Private Networks: Should They Face EU Regulation? And Does the Commission Know What They Are?

Main takeaways

1. In a recent paper, the European Commission hints at the idea of regulating what it calls “private networks” in the future
2. Yet, the Commission doesn’t seem to have a clear understanding what a private network entails – the concept spans a wide variety of very different networks in reality
3. Plenty of unanswered questions need to be addressed before a discussion about regulating private networks should even be considered

The European Commission’s recent white paper on network infrastructure makes several references to what it describes as “private networks”, with an indication that the Commission wants to apply greater regulatory controls to these networks. While most of the paper’s comments relate to cloud and internet companies’ internal (backbone) connectivity mechanisms, it also references others, such as private mobile networks. 

Given that private networks span a wide variety of types, with no single industry-wide definition, it is clear that much greater detail and precision is required for any meaningful discussion about regulation, irrespective of the intentions for possible future changes. 

This is especially important when considering matters such as security, given that the ‘threat surface’ depends on the technology and accessibility of a given network, as well as the cybersecurity competence and motivations of its operators. 

1. What are private networks exactly?

The term ‘private network’ is widely used in both telecoms and enterprise networking. At a broad level, it refers to a network system that has a closed user group (often within a single company), rather than offering publicly-available telecom services. There are many different deployment scenarios, ownership and operation models, and stakeholders around today.

Terminology and clear definitions are very important here, as the term ‘private network’ has various different meanings. Common uses of the term include the following six:

1. Enterprise private networks, also called wide area networks (WAN), link a company’s sites or data centres, for data exchange and/or voice connectivity. This may include owned (physical) and leased connections, as well as wholesale services. Usually the term also includes the active equipment, such as enterprise-grade routers and switches. These networks have evolved over decades and are commonplace in all parts of Europe’s economy.
2. Enterprise local area networks (LAN) are private on-premise networks run by companies. These are typically owned by the enterprise itself, and operated in-house by the IT department or outsourced to a specialist service provider. A company may have multiple sites, each with its own LAN, which are connected to each other via a private wide area network (WAN).
3. Internet backbone networks are internal networks operated by a telecom operator, cloud company, content delivery network (CDN), academic network, or specialist wholesale operator. They connect data centres and/or internet exchanges with peering points, such networks are national or international (including subsea).
4. Private mobile networks are part of a fast-growing sector covering cellular (4G/5G) networks operated by enterprises, or specialised service providers, connecting particular sites or areas. This happens separate from the normal public services provided by a mobile network operator (MNO). There are multiple technical and business models, but the common theme is access only by ‘closed user groups’.
5. Virtual private networks (VPN) cover a range of options by which portions of public networks are isolated in software, to create a secure partition or virtual domain only accessible to certain users.
6. Network as a Service (NaaS) is a broader category of managed/virtual networks, either fixed or mobile, provided to enterprises as a dedicated service, but with lower needs for an IT department to implement and operate in-house.

There is another added layer of complexity here: some private networks are actually multi-user/multi-tenant. For instance, a private 5G network at an airport might have separate user groups, such as airline staff, fuel companies, caterers, baggage management teams, and security personnel. And implicitly, an internet backbone will effectively be carrying traffic to and from many third-party end users and applications. 

Problematically, the Commission’s white paper discusses none of this, nor does it highlight which type(s) of private networks it actually proposes to regulate. The emphasis of the Commission seems to be on an arbitrary subset of internet backbones, but – to add to the confusion – there is also a footnote referencing Amazon AWS’ private mobile networks (although it is not currently selling such services in Europe) and comments about NaaS.

2. What is covered in the white paper?

The first mention of private networks is in footnote 23 of section 2.2, which references NaaS offers provided by Amazon AWS and Google Cloud for enterprise private wireless networks, which are based on 4G or 5G mobile technology. However, at present, hyperscale cloud companies are not major players in Europe for private cellular NaaS.

