Huawei's amparo against 5G cybersecurity measures deniedAmparo de Huawei contra medidas de ciberseguridad 5G declarado sin lugar

(…) V. Regarding the specific case: In the sub lite, the claimant indicates that [Name 002]. is prepared to participate in the public tender (licitación pública) that ICE will open to implement and operate 5G IMT technology in its networks, given that it is one of the main providers of that technology in this country. It points out that, on August 31, 2023, the Executive Branch enacted and published in La Gaceta the “Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher,” which contains provisions that expressly prevent its represented company from participating in that public competition. It notes that the President of the Republic, the Minister of Science, Innovation, Technology and Telecommunications, and the Executive President of ICE have publicly stated that the enactment of the cited regulation was done with the specific purpose of preventing the participation of companies of various nationalities, especially those of Chinese origin, in the tender procedures aimed at obtaining and operating 5G IMT and higher telecommunications technology for the networks of the respondent institute. It adds that, at 4:20 p.m. on September 5, 2023, its represented company received an email from Huberth Valverde Batista, contracts administrator of ICE, with a questionnaire regarding compliance with the Cybersecurity Regulation No. 44196-MSP-MICITT. It adds that in said communication, they were granted a period of four business days to provide the information. It asserts that the questionnaire is an exact copy of the requirements of the aforementioned regulation, which is direct proof of the imminent publication of the tender and the impact on its represented company, since it will be unable to participate. It states that the foregoing corresponds to the market study required by the Public Procurement Law (Ley de Contratación Pública), prior to the publication of the tender specifications (pliego de condiciones). It mentions that the president of ICE stated that by the end of September he would put the acquisition of 5G Mobile telecommunications technology out to public tender and that they would apply the requirements demanded in the ‘Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher.’ It affirms that the President of the Republic has declared that the enactment of the regulation aimed to prevent the participation of companies of diverse origins in the upcoming public competitions that ICE and SUTEL will open for the acquisition of 5G Mobile telecommunications technology. It adds that the foregoing was ratified by the minister of MICITT. It maintains that the direct and manifest risk faced by its represented company is more than obvious. It asserts that there is a certain, real, effective, and imminent threat, almost at the execution stage, which violates the rights of its represented company. It mentions that the competition that ICE will open will prevent [Name 002]. from participating due to its Chinese origin. It asserts that the company cannot be blamed for the fact that the Government of the People's Republic of China, within its sovereign powers, did not sign the Budapest Convention. It adds that such an instrument was published 18 years before 5G technology was launched on the market, so it is impossible that any of its considerations were related to it. It states that the evaluation factor is outdated and is not directly related to cybersecurity; furthermore, it violates the “principle of technological impartiality” embodied in Chapter XIII of CAFTA. It considers it discriminatory that its represented company is prevented from participating due to a decision by the Chinese government. It maintains that the only way to avoid the transgression of the constitutional rights of free competition, equal participation, and non-discrimination is by suspending the competition, since if it were to materialize, it would cause its represented company an irreversible injury of impossible reparation, as well as reputational damages. It states that ICE's threat to launch a public tender in which it will apply article 10) subsections c), d), e) and f) and numeral 11 of the aforementioned regulation implies a clear violation of the fundamental rights to free concurrence in public procurement and equal treatment of bidders, since the tender specifications will prevent the participation of its represented company in the public procurement. It argues that, pursuant to constitutional article 33, no natural or legal person may be discriminated against for any reason (sex, religious beliefs, ideology, nationality, etc.); however, its represented company is discriminated against both for its ideology and for its nationality. It alleges that it is discriminatory to admit only companies from countries that have signed the Budapest Convention, since this does not strictly refer to cybersecurity issues but focuses on the punishment of computer crimes including: fraud, intellectual property infringements, distribution and possession of child pornography, computer forgery, among others, to apply a common criminal policy among states. It adds that another characteristic of that instrument is international cooperation, an aspect that facilitates the investigation of cyber offenses and which is relevant due to the characteristics of computer crimes and the possibility that they may be committed outside the borders of a country, but with an impact on a specific territory. It explains that discrimination means granting different treatment based on unjust or arbitrary inequalities that are contrary to the principle of equality before the law. It points out that the prohibition of discrimination covers the interdiction of doing so for any personal or social circumstance; that is, any differentiation that lacks objective and reasonable justification can be classified as discriminatory. It formulates the following request: “1.- That my represented company cannot be prevented from participating in the aforementioned public tender by introducing clauses of impossible fulfillment for it, because this violates the fundamental rights to free competition, equal treatment, and the prohibition of discrimination exclusively for ideological and nationality reasons. 2.- That once ICE is notified of the impossibility of moving forward with the public tender so many times cited, this amparo be converted into an unconstitutionality action so that several norms of the challenged Regulation can be eliminated from the legal system and, therefore, cannot be applied in any present or future tender.” In subsequent writings, the legal representative of the plaintiff points out that on November 9, 2023, the ‘TENDER SPECIFICATIONS FOR THE ACQUISITION OF: GT-ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND’ was published, which contains requirements of impossible fulfillment for his represented company because its parent company is located in the People's Republic of China. In addition, compliance is imposed with the aspects alluding to the management and mitigation of risks contained in the ‘Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher,’ as well as the standards contemplated therein. He asserts that the foregoing violates the rights of his represented company to free competition and equal participation in public competitions and to not be discriminated against based on the origin of the company. He adds that his represented company cannot comply with section 3 “CiberSeguridad RAN-CORE Móvil 5G,” which excludes Huawei from the competition by requiring: “‘3. 5G MOBILE RAN-CORE CYBERSECURITY SECTION. 3.1. The bidder must comply with all aspects relating to the management and mitigation of risks contained in the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT, when planning, designing, and implementing their technical offer, for which they must provide, together with the offer, the risk management and mitigation plan in accordance with the aforementioned regulations. 3.2. The bidder must submit a sworn statement indicating that they comply with the adoption of the following cybersecurity standards:

3.3. In accordance with article 10 of the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT, which indicates that a single supplier for hardware and software in critical network elements cannot be used, ICE may not award the Mobile CORE (items 3 and 4) and the mobile access network (items 1 and 2) to the same bidder. In the event that the bid participates for the Mobile CORE (items 3 and 4) and the mobile access network (items I and 2) and meets all technical, financial, and legal aspects and ranks first in price for all the mentioned items, ICE will award only items I and 2 (mobile access network) to this bidder, and items 3 and 4 (Mobile Core) will be awarded to the second-place bidder in price, in order not to have a single supplier for hardware and software in critical network elements, the foregoing in compliance with article 10 of the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT. 3.4. The bidder must submit a sworn statement indicating that its headquarters are in a country that has expressed its consent to be bound by compliance with the Convention on Cybercrime (Budapest Convention). For which it must attach supporting documentation. ICE reserves the right to verify the validity (sic) of the information provided. 3.5. The bidder must submit a sworn statement indicating whether or not the factory headquarters is susceptible to pressure from a foreign government by regulatory provision or official public policy of said foreign government, in relation to the location or execution of its operations. 3.6. The bidder must submit a sworn statement indicating whether it is based in a country, or in any way, is subject to the direction of a foreign government with established laws or practices that may require it to share the information of end users of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests.’ He states that they filed an objection appeal (recurso de objeción); however, the arguments related to the mentioned section were rejected. He maintains that, based on the foregoing, discrimination against the plaintiff due to its nationality was configured.

From the study of the case file, it has been proven that the company [Name 002]. with legal identification number [Value 001] is registered in the National Registry of Costa Rica. In Supplement No. 166 to La Gaceta No. 159 of August 31, 2023, Executive Decree No. 44196-MSP-MICITT was published, by which the ‘Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher’ was issued. On September 5, 2023, the Telecommunications Management of ICE, through the Contract Administration Area, sent Huawei, Nokia, Ericsson, GBM Costa Rica, and Rakuten an electronic communication with the following inquiries: “Good afternoon: In view of the regulation issued regarding (sic) the issue of cybersecurity for 5G technology in Costa Rica, we request (sic) you indicate compliance with the following points by your represented company, this for the purpose of conducting a market study: 1. The supplier may comply with all aspects relating to the management and mitigation of risks contained in this regulation, when planning, designing, and implementing its technical offer. 2. Indicate compliance with the following cybersecurity standards:

3. That the offered solution is not from a single supplier regarding hardware and software. Understood as Hardware and Software Suppliers: Entities that provide services or active equipment to the subjects included in article 2 of this regulation. This category includes: i) manufacturers of telecommunications equipment; and ii) other external suppliers, such as cloud infrastructure providers, system integrators, security and maintenance contractors, and transmission equipment manufacturers, when these are responsible for configuring and integrating the active equipment and software of the solution. 4. Indicate if its headquarters are in a country that has expressed its consent to be bound by compliance with the Convention on Cybercrime (Budapest Convention). 5. Whether or not the supplier is susceptible to pressure from a foreign government by regulatory provision or official public policy of said foreign government, in relation to the location or execution of its operations. 6. Indicate if it is based in a country, or in any way, is subject to the direction of a foreign government with established laws or practices that may require it to share the information of end users of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests. The required information must be responded to by the next September 8, 2023.” On September 11, 2023, from the address <[email protected]>, the following was sent to the email <[email protected]>: “Dear Huberth, I hope you are very well. Through this medium, I allow myself to respond to the inquiries sent last September 5. 1. The supplier may comply with all aspects relating to the management and mitigation of risks contained in this regulation, when planning, designing, and implementing its technical offer. Huawei has the capacity to comply with all the technical and security requirements defined, standardized, adopted, and tested by the industry, regarding the Design, Implementation, and Operation of mobile networks (3G, 4G, and 5G). 2. Indicate compliance with the following cybersecurity standards:

Table No.1

3. That the offered solution is not from a single supplier regarding hardware and software. Understood as Hardware and Software Suppliers: Entities that provide services or active equipment to the subjects included in article 2 of this regulation. This category includes: i) manufacturers of telecommunications equipment; and ii) other external suppliers, such as cloud infrastructure providers, system integrators, security and maintenance contractors, and transmission equipment manufacturers, when these are responsible for configuring and integrating the active equipment and software of the solution. Given that the wording of the article, to which this question refers, lends itself to interpretations, we recommend that it be clarified with the relevant instances which of the following types of diversity they are considering: a) Horizontal, which indicates two manufacturers in the same network layer (Access, Core, etc.). For example, assigning the mobile access (RAN) of one region to one manufacturer and in another region to another manufacturer. b) Hybrid (sic), which indicates having manufacturers for the Hardware and others for the software in each network layer. 4. Indicate if its headquarters are in a country that has expressed its consent to be bound by compliance with the Convention on Cybercrime (Budapest Convention). [Name 002], is a company incorporated under the laws of the Republic of Costa Rica, our global manufacturing headquarters is in China. 5. Whether (sic) the supplier is or is not susceptible to pressure from a foreign government by regulatory provision or official public policy of said foreign government, in relation to the location or execution of its operations. Huawei is an independent private company. The operation, decision-making, and management of Huawei are not controlled by any government or third parties. 6. Indicate if it is based in a country, or in any way, is subject to the direction of a foreign government with established laws or practices that may require it to share the information of end users of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests. Huawei is an independent private company. The operation, decision-making, and management of Huawei are not controlled by any government or third parties. Additionally, our line of business is the supply of Telecommunications equipment and its installation. The telecommunications service provider is the one who manages User data. I remain at your service for any comment or additional inquiry.” The director of the General 5G Program of the Infrastructure and Spectrum Planning Directorate of the Telecommunications Management of ICE, in internal technical report 9191-1520-2023 of October 6, 2023, recorded: “1. Executive Decree No. 44196-MSP-MICITT called “Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher” issued by the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications, as previously mentioned, came into effect on August 31, 2023. (See Annex No. 1)” 2. This Regulation, as indicated in article 1, “has the purpose of establishing cybersecurity measures to guarantee the safe use and exploitation, with the safeguarding of people's privacy, of networks and telecommunications services based on fifth-generation mobile technology (5G) and higher.” Likewise, article 2 establishes the following: (See Annex No. 1) “Article 2—Scope of application. The active operation of networks and services based on fifth-generation mobile technology (5G) and higher is subject to this regulation, by natural or legal persons, public or private, national or foreign, that operate networks or provide telecommunications services based on fifth-generation mobile technology (5G) and higher that originate, terminate, or transit through the national territory, excepting the operation of private telecommunications networks. In the case of public procurement processes aimed at enabling networks and services based on fifth-generation mobile technology (5G) and higher, as well as active technological equipment necessary for their deployment, for the use and exploitation of the radioelectric spectrum, the Administration or contracting entity must adopt suitable mechanisms to verify that potential bidders have considered all aspects relating to the management and mitigation of risks contained in this regulation, when planning, designing, and implementing their technical offer. In the event of being awarded the contract, the provisions of this regulation shall be mandatory during the operation of the networks and provision of services based on fifth-generation mobile technology (5G) or higher.” (The highlighting, with the exception of the article title, is provided). 3. Given the entry into force of said Regulation, mandatory for operators and providers of telecommunications services, on September 5, 2023, the Telecommunications Management of ICE, through the Contract Administration Area, and for the purposes of a market study, sent to potential interested parties (Huawei, Nokia, Ericsson, GBM Costa Rica, and Rakuten) an electronic communication with the following wording and inquiries: (See Annex No. 2) “Good afternoon: In view of the regulation issued regarding (sic) the issue of cybersecurity for 5G technology in Costa Rica, we request (sic) you indicate compliance with the following points by your represented company, this for the purpose of conducting a market study: 1. The supplier may comply with all aspects relating to the management and mitigation of risks contained in this regulation, when planning, designing, and implementing its technical offer. 2. Indicate compliance with the following cybersecurity standards:

3. That the offered solution is not from a single supplier regarding hardware and software. Understood as Hardware and Software Suppliers: Entities that provide services or active equipment to the subjects included in article 2 of this regulation. This category includes: i) manufacturers of telecommunications equipment; and ii) other external suppliers, such as cloud infrastructure providers, system integrators, security and maintenance contractors, and transmission equipment manufacturers, when these are responsible for configuring and integrating the active equipment and software of the solution. 4. Indicate if its headquarters are in a country that has expressed its consent to be bound by compliance with the Convention on Cybercrime (Budapest Convention). 5. Whether or not the supplier is susceptible to pressure from a foreign government by regulatory provision or official public policy of said foreign government, in relation to the location or execution of its operations. 6. Indicate if it is based in a country, or in any way, is subject to the direction of a foreign government with established laws or practices that may require it to share the information of end users of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests. The required information must be responded to by the next September 8, 2023.” 4. On September 8, 2023, at 12:24 p.m., via email, Mr. Juan Carlos Blanco Infante of the company NOKIA responded to the inquiries made, as demonstrated in Annex No. 3 of the Technical Report, for which confidentiality is requested given that said data is protected under agreements that safeguard this type of information. 5. On September 8, 2023, at 3:46 p.m., via email, Mr. Mustafa Syed of the company Rakuten responded to the inquiries made, as demonstrated in Annex No. 4 of the Technical Report, for which confidentiality is requested given that said data is protected under agreements that safeguard this type of information. 6.

