and low security hardware may...
TRANSCRIPT
The new Role of Regulators - Example IoT Ecosystems
Detecon International, Zagreb, 03.12.2019
Funded by the European Union
Table of Content
01 Future Telco
02 Telco NRAs role in IoT Ecosystems
03 Regulatory Challenges
04 Regulatory Approaches
Fundamental Changes
Four Forces drive the 2nd wave of digitization:
Technology
Customer
Society
Politics & Regulation
Future Telco
2nd Wave
Internet Platforms under Pressure (“BAADD”)
Connectedness and Compute
Security, Individuality & Convenience
Globalization, Protectionism, Regulation
A 2nd wave of digitization competition builds new momentum.
Meta Level View
“Calm Water”
TelCos own control points
Market barriers
Stable revenues
“WWW - Wild Wild West”
TelCos partially losing control of end-customer
Little regulatory boundaries for internet players
Internet giants tremendously successful on service layer, developing unprecedented worldwide reach
Softwarization further lowers traditional industry boundaries
“Regulated Race for Gigabit Societies”
Welfare of nations depends on Gigabit readiness
Security, public control, ethical aspects will gain relevance
Technologies and business models become subject of industrial politics
Internet and data driven business will be regulated (data protection, privacy, anti trust, tax, sector specific regulation)
[Timeline labels: 1st Wave, 2nd Wave, iPhone, 2007, 2018]
Players and Directions
Players’ strategic directions determine the Telco framework.
Many OTTs will enter into the traditional Telco carrier business
Telcos without own network will consolidate or vanish
Corporates may become own Telcos
Vendors change their role
Integrate connectivity
Concentrate on platform services
Concentrate on platform services
Consolidate with others, vanish
Build own connectivity & solutions
Rely on carriers
Offer connectivity & solutions directly to customers
Rely on carriers
Bypass Carrier with own API based Eco-Systems
Rely on carriers
Digital Infra Provider, Network Centric Digital Service Provider
Eco-System OTT
Corporates
Single Purpose OTT, Reseller/MVNO
Trad. Vendors, New Vendors
Telcos
Telco Provider
Two main target pictures exist:
• Digital Infrastructure Provider
• Network Centric Digital Service Provider
Portfolio structure follows the provider's position on the value chain
From pure infrastructure portfolio to digital service portfolio
Digital Infrastructure Provider
Network Centric Digital Service Provider
Physical Sites
Frequency License
Data Centers/IaaS
DevOps CI/CD
Network
API Platform
IDM & BI
Partner Services
Own Services
BSS functions
Touchpoints
Core Telco Plus
Core Telco
“Infrastructure” portfolio
Connectivity Services
Services
Voice
Internet access
VPN
Leased Line
..
Bandwidth
“Digital Network” portfolio
“Digital Service” portfolio - example automotive
Quality Options
Reliability
Speed
…
Security Options
Network monetization
Ecosystem platforms
02 Telco NRAs role in IoT Ecosystems
The role of NRAs is becoming complicated in an increasingly complex Telco sector where the boundaries between industries are blurring.
Telco NRAs role in IoT Ecosystems
Traditional Role of NRAs in old Market Structure
Telco sector a national monopoly with one dominant fixed line carrier and few service providers
Clearly defined separate network specialized on one dominant service (voice telephony), basically a consumer product
High public share in the sector, stable growth, low innovation rate
Communications traffic and assets concentrated on one country
Regulatory focus: asymmetric (monopoly), ex ante, national, retail markets
New Role of NRAs in current Market Structure
Telco sector consisting of many global fixed, mobile, satellite, virtual, private networks with shifted market boundaries and millions of service providers
Networks/platforms clearly separated from service level, voice a special case of data, telecom a necessary input to all industries
Small public share in the sector, volatile growth, strong innovation
Traffic routed globally, many stakeholders multinationals
Regulatory focus: symmetric (horizontal), ex post, international, wholesale markets
Delivery of IoT Services
Hardware & Data sourcing
Connectivity
Interoperability
Security / Privacy
Data Management
Computing resources
Analytics
Role
Gather / Generate data for the applications and services
Transport the data through various connectivity media through to aggregation
Manage connectivity, aggregate data streams
Manage security of application and users, manage privacy
Enable vertical and horizontal application development and operations
Create value from the data that the IoT provides
Store, protect and process data while guaranteeing its accuracy, accessibility, reliability and timeliness
Example
Sensors, camera, user phones, cars, positioning device...
WiFi, 2G, 3G, 4G, 5G, ADSL, ...
Mediation devices and platforms
Firewalls, policies
Cloud platform
BI and Big Data tools and platforms
Enterprise bus, identity management
Players
Global SIM and HW-manufacturers
Local MNO/MVNOs
MNO, MVNO, CSP, OEM
CSP
CSP, OTT players
Platform providers, OTT players
Specialized ICT
The IoT value chain is an example where partnering between industries is key for successful delivery. Depth and content of regulation is challenged.
Telco NRAs role in IoT Ecosystems
TRA Regulatory Tasks
Communications services are becoming a core product of many non-Telco industries and thus the regulatory area of responsibility becomes unclear.
Telco NRAs role in IoT Ecosystems
Examples of Digital Services with a Telco component in end-to-end delivery
Modern ICT services are forcing NRAs to co-operate with other national and international public Regulatory Authorities.
Smart metering - Utilities Regulators
Autonomous cars - Regulators for Traffic Safety
Mobile payments - Financial Serv. Regulators
Remote health monitoring - National Health Regulator
Remote steered Drones - Air Security Regulators
Telco Regulatory Authority
In a future Industry 4.0 environment NRAs increasingly have to co-operate, partner, network and take initiative for evolutionary regulation.
Telco NRAs role in IoT Ecosystems
Other Vertical Regulatory Authorities
Telecom National Regulatory Authority
“Horizontal” National Legislation
Data privacy and security
Cybersecurity
Consumer protection (B2C and B2B), including e-commerce and audiovisual media
Contract law (e.g. M2M contracts, digital signature, liabilities of intermediaries)
Competition law
Taxation (double taxation, tax avoidance)
Intellectual Property Rights / Copyrights
Education and inclusion in ICT
….
ICT Ecosystems
Initiatives
Co-operation
Telecom Sector
enables
Spectrum, Numbering, Licensing
Standardization, Type approval
….
The structure of an NRA should be adapted by creating a horizontal “Digital Transformation Unit” and vertically responsible “Sector Units”.
Telco NRAs role in IoT Ecosystems
Organizational Improvements to adapt to Digital Transformation
Ministry for Digital Transformation
Other Ministries
Parliament, Councils etc. with the right to introduce draft laws
Finance Sector Regulator
Energy Sector Regulator
...
ICT Sector Expert Units
Digital Transformation Unit
Telecom Regulatory Authority
Other TRA Units
ICT related Laws
Other Sector Regulators
The autonomous car ecosystem is an example of how the future co-operation between TRA, Traffic Regulation and Government Legislation has to work.
Regulatory Challenges
Example: Traffic Sectors
Traffic Sector regulation in Germany
(2017) Traffic Infrastructure Regulation: Several roads opened for testing autonomous driving, in particular motorways in Bavaria and a city route in Berlin. Further to come in other Federal States
(2017) Automotive Sector: >52% of worldwide patents about autonomous driving handed in by German Industry
Example: BNetzA (German NRA)
Telco regulation in Germany
Spectrum: (2019) 300MHz of spectrum 3.4-3.7GHz bands have been auctioned with strong coverage, latency and throughput obligations (all roads).
Identifiers: (2016) permanent extraterritorial use of national numbers for M2M use allowed.
Roaming: (2017) EC decision to abolish international roaming fees within EU
Example: Government
Legal development in Germany
2017: Ethical Commission releasing a report with 20 recommendations on guidelines for autonomous driving including rules, if an accident cannot be avoided.
2017: Minister for Traffic and Transport introduced a change of the general traffic law including possibility for automated / autonomous driving
Many liability issues still unsolved, in particular for artificial intelligence software producers.
03 Regulatory Challenges
The worldwide revenue generated from IoT is expected to increase by 67 percent by 2022. However only a small part will use regulated spectrum.
[Figure: two bar charts covering 2018 to 2022. Left panel: Growth in revenue from IoT, worldwide (in USD million), annotated +67%. Right panel: Growth in revenue from IoT, by vertical (in USD million), annotated +14%, with series Connected Business, Connected Consumer Electronics, Connected Energy, Connected Health, Connected Home, Connected Cities, Connected Industry, Connected Car.]
Source: Machina Research, 2017
Regulatory Challenges
Spectrum falls clearly under jurisdiction of Telecom NRAs. However, for
different IoT use cases different unregulated access technologies coexist.
Regulatory Challenges
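[Figure: IoT access technologies arranged by range (Wide Area, Local Area) and by bandwidth and energy (Low Bandwidth, Low Power/Cost up to High Bandwidth/Decent Energy). Quadrants: Wide Area / Cellular, Local Concentrator, Wide Area Low Power, Local Use (Low/No Power). Technologies named: RFID, NFC, DECT, IEEE 802.15.4, 6LoWPAN, QR, NB-IoT. Marker: Regulated.]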
There are at least 12 different areas where regulation might play a significant role in developing the IoT markets.
Areas of regulatory focus in IoT markets
While some areas are clearly in the responsibility of the TRAs, others have to be aligned with other stakeholders and regulators
Regulatory Challenges
Coverage
04 Regulatory Approaches
Regulatory Approaches
The general trend is to shift the regulation focus from infrastructure to cloud, OTTs and Artificial Intelligence.
Telco Infrastructure – increase consolidation options
Fixed
Further regulate only SMP wholesale markets
Accept commercial arguments to push fixed wholesale partnerships to lower redundancy and increase RoI in fiber
Mobile
Set strong area coverage targets as a shared industry target
Push 5G network sharing / wholesale mobile providers setup
Allow for corporate mobile networks
Bill&Keep principle
IT / Services – increasing pressure on OTTs
Cloud computing
EU Digital Single market “Supporting cloud in Europe”
Data ownership
Liability
Standards, interoperability & portability
Other trends
OTT taxation (ASEAN)
First regulation idea on AI in EU (EIT/JRC workshop)
GDPR enforcement
Increased attention on OTTs M&As (after FB acquired Whatsapp)
Further commit to Open Internet in EU
There are three general regulatory principles that should be followed when regulating IoT services.
Regulatory Approaches
No overregulation
IoT services are a nascent industry that needs freedom to develop
Ex ante regulation only in exceptional cases, in particular specific telecom services license requirements
Unless specific challenges are appearing a policy of forbearance of new services may be recommended
Ex post regulation is a tool to correct unwanted developments
No compromise in security and privacy
IoT services and low security hardware may be a gateway for espionage and sabotage
Security and privacy by design may be required for all imported and produced IoT devices (type approval)
Security development guidelines for software may be required
EU best practice GDPR requirements for all services including IoT
Evolutionary approaches
No overregulation does not necessarily mean to wait and do nothing for a TRA
New vertical services may be observed and followed up with an evolutionary approach to regulation along use cases
For this the NRAs have to organize themselves in project groups together with other stakeholders (other regulators, Ministries, industry,…)
Connectivity services in an IoT partnering network are typically provided by MNOs or MVNOs, if wide area mobile connectivity is required.
Regulatory Approaches
SIM, Connectivity Management, Network Operation, Service
SIM card type / form factor
Data-, SMS-, Voice-services
Data volume (pooling), # of SMS, Voice minutes
Roaming capabilities (countries, areas)
Local breakouts
Connectivity / Service portal required?
Setup of platform account
APN setup (public, private)
VPN setup
IP addresses
Network operation center (NOC) for mobile & fixed line services
National / International WAN
Helpdesk services (2nd/3rd level)
Service assurance / incident management
SLA monitoring
National application / licensing process
SIM card activation / deactivation
Data limit supervision
IP session monitoring
Roaming monitoring
SIM card ordering & shipping
SIM contract / tariff maintenance
SLA monitoring
Helpdesk services (1st level)
National service licenses, restrictive spectrum regulation, restrictions of permanent roaming and permanent use of foreign identifiers, retail price regulation as well as restrictive rules for data hosting are major regulatory bottlenecks for the development of IoT solutions.
IoT Privacy policies need to carefully consider the Thing/Person correlation, having due regards to protection of personal information.
Asset tracking
Public Interest
Digital maps
There may be public interest debates for tracking people, or informing the location of people, which overrides the right to privacy:
• Law enforcement/ anti-terrorism
• Hospital patients
• Mentally disabled
• Emergency/ Disaster assurance
• The European GDPR doesn’t cover tracking of assets, only people.
• Europe is considering an ePrivacy Regulation, which deals with location risks.
• An “informed consent” approach is being adopted.
“Privacy has already been a consideration for our products and services for a long time. Therefore, the concepts of privacy by design and privacy by default are not new. However, the formal aspects of data protection impact assessments are new requirements that have to be integrated into the product development process”
Philip Fabinger, global privacy counsel for HERE Technologies (owned by Audi, Daimler and BMW)
Regulatory Approaches
Regulatory Approaches
Communication Security: WiFi, Bluetooth, NFC, Lora, ZigBee …
Physical Access Security: Debug Interfaces (JTAG, IO, …)
OS Security: System Level Software
Low-level Software Security: Firmware, Drivers
Application & Data Security: User-Facing Software & Services
Regulators dealing with IoT Security (e.g. by certification) have to address all attack surfaces of an IoT device.
Regulatory Bodies & Standard Development Orgs: ITU, National-level, ISO, ETSI …
Regulatory Approaches
Mission Critical IoT Services or those implemented in vital infrastructures may need to be regulated differently than others.
Special regulations for Mission Critical IoT services
General regulations (best practice)
Key features of the device involved in collecting data, sensor inputs (camera, microphone,…) and location identifiers shall be indicated on the device, its packaging and in the user documentation.
Device must have the capability for users to reset to factory standard
“Security and Privacy by Design” shall be incorporated in the device to protect against unauthorized usage.
Special regulations for mission critical IoT (best practice)
Mandatory Over the Air / remote provisioning of eSIMs of IoT devices used for mission critical services has to be possible.
IoT service providers offering mission critical IoT services have to register with the TRA and obtain an IoT Service Registration Certificate.
Such service providers may be obliged to maintain subscriber information that may be transmitted to the TRA upon request (name, address, ID, device model and registration number, etc. e.g. for owners of drones)
ENISA recommendations for NRAs
Clarify liability among IoT actors.
Harmonize efforts on IoT security standards
Establish an IoT baseline for security interoperability
Design security development guidelines for software
Definition
Mission Critical IoT services means an IoT service that, if it fails, may result in an adverse impact on health of individuals, safety and/or national security.
The future role of NRAs implies extending pure Telco regulatory tasks to digital industries, improving human capital and introducing new processes.
Summary
New Competences, Responsibilities, Tasks and Objectives for NRAs
Pro-active role in formulating “e-legislation”
Support vertical industries in the digital transformation process
Take a role in international harmonization and approximation of digital transformation
Development of Human Capital
Cybersecurity, privacy, data security specialists
Vertical industry specialists as interface to other sector regulators
Technology specialists for pro-active impact assessment on regulation (AI, AR/VR, blockchain, digital twins,…)
Work Process
Project work organization with vertical end-to-end digital services stakeholders
Evolutionary approach to IoT regulation along use cases
Light touch regulation for emerging new technologies and services without compromise on security
Your contact!
Dr. Arnulf Heuermann
Detecon International GmbH
Managing Partner
Sternengasse 14-16, 50676 Cologne (Germany)
Phone: +49 221 9161 1550
Mobile: +49 171 2254217
e-Mail: [email protected]