Germany is coming under fire for what critics say is a toothless move on tech regulation that opens it up to Chinese hacking.

The country's regulators released a new "security catalogue" Tuesday that would require telecom operators to identify critical parts of their networks and demand that suppliers of these parts sign up to a "no-spy clause."

Tech hawks, though, say that the new regulation lacks teeth and will in effect allow Chinese telecom company Huawei almost unhindered access to Germany's telecom market. They argue it amounts to a huge setback for U.S. and European security services that are concerned about potential Chinese security threats to 5G networks from using the company's equipment — a charge it vigorously denies.

The U.S. is already signaling that the move could have serious implications for future intelligence-sharing between Berlin and Washington. "If there is technology that is untrusted is deployed in [German] 5G networks, then we’ll have to reassess how we share information with countries like Germany," said Rob Strayer, President Donald Trump's top envoy on cybersecurity, on Tuesday.

U.S. security services fear Huawei's equipment can be easily misused by the Chinese state to spy on Western allies, and the company's increasing dominance also poses a strategic threat as it gobbles up competitors in the West.

Lacking teeth

Berlin's no-spy clause (technically a pledge of "trustworthiness" for suppliers of critical components and services) has attracted criticism for lacking real teeth. The pledge — which would affect Huawei, its smaller Chinese competitor ZTE as well as European competitors Ericsson and Nokia — does not include plans to verify if promises have been kept. Nor does it include enforcement measures against suppliers that fail to respect commitments.

"[It] reads great on paper, it ticks boxes on backdoors and compliance, but there's not a single word on enforcement and sanctions, not a single word on evaluation," said Jan-Peter Kleinhans, a researcher at the policy think tank Stiftung Neue Verantwortung that studies 5G security.

The security catalogue — which is still under review — comes as German Chancellor Angela Merkel in past months has walked a narrow line in her policies toward China, drawing criticism from the U.S. and European countries that argue that Berlin should take a tougher line over Hong Kong street protests and 5G security.

One senior Commission official who asked not to be named said that Germany's 5G security review undermines a recent move from EU officials and national cybersecurity officials warning the telecom industry about foreign states' hacking efforts — a warning squarely backed by Germany's own intelligence service.

"It's awkward for the new German European Commission President-elect [Ursula von der Leyen]," the senior official added, as Berlin's position differs from the one carved out by the European Commission in past months.

Von der Leyen's plans include beefing up Europe's "technological sovereignty," including through public support for home-grown technology in strategic sectors like telecom. But the incoming Commission president is struggling to win parliamentary approval for a commissioner in that portfolio, after MEPs shot down French nominee Sylvie Goulard last week.

'Likely a self-certification scheme'

Germany's action on Huawei is particularly sensitive because the country has Europe's largest telecom market, dominated by giants Deutsche Telekom, Vodafone and Telefónica.

It's also arguably the most strategic market in Europe for Huawei, which is the largest supplier of telecom equipment in Germany and has signed huge 4G contracts with telecom giants in recent years.

In opting for a 5G no-spy clause, Germany is reusing a tool that has served in the past for public procurement acquisitions of technology. The tool was invented as a safeguard against spying in the wake of revelations by U.S. whistleblower Edward Snowden — and in past years already drew criticism for being very hard to enforce.

The original template for this particular no-spy clause, drafted by the country's Federal Office for Information Security (BSI), said that companies selling technology to the German government for use in "sensitive environments" should ensure that no confidential information is passed on to foreign countries, third parties or foreign services inside Germany.

It also said that suppliers should ensure the firm is "legally and effectively able not to disclose" confidential information to foreign intelligence, and that it uses "only particularly trustworthy employees" to provide services and develop products.

That template inspired the no-spy clause for 5G contracts in Tuesday's draft document. But regulators dropped key provisions that would have raised the bar for vendors to comply: The 5G no-spy clause does not include a pledge to allow on-site inspections; to release source code or design documentation for products; or to release financial information on shareholders and company accounts.

"Though the document makes a nod to the need for carriers to obtain documentation about the trustworthiness of suppliers, it remains unclear who would determine criteria for vendor trustworthiness," said Paul Triolo, head of technology policy at Eurasia Group, a think tank on geopolitics. "It would likely be a self-certification scheme."

Critical parts of Germany's 5G networks would also have to pass checks by the BSI, which will have a strong role in certifying which kit is deemed safe to use.

This emphasis on certification — a thread running through the draft security catalogue — echoes what leading telecom companies have called for: objective European standards on cybersecurity that suppliers have to meet, regardless of their country of origin.

"Unless it is crystal clear that there is some wrongdoing [by suppliers], I don't think [restrictions] should be handled operator by operator," Telefónica's Chairman and Chief Executive Officer José María Álvarez-Pallete told POLITICO in an interview published last week.

According to Kleinhans, "with this approach, even for critical components, Chinese vendors will be in."

The approach differs from other European governments' preference to vet specific contracts between operators and vendors based on national security concerns. Italy, France and others have put in place new mechanisms that give prime ministers, ministers and security services new power to block specific deals — as have Australia, Japan and other Western countries.

Jolt to Washington and EU

The German regulators' move also flies in the face of the United States' security agenda, which has focused on trying to persuade European countries to ban Huawei from selling 5G equipment.

In his briefing for journalists on Tuesday, Trump's cybersecurity envoy Strayer listed criteria that the United States expects countries to use in picking trusted vendors: "Does that company have its headquarters in a country where there is rule of law and an independent judiciary in place? Does it have a transparent ownership structure? And does it have a history of ethical behavior?"

He added: "Those are questions that the company would need to answer for the country of Germany to make an assessment about its trustworthiness."

Germany's move also raises questions for the EU because it dodges issues identified in a joint risk-assessment on 5G security released last week.

European countries called out non-EU countries with offensive cyber programs, saying that state-backed hacking is the biggest risk to 5G security.

In particular, the document states that suppliers may be more risk-prone if there is a higher "likelihood of the supplier [of 5G network gear] being subject to interference from a non-EU country" through intelligence legislation, government control of a company's management or a lack of "democratic checks and balances in place" to counter such espionage attempts.

Germany's review glosses over such concerns. It "doesn't mention the security environment of the vendor," said Kleinhans. "It doesn't even hint at anything regarding rule of law, systemic trustworthiness issues or a vendor's country of origin."

Chinese equipment maker Huawei welcomed the German government's approach, saying it "create[s] a level-playing field for 5G network vendors."

A company spokesperson said the review would mean "advanced declarations and process-based inspections will be adopted, and all vendors are equally and fairly welcome to participate in the construction of 5G networks if they fulfill the security requirements."

The requirements are now up for public consultation until November 13.

This article is from POLITICO Pro: POLITICO’s premium policy service.