On September 8, 2023, at 6:29 p.m. via email, Mr. Neil Baute of the company Ericsson responded to the inquiries made, as demonstrated in Technical Report Annex No. 5, for which confidentiality is requested given that such data is protected by agreements that safeguard this type of information. 7. On September 8, 2023, via official letter UL-2023-0460, Mr. Eduardo Blanco González of the company GBM de Costa Rica, responded to the inquiries made, as demonstrated in Technical Report Annex No. 6, for which confidentiality is requested given that such data is protected by agreements that safeguard this type of information. 8. On September 11, 2023, Mr. Marcel Aguilar Sandoval of the company Huawei Tecnologies (sic) Costa Rica, responded to the inquiries made, as demonstrated in Technical Report Annex No. 7, for which confidentiality is requested given that such data is protected by agreements that safeguard this type of information. 9. Regarding the responses of Huawei Tecnologies (sic) Costa Rica, as the Honorable Constitutional Chamber will be able to verify, there is no evidence that said company had any kind of disagreement with what was consulted. (See Technical Report Annex No. 7). 10. To date, what ICE has carried out is a market study, in accordance with Article 85 of the Regulation to the General Law of Public Procurement, with the potential suppliers of 5G telecommunications network technology, to verify market conditions and check their compliance in cybersecurity matters, pursuant to the provisions of the aforementioned Decree; that is, there is currently no publication of a set of conditions for a specific tender, as provided by the General Law of Public Procurement. (…) • The inquiries made by ICE, in the market study phase, are in accordance with the provisions established in Executive Decree No. 44196-MSP-MICITT called "Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher," issued on August 25, 2023, by the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications, published in Supplement No. 166 of the Official Gazette La Gaceta of August 31, 2023, in force from that date. • Said regulation issued by the Executive Branch is mandatory for ICE, as explained above. • If ICE fails to comply with the provisions of the Regulation, it will be subject to the administrative sanctioning regime of the General Telecommunications Law No. 8642 (LGT). • According to what was indicated in the response to fact five, there is no evidence that Huawei Tecnologies (sic) Costa Rica had any kind of disagreement when responding to ICE's inquiries concerning the Regulation in question within the framework of the market study conducted. (…) to date, what ICE has carried out is a market study, in accordance with Article 85 of the Regulation to the General Law of Public Procurement, with the potential suppliers of 5G telecommunications network technology, to verify market conditions and check their compliance in cybersecurity matters, pursuant to the provisions of the aforementioned Decree; that is, there is currently no publication of a set of conditions for a specific tender, as provided by the General Law of Public Procurement. (…)". On November 9, 2023, ICE published on SICOP the "SET OF CONDITIONS FOR THE ACQUISITION OF: GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ON DEMAND", which, in relevant part, states: "3. CYBERSECURITY SECTION RAN-CORE MOBILE 5G. 3.1. The bidder must comply with all aspects alluding to the risk management and mitigation contained in the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT, when planning, designing, and implementing their technical proposal, for which they must provide, together with the proposal, the risk management and mitigation plan in accordance with the aforementioned regulations. 3.2. The bidder must submit an affidavit stating that it complies with the adoption of the following cybersecurity standards:

3.3. In accordance with Article 10 of the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT, which states that there cannot be a single supplier for hardware and software in critical network elements, ICE may not award the Mobile CORE (items 3 and 4) and the mobile access network (items 1 and 2) to the same bidder. In the event that a bid is submitted for both the Mobile CORE (items 3 and 4) and the mobile access network (items 1 and 2) and meets all technical, financial, and legal aspects and occupies first place in price for all the aforementioned items, ICE will award only items 1 and 2 (mobile access network) to this bidder, and items 3 and 4 (Mobile Core) will be awarded to the second place in price, in order to avoid having a single supplier for hardware and software in critical network elements, in compliance with Article 10 of the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT. 3.4. The bidder must submit an affidavit indicating that its headquarters is in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention). Supporting documentation must be attached. ICE reserves the right to verify the validity of the information provided. 3.5. The bidder must submit an affidavit indicating whether or not the factory headquarters is susceptible to pressure from a foreign government by normative provision or official public policy of said foreign government, in relation to the location or execution of its operations. 3.6. The bidder must submit an affidavit indicating if it is based in a country, or, in any way, is subject to the direction of a foreign government with established laws or practices that may require them to share the information of end users of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests. 3.7. For the 5G requirements specifically applicable to the CORE, the following must be met: 3.7.1 The contractor must execute, within the contractual execution period, backups of all systems involved in the CORE; these backups must be performed on the institutional systems arranged for this purpose. 3.7.2 There must be execution of periodic penetration tests; these must be negotiated between the manufacturer and the contractor with ICE; these tests will be performed by the ICE cybersecurity areas arranged for these matters. 3.7.3 There must be an integration with a vulnerability management system based on cyber risk; it must allow integration with the solutions arranged at the institutional level. 3.7.4 There must be patch and update management involving the manufacturer and the contractor, for which a defined update schedule is required that allows closing cybersecurity gaps within a period negotiable with ICE. 3.7.5 Replication of records in CEF or Syslog format to the institutional event correlation solution or SIEM, which allows for the detection and analysis of possible suspicious activities or attacks and response to cybersecurity incidents. 3.7.6 In the 5G CORE element, the bidder must present solutions aimed at protecting an IP-based service architecture, preventing common botnet attacks or vulnerabilities through the internet, so that critical services are not degraded and remain available to legitimate users. 3.7.7 For the 5G CORE element, the bidder must present solutions aimed at protecting the main network functions, namely: a) Access and Mobility Management Function (AMF). b) Authentication Server Function (AUSF). c) Unified Data Management Function (UDM). These solutions must protect stored authentication and subscription data against similar botnet threats and DDoS attacks. 3.7.8 For the 5G CORE element, the bidder must present solutions that allow encrypted use for the Internet Protocol Security (IPSec) protocol for non-3GPP access types, preventing common botnet attacks or vulnerabilities through the internet, or DDoS attacks. Considering the 5G requirements specifically those applicable to the Radio Access Network (RAN). 3.8 For the 5G requirements specifically applicable to the RAN, the following must be met: 3.8.1 The contractor must execute, within the contractual execution period, backups of all systems involved in RAN; these backups must be performed on the institutional systems arranged for this purpose. 3.8.2 There must be execution of periodic penetration tests; these must be negotiated between the manufacturer and the contractor with ICE; these tests will be performed by the ICE cybersecurity areas arranged for these matters. 3.8.3 There must be an integration with a vulnerability management system based on cyber risk; it must allow integration with the solutions arranged at the institutional level. 3.8.4 There must be patch and update management involving the manufacturer and the contractor, for which a defined update schedule is required that allows closing cybersecurity gaps within a period negotiable with ICE. 3.8.5 Replication of records in CEF or Syslog format to the institutional event correlation solution or SIEM, which allows for the detection and analysis of possible suspicious activities or attacks and response to cybersecurity incidents. 3.8.6 In the 5G RAN element, the bidder must present solutions aimed at protecting 5G systems and networks that use antennas for Multiple Input Multiple Output (MIMO), ensuring the spectrum bands assigned to this function. 3.8.7 In the 5G RAN element, the bidder must present solutions aimed at protecting transmission and reception data and signaling through encryption that protects their integrity. 3.8.8 In the 5G RAN element, the bidder must present solutions aimed at protecting against potential threats from malicious base stations (RBS), which can generate man-in-the-middle (MiTM) attacks between the user equipment (UE) and the mobile network, preventing common DDoS attacks or vulnerabilities. 3.9 For the 5G requirements specifically applicable to UE, the following must be met: 3.9.1 For the 5G UE element, the bidder must present solutions aimed at protecting against possible threats such as mobile Botnets, DDoS attacks, attacks by device infection (viruses, worms, etc.), and malicious content downloads from the internet. (…)". On December 18, 2023, the company [Name 002] submitted a bid on five of the six items of the electronic file 2023XE000023-0000400001 described as "GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ON DEMAND".

From this perspective, the Chamber dismisses any situation that, at this time, warrants its intervention.

First, at the date of filing this appeal, ICE had not published any tender for procurements related to 5G telecommunications network technology, but had only conducted a study with potential suppliers to verify market conditions and aspects related to cybersecurity. Notwithstanding the foregoing, while the set of conditions was not published until November 9, 2023 (during the processing of this proceeding) and not in the periods alluded to in the filing brief, it is no less true that, essentially, the claimant questions the implementation of requirements alluding to risk management and mitigation, as well as the standards contemplated in the 'Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher'; specifically, it claims the alleged impossibility for [Name 002] to meet the requirements established therein.

Now, the aforementioned regulation, in relation to the allegations of the appellant, states:

"Article 2–Scope of application. The active operation of networks and services based on fifth-generation mobile technology (5G) and higher is subject to this regulation, by individuals or legal entities, public or private, national or foreign, that operate networks or provide telecommunications services based on fifth-generation mobile technology (5G) and higher originating, terminating, or transiting through the national territory, except for the operation of private telecommunications networks.

In the case of public procurement processes aimed at enabling networks and services based on fifth-generation mobile technology (5G) and higher, as well as the active technological equipment necessary for their deployment, for the use and exploitation of the radio spectrum, the Administration or contracting entity must adopt the appropriate mechanisms to verify that potential bidders have considered all aspects alluding to risk management and mitigation contained in these regulations when planning, designing, and implementing their technical proposal. In the event of being awarded the contract, the provisions of this regulation shall be mandatory during the operation of networks and provision of services based on fifth-generation mobile technology (5G) or higher.

(…)

Article 6– Adoption of standards. The subjects included in the scope of application of Article 2 of this Executive Decree must adopt, implement, and maintain cybersecurity standards and/or frameworks, including the following:

(…)

Article 10– High-risk parameters. The subjects included in the scope of application of Article 2 of this Regulation must consider the following high-risk parameters for the operation of 5G or higher telecommunications networks and the provision of their services:

(…)

• c)When the subjects included in the scope of application of Article 2 of this Regulation or their hardware and software suppliers are susceptible to pressure from a foreign government by normative provision or official public policy of said foreign government, in relation to the location or execution of their operations.
• d)When the subjects included in the scope of application of Article 2 of this Regulation or their hardware and software suppliers are based in a country, or, in any way, are subject to the direction of a foreign government with established laws or practices that may require them to share the information of end users of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests.
• e)When the subjects included in the scope of application of Article 2 of this Regulation use hardware and software suppliers having their headquarters in a country that has not expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention).
• f)When the subjects included in the scope of application of Article 2 of this regulation use hardware and software suppliers that do not comply with the cybersecurity standards set forth in Article 6 of this Regulation.

Article 11. Applicable measures upon identification of high risk. When any of the subjects included in the scope of application of Article 2 of this Regulation identifies the presence of any one or several of the high-risk parameters set forth in the previous article, it must inform the Superintendency of Telecommunications (Sutel) in accordance with the provisions of Article 42 of the General Telecommunications Law, No. 8642, within 3 (three) calendar days following its identification and adopt the appropriate technical and administrative measures to guarantee the security of its networks and services.

When the presence of any one or several of the high-risk parameters is identified by the subjects included in the scope of application of Article 2 of this Regulation, it shall be subject to the immediate adoption of the following technical cybersecurity measures:

• 1)They may not be used in critical elements of the network, telecommunications equipment, transmission systems, switching or routing equipment, and other resources that allow the transport of signals, as they represent a high cybersecurity risk for 5G and higher networks, and national security. For this purpose, the following are declared critical elements of the 5G and higher network: i. Those relating to the functions of the network core. ii. The control and management systems and support services. iii. The access network in those geographical areas and locations that provide coverage to centers linked to national security and the provision of essential public services.
• 2)Carry out the replacement of equipment, products, and services of the 5G and higher network when necessary, for which it must take into account the market situation of hardware and software suppliers, the alternative supply of viable substitute equipment and products, the implementation of those equipment and products in the 5G and higher network, especially in critical network elements, the intrinsic difficulty of carrying out the replacement of equipment, equipment update cycles, as well as its economic impact. In no case may the equipment replacement period exceed five years, counted from its classification as high risk.

Compliance with these regulatory provisions must be considered for the operation of 5G and higher networks and their services, in accordance with the provisions of Article 49, numerals 1 and 3 of Law No. 8642, General Telecommunications Law".

In this regard, ICE acknowledged that the inquiries made were based on the regulation in question and, indeed, the published set of conditions makes express reference to aspects relating to the management and mitigation of cybersecurity risks contained in such normative body; however, taking into consideration the terms set forth by the claimant, no manifest and express provision is observed that arbitrarily, absolutely, and unjustifiably prevents the participation of companies solely by reason of their origin. Precisely, without analyzing the merits of each of the regulatory provisions, it can be observed that, according to said normative body, companies with high-risk parameters may adopt "appropriate technical and administrative measures to guarantee the security of their networks and services"; even the set of conditions for the procurement in question expressly stated that "when planning, designing, and implementing their technical proposal, for which they must provide, together with the proposal, the risk management and mitigation plan in accordance with the aforementioned regulations". Now, it is not for this constitutional jurisdiction to analyze whether or not ICE contemplated all the provisions contained in the regulation, nor whether it indirectly limited the participation of companies with unjustified requirements from a technical standpoint. Ergo, if there were any disagreement with the conditions and other technical specifications, this must be aired in ordinary channels. Likewise, the appropriate technical and administrative measures to guarantee the security of networks and services in companies with high-risk parameters are properly to be aired in ordinary channels.

In relation to the above, it is important to mention that matters relating to technology for the telecommunications network, as well as cybersecurity requirements and standards in Costa Rica (for example, ISO/IEC, SCS standards, among others), are technical aspects, in principle, proper to state public policies which, unless they entail some affectation to the essential core of fundamental rights or manifestly transgress the block of constitutionality, constitute matters of government. Hence, prima facie, their appropriateness, convenience, or timeliness is not properly to be assessed by this Court, by virtue of the constitutional judge's principle of self-restraint. In that sense, the claimant's arguments do not demonstrate any arbitrariness contrary to the Law of the Constitution, so, at this time, it is not for the Chamber to analyze the general technical content of such standards, nor to assess whether the European Convention on Cybercrime (an instrument ratified in our country through Law No. 9452) is essential for the implementation of fifth-generation mobile technology. Ergo, if [Name 002] wishes to challenge the technical requirements established by ICE in section 3 "Cybersecurity RAN-CORE Mobile 5G" of the "SET OF CONDITIONS FOR THE ACQUISITION OF: GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ON DEMAND", or, if it considers that it meets or exceeds the parameters put out to tender without exposing the country to cybersecurity risks, it may raise its arguments in the administrative venue, or, in the ordinary jurisdictional channel, for the purpose of subjecting its position to adversarial proceedings and broadly evacuating the evidence it deems pertinent.