In section 2.3 on “Challenges of achieving scale in EU connectivity services”, the following comment is made by the European Commission: “Even if cloud providers run large (backbone) electronic communications networks, these networks are exempt from parts of the electronic communications regulatory framework, notably in the area of access regulation and dispute resolution.”

Section 2.3.4 of the white paper on “Convergence and level playing field” expands on this point. It comments: “large cloud providers operate their own backbone networks and data centres and hand over the traffic deep into the networks of public electronic communication network operators. Consequently, traffic transits mostly on private networks, which are largely unregulated, rather than on public ones.” 

What this refers to is the practice of specialised internet companies (or sometimes enterprises) connecting to public networks at various points closer to users, compared to the typical telecom operator practice of just using one or two centralised internet exchange or peering points. (Note: a later article in this series will cover interconnect in more depth).

Finally, section 3.2.2. on the “Scope of application” of regulatory instruments continues this theme: “Currently, an end-user sends or receives data that “travel” via different networks or network segments (ranging e.g. from submarine cables to local access networks) and that are subject to different applicable rules. It is difficult to justify the rationale for such difference in the applicable rules (for instance, as regards lawful interception).”

3. Should private networks face regulation? If so, for what exactly?

Let us leave aside the definitional vagueness about private networks that plagues the European Commission’s observations for a moment. Allow me to exemplify the problem with the white paper’s thinking about cloud/internet backbones and access. Because networks can be different in many ways – ownership, control, access by the general public, strategic importance, and location/route. 

Given the use of the word “travel” by the Commission, a good analogy is the concept of multi-modal transport for freight, or integrated transport systems for passengers. While these are certainly important and useful trends, nobody suggests a ‘level playing field’ is appropriate for laws and regulations placed on trucks, trains and container ships that move goods, nor for buses, bicycles and trams that are all used to transport people. 

There may be certain standards such as container sizes, or prohibitions on alcohol consumed by drivers, but that does not imply broad commonality in regulation. Instead, there is recognition of the importance of hub locations, as well as physical and virtual mechanisms for making interchange smoother. 

Suggesting that a light van should have the same safety-inspection regime as a freight train would be ridiculous. So would insisting that a motorbike rider’s training and licence should be the same as a bus driver’s.

It is also unclear what particular new rules are being suggested by the Commission here. The paper variously references “access regulation and dispute resolution” and also lawful interception, again without details of how, or to which networks, they might apply.

Considering internet backbones, these are not access (last-mile) networks for which wholesale access regulations would apply. There is significant competition in long-haul networks, both at an infrastructure level and in leased or bitstream services. 

This is how the internet works internally – there are many networks connecting a given user to a given resource (or server), which interconnect in a complex mesh at multiple locations. Essentially, all of those backbones are in some sense ‘private’ – even the telcos’ own transport infrastructure.

It is also important to recognise that the vast bulk of traffic on cloud providers’ internal private networks is internal to the cloud itself – for instance, replication of data between data centres, or connecting between software processing and data storage. Anecdotally, perhaps only 10% of traffic actually relates to servicing customer downloads or uploads, although hard figures are difficult to source.

Many private or backbone networks do not onboard extra commercial tenants, or even have the technical and charging/billing platforms to support them. It is also unclear what types of dispute are reported or envisaged – something that would be necessary in order to understand how and where they are best resolved.

These private network connections actually have a number of benefits for both users and access-network telco operators. Indeed, they reduce the load on public networks’ own internal transport infrastructure, which otherwise would have to carry all traffic to and from central exchange points. They improve speed and capacity for end-user connections, by reducing the number of ‘hops’ that data needs to take, and by storing often-used content in local caches to reduce repeated transfers.  

Private network connections also enable operators to offer new services such as specialised ‘cloud on-ramps’ for businesses, which bypass potentially-congested parts of the public network, and can be used to enhance network security and reliability. They do this by enabling internet companies to perform tasks such as load-balancing, or spotting malicious attacks like distributed denial-of-service efforts.

