as a challenge for telecommunications law


One of the aims of the European Electronic Communications Code (EECC) is to promote the expansion of 5G networks. Does the existing legal framework still do justice to future, increased use of IoT (Internet of Things) applications in public networks? A guest contribution by RTR Managing Director Klaus M. Steinmaurer. 

In addition to the networking of things in the industry sector, networking is also taking place today in many of the processes in our daily lives and, as a result, the continuous improvement of available communication infrastructures has become crucially important. This is because IoT applications come in many different forms depending on the purpose they are intended to serve. They can be completely static, mobile or a combination of both. The EU and its Member States currently have no codified IoT law and there are no plans for such a system at present. The European Commission (EC) has, however, announced that it will examine the “legal framework for autonomous systems and IoT applications” in order to evaluate and promote the possibilities of IoT. The EC considers IoT – along with 5G communications, cloud computing, data technologies (also for big data) and cyber security – to be one of the five priority areas that constitute the basic technological building blocks of the digital single market. 

It is, however, still up for debate as to whether the current regulatory toolbox dating from the 1990s is sufficient as a basis for national legislation, and to what extent it has succeeded in providing sufficient remedies with the new European Electronic Communications Code (EECC). 

IoT and telecommunications law 

The EECC provides a cohesive framework for the regulation of electronic communications networks and services, associated facilities and services and certain aspects of terminal equipment. IoT is a cross-sectional matter, however it affects telecommunications law in particular, with the issue of spectrum use as well as the operation of IoT transmission services as communication services, the connectivity of IoT applications, and also the numbering and security of networks and services being particularly pertinent. The same applies to M2M – an electronic communications service – as for telecommunications law roaming in particular is still significant, as well as many other areas. 

5G C-Band Spectrum 

However, in the vast majority of cases, in addition to alternative technical solutions, it can be assumed that meaningful and, above all, widespread service provision requires the flexibility and mobility of a wireless public communications network. In particular, the 5G C(ore) band is characterized by a relatively high bandwidth combined with good propagation characteristics and is therefore very well suited for IoT networks that do not want to be just selectively available. The 5G technology was developed primarily for IoT. The allocation of these frequencies is subject to national regulatory authorities. The 26 GHz frequency range (millimeter waves) will also play a role in the future for specific local applications with only very short ranges but very large bandwidths. According to EU guidelines, at least 1 GHz of this band must be ready for allocation by the end of 2020. As the availability of these frequencies is comparatively unlimited, the allocation format to be chosen by law is still to be discussed. Austria is therefore still waiting for an allocation – in part due to a lack of identified current needs. 

Addressing for IoT applications 

Every IoT-capable device must be technically “addressable”, i.e. identifiable, in the electronic communications network (fixed and mobile) in order to route the transmission signals to the correct device. In order for it to be possible to have a network of up to one million objects per square kilometre with 5G in the future, it risks a bottleneck situation as a result of the expected number shortage. Number administration is also a fundamentally national task and therefore only becomes effective within the borders of a nation state. This, in turn, can lead to legal problems for IoT services that are cross-border in nature. In any case, the implementation of the EECC in all European Member States should facilitate access to the relevant numbering re- sources for IoT providers. 

Art. 93 to 97 EECC embed four fundamental principles that are essential for IoT. They explicitly state that ‘access to numbering resources on the basis of transparent, objective and non-discriminatory criteria is essential for undertakings to compete in the electronic communications sector. [...]’. In any event, numbering resources must be managed efficiently because of technical constraints. Although this principle is not new, it is helpful, as it is explicitly addressed in Articles 93(4), 94(1) and 94(5). In the future, Member States must also ensure the over-the-air provision of SIM card profiles in order to facilitate the change of provider (Art. 93 (6) EECC). 

In addition, according to Art. 93 (4) 1 EECC Member States must establish a regulatory framework for national authorities to make available a range of non-geographic numbers that can be used for the provision of electronic communications services other than interpersonal ones throughout the EU. This closes a legal gap for M2M applications and so, in principle, the EECC has succeeded in finding a future-proof solution for number resources in connection with future IoT services. Unfortunately, national implementation will have to wait a little longer. 

Security of networks and services in IoT 

In connection with IoT applications, additional threat scenarios arise which must be taken into account as part of the architecture and operation of such networks. Security is extremely important for the acceptance and marketability of IoT applications. The Network and Information Security Directive of 2016 was a first step towards general regulation. Currently, the 5G Network Security Toolbox published on 29.01.2020, which has already been partially implemented in Austria by the Network Security Ordinance of June 2020, must be taken into account. 

M2M as an electronic communications service 

M2M services are already widespread application examples for IoT services and come in various forms. The answer to the question of which relevant legal provisions under electronic communications law apply to IoT depends crucially on whether parts of an IoT service are legally regarded as “communications services” within the meaning of the EECC. If a communications service exists, it is subject ex lege to special regulations which do not apply to other services. 

For example, if special security regulations for services have to be observed, special data protection regulations or specific consumer protection regulations apply. Art. 2 no. 4 lit. c) EECC defines “electronic communications services” as “a service normally provided for remuneration via electronic communications networks, which – with a few exceptions – encompasses services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting.” 

M2M is thus subject to a concrete regulation expresses verbis in the EECC. The (technical) transmission of signals has already been regarded as a constitutive criterion for qualification as an electronic communications service. Recital 15 EECC also makes this clear and is very helpful for a legal assessment. In turn, remuneration can be quickly affirmed where a fee is payable for IoT services within the framework of a contractual relationship. However, the remuneration of the exchange of services is not lost even if the service is provided free of charge to the user or where the exchange of services is carried out either differently or by others (e.g., through advertising financing). Also “payment” with personal (person-related) data can be described as remuneration. For example, the recitals of the EECC clearly state that “the concept of remuneration should therefore encompass situations where the provider of a service requests and the end-user knowingly provides personal data within the meaning of Regulation (EU) 2016/679 or other data directly or indirectly to the provider.” 

Roaming and IoT 

Many business models based on IoT applications are mobility applications that often have to function not only within national borders but also globally. Roaming is therefore an essential part of the business model for cross-border IoT services. The regulation under Art. 6a of the Roaming Regulation, which has been in effect since 15 June 2017, has created a legal basis (“roam like at home”) in at least one major area – this also makes international IoT services possible. By enabling the extraterritorial use of numbers with the EECC, the development of pan-European services will be accelerated at the same time as the Roaming Regulation, however, further clarification is needed to specifically promote new innovative applications. 

The topics discussed here clearly only rep- resent a small part of the many legal issues which have to be faced by telecommunications law. It will have to be checked again and again in each individual case whether an IoT-specific regulation is necessary or whether the existing legal framework is sufficient. Experience to date shows that the second assumption is largely correct. The EECC 2018 and related EU legal acts (e.g., the 2017 Roaming Regulation) have already brought about noticeable developments. 

However, it remains to be seen how the relevant provisions of the EECC will be implemented in practice within the new TKG 2021. It would certainly be desirable to have legal clarification beyond the provisions in the EECC that connects with specific issues. From a regulatory perspective, IoT is in any case a central topic that we will deal with in detail in the future. 


Dr. KLAUS. M. STEINMAURER, MBA, Managing Director at RTR (Picture: APA-Fotoservice/Martin Hörmandinger)

My documents

Add page

There are currently no documents in your basket.