Likewise, even though discrimination is alleged, as indicated above, no manifest situation in that sense is verified and, moreover, no comparable comparative elements are provided that allow, at this time and through this amparo appeal, analyzing any transgression of the principle of equality with respect to other individuals or legal entities.

In addition, while a violation of the "principle of technological impartiality" contained in Chapter XIII of the Free Trade Agreement between the Dominican Republic, Central America, and the United States is alleged, the Chamber prima facie does not consider that the alleged principle constitutes a parameter of constitutionality for the specific case, given the generality and abstraction with which the argument was raised and the commercial nature within which such agreement is framed. Note that the claimant does not explain in what terms the alleged affectation to [Name 002] (a company incorporated in Costa Rica and registered in the National Registry of this country) would contravene the stipulations adopted between the Dominican Republic, Central America, and the United States, in a way that would be significant for the Law of the Constitution. It is worth noting that the Minister of Science, Innovation, Technology and Telecommunications, pointed out that: "the principle of flexibility in technological options (technological neutrality) arises within the framework of the commercial opening process of the telecommunications sector, as part of the 'IV. Regulatory Principles approved in Annex 13 of the 'Specific Commitments of Costa Rica in Telecommunications Services' of the Free Trade Agreement Dominican Republic-Central America-United States (FTA) Law No. 8622, which in relevant part provides: '10. Flexibility in Technological Options Costa Rica shall not prevent suppliers of public telecommunications services from having the flexibility to choose the technologies they use to supply their services, subject to the requirements necessary to satisfy legitimate public policy interests.' (Emphasis added) From this regulatory principle, it follows that in telecommunications matters, operators and providers of services available to the public indeed enjoy the flexibility to choose the technologies they prefer to operate public networks and supply their services, for example, to provide International Mobile Telecommunications services known as IMT (in any of their technically available generations), provided they satisfy legitimate public policy interests. In this area, it is important to note that public policy in telecommunications matters is defined through the National Telecommunications Development Plan (PNDT) 2022-2027 'Costa Rica: Towards inclusive digital disruption', which was approved by the Executive Branch through Executive Decree No. 43843-MICITT published in the Official Gazette La Gaceta No. 5 dated January 13, 2023, (…). Therefore, the public policy for the operation of networks and the provision of telecommunications services is embodied in the National Telecommunications Development Plan (PNDT) 2022-2027 'Costa Rica: Towards inclusive digital disruption', with the objective of charting the sector's development from the perspective of sectoral public policy, to address the challenges of telecommunications in the coming years. It must be emphasized that in its section '3.3.3.3 Costa Rica National Cybersecurity Strategy', the PNDT 2022-2027 indicates that 'The cybersecurity strategy dates from 2017 and seeks actions conducive to data assurance and online protection in different aspects, considering the person as a priority, respect for human rights and privacy, coordination with multiple stakeholders, and international cooperation'. Consequently, in the terms presented, the alleged disagreement on this point is proper to be clarified through the channels provided for such purposes.

Furthermore, the claimant seeks a ruling sustaining the appeal in order to order that its represented party cannot be prevented from participating in a public tender through clauses impossible for it to fulfill; however, as indicated above, no transgression of the Law of the Constitution was verified, so determining whether or not it can meet the requirements, as well as their technical basis, constitute issues of legality that, in principle, exceed the summary nature of the amparo appeal.

In that regard, determining whether the offerors can justify or provide reasons for alleged restrictions are aspects proper to be clarified in the procurement procedure, or else, in the ordinary jurisdictional venue so that they may subject their position to adversarial process and adduce the technical evidence they deem pertinent.

On the other hand, in a brief subsequent to the course of this proceeding, the claimant alleges the unconstitutionality and unconventionality of the 'Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores' for the purposes of numeral 75 of the Ley de la Jurisdicción Constitucional; however, this remedy, for the considerations set forth above, does not constitute a reasonable means to protect the right or interest considered injured.

For the considerations set forth, not only is the requested precautionary protection prima facie improper, but it is proper to dismiss the remedy in its entirety. (...)" ... See more Content of Interest:

Content type: Voto de mayoría Branch of Law: 6. LEY DE LA JURISDICCIÓN CONSTITUCIONAL ANOTADA CON JURISPRUDENCIA Topic: 034- Legitimación pasiva. Litis consorcios Subtopics:

NOT APPLICABLE.

ARTICLE 34 OF THE LEY DE LA JURISDICCIÓN CONSTITUCIONAL

"(...) I.- On the co-adjuvancies raised. According to Article 34 of the Ley de la Jurisdicción Constitucional, third parties to the proceeding may file a co-adjuvancy petition, which is a form of adhesive intervention that occurs when a person acts in a proceeding by adhering to the claims of one of the main parties. Consequently, one who holds a direct interest in the outcome of the remedy is legitimized to act as a co-adjuvant; however, not being a principal actor, the co-adjuvant shall not be directly affected by the judgment, that is, the efficacy thereof may not reach them directly and immediately, nor does the res judicata status of the ruling affect them (See, among others, judgments number 3235 at 9:20 a.m. on October 30, 1992, and judgment 2010-000254 at 11:28 a.m. on January 8, 2010). In this case, the passive co-adjuvancy of Silvia Patricia Castro Montero, president of the Cámara Costarricense Norteamericana de Comercio, is admitted, since, given its nature, it could indeed have a direct interest in the outcome of this proceeding. (...)" VCG08/2024

... See more Content of Interest:

Content type: Voto salvado Branch of Law: 4. ASUNTOS DE GARANTÍA Topic: CONTRATOS O LICITACIONES Subtopics:

LICITACION.

VI.- Dissenting vote of Judges Cruz Castro and Araya García.- To grant a deadline to file the unconstitutionality action against the Regulation in question:

We consider that in this case a different approach from that prevailing in the majority vote must be taken. The issue has a dimension directly related to fundamental rights (consumer rights and internet access), so it is not a matter for this Jurisdiction to hear, under amparo, the technical issues related to cybersecurity, but rather it is appropriate to examine whether the rules of the regulation in question that provide for excluding (or classifying as high risk, which amounts to the same thing) certain companies from a public bidding (licitación pública), by reason of their nationality, are consistent with the Law of the Constitution.

Thus, due to the transcendence of the matter in question and its impact on the fundamental rights of internet access for the entire population, it is proper to grant to the petitioner the deadline established in the Ley de la Jurisdicción Constitucional to file the corresponding unconstitutionality action against the norms it considers unconstitutional of the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (SG) y Superiores". That, so that this amparo serves as the base matter for the action, if an action has not already been filed in that regard. This amparo is not, in reality, about questioning ICE's technical criteria, but rather what the norms of a regulation provide and their impact on fundamental rights.

As observed, the amparo remedy also proceeds against threats (Article 29 Ley de la Jurisdicción Constitucional). In this case, it is indicated that the public bidding (licitación pública) that ICE will launch to implement and operate 5G IMT technology in its networks will be based on the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (SG) y Superiores", and threatens the rights of the company protected by the amparo because said regulation contains provisions that expressly prevent the participation of its represented party in that public contest. Provisions that, therefore, the petitioner considers, are contrary to the constitutional rights of free competition, equality of participation, and non-discrimination.

In view of the foregoing, we consider that the appropriate course in this case is to grant the petitioner a deadline to file the corresponding unconstitutionality action —so that this amparo serves as the base matter for the action—, against the norms of the regulation in question, which it considers are unconstitutional. Note that an a priori exclusion of participants from a public bidding (licitación pública) has a direct impact on the services that the consumer will receive, since the principle of free participation results in better protection of consumer rights. The more offerors participate, the greater the transparency and assessment in the selection of the public telecommunications service. A restrictive regulation on the number of offerors for this public service would have a direct impact on rates, the digital divide, and, in general, on the fundamental right of internet access.

In the unconstitutionality action, it will be possible to examine in greater detail whether the a priori exclusion of countries that have not adhered to the Budapest Convention (2001) is reasonable, or if, on the contrary, it is discriminatory, a violation of the principle of free participation in public biddings (licitaciones públicas) and threatens consumer rights.

As this Chamber has indicated (see vote no. 2010-10627, and among others 2010-12790, 2011-8408, 2017-11212), there is a true fundamental right to communication derived from the right to freedom of expression, the right to information, and the right to internet access. Particularly in the aforementioned 2017 judgment, where this Chamber examined the fair use policy for internet access, it was indicated that internet access is not only a fundamental right in itself but that "(…) it is a tool that incalculably enhances the exercise of other fundamental rights: it democratizes knowledge by putting an immeasurable amount of information within the reach of any person; facilitates citizen participation in state management, promoting transparency in public administration; establishes means for people to exercise their freedom of expression; constitutes a work tool for many professions, even those outside the field of information technology." From this derived the State's obligation to "protect persons against threats that seek to unjustifiably limit said right, but it also entails the State's obligation to ensure its progressive growth and improvement, as well as the implementation of new technologies that enhance the right of Internet access." Therefore, due to the direct impact that the regulation would have on the public bidding (licitación pública) related to Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (SG) y Superiores, and due to its intimate connection with the fundamental right of internet access, the proper course in this case is to examine the regulation in question in an unconstitutionality action proceeding.

VCG08/2024 ... See more Content of Interest:

Content type: Voto salvado Branch of Law: 6. LEY DE LA JURISDICCIÓN CONSTITUCIONAL ANOTADA CON JURISPRUDENCIA Topic: 033- Legitimación activa Subtopics:

NOT APPLICABLE.

VII.- Dissenting vote of Judge Rueda Leal. This amparo remedy should have been rejected outright, since it was filed on behalf of [Name 002]; however, the filing brief does not reveal the essential link between this legal entity and any natural person, in relation to the alleged aggrieved fundamental rights. Of importance for the sub examine, in the dissenting vote I recorded in judgment no. 2019-2355 at 9:30 a.m. on February 12, 2019, I held:

"in Advisory Opinion 22-16 of February 26, 2016, the Inter-American Court of Human Rights indicated that although some States recognize the right of petition to legal entities under special conditions, such as unions, political parties, or representatives of indigenous peoples, Afro-descendant communities, or specific groups, the fact is that 'Article 1.2 of the American Convention only enshrines rights in favor of natural persons, so legal entities are not holders of the rights enshrined in said treaty.' On the other hand, in the same advisory opinion, the Inter-American Court held that, in certain specific contexts, natural persons may come to exercise their rights through legal entities (for example, through a media outlet, as occurred in the Granier et al. v. Venezuela case); however, for this to be protectable before the inter-American system, 'the exercise of the right through a legal entity must involve an essential and direct relationship between the natural person requiring protection from the inter-American system and the legal entity through which the violation occurred, as a mere link between the two persons is insufficient to conclude that the rights of natural persons are effectively being protected and not those of the legal entities. Indeed, one must prove beyond the simple participation of the natural person in the activities proper to the legal entity, such that said participation relates substantially to the rights alleged as violated.' (emphasis added) (OC. 22/16)".

In my view, the reading of the Ley de la Jurisdicción Constitucional compels the same ratio of the conventional hermeneutics cited above with respect to all fundamental rights. Thus, in a constitutionality proceeding filed in the name of or on behalf of a legal entity, its admission for study requires an essential and direct relationship between the legal entity that claims to be affected by some violation of the constitutional order and the natural person who, by such injury, sees some fundamental right diminished, in a reflexive but direct manner. For such purposes, the mere reference to a connection or link between the legal entity and the natural person is insufficient to infer that, precisely, through the constitutionality proceeding, the safeguarding of the fundamental rights of the latter is being sought, and not merely those of the former. The aforementioned requirement thus becomes a sine qua non prerequisite for the appropriateness of constitutional review in this venue. Based on the foregoing, I consider that this must be the guideline with which the Ley de la Jurisdicción Constitucional must be interpreted, so that in the sub iudice the application of jurisdictional constitutional review becomes inappropriate, since the referred-to link has not been demonstrated, in relation to the alleged aggrieved right. I have followed this thesis not only when companies in the Telecommunications sector have been held as the protected party (for example, judgment no. 2019014375 at 2:20 p.m. on August 1, 2019), but also when, in general, remedies have been filed in the name of or on behalf of legal entities without establishing the aforementioned essential relationship between the natural person and the legal entity (for example, resolutions nos. 2023014282 at 9:30 a.m. on June 16, 2023, 2022029898 at 9:21 a.m. on December 16, 2022, 2022005751 at 9:20 a.m. on March 11, 2022, 2020014695 at 9:15 a.m. on August 7, 2020, 2020012170 at 10:05 a.m. on June 30, 2020, 2020009074 at 9:15 a.m. on May 15, 2020, 2020006905 at 9:20 a.m. on April 3, 2020, among others).

VCG08/2024 ... See more Content of Interest:

Content type: Nota separada Branch of Law: 4. ASUNTOS DE GARANTÍA Topic: CONTRATOS O LICITACIONES Subtopics:

LICITACION.

Sentencia 2024-002222 Note of Judge Garro Vargas Preliminary considerations I have concurred with the majority because I agree in substance with the arguments of the judgment. Furthermore, I have deemed it opportune to record this note to make it clear that in my opinion this is a matter that from the beginning should have been rejected, because it is plainly evident that its object does not correspond to being heard through a summary remedy such as amparo.

Examples of the jurisprudential line upheld by the undersigned On similar occasions, and even in others whose object has been of much lesser magnitude, I have said that it is not enough that fundamental rights are allegedly involved for the matter to be brought before this venue and resolved through an amparo remedy.

Here are some examples:

• 1)Cases of the admission exams to the Instituto Tecnológico de Costa Rica In those cases, which indeed were very numerous, the petitioners challenged the admission criteria of that higher education institution. The issue had a direct relationship to the right to education, the right to equality, and the principle of reasonableness. The Chamber, following a long-standing and very reasonable jurisprudential line, rejected those numerous remedies outright, with statements such as the following:

"As can be deduced from the transcribed judgments, this Court has been consistent in pointing out that the admission requirements to state universities are a matter within their purview. In addition, the Chamber has reiterated that the controversy about the method and content of a university admission exam must be resolved in the ordinary venue of legality, as it is a matter of great technical specificity, the review of which requires a deep examination of technical evidence, which is alien to the summary nature of the amparo remedy" (judgments 2020-023153, 2020-023160, 2020-024016, 2021-04817, among others; emphasis is not from the original).

In those very numerous similar judgments, Judge Hernández López and I recorded the following note:

"Note of Judges Hernández López and Garro Vargas drafted by the latter.

The amparo remedy is a summary proceeding by nature and, pursuant to Article 48 of the Political Constitution, is designed to protect constitutional rights (with the exception of personal liberty and integrity) and those of a fundamental nature established in international human rights instruments applicable to the Republic. Therefore, a matter is susceptible to being heard through an amparo remedy when the alleged violation of any of those rights is invoked. But that is not enough. It is necessary that the object under discussion can be properly heard in a summary proceeding: that is, in a simple procedure without the need for a complex evidentiary phase. Moreover, the summary nature must manifest itself not only in the hearing phase but also in its enforcement phase. On the basis of the foregoing, the undersigned judges consider that the present matter does not correspond to being heard in the Constitutional Chamber through the amparo remedy, because, although fundamental rights may be involved, properly analyzing it requires producing technical evidence from various disciplines, in order to examine the diverse elements that come into play in its resolution." (Judgment 2020-23160; emphasis is not from the original).