Relevantly, the UK conducted a consultation into private networks only last year. While it concluded that “there was appetite for a range of future interventions” such as “guidance, education initiatives and ensuring adequate funding for innovation projects on security and resilience” it also noted that “private and public networks should continue to be treated differently due to their distinct security characteristics”.

It is clear from this work that private networks span a great variety of different sectors – not just cloud and content providers but also finance, energy, utilities, industrial, and various others. Many of these sectors have deep security expertise in house, and in some cases are able to pay for more, or higher-paid, cybersecurity specialists than the telecoms sector.

It would seem reasonable for the European Commission to review the UK consultation responses and conclusions, and perhaps first conduct a similar exercise to better understand the usage, definitions, and security aspects of private networks before starting any discussion on their possible regulation.

Conclusions – and questions for the Commission to answer

The European Commission’s brief comments about private networks in its recent white paper actually raise more questions than answers. The term itself is broad and undefined – which means that any regulation could apply to a very broad swathe of connectivity options that are used not just by cloud and tech companies but also other industry sectors, governments, academia, and critical infrastructure operators. 

Much recent discussion – and policy – on private networks is actually about local mobile 4G/5G networks, and not internet backbones. This means additional care is needed, not only because people are mixing up terminology, but also because a debate about local mobile networks should encompass adjacent themes such as spectrum licensing.

As with the findings of my first article, there is a fundamental contradiction here. In its paper, the Commission takes a well-known and understood part of the computing landscape, and then tries to re-imagine it as an integral and fully-converged part of the telecoms sector – and thus subject to the same regulatory rules and oversight as telecom operators, especially for access and wholesale services. 

That is a fundamentally flawed premise. Private data networks have connected data centres and computing resources for decades already – long before the rise of the public internet and the modern cloud and infrastructure-as-a-service markets. CDNs which “hand over the traffic deep into the networks of public electronic communication network operators” as described in the Commission’s white paper, have also been around for more than 25 years.

This means that the European Commission has important clarifications to make – and probably should conduct extra consultations and background research on a more tightly-defined set of issues – before its thinking on private networks can be given proper consideration. Important questions for the Commission to address include:

• There are many private networks unrelated to internet access and backbone connections – notably for major enterprises’ data traffic. Some, such as utility companies, privately operate their own physical fibre and other assets. There are also hundreds – and soon thousands or tens of thousands – of private 4G/5G mobile networks in operation across Europe. Are these also in scope of any proposed regulation the Commission is hinting at?
• A large amount of internet backbone traffic goes over academic networks and CDNs, as well as telcos’ own long-haul transport and backhaul routes. Would the same suggested regulatory arguments apply to these? If not, what are the precise definitions and boundaries proposed that would set them apart?
• For intra-cloud private networks and traffic, some data travels 10cm between two servers in the same rack, some travels 100m between servers in buildings on the same site, and some travels 10,000km between data centres on different continents. Functionally, these private networks are pretty much identical. What would be the distance threshold for any proposed regulatory scrutiny?
• What are the specific security concerns around private networks (of different types) that need to be considered as a result of the paper? Are any proposed regulatory changes relevant and proportionate, and are they already covered by other instruments, such as those concerned with subsea cables?

Until the Commission decides exactly what it means by “private networks” and what challenges it believes they pose, it remains entirely reasonable that different data-transport systems operate under different regulatory regimes. In physical transport regulations we don’t require radar on a bicycle, or passengers of a ship to wear a helmet either.

This guest article is part of a series about the European Commission’s white paper on network infrastructure, and the ongoing consultation (which runs until 30 June), by Dean Bubley, the Director of Disruptive Analysis. 

Bubley is an analyst, advisor and commentator on all aspects of telecoms technology and policy. His focus areas include 5G, 6G, spectrum, FTTP, enterprise/private networks, broadband competition, cloud, IoT, and indoor wireless systems. He is also @disruptivedean on X and writes frequent posts at linkedin.com/in/deanbubley/.