• 2)Rainforest Alliance Case On another occasion, the Chamber heard an amparo remedy filed against Rainforest Alliance (expediente 21-023756-0007-CO), which it granted (judgment 2022-005556). I recorded my dissenting vote in which, among other arguments, I stated the following:

"3. On the procedure of the amparo remedy As announced in the preamble of this dissenting vote, for an alleged injury to a constitutional or fundamental right to be heard before this jurisdiction, the nature of the claim must be compatible with the characteristics of the amparo remedy. Although this is not the case—as there is no constitutional or fundamental right involved—, one could assert that many other grievances could be redirected toward Constitutional Law, because ultimately this is the basis from which the rest of the legal order emanates.

However, not every infringement of a constitutional right must necessarily be assessed in the amparo remedy, because due to the nature of the claim, in many cases, the best way to examine it in detail and depth is to bring it before the ordinary venue, which offers ample guarantees for the parties in order to resolve the conflict between them and which has the possibility of resorting to robust interim relief. In this regard, this Court has reiterated a jurisprudential line to the effect that 'the amparo proceeding is of an eminently summary nature because its sole purpose is to provide timely protection against infringements or imminent threats to fundamental rights and freedoms, so its processing does not accommodate well the practice of slow and complex evidentiary proceedings' (among many others, see votes numbers 2003-14336, 2006-014421, and 2020-019038). This jurisprudential line does nothing but recall the very nature of this proceeding. [Emphasis is not from the original].

It is also necessary to indicate that there are other parallel jurisdictional mechanisms, where with ample guarantees, protection can be granted to claims related to infringements of rights of constitutional or fundamental rank. An example of this is the thesis of the Constitutional Chamber that ordered, under a better assessment, to bring claims related to the delay of administrative procedures before the contentious-administrative jurisdiction, since at heart, their analysis implies an examination of the legal deadlines that public administrations have to address the claims of the administered parties. Thus, since judgment no. 2008-002545, the Constitutional Chamber has been upholding uninterruptedly the following:

'It is evident that determining whether the public administration complies with the deadlines set by the Ley General de la Administración Pública (Articles 261 and 325) or the sectoral laws for special administrative procedures, to resolve by final act an administrative proceeding—initiated ex officio or at the request of a party—or to hear the applicable administrative remedies, is an evident matter of ordinary legality that, henceforth, can be discussed and resolved before the contentious-administrative jurisdiction with the application of the principles that nourish the constitutional jurisdiction, such as those of vicarious legitimacy, the possibility of material defense—that is, of appearing without legal representation—and of gratuity for the petitioner.' (The emphasis does not correspond to the original).

In a similar fashion, since judgment no. 2017-017948, this Court has been resolving, in relation to the protection of labor rights, as follows:

'Certainly, the protection of the Constitutional Chamber, when it comes to labor matters, derives from the application of Title V, Single Chapter, of the Political Constitution, called Labor Rights and Guarantees. It is there, where the right to work, to a minimum wage, to the workday, to weekly rest, to paid annual vacations, to free unionization, to the right to strike, to the execution of collective labor agreements, among others, find constitutional protection through the amparo remedy; all this, on the occasion of work. However, under a new assessment, given the enactment of the Labor Procedural Reform, Law No. 9343 of January 25, 2016, in force since July 25, 2017, this Chamber considers that now all claims related to those labor rights, derived from a special immunity (fuero especial) (for reasons of age, ethnicity, sex, religion, race, sexual orientation, marital status, political opinion, national origin, social origin, lineage, disability, union affiliation, economic situation, as well as any other discriminatory cause contrary to human dignity), have an expeditious and swift procedural channel, through a very summary process and a full and universal jurisdiction, for their proper hearing and resolution, in pursuit of adequate protection of those substantial rights and legal situations, grounded in the infra-constitutional legal order, which has an indirect relationship with fundamental rights and the Law of the Constitution. The same reasons apply to State employees, regarding the proceeding before the Tribunal de Servicio Civil that the legal order guarantees them, as well as other workers in the Public Sector for the protection of due process or similar labor immunities (fueros) to which they are entitled according to the constitutional or legal order. In sum, the very summary process shall apply, both in the public and private sectors, by virtue of a special immunity (fuero especial), with job stability or special procedures for its protection, due to dismissal or any other disciplinary or discriminatory measure, for violation of special protective immunities (fueros) or of procedures, authorizations, and formalities to which women in a state of pregnancy or breastfeeding, adolescent workers, persons covered by Article 367 of the Labor Code, persons reporting sexual harassment, workers indicated in Article 620, and in sum, those who enjoy some similar immunity (fuero) by law, special rules, or collective labor instruments are entitled.' This shows that, even when rights of constitutional or fundamental rank are involved, their restoration and protection do not necessarily have to be brought before the constitutional jurisdiction through the amparo remedy, but rather that more protective parallel avenues from a procedural standpoint may exist, intended to hear—with the depth the case requires—claims related to these rights. Precisely due to the way the amparo remedy is designed, the grievances that should be heard in this venue are those in which the protection of the right is compatible with the characteristics and possibilities of this summary proceeding. On the contrary, it is not appropriate to hear in the amparo remedy those matters that require a complex evidentiary analysis, adversarial phases, and immediacy of evidence, which completely distort the essence of the amparo remedy." [Emphasis is not from the original].

• 3)Parque Viva Subsequently, the Chamber heard the Parque Viva case (expediente 22-016697-0007-CO). In the operative part (judgment 2022-25167), as it concerns me, it says: "Judge Garro Vargas delivers a partially dissenting vote in the following sense: grants it, for her own reasons, regarding freedom of expression; and dismisses it regarding the annulment of the sanitary order and the cited official communication, since she considers that matters relating to these are not proper to be heard in this jurisdiction." From my dissenting vote I wish to highlight the following, which is relevant to the present matter:

"The competence of the body is also determined by respect for the nature of the proceeding.

Not every act or omission or de facto action, originating from an authority, even if challengeable per se, is susceptible to being heard in a summary and informal proceeding. The reasons can be diverse: the legal or technical complexity of the act, the need to have a broad body of evidence to determine its validity and efficacy, etc. On this there is consolidated jurisprudence that the Chamber reiterates every week when rejecting a good part of the amparo remedies presented to it.

Likewise, the court must verify whether the protected object (the fundamental rights allegedly violated) can be effectively guaranteed through an amparo remedy, which is a summary and informal proceeding. In this regard, there is very reiterated jurisprudence on the matter, which the Chamber also regularly collects.

Precisely in this sense, I signed with Judge Hernández López a note that we reiterated on many occasions [already cited here] (…) (note to judgment 2020-23153).

This is so because many matters certainly involve fundamental rights but must be heard in their corresponding venue." (Emphasis is not from the original).

On that occasion I added a few paragraphs with a somewhat didactic tone, but which reflected in a simple way my approach to the issue.

"For example, if a person claims they were defrauded in a sale of a lot, there is no doubt—if that was indeed the case—that their right has been violated and that this is a fundamental right. It is the right recognized in Article 45 of the Political Constitution; but it is clear that the litigation on the matter does not correspond to being heard in the Constitutional Chamber, not even if the seller was a public-law entity, because to resolve this type of conflict there is the corresponding jurisdiction. To go no further, since the examples could be very abundant, if a passerby shoots another, the perpetrator is violating the fundamental right to life or, at least, to the integrity of the victim, but evidently the matter also cannot be heard through an amparo remedy, because that conduct is classified as a crime and, therefore, it will be the criminal judge who determines the responsibility and the scope and consequences thereof. Well, the Chamber has habitually been very clear on this in its jurisprudence, which is why, every week, it rejects many amparo remedies pointing out that they are matters proper to ordinary legality.

The foregoing means that, for a case to be examined and resolved in an amparo remedy, it is not enough to assert that the alleged violation of the fundamental right has its cause in a conduct of the respondent party. And the Chamber seeks to respect those criteria precisely so as not to invade the powers of the ordinary jurisdiction (established in Articles 49 and 153 of the Political Constitution) or those of the administrative authorities, as applicable. But not only for that reason, but also because in that way, by bringing the matter to the appropriate venue, the parties will have all the procedural guarantees inherent in due process, which are reduced in a summary and informal remedy like the amparo. Thus, for example, the reports of the authorities, being given under oath, are taken as true, so the possibilities of refuting them are much smaller than in plenary processes.

That is why the Chamber must verify whether, in view of the challenged object (the allegedly harmful acts), the protected object (the fundamental rights allegedly violated), and the type of injury (whether the affectation is direct or not), the matter is susceptible to being heard in a summary proceeding such as the amparo." (Emphasis is not from the original).

• 4)Environmental matters of great complexity This Chamber heard an environmental matter (expediente 22-003777-0007-CO) in which it was partially granted (judgment 2022-9857). As relevant, it considered that the aspects of great complexity should not be brought before this jurisdiction. On that occasion, Judges Castillo Víquez and Garita Navarro and the undersigned recorded a note, which holds the following:

"X.- NOTE OF JUDGES CASTILLO VÍQUEZ AND GARITA NAVARRO AND OF JUDGE GARRO VARGAS, DRAFTED BY THE LATTER.

We deem it necessary to record this note in which we warn that, under a better assessment, in environmental matters of such complexity—as the one challenged in the specific case—we assess that it is proper to dismiss the remedy to bring the discussion to the ordinary venue where, with greater evidentiary and procedural possibilities, as well as enforcement, the questioned conduct can be examined in detail.

Firstly, it is necessary to emphasize that we consider that this Chamber is competent to hear amparo remedies related to the violation of the fundamental right to a healthy and ecologically balanced environment under the terms of Article 50 of the Political Constitution. The foregoing, as this Court has so successfully done in the past.

However, we note that there are questions and complaints which, due to their complexity, exceed the summary nature of the amparo remedy and, in such circumstances, it is more protective for all parties, and even for the effective protection of the right to a healthy and ecologically balanced environment and the protection of natural resources, to place the conflict in an ordinary proceeding, of plenary jurisdiction, in which, with more procedural opportunities, the evidence can be examined and the grievances contrasted. In short, to judge in detail the regularity of the omissive and/or active conduct of the competent public administrations in attending to and resolving the environmental conflict reported.

It should be remembered that historically this Chamber has maintained the jurisprudential line that “the amparo process is eminently summary in nature because its sole purpose is to provide timely protection against infringements or imminent threats to fundamental rights and freedoms, and therefore its processing does not lend itself well to the practice of slow and complex evidentiary proceedings” (among many others, see decisions number 2003-14336, 2006-014421 and 2020-019038). This jurisprudential line simply recalls the very nature of this process. On the other hand, from the entry into force of the Código Procesal Contencioso Administrativo, it was determined that said jurisdiction possesses broad powers to hear grievances such as those challenged in the sub lite case. To that end, this Court has reiterated the following:

“[G]iven the enactment of the Código Procesal Contencioso-Administrativo (Ley No. 8508 of April 24, 2006) and its entry into force as of January 1, 2008, it has become evident that justiciable parties now have a plenary and universal contencioso-administrativa jurisdiction, which is highly expeditious and swift due to the various procedural mechanisms that this legislation incorporates into the legal system, such as the shortening of deadlines for carrying out various procedural acts, the breadth of standing, precautionary measures, the numerus apertus of actionable claims, orality –and its subprinciples of concentration, immediacy, and celerity-, the single instance with appeal only in expressly limited situations, intra-procedural conciliation, the unified process, the preferential processing process or “amparo de legalidad”, processes of pure law, new enforcement measures (coercive fines, substitute or commissarial enforcement, seizure of assets of the fiscal domain and some of the public domain), the broad powers of the panel of enforcement judges, the extension and adaptation of the effects of jurisprudence to third parties, and the flexibility of the cassation appeal. All these novel procedural institutes have the express purpose and objective of achieving procedural economy, celerity, promptness, and the effective or fulfilled protection of the substantial legal situations of those administered, all with a guarantee of basic fundamental rights such as due process, defense, and the adversarial principle”. (See, for example, judgments number 2010-17909, 2020-011247 and 2022-003724).

In contrast, the absence of a plenary evidentiary phase that facilitates the immediacy and the adversarial testing of evidence, necessarily imposes that, in the interests of adequate and prudent protection of the right, the ordinary proceeding be used to hear environmental conflicts that are inherently complex, such as the one raised in the specific case. (...).

From the enumeration of grievances and the analysis of the appellant party's claim, it is possible to verify that the reported conflict is extremely complex to resolve through the amparo process and, therefore, it should be placed in an ordinary venue that, with greater tools, can hear the substantive complaint in depth, adopt precautionary measures, and issue broad and specific orders to address the problems indicated.

The Chamber must hear environmental matters in all those cases whose claim is compatible with the summary nature of the amparo remedy. Everything that can be heard and placed before the constitutional jurisdiction because the claim is compatible with the qualities and possibilities that this process grants, must remain in this venue. Not so with environmental complaints whose elucidation requires, for their hearing and adequate analysis, a plenary evidentiary space such as that provided for in the Jurisdicción Contencioso Administrativa. That is the exception. We consider that the rule is, then, that it is appropriate to hear an amparo remedy when the verification of the problem is relatively simple and the Chamber has the appropriate tools for a timely and appropriate remedy, that is, that its execution is also characteristic of a summary process.

In this regard, it is necessary to note that there are grievances that are easily verifiable and would not be so difficult to hear, but they are part of a whole. Therefore, it is better that this whole be placed in a venue that, by its characteristics, allows the matter to be heard comprehensively with the analysis of all the facets that the specific case presents. That is precisely what happens in the sub lite case, in which the lack of resolution of a complaint to provide more personnel to guard the ACOSA is alleged and, in parallel, a series of problems are reported and enumerated that justify—in the appellants' judgment—the need to appoint more technical personnel to safeguard the area.

In short, we consider that, under a better weighting, it is necessary to conclude that there are conflicts that, due to their magnitude, necessarily require a plenary evidentiary process for their attention and resolution. This is precisely one of those cases, for which reason we consider that the appropriate course is to declare the remedy without merit and refer the entirety of the conflict raised—complaint for shortage of personnel to the detriment of biodiversity—to the contencioso-administrativa jurisdiction.

We make this note in the interest of guaranteeing due legal certainty in the jurisprudential lines of this Constitutional Jurisdiction and to specifically note what the partial change of criterion of the undersigned judges consists of.” (The emphasis is not from the original).

In similar terms, I have referred in other environmental matters (for example, judgments 2023-11233 and 2023-16088).

Conclusion

What has been said so far is sufficient to show that I have tried to be consistent in my voting line. This can be summarized by saying that, for the Sala Constitucional to correctly determine its own competence when hearing matters submitted to it through an amparo remedy, it must respect the necessary congruence that must exist between the protected object (fundamental rights), the challenged object (administrative conduct or conduct of a legal subject), and the procedural mechanism (summary process). This means that it must admit for processing only matters in which, in addition to the alleged injury to a fundamental right being involved, the challenged object is capable of being heard through a summary, simple process, without evidentiary complexity. This must also be done in the interest of due process, respect for the nature of the processes, and the very purpose of this jurisdiction.

It is worth adding that to affirm that only the Sala Constitucional is called upon to protect fundamental rights would be tantamount to calling into question, from its very root, the principle of constitutional supremacy and that of the unity of the legal system. Furthermore, it would imply—in this case—unjustly disparaging the contencioso-administrativa jurisdiction and its robust precautionary justice and its enforcement mechanisms.

Anamari Garro Vargas Judge VCG08/2024 ... See more Content of Interest:

Type of content: Separate note Branch of Law: 4. ASUNTOS DE GARANTÍA Topic: CONTRATOS O LICITACIONES Subtopics:

LICITACION.

Having seen the final wording of the judgment of this Chamber, number 2024-2222, of fourteen hours on January 26, 2024, by which this amparo remedy is declared without merit, the undersigned Judge renounces the note that during the discussion of said judgment he indicated he would record.

San José, July 31, 2024.

Jorge Araya G. Judge VCG08/2024 ... See more Res. N° 2024-002222 SALA CONSTITUCIONAL DE LA CORTE SUPREMA DE JUSTICIA. San José, at fourteen hours on January twenty-sixth, two thousand twenty-four.

Amparo remedy processed in file no. 23-023887-0007-CO, filed by [Name 001], general manager of [Name 002]., legal identification number [Value 001], against the INSTITUTO COSTARRICENSE DE ELECTRICIDAD (ICE).

Whereas:

1.- By brief received at the Secretariat of the Chamber on September 28, 2023, the petitioner files an amparo remedy against the ICE. They state the following facts: “1.- My represented party is prepared to participate in the public bidding process (licitación pública) that the ICE will open to implement and operate 5G IMT technology in its networks, given that we are one of the main providers of that technology in Costa Rica. 2.- On August 31st of this year, the Executive Branch enacted and published in La Gaceta the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic), which contains provisions that expressly prevent the participation of my represented party in that public tender. 3.- Both the President of the Republic, the Minister of MICITT and the Executive President of ICE have publicly stated that the enactment of the cited Reglamento was done with the specific motive of preventing the participation of companies of various nationalities, especially those of Chinese origin, in the bidding processes aimed at obtaining and operating 5G IMT and Superior telecommunications technology for that institution's networks. 4.- The President of ICE stated through the newspaper El Mundo CR on September 16th that the respective public tender will be published before the end of September of the current year. 5.- Additionally, and as conclusive and absolute proof of the risk that exists for my represented party, on September 5, 2023, at 4:20 p.m., an email was received from Mr. Huberth Valverde Batista, Administrator of Contracts of ICE, in which they send a questionnaire inquiring about compliance with the Reglamento de Ciberseguridad No.44196-MSP-MICITT. The email itself indicates the need to obtain this information within 4 business days. 6.- This questionnaire, as can be seen from the notarial certification provided, is an exact copy of the requirements of the Reglamento. 7.- The foregoing is direct proof that, given the imminent publication of the bidding process, my represented party will be affected and unable to participate in it. 8.- In light of this situation, the direct, unquestionable, current, imminent, and real risk faced by the company I represent is more than clear, evident, and manifest.” They describe threats in the following terms: “1.- The Executive President of ICE has clearly stated that at the end of September that institution will put out to public tender the acquisition of 5G Mobile telecommunications technology and that, in that public tender, the requirements demanded in the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) will be applied. 2.- As cited by the digital news outlet "El Mundo.CR" on September 15 of the current year, the Executive President of ICE expressly stated the following: "the decree is already with the teams and they are reviewing it to see how it is included in the tender specifications (cartel). Also, we have some clarifications that we must make. However, the answer is yes, we are going to have to include what is provided there, since it is applicable public policy" (https: elmundo.cr/costa-rica/licitaciónpara-5g-saldra-a-finales-de-setiembre-vetando-empresas-chinas/). 3.- The President of the Republic, Mr. Rodrigo Chaves Robles, had declared to the press when he was in the United States, after having signed the cited Reglamento shortly before his departure, that its enactment was aimed at preventing the participation of companies of diverse origin in the upcoming public tenders that the ICE and SUTEL would open for the acquisition of 5G Mobile telecommunications technology, which can be verified at the following link https://dplnews.com/rodrigo-chaves-prohibeempresas-chinas-en-el-desarrollo-de-5g-en-costa-rica/ 4.- This criterion was ratified by the Minister of MICITT on Amelia Rueda's radio program on Monday, September 4th, as can be verified at the following link https://ameliarueda.com/noticia/huawei-china-5g-micitt-subastacosta-rica-noticas 5.- In line with all of the above, my represented party received a questionnaire from ICE, requesting confirmation of compliance with the Decreto, which refers specifically to 5G or higher technology, this serving as clear and direct evidence of ICE’s intention to promote this tender as soon as possible. 6.- It is evident that the questionnaire sent by ICE is directly related to the Tender Specifications (Pliego de Condiciones) that will be used for the bidding process aimed at 5G technology. In accordance with the Ley General de la Contratación Pública, the Administration, prior to publishing the Tender Specifications of any nature, must conduct a market study to verify the possible bidders. In this case, it is evident that ICE is complying with the market study established in article 34 of the Ley de Contratación Pública, by asking the questions based on the Reglamento, thus making it clear that they will incorporate said provisions into the 5G bidding process, because the Reglamento is a current norm and ICE does not have the power to disapply it. 7.- Therefore, we are in the presence of a certain, real, effective, and imminent threat, almost in the execution stage, of an act harmful to the fundamental rights of my represented party. 8.- Indeed, the public tender that ICE will open before the end of this month, as its own officials have announced, will prevent my represented party from participating in it, for the simple fact of being a company of Chinese origin. 9.- It is important to indicate that it cannot be attributable to my represented party that the Government of the People's Republic of China, within its sovereign powers, has not signed the Budapest Convention to date. 10.- The Budapest Convention was published 18 years before 5G technology was launched on the market, making it impossible for any of its considerations to be related to that technology. An evaluation factor is being used that is outdated and not directly related to cybersecurity, in addition to violating the principle of technological neutrality enshrined in Chapter XIII of the CAFTA. 11- It is completely discriminatory to prevent my represented party from participating in a bidding process due to a decision that is not in its hands, as it is entirely a decision of the Chinese Government. 12- The only way to avoid a flagrant violation of the constitutional rights of free competition and equality of participation that, according to the jurisprudence of this Chamber, have constitutional status (Decision 998-1998), as well as the right to non-discrimination, is through the immediate suspension of the public tender in question. 13- If the cited act were to materialize, the harm to my represented party would be irreversible and of impossible reparation, such as reputational damages. For this reason, we are procedurally legitimized to file this amparo remedy against the imminent threats from ICE, consisting of launching a public tender to implement and operate 5G IMT technology in its networks, from which we are excluded beforehand.” They refer to the following violations of the fundamental rights of their represented party: “The appealed threat violates to the detriment of my represented party at least the following fundamental rights: a) right to free competition and equality of participation in public tenders and b) right not to be discriminated against based on the company's origin. A.-The violation of the fundamental rights of free competition and equality of participation in public tenders. 1.- The jurisprudence of this Chamber has established that “if article 182 of the Constitución Política establishes this principle -that of the bidding process (licitación)-, then all the principles inherent to Administrative Contracting are immersed in the concept. By virtue of the foregoing, it must be understood that from article 182 of the Constitución Política derive all the constitutional principles and parameters that govern the contractual activity of the State. Some of these principles that guide and regulate the bidding process are: 1.- free concurrence, which aims to strengthen the possibility of opposition and competition among bidders within the prerogatives of freedom of enterprise regulated in article 46 of the Constitución Política, intended to promote and stimulate the competitive market, so that the greatest number of bidders participate, allowing the Administration to have a wide and varied range of offers, so that it can select the one that offers the best conditions; 2.- equality of treatment among all possible bidders, a principle complementary to the previous one which within the bidding process has a dual purpose: that of being a guarantee for those administered in the protection of their interests and rights as contractors, bidders, and as individuals, which translates into the prohibition for the State of imposing restrictive conditions for access to the tender, whether through the enactment of legal or regulatory provisions for that purpose, or in its concrete action; and that of constituting a guarantee for the administration, insofar as it increases the possibility of better selection of the contractor; all of the above, within the constitutional framework given by article 33 of the Carta Fundamental" (Decision 998-1998). 2.- ICE's threat to launch a public tender in which it will apply Article 10) subsections c), d), e) and f) and section 11 of the aforementioned Reglamento implies a clear violation, to the detriment of my represented party, of its fundamental rights to free concurrence in public procurement and equality of treatment of bidders. 3.- Indeed, those norms establish requirements so that companies of various nationalities, as well as those of Chinese origin, cannot participate in any public tender for the acquisition of 5G Mobile and higher telecommunications technology. 4.- In this way, the fundamental rights to freedom of competition and equality of treatment that all potential interested parties in participating in public tenders for the acquisition of goods and services in our country have, among them my represented party, are grossly and evidently violated. 5.- In the case of my represented party, the tender specifications will prevent our participation in that public procurement by applying what is stipulated in subsections c), d), e) and f) of article 10 and section 11 of the cited Reglamento, which is the purpose pursued by that regulation according to statements by the Executive President of ICE, the Minister of MICITT, and the President of the Republic. A confession by a party is a discharge of proof. B.- The violation of the constitutional principle of not being discriminated against for any reason 1.- Article 33 of the Constitución enshrines the cardinal principle in Western Law, that no person, physical or legal, can be discriminated against for any reason (sex, religious beliefs, ideology, nationality, etc.). 2.- In the present case, my represented party is openly discriminated against both for its alleged ideology and for its nationality, which implies a gross violation of article 33 of the Constitución Política. 3.- For example, admitting that only companies from countries that have signed the Budapest Convention can participate in public tenders to acquire 5G technology is evidently discriminatory, since such Convention does not strictly refer to cybersecurity issues but rather that regulation focuses on the penalty of cybercrimes that include: fraud, violations of intellectual property, distribution and possession of child pornography, computer forgery, among others. Applying a common criminal policy among the signatory States. In this context, another characteristic of the Budapest Convention is international cooperation, an aspect that facilitates the investigation of cyber offenses and is relevant due to the characteristics of computer crimes and the possibility of them being committed outside the borders of a country, but with an impact on a specific territory. 4.- Let us remember that discrimination, from the legal point of view, means granting different treatment based on unjust or arbitrary inequalities that are contrary to the principle of equality before the law. 5.- The prohibition of discrimination covers the interdiction of doing so for any personal or social circumstance; that is, any differentiation lacking objective and reasonable justification can be classified as discriminatory. 6.- Thus, inequalities of treatment based exclusively on reasons of sex, race, social condition, ideological motives, origin, nationality, etc., are contrary to the principle of non-discrimination. 7.- The regulation that ICE intends to apply in the cited public tender implies a clear violation of the principle of non-discrimination to the detriment of my represented party, given that it is excluded from a public tender for allegedly ideological and nationality reasons.” They formulate the following request for a precautionary measure: “1.- Given that we are facing an exceptional case, because if the execution of the future act harmful to our fundamental rights, which is almost in the execution phase, is not suspended, the harm to my represented party would be irreparable and irreversible as it could not participate in the cited public tender for the acquisition of 5G/IMT Mobile telecommunications technology. To understand this irreparability and irreversibility, it must be considered that ICE represents 60% of Huawei's business in Costa Rica. Given this, if Huawei is prevented from participating in the tender, approximately 80 employees in Costa Rica would be directly affected, in addition to the financial losses for the company. 2.- Therefore, we request that in application of article 41 of the Ley de la Jurisdicción Constitucional, the publication of any tender specifications be suspended, or in the event that it is already published, the suspension of any bidding process by ICE in which the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) would have to be applied, until this Sala Constitucional has ruled on the merits of this amparo remedy and, in the event that it is converted into an acción de inconstitucionalidad, until it has ruled on the merits thereof.” They submit this petition: “1.- That my represented party cannot be prevented from participating in the cited public tender by introducing clauses of impossible compliance for it, because this violates the fundamental rights to free competition, equality of treatment, and the prohibition of discrimination exclusively for ideological and nationality reasons. 2.- That once ICE is notified of the impossibility of proceeding with the public tender cited repeatedly, this amparo be converted into an acción de inconstitucionalidad so that various norms of the challenged Reglamento can be eliminated from the legal system and, therefore, cannot be applied in any present or future bidding process.” 2.- By resolution at 18:41 hours on September 29, 2023, the Presidency of the Chamber gave course to the process and requested a report from both the executive president and the contract administrator, both of the ICE, on the following facts: “that the company [Name 002], which you represent, is prepared to participate in the public bidding process (licitación pública) that the Instituto Costarricense de Electricidad -ICE- will open to implement and operate 5G IMT technology in its networks, given that they are one of the main providers of that technology in Costa Rica. It indicates that on August 31, 2023, the Executive Branch enacted and published in La Gaceta the “Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” (sic) (sic), which contains provisions that expressly prevent the participation of your represented party in that public tender. It points out that the President of the Republic, the Minister of the Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones -MICITT-, and the executive president of ICE have publicly stated that the enactment of the cited reglamento was done with the specific motive of preventing the participation of companies of various nationalities, especially those of Chinese origin, in the bidding processes aimed at obtaining and operating SG IMT and higher telecommunications technology for the networks of the institute appealed against. It argues that on September 16, 2023, the president of ICE stated through the newspaper El Mundo CR, that the respective public tender would be published before the end of the month of September of the current year. It adds that on September 5, 2023, at 4:20 p.m., the company you represent received an email from Mr. Huberth Valverde Batista, in his capacity as Contract Administrator of ICE, in which a questionnaire was sent inquiring about compliance with the Reglamento de Ciberseguridad no. 44l96- MSP-MICITT, and it was also indicated that this information was needed within 4 business days. It claims that this questionnaire is an exact copy of the requirements of the cited reglamento, which it assures is direct proof that, given the imminent publication of the bidding process, its represented party will be affected and prevented from participating in it. It affirms that given this situation, the direct risk faced by the company it represents is more than evident. It deems the fundamental rights to free competition and equal participation in public tenders, and the right not to be discriminated against based on the national origin of the company, to be injured. For the reasons stated, it requests that this remedy be declared with merit.” 3.- By brief received at the Secretariat of the Chamber on October 6, 2023, the appellant party appears. It states: “For the purposes of article 75 of the Ley de la Jurisdicción Constitucional, I succinctly allege the unconstitutionality and unconventionality in toto and of some specific norms of “El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5G) y superiores”, approved by Decreto Ejecutivo number 44196- MSP -MCITT, published in La Gaceta on August 31, 2023. Below, I briefly substantiate the alleged constitutional vices. I.- Vices of unconstitutionality “El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5 G) y superiores”, approved by Decreto Ejecutivo number 44196- MSP-MCITT, published in La Gaceta on August 31, 2023, contains serious vices of both unconstitutionality and unconventionality, which we list below in a succinct manner. 1.- The Reglamento in toto violates article 28 of the Constitución Política, inasmuch as it regulates matters reserved by such norms to the domain of the law. That is, only by law can the exercise of fundamental rights be regulated and, above all, restricted. 9.- Finally, articles 9 first paragraph and 11 subsection f) violate the constitutional principle of technical reasonableness, which demands, as the jurisprudence of this Chamber has established, that any norm and, in general, any act emanating from public institutions must be based on technical criteria regarding the matter they regulate. 10.- In the present case, the challenged articles lack technical basis and the requirements established therein do not conform to duly proven, accepted, and adopted international standards.

For example, the first paragraph of Article 9 provides that “The subjects included in the scope of application of Article 2 of these Regulations must request their hardware and software suppliers, who are involved in the operation and functioning of 5G and higher networks and their services, to define the requirements, controls, and measurements of the supply chain cybersecurity management system for the design, development, production, delivery, installation, and maintenance of hardware, software, and services in accordance with the SCS 9001 standard, ‘Supply Chain Security Standard,’” without justifying why this standard is specifically required. The SCS 9001 Standard (Supply Chain Security 9001) was recently created, in 2022, by the TIA (Telecommunications Industry Association), which is a U.S.-based association of ICT (Information and Communication Technologies) suppliers. The SCS 9001 Standard lacks sufficient data to allow verification of its effectiveness, as it is still in the pilot project phase for carrying out the corresponding technical evaluation. The current cybersecurity standards ecosystem, which has been developed by ISO, GSMA, and 3GPP, has been recognized, accepted, verified, and implemented by the cellular mobile telephone services industry worldwide for several years now. 11.- Article 8, subsection i) and Article 10, subsection a) violate the constitutional principle of proportionality. 12.- As established by the jurisprudence of this Chamber, a state act that limits fundamental rights must be necessary, suitable, and proportional. 13.- The previously cited articles of the Regulations are not necessary, suitable, or proportional. Indeed, they are not necessary because the telephone network has operated in the country since its inception using the vertical diversification system, which is the most efficient methodology and therefore the most widely used worldwide, to guarantee a balance of suppliers that ensures network security in a cost-effective manner. If something works well, there is no reason to change it. Therefore, there is no compelling need to adopt the model indicated in Article 8, subsection i) and Article 10, subsection a) of the challenged Regulations. 14.- Finally, there is no proportionality between the supposed benefit that the public interest would obtain according to the model indicated in Article 8, subsection i) and Article 10, subsection a) of the challenged Regulations.” 4.- By a document added to the digital file on October 9, 2023, Marco Vinicio Acuña Mora and Huberth Valverde Batista, in their capacity as Executive President and Contract Administrator, respectively, both of the ICE, provide a sworn report. They state: “I. CONTEXT By virtue of the principle of collaboration with the Justice Authorities, as a preamble and for the purpose of establishing the true dimension of what is alleged by the Petitioner, the following context is provided to facilitate a better understanding of the facts for the High Constitutional Court: 1. The filed Amparo Appeal, and therefore the facts alleged, are based on Executive Decree No. 44196-MSP-MICITT called ‘Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher’ issued on August 25, 2023, by the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications, published in Supplement No. 166 of the Official Gazette La Gaceta of August 31, 2023, effective as of that date. 2. Decree No. 44196-MSP-MICITT, in Article 2, establishes the following: ‘Article 2—Scope of application. The active operation of networks and services based on fifth-generation mobile technology (5G) and higher, by natural or legal persons, public or private, national or foreign, who operate networks or provide telecommunications services based on fifth-generation mobile technology (5G) and higher that originate, terminate, or transit through the national territory, is subject to this regulation, except for the operation of private telecommunications networks. In the case of public procurement processes whose purpose is the enablement of networks and services based on fifth-generation mobile technology (5G) and higher, as well as the active technological equipment necessary for their deployment, for the use and exploitation of the radioelectric spectrum, the Administration or contracting entity must adopt the appropriate mechanisms to verify that potential bidders have considered all aspects related to the risk management and mitigation contained in these regulations when planning, designing, and implementing their technical proposal. If awarded, the provisions of this regulation will be mandatory during the operation of the networks and provision of services based on fifth-generation mobile technology (5G) or higher.’ (The highlighting, with the exception of the article title, is provided). 3. The Regulation under discussion, in Article 13, regarding sanctions and infractions establishes the following: ‘Article 13—Sanctions and infractions. The administrative sanctioning regime applicable for non-compliance with the provisions contained in this Executive Decree will be governed by the provisions of Law No. 8642, General Telecommunications Law.’ (The highlighting, with the exception of the article title, is provided). The previous factual elements, of general knowledge, allow the following aspects, which will be central to resolving the case, to be clearly demonstrated: 1. The ICE did not issue the Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher; therefore, there is an evident lack of passive legitimation of the Institute for the purposes of this Amparo Appeal. 2. The ICE, in its capacity as an operator and provider of telecommunications services, along with other public or private counterparts, is subject to these Regulations issued by the Executive Branch; a scope of application that, in the case of the Institute, when using public funds, also includes public procurement processes. 3. If the ICE, in said capacity as an operator and provider of telecommunications services, fails to comply with the provisions of the Regulations, it will be subject to the administrative sanctioning regime of the General Telecommunications Law No. 8642 (LGT), which, depending on the particular severity of the infraction, could imply sanctions of one percent (1%) and up to ten percent (10%) of the annual sales obtained by the violator during the previous fiscal year, or between one percent (1%) and up to ten percent (10%) of the value of the violator's assets, in addition to the definitive closure of the establishment, shutting down of facilities, in application of Articles 68 and 69 of the LGT. 4. So far, what the ICE has carried out is a market study, in accordance with Article 85 of the Regulation to the General Public Procurement Law, with the possible suppliers of 5G telecommunications network technology, to verify market conditions and check their compliance with cybersecurity matters, pursuant to the provisions of the aforementioned Decree; that is, there is no publication to date of tender specifications for a specific competitive process, as provided by the General Public Procurement Law. Based on these objective and legitimate criteria, in the following section we will refer to the facts indicated by the Petitioner. II. REGARDING THE FACTS ALLEGED BY THE PETITIONER Based on technical report No. 9191-1520-2023 of October 6, 2023, issued by the 5G Program of the ICE's Telecommunications Management, which is provided as evidence, we refer below to the facts that the Petitioner asserts, making the respective exception when they concern factual elements that do not directly correspond to the ICE, or when they are value judgments, and therefore not pure and simple facts. FACT ONE: The Petitioner states the following: (…) RESPONSE FROM THE ICE: The ICE does not attest to the affirmations made by the Petitioner regarding the suitability, status, and characteristics of its represented party. Regarding the statements made concerning that the ICE will open a public tender to implement and operate 5G IMT technology in its networks, the following context and dimensioning must be provided: So far, what the ICE has carried out is a market study, in accordance with Article 85 of the Regulation to the General Public Procurement Law, with the possible suppliers of 5G telecommunications network technology, to verify market conditions and check their compliance with cybersecurity matters, pursuant to the provisions of the aforementioned Decree; that is, there is no publication to date of tender specifications for a specific competitive process, as provided by the General Public Procurement Law. FACT TWO: The Petitioner states the following: (…) RESPONSE FROM THE ICE: This fact, besides being partly of a value-judgment nature, does not correspond to active or passive conduct by the ICE. By virtue of the principle of collaboration with the Honorable Constitutional Court, we allow ourselves to state that what is indicated by the Petitioner is partially true, as explained below: It is true that the Executive Branch, through the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications, on August 31, 2023, enacted and published Executive Decree No. 44196-MSP-MICITT called ‘Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher’; for which it must be specified that the dissemination was carried out in Supplement No. 166 of the Official Gazette La Gaceta of August 31, 2023, effective as of that date. Regarding the affirmations that said Regulation contains provisions that expressly prevent the participation of the Petitioner's represented party in the competitive process, these are the petitioner's own assessments, and not facts, which in any case are not attested to by the ICE. FACT THREE: The Petitioner states the following: (…) RESPONSE FROM THE ICE: The Petitioner, in this fact, partly refers to alleged public statements that do not correspond to the ICE, but to the President of the Republic and the Minister of Science, Innovation, Technology and Telecommunications; therefore, no reference will be made to them as they are facts unrelated to this Institute. In turn, it is rejected that the Executive President of the ICE publicly stated that the enactment of the regulation was done with the specific motive of preventing the participation of companies from various nationalities, especially those of Chinese origin, in the tender processes aimed at obtaining and operating the 5G IMT and Higher telecommunications technology for the Institution's networks, as the Petitioner erroneously indicates. In this regard, although the documentary evidence provided by the Petitioner partially contains some statements transcribed in quotation marks from the Executive President of the ICE (in the media outlets AmeliaRueda.com and elmundo.cr), none of them show that he expressed what the petitioner expressly and specifically alleges in fact three. The respectable opinions, focuses, perspectives, nuances, or editorial line held by the journalists and media outlets regarding the regulation, nor the headlines or headings of said news items, can be attributed to the Executive President of the ICE. Furthermore, as previously explained, the ICE was not the issuer of said Regulation, nor the one who enacted it; rather, as an operator and provider of telecommunications services, it must comply with this general regulation. FACT FOUR: The Petitioner states the following: (…) RESPONSE FROM THE ICE: It is partially true as explained below. It is true that the Executive President of the ICE made statements to the media outlet elmundo.cr, with the following clarifications: • The news is dated September 15, 2023, and not September 16, 2023, as deduced from the documentary evidence provided by the Petitioner. • The news item transcribes in quotation marks some statements from the Executive President of the ICE, without it being true or accurate to conclude specifically and unequivocally what is affirmed in fact four regarding that the public tender will be published before the end of September of the current year; rather, that affirmation is derived from the headline of the news item itself and the wording of its first paragraph, both done by the journalist or media outlet, which, while fully respectable, cannot be directly attributable to the Executive President. • In this regard, the headline of the news item was ‘Tender for 5G will go out at the end of September vetoing Chinese companies’ and the wording of the first paragraph of said news article was ‘San José, Sep 15 (elmundo.cr) – The Executive President of the Costa Rican Institute of Electricity (ICE) stated that the tender to award 5G frequencies will go out at the end of September.’ • On the contrary, as evidenced from the same news item, and this Honorable Court can so verify, to the media outlet's question regarding how long this process will last for Costa Rica to start working on the 5G topic, what was stated by the Executive President of the ICE, according to the quoted text, was as follows: ‘we believe that in about three months, that is, this year, let's see, September, October, December. This year the company should be awarded, and then afterward, to start implementing next year, God willing.’ (The highlighting is provided). Therefore, what is stated in this fact four is not correct, in that the Executive President of the ICE indicated that the tender would be published at the end of September of the current year, given that according to what is transcribed in said news item, he gives a range that oscillates between September and December 2023; note that as of this date, this publication has not occurred. FACT FIVE: The Petitioner states the following: (…) RESPONSE FROM THE ICE: What the Petitioner states does not constitute in its entirety a pure and simple fact, given that the affirmations regarding ‘incontrovertible and absolute proof of the risk that exists for my represented party’ are statements of a value-judgment and subjective nature. Regarding the communication received by the Petitioner's represented party, it is true, under the following contextualization and specifications: 1. Executive Decree No. 44196-MSP-MICITT called ‘Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher’ issued by the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications, as previously mentioned, entered into force on August 31, 2023. (See Annex No. 1 of the Technical Report) 2. This Regulation, as indicated in Article 1, ‘has the object of establishing cybersecurity measures to guarantee the secure use and exploitation, with safeguarding of the privacy of individuals, of telecommunications networks and services based on fifth-generation mobile technology (5G) and higher.’ Likewise, Article 2 establishes the following: (See Annex No. 1 of the Technical Report) ‘Article 2—Scope of application. The active operation of networks and services based on fifth-generation mobile technology (5G) and higher, by natural or legal persons, public or private, national or foreign, who operate networks or provide telecommunications services based on fifth-generation mobile technology (5G) and higher that originate, terminate, or transit through the national territory, is subject to this regulation, except for the operation of private telecommunications networks. In the case of public procurement processes whose purpose is the enablement of networks and services based on fifth-generation mobile technology (5G) and higher, as well as the active technological equipment necessary for their deployment, for the use and exploitation of the radioelectric spectrum, the Administration or contracting entity must adopt the appropriate mechanisms to verify that potential bidders have considered all aspects related to the risk management and mitigation contained in these regulations when planning, designing, and implementing their technical proposal. If awarded, the provisions of this regulation will be mandatory during the operation of the networks and provision of services based on fifth-generation mobile technology (5G) or higher.’ (The highlighting, with the exception of the article title, is provided). 3. Given the entry into force of said Regulation, mandatory for operators and providers of telecommunications services, on September 5, 2023, the Telecommunications Management of the ICE, through the Contract Administrator Area, and for the purposes of a market study, sent to potential interested parties (Huawei, Nokia, Ericsson, GBM Costa Rica, and Rakuten) an electronic communication with the following wording and queries: (See Annex No. 2 of the Technical Report) ‘Good afternoon: In view of the regulation issued regarding cybersecurity for 5G technology in Costa Rica, please indicate compliance with the following points by your represented company, for the purpose of conducting a market study: 1. The supplier will be able to comply with all aspects related to the risk management and mitigation contained in these regulations when planning, designing, and implementing its technical proposal. 2. Indicate compliance with the following cybersecurity standards:

Number \t Names ISO/IEC 27001:2022 \t Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems — Requirements ISO/IEC 27002:2022 \t Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems — Requirements ISO/IEC 27003:2017 \t Information Technology — Security Techniques — Information Security Management Systems — Guidance ISO/IEC 27011:2016 \t Information Technology — Security Techniques — Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Telecommunications Organizations SCS 9001 \t Supply Chain Security and Cybersecurity Standard 3. That the offered solution is not from a single supplier regarding hardware and software. Hardware and software suppliers are understood as: Entities that provide services or active equipment to the subjects included in Article 2 of these regulations. This category includes: i) manufacturers of telecommunications equipment; and ii) other external suppliers, such as cloud infrastructure providers, system integrators, security and maintenance contractors, and transmission equipment manufacturers, when they are responsible for configuring and integrating the active equipment and software of the solution. 4. Indicate whether your headquarters is in a country that has expressed its consent to be bound by compliance with the Convention on Cybercrime (Budapest Convention). 5. Whether the supplier is or is not susceptible to pressure from a foreign government by statutory provision or official public policy of said foreign government, in relation to the location or execution of its operations. 6. Indicate whether it is based in a country, or is in any way subject to the direction of a foreign government with established laws or practices that may require it to share end-user information of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests. The required information must be answered by next September 8, 2023.’ 4. On September 8, 2023, at 12:24 p.m., via email, Mr. Juan Carlos Blanco Infante from the company NOKIA responded to the inquiries made, as shown in Annex No. 3 of the Technical Report, for which confidentiality is requested given that said data is protected by agreements that safeguard this type of information. 5. On September 8, 2023, at 3:46 p.m., via email, Mr. Mustafa Syed from the company Rakuten responded to the inquiries made, as shown in Annex No. 4 of the Technical Report, for which confidentiality is requested given that said data is protected by agreements that safeguard this type of information. 6. On September 8, 2023, at 6:29 p.m., via email, Mr. Neil Baute from the company Ericsson responded to the inquiries made, as shown in Annex No. 5 of the Technical Report, for which confidentiality is requested given that said data is protected by agreements that safeguard this type of information. 7. On September 8, 2023, via official communication UL-2023-0460, Mr. Eduardo Blanco González from the company GBM de Costa Rica responded to the inquiries made, as shown in Annex No. 6 of the Technical Report, for which confidentiality is requested given that said data is protected by agreements that safeguard this type of information. 8. On September 11, 2023, Mr. Marcel Aguilar Sandoval from the company Huawei Tecnologies (sic) Costa Rica responded to the inquiries made, as shown in Annex No. 7 of the Technical Report, for which confidentiality is requested given that said data is protected by agreements that safeguard this type of information. 9. Regarding the responses from Huawei Tecnologies (sic) Costa Rica, as the Honorable Constitutional Court will be able to verify, there is no evidence that said company had any kind of disagreement with what was consulted. (See Annex No. 7 of the Technical Report). 10. So far, what the ICE has carried out is a market study, in accordance with Article 85 of the Regulation to the General Public Procurement Law, with the possible suppliers of 5G telecommunications network technology, to verify market conditions and check their compliance with cybersecurity matters, pursuant to the provisions of the aforementioned Decree; that is, there is no publication to date of tender specifications for a specific competitive process, as provided by the General Public Procurement Law. FACT SIX: The Petitioner states the following: (…) RESPONSE FROM THE ICE: It is true with the following specifications: • The queries made by the ICE, in the market study phase, are in accordance with the provisions of Executive Decree No. 44196-MSP-MICITT called ‘Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher’ issued on August 25, 2023, by the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications, published in Supplement No. 166 of the Official Gazette La Gaceta of August 31, 2023, effective as of that date. • Said regulation issued by the Executive Branch is mandatory for the ICE, as previously explained. • If the ICE fails to comply with the provisions of the Regulations, it will be subject to the administrative sanctioning regime of the General Telecommunications Law No. 8642 (LGT). • As indicated in the response to fact five, there is no evidence that Huawei Tecnologies (sic) Costa Rica had any kind of disagreement at the time of responding to the ICE's queries regarding the Regulation in question within the framework of the conducted market study. FACT SEVEN: The Petitioner states the following: (…) RESPONSE FROM THE ICE: What the Petitioner affirms is not a pure and simple fact, but rather statements of a value-judgment nature, and therefore subjective. By virtue of the principle of collaboration with the Honorable Constitutional Court, we reiterate that so far, what the ICE has carried out is a market study, in accordance with Article 85 of the Regulation to the General Public Procurement Law, with the possible suppliers of 5G telecommunications network technology, to verify market conditions and check their compliance with cybersecurity matters, pursuant to the provisions of the aforementioned Decree; that is, there is no publication to date of tender specifications for a specific competitive process, as provided by the General Public Procurement Law. Likewise, as indicated in the response to fact five, there is no evidence that Huawei Tecnologies (sic) Costa Rica had any kind of disagreement at the time of responding to the ICE's queries regarding the Regulation in question within the framework of the conducted market study. FACT EIGHT: The Petitioner states the following: (…) RESPONSE FROM THE ICE: What the Petitioner affirms is not a pure and simple fact, but rather statements of a value-judgment nature, and therefore subjective. By virtue of the principle of collaboration with the Honorable Constitutional Court, we reiterate that so far, what the ICE has carried out is a market study, in accordance with Article 85 of the Regulation to the General Public Procurement Law, with the possible suppliers of 5G telecommunications network technology, to verify market conditions and check their compliance with cybersecurity matters, pursuant to the provisions of the aforementioned Decree; that is, there is no publication to date of tender specifications for a specific competitive process, as provided by the General Public Procurement Law. Likewise, as indicated in the response to fact five, there is no evidence that Huawei Tecnologies (sic) Costa Rica had any kind of disagreement at the time of responding to the ICE's queries regarding the Regulation in question within the framework of the conducted market study. III. REGARDING THE LEGAL GROUNDS ALLEGED BY THE PETITIONER CONCERNING PRESUMED VIOLATIONS OF THE FUNDAMENTAL RIGHTS OF FREE COMPETITION, NON-DISCRIMINATION, AND EQUAL CONDITIONS IN PUBLIC TENDERS Regarding the statements made by the Petitioner, in the Law Section of the filing document for the Amparo Appeal, on presumed violations of the fundamental rights of free competition, non-discrimination, and equal participation in public tenders, by virtue of the principle of collaboration, we allow ourselves to state the following to the Honorable Constitutional Court: The Regulation on Cybersecurity Measures applicable to Telecommunications Services based on Fifth Generation Mobile Technology (5G) and Higher, issued and published by the Executive Branch, in the second paragraph of Article 2 (Scope of application) establishes the following: ‘In the case of public procurement processes whose purpose is the enablement of networks and services based on fifth-generation mobile technology (5G) and higher, as well as the active technological equipment necessary for their deployment, for the use and exploitation of the radioelectric spectrum, the Administration or contracting entity must adopt the appropriate mechanisms to verify that potential bidders have considered all aspects related to the risk management and mitigation contained in these regulations when planning, designing, and implementing their technical proposal. If awarded, the provisions of this regulation will be mandatory during the operation of the networks and provision of services based on fifth-generation mobile technology (5G) or higher.’ (The highlighting and underlining are provided). This Regulation, as explained supra, is mandatory for the ICE as a telecommunications operator, as also provided by the first paragraph of Article 2 of said regulation. As has been demonstrated in this report, it is not the ICE who issues said regulation; rather, when generating any procurement for the 5G network, it must in due course obligatorily consider the conditions established in said Decree.

To date, what ICE has done is a market study, in accordance with article 85 of the Regulation to the General Public Procurement Law, with the potential suppliers of 5G telecommunications network technology, to verify market conditions and confirm their compliance regarding cybersecurity, pursuant to the provisions of the aforementioned Decree; that is, there is currently no publication of tender documents for a specific competition, as provided by the General Public Procurement Law. Furthermore, the Petitioner mentions the following in the appeal, in the law section: “12- The only way to avoid a flagrant violation of the constitutional rights of free competition and equal participation, which according to the case law of this Chamber have constitutional status (Voto 998-1998), as well as the right to non-discrimination, is through the immediate suspension of the public tender in question.” It is worth clarifying that this assertion made by the Petitioner, in his capacity as representative of the company Huawei, lacks foundation, since ICE has not published any tender aimed at contracting related to 5G technology. The current state of affairs of the Institution, attending to its substantial duty to provide telecommunications and infocommunications services to the population, is that of analyzing the conditions offered by the market to address the development of the 5G network that ICE will occupy, in compliance with article 34 of the General Public Procurement Law No. 9986 and article 85 of the Regulation to said Law. This article 34 of Law No. 9986 precisely provides: “…The market study shall also have the purpose of establishing the existence of goods, works, or services, in the required quantity, quality, and timeliness, as well as verifying the existence of suppliers, enabling informed decision-making regarding the procurement procedure, and providing information for determining budgetary availability. Said study must consider the entire life cycle of the procurement and take into account the principle of value for money, all of which shall be developed in the regulation of this law…” (Underlining supplied). In that regard, ICE’s actions have adhered to the law, in pursuit of making informed and substantiated decisions, consistent with the duty of public officials to support their actions. Additionally, the Constitutional Chamber should note that this same information has been requested by ICE from the potential bidders, where both the Petitioner’s represented company and the companies Nokia, Ericsson, GBM Costa Rica, and Rakuten were consulted, as explained in the response to Fact Five. Thus, it is not true that the principle of free competition and equal participation mentioned by the Petitioner is being violated, since no invitation to participate in an ICE tender has been issued, and the Institution’s actions have adhered to the preliminary stages established in procurement matters, in accordance with the General Public Procurement Law, in a transparent and egalitarian manner. It must be considered that the company represented by the Petitioner at this time does not constitute a bidder or a contractor so as to claim that the principle of equal treatment is being violated, which is a guarantee of the interests of those bidders or contractors specifically in public procurement procedures as such, and not in early stages of market research or study, in which, even so, it was also considered. Regarding the subject under study, it is important to bring up what was ordered by the Comptroller General of the Republic in its resolution R-DCA-0153-2019: “…It is presumed that the administrative function of the State has a public purpose and that therefore its acts (in this case, the tender documents of a bidding process) are presumed to be issued in accordance with the legal order and basically as an instrument for the satisfaction of general interests. In such a way that each set of tender documents implicitly carries the presumption of adherence to the principles of administrative procurement and the rest of the legal order, always starting from the supremacy of the general interest over any other (…) And it is that here we must start from another fundamental element that it is worth reiterating, administrative procurement procedures are not competitions that must be open to the entire market in an unrestricted manner and above the specific needs that each tendering entity has; this would lead not only to the comparative chaos of offers that are diametrically different and therefore incomparable, but mainly to a strong risk of affecting the satisfaction of public needs. In other terms, free competition and equal treatment should not be understood as unrestricted gateways for anyone who wishes to compete, but as a point of healthy and reasonable balance between the true needs that the Public Administration must satisfy and fair and equitable treatment to all those potential bidders who do manage to adequately contribute to that delicate task. In practice, that balance, as well as the justice and equity that the legal order must pursue, is achieved through the incorporation only of limiting (or rather delimiting) clauses that have adequate technical, legal, and financial support, but concomitantly through the possibility of reviewing those clauses, for the sake of adequate satisfaction of the general interest and likewise through objectively substantiated arguments, which allow the study of the tender documents not only from the perspective of particular interests, but primarily from the perspective of the social or collective function pursued by the State.”…” (Highlighting supplied). We can conclude then, that the considerations potentially aimed at mitigating cybersecurity risks identified in the cited Executive Decree do not harm the constitutional principle of equality and free competition in matters of public procurement, with the understanding that they are oriented toward the prevention and mitigation of risk in this area as public policy guidelines defined by the Executive Branch as the governing body of telecommunications in the country. Thus, ICE has acted at all times in accordance with the Principle of Legality, following the provisions of the General Public Procurement Law in these early stages of market research or study, as well as the provisions of the aforementioned Decree; additionally, in adherence to the principles of integrity and transparency, as well as good faith in public procurement dealings and as a basic moral principle of the Administration, in accordance with ethical standards where the public interest prevails over any other. It is important for the Constitutional Court to consider that, in the matter of public procurement, every procedure inherently involves the satisfaction of a public interest, even of a general scope, which the Administration must zealously safeguard in every purchase it promotes, understanding that for this purpose it enjoys broad discretion in defining the clauses of the tender documents aimed at protecting that interest, and which may eventually not be met by some bidders, without such provision tending to harm the constitutional principle of equal treatment and free participation. Now, at the moment when ICE has certainty of the object to be contracted, its scope and conditions, and proceeds to publish tender documents related to 5G technology, any interested company may participate, provided it meets the requirements defined by the Administration in said documents, so that participation is not being limited to any possible supplier. Therefore, there is no type of violation of fundamental rights established in the Political Constitution, nor of those alleged by the Petitioner. IV. ON THE IMPROPRIETY OF THE PRECAUTIONARY MEASURE It is requested that the precautionary measure requested by the Petitioner be rejected regarding suspending the publication of any tender documents, since the requirements established for said exceptional protection are not met. In this regard, as has been explained in this report, to date, what ICE has done is a market study, in accordance with article 85 of the Regulation to the General Public Procurement Law, with the potential suppliers of 5G telecommunications network technology, to verify market conditions and confirm their compliance regarding cybersecurity, pursuant to the provisions of the aforementioned Decree; that is, there is currently no publication of tender documents for a specific competition, as provided by the General Public Procurement Law. The company represented by the Petitioner at this time does not constitute a bidder or a contractor so as to claim that the principles of equality, free competition, or non-discrimination are being violated, which is a guarantee of the interests of those bidders or contractors specifically in public procurement procedures as such, and not in early stages of market research or study, in which, even so, it was also considered, without it having had any type of disagreement at the time of responding to ICE’s inquiries related to the Regulation in question, as explained in the response to Fact Five. ICE’s actions have adhered to the preliminary stages established in procurement matters, in accordance with the General Public Procurement Law and Executive Decree No. 44196-MSP-MICITT called “Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher” issued by the Executive Branch, a provision that, as an operator and provider of telecommunications services, it must comply with obligatorily, given that non-compliance implies that it will be subject to the administrative sanctioning regime of the General Telecommunications Law No. 8642 (LGT). Suspending the publication of any tender documents, in the terms requested by the Petitioner, would not only imply serious, irreparable, and irreversible damage to this Public Institution, preventing it from fulfilling its legally established competencies, but would above all affect the final users of telecommunications, who would be prevented from having access to new technologies and services, affecting their fundamental right of access to telecommunications, recognized jurisprudentially by this Constitutional Court and recently positivized by the Derived Constituent through reform of the Magna Carta. (…) VI. PETITION Based on the foregoing, it is requested that the Amparo Appeal be declared without merit in all its aspects and without special award of costs against the Institute, since ICE has not harmed any fundamental right and also lacks passive standing, as it did not issue the Executive Decree alluded to by the appellant.” 5.- By document received at the Secretariat of the Chamber on October 10, 2023, the petitioner appears. He indicates: “Based on article 41 of the Law of Constitutional Jurisdiction, I reiterate my request to suspend the execution of the bidding process that ICE will promote in a few days for the acquisition of 5G/IMT Mobile telecommunications technology, based on the following factual and legal reasons. 1.- The purposes of the amparo appeal 1.- As is known, the institution of amparo was taken by our 1949 Constituent Assembly from the ephemeral Cuban Constitution of 1940. This model, unlike what occurs in other legislations, establishes the amparo appeal exclusively against administrative conduct (acts, omissions, threats). 2.- This system has the advantage of fulfilling the main objective of the amparo appeal, which consists of avoiding the violation of fundamental rights when filed against threats, or restoring the violated fundamental right before the damage becomes irreversible. To achieve this objective, the institute of precautionary measures is used precisely and, in the Costa Rican case, to suspend the effects of the execution of the challenged conduct, in accordance with the letter and spirit of article 41 of the Law of Constitutional Jurisdiction. 3.- When amparo is established only against judicial rulings, as occurs in most legislations, it only has a compensatory effect, since the violation or threat of violation has already materialized irreversibly, making it legally impossible to restore the protected person’s effective exercise of their violated fundamental right, or the threat of violation has translated into an irreversible infringement of their right. 4.- Therefore, when in our system the execution of the challenged act or threat is not suspended due to the seriousness of its implications, the cited procedural remedy ends up having only compensatory effects since it would have given up on fulfilling its primary vocation of restoring the violated fundamental right or preventing one from being violated. 5.- Therefore, this Chamber must assess, case by case, when it is essential to suspend the present execution (when dealing with acts) or future execution (when we are in the presence of threats), given that if, in certain cases, it does not do so, the non-suspension could produce irreversible violations of fundamental rights and their holders would have to resign themselves to the collection of damages suffered through the contentious-administrative channel. 6.- In such circumstances, the amparo appeal ceases to be a procedural remedy to reinstate the violated right or prevent its violation from materializing, to become a jurisdiction for repairing damages. This latter function is accessory and must yield to the primary purpose of amparo, which is the effective protection of fundamental rights. II.- The elements for decreeing a precautionary measure 1.- In the present case, we are in the presence of an exceptional case, since if the execution of the future act harmful to our fundamental rights, which is almost in the execution phase, is not suspended, the prejudice to my represented party would be irreparable and irreversible since it could not participate in the cited public tender for the acquisition of 5G/IMT Mobile telecommunications technology. 2.- Therefore, it is clear that in this case the three elements that administrative procedural doctrine considers necessary for granting a precautionary measure are present, namely: a) appearance of a good right, b) danger in delay, c) bilaterality of periculum in mora. 3.- The appearance of a good right is amply demonstrated in the case file with the evident violations of the fundamental rights to free competition and equal participation in public tenders to the detriment of my represented party. 4.- The danger in delay consists of the objectively founded and reasonable fear that the substantial legal situation alleged will be seriously damaged or harmed in a serious and irreparable manner, during the time necessary to issue a judgment in the main proceeding. 5.- This requirement necessitates the presence of two elements: serious damage or harm and the delay in the main proceeding, without overlooking that within this requirement lies what doctrine calls the “bilaterality of periculum in mora” or as it is commonly known, the weighing of the interests at stake. 6.- The requirement of danger in delay alludes to two aspects: first, to the damages complained of that are capable of occurring actually or potentially if the required measure is not adopted. Damages that must be established as serious, in addition to being considered as deriving from the situation alleged. 7.- Regarding the damages, it is clear that, if the effects of the conduct challenged in the present amparo appeal are not suspended, damages that are difficult or even impossible to repair could be caused to my represented party, by preventing it from participating in the cited tendering procedure aimed at the acquisition of 5G Mobile telecommunications technology. 8.- For the Costa Rican Electricity Institute alone, the costs of excluding [Name 002], which is the current hardware and software supplier for that entity, would be $1.5 billion. The foregoing is a public and notorious fact that appears in the La República news from September 11, 2023 “Excluding Asian companies from 5G network tender would cost the country $1.5 billion in technology” available at https://www.larepublica.net/noticia/excluir-a-empresas-asiaticas-de-concurso-de-redes-5g-le-costaria-al-pais-15-billones-en-tecnologia 9.- Secondly, this requirement refers to the situation that arises due to jurisdictional proceedings that require, for their development and subsequent conclusion, the performance of a series of acts through which not only due process is guaranteed, but also the issuance of a judgment that, if it cannot be carried out promptly, at least is just. 10.- Putting an end to a proceeding, whose judgment will depend on the prior resolution of an unconstitutionality action against norms that necessarily must be applied in it, demands time and it is precisely where precautionary protection acquires special relevance, because while that decision of the proceeding arrives, the production of serious damages is avoided, which, if they were to occur, would render the right being claimed nugatory. 11.- This amparo appeal cannot be resolved before this same Chamber votes on the merits of the unconstitutionality action that will be filed based on it, which could take at least two years. 12.- The bilaterality of periculum in mora refers to the weighing of the interests at stake, linked to the public interest that may need to be protected, against the interest of third parties and, of course, the interest of whoever resorts through a precautionary measure, these must be comparatively assessed, imposing the repeal of the measure when the harm suffered or capable of being produced to the community or third parties is greater than that which the Applicant for the measure could experience. 13.- The public interest would also be affected because the impact on operators with the exclusion of Huawei in 5G would have very harmful effects. The implementation of the decree could translate into the need for an investment increase of approximately USD 196.69 million over a 5-year period. But beyond the direct monetary impact, this situation could generate a delay in the implementation of 5G technology, extending the duration of its deployment by up to 4 additional years. These delays, in addition to the additional financial costs, can have repercussions on the country’s competitiveness and on the adaptability of local industries to global technological trends. 14.- From the point of view of internal impact, significant harms would also be caused. For example, ICE would have to increase its external debt due to the additional investments it would have to make to make the new system compatible. 15.- GDP would decrease due to the reduction of economic activities driven by advanced technologies that require 5G for their development, such as autonomous driving, autonomous manufacturing, artificial intelligence, etc. 16.- The costs of acquiring equipment by network operators and telecommunications service providers will increase as they have to acquire them at a higher price from American and European companies (public and notorious fact that appears in press media news Semanario Universidad, September 6, 2023 “President Chaves’ Decree leaves out five of the leading companies in 5G” available at https://semanariouniversidad.com/pais/decreto-de-presidente-chaves-deja-fuera-a-cinco-de-las-empresas-lideres-en-5g/ and Diario Extra, September 6, 2023 “Government Decision would raise the price of Internet” https://www.diarioextra.com/Noticia/detalle/504206/decisi-n-de-gobierno-subir-a-precio-del-internet-). 17.- The higher costs in the acquisition of equipment by network operators and telecommunications service providers would be passed on to consumers and final users of such services (Public and notorious fact that appears in press media news Semanario Universidad, September 6, 2023 “President Chaves’ Decree leaves out five of the leading companies in SG” available at https://semanariouniversidad.com/pais/decreto-de.presidente-chaves-deja-fuera-a-cinco-de-las-empresas-lideres-en-5g/ and Diario Extra, September 6, 2023 “Government Decision would raise the price of internet” https://www.diarioextra.com/Noticia/detalle/504206/decisi-n-de-gobierno-subir-a-precio-del-internet-). 18.- There would also be a loss of fair opportunities for system users to obtain access to advanced 5G technologies due to the inevitable increase in telephone rates. Indeed, the additional cost of less advanced technologies and the market with insufficient competition will ultimately be transferred to users. The price of rates would increase by up to 40%. 19.- If the 5G deployment is carried out without restrictions, its investment would contribute USD 748.4 million to Costa Rica’s Gross Domestic Product (GDP) over a 5-year period. This represents a significant 3.19% of GDP. However, under the limitations of the decree, this contribution plummets to just USD 419.1 million. We are talking about a reduction of USD 329.3 million in just five years, a not insignificant figure for any economy and highly significant for Costa Rica. 20.- In any case, the economic study carried out by CINPE of the National University, in which 5 prestigious researchers from that educational center participated, reaches the following conclusions: Chapter IV: Conclusions and Recommendations. Throughout this investigation, we have set out to calculate the financial and economic impact that the decision to implement Executive Decree No. 44196-MSP-MICITT has for Costa Rica. We have made clear in chapter 1 of the investigation the importance and effects that the transition from 4 and 4.5G internet to 5G-based usage platforms will have. This process of transformation of the digital economy has important effects on the competitiveness of companies, on employment and technological development of key industries for the country, and on the generation of innovation opportunities. For all of the above, we must attach the greatest importance and significance to the process coming for the country with the deployment of 5G networks. In chapters 2 and 3 of this study, based on the results obtained from the application of the financial impact and economic impact analysis methodology, as well as the distribution of said amounts in rates, we can conclude that the restrictions on Asian suppliers and in particular on the company Huawei from participating in the bidding for equipment and maintenance of 5G networks in Costa Rica, have significant financial effects for cellular telephone operators and a very high economic and social impact for the country. It is concluded that: 1. The implementation of the decree could translate into the need for an investment increase of approximately USD 196.69 million over a 5-year period. But beyond the direct monetary impact, this situation could generate a delay in the implementation of SG technology, extending the duration of its deployment by up to 4 additional years. These delays, in addition to the additional financial costs, can have repercussions on the country’s competitiveness and on the adaptability of local industries to global technological trends. 2. Regarding the impact on the economy of said effects of the deployment of 5G technology, it can be seen forcefully when comparing the scenarios with and without the implementation of this decree. According to our research and the data presented in table 2.3, if the 5G deployment is carried out without restrictions, its investment would contribute USD 748.4 million to Costa Rica’s Gross Domestic Product (GDP) over a 5-year period. This represents a significant 3.19% of GDP. However, under the limitations of the decree, this contribution plummets to just USD 419.1 million. We are talking about a reduction of USD 329.3 million in just five years, a not insignificant figure for any economy and highly significant for Costa Rica. 3. The most affected industries are the manufacturing industry, the ICT sector, the commercial sector, and public administration. The manufacturing industry is a sector closely linked to the dynamism of free zones and has historically been a pillar of Costa Rica’s economic growth, and this will absorb close to a third of that economic cost (USD 117.0 million), which is alarming. This industry is not only vital for its contribution to GDP, but also because it is a crucial source of employment for Costa Ricans. Additionally, the information and communication sector is not far behind, projecting a negative impact of USD 39.18 million during the same period, as a direct consequence of the decree. In third place is the economic cost for the commercial sector, totaling USD 29.9 million. In some ways, the estimated impact for this industry would be the best possible scenario; that is, there could be a higher cost resulting from the depth that 5G technology has and would have in access to new products for consumers, as is the case with digital platforms. In fourth place is the impact on public administration totaling USD 24.6 million, which would limit the government in general and local governments in particular, in being able to accelerate the process of smart cities. Complementing this are technological improvements to enhance citizen security and the coverage of public service rates such as water and electricity. 4. By integrating the effects of additional investment costs into an average industry rate model, we find that rates could rise by up to an additional 40 percent, with the implementation of the decree. The effect for users tends toward digital exclusion in a very significant way; however, it will depend on the pricing strategy developed by 5G service providers and/or the intervention of the Costa Rican State to cushion this impact on Costa Ricans’ income resulting from the increase in costs and prices of telecommunications services. 5. The exclusion of clients in rural areas and in lower relative income segments is of great concern. The existing gap today could widen significantly with dire implications for excluded persons. Additionally, non-implementation on time will have effects on the loss of investment and employment opportunities. 6. As a whole, we see that the financial, economic, and social impact of the decree speaks to a significant loss for the country from implementing this measure. It is clear that there are conflicting positions on the subject, but the magnitude of the effects requires a deep, critical, and coherent analysis with the country’s reality. To exemplify the size of the economic impact, we can compare it with three large investment items: a. Eurobond Issuance: The loss of USD 329.3 million is equivalent to approximately 33% of what the Government of Costa Rica would obtain through the issuance of a eurobond. These bonds are crucial tools that the government uses to finance its operations and infrastructure projects. b. Sports Infrastructure: The amount in question could finance the construction of almost four National Stadiums. These venues serve not only for sporting events but also for cultural and social activities that benefit the population. c. National Security: The figure also represents twice the annual budget allocated to the Judicial Investigation Agency (OIJ), a vital entity for maintaining security and order in the country. 7. These examples illustrate the seriousness of the financial and economic consequences implied by the decree and emphasize the need to reconsider policies that may have such profound repercussions on the country’s economy and well-being.

All of the foregoing leads us to consider the need to discuss technological neutrality in 5G supplier policy and, above all, the need to disregard criteria based on unsubstantiated political prejudice, as they affect critical market factors, namely: • Promotion of Competition: A policy of technological neutrality ensures a level playing field for all suppliers, promoting competition, which can result in lower prices and more innovative solutions. • Security and Resilience: Relying on a variety of suppliers can increase network security and resilience by reducing dependence on a single supplier or technology. • Inclusive Technological Development: A neutral policy avoids technological exclusion, ensuring that the country has access to the full range of 5G advances and solutions available globally. In short, it is imperative that Costa Rica and other countries adopt a policy of technological neutrality when considering the implementation of 5G technology. This neutrality will not only guarantee efficient and economical adoption, but will also position the country optimally to capitalize on the opportunities of the next digital era and all those to come in the future. The effective and timely implementation of 5G can be one of the most critical decisions leaders make to ensure progress and prosperity in the modern era. 21.- In order for the substantial legal situation at hand to be corrected and to avoid further serious and irreparable harm while the constitutionality and validity of the content of the challenged conduct is being discussed, we request the suspension of the bidding procedure cited repeatedly. 22.- This measure is entirely proportionate to the public interest, given that the potential interim measure (medida cautelar) would provide us with comprehensive protection in that we would have the possibility of participating in the public tender for the acquisition of 5G telecommunications technology that ICE will promote in the coming days and in which, from the outset, we are prevented from participating. 23.- Therefore, the harm that the bidding act will produce is greater and more real than that which the public interest would presumably suffer. Thus, the urgent need to adopt this interim measure (medida cautelar) is demonstrated, which constitutes the only remedy to prevent and avoid further harm to our right to engage in a business activity that is highly beneficial to the country. 24.- The foregoing confirms the suitability of the measure being requested, which is also proportionate to the purpose sought in this amparo action (recurso de amparo), that is, the evident and manifest unconstitutionality of any public tender promoted by ICE for the acquisition of 5G Mobile telecommunications technology for violating the fundamental rights of free competition and equal participation in public tenders. EVIDENCE 1.- Technical report: On the economic repercussions that the exclusion of Asian suppliers in 5G network investments in Costa Rica would have for the country, particularly the non-participation of Huawei in the aforementioned public tender promoted by ICE for the acquisition of 5G telecommunications technology in the country, prepared by the CINPE of the UNA. 2.- Notarized copy of the publication in the digital newspaper La República of September 11, 2023, indicating that the exclusion of Asian companies from the 5G network tender would cost the country $1.5 billion in technology. 3.- Notarized copy of the news item from the press outlet Semanario Universidad of September 6, 2023, "Decreto de Presidente Chaves deja fuera a cinco de las empresas líderes en 5G". 4.- Notarized copy of the news item from the press outlet Diario Extra, September 6, 2023, "Decisión de Gobierno subiría precio del internet". PRAYER FOR RELIEF 1.- Therefore, we request that, in application of Article 41 of the Ley de la Jurisdicción Constitucional, the publication of any tender specifications (pliego de condiciones) be suspended, or if already published, the suspension of any bidding process by ICE in which the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) must be applied, until such time as this Constitutional Chamber (Sala Constitucional) has ruled on the merits of this amparo action (recurso de amparo) and, in the event that it were converted into an unconstitutionality action (acción de inconstitucionalidad), until it has ruled on the merits thereof (sic)."

6.- On October 16, 2023, Magistrate Anamari Garro Vargas filed a motion to recuse herself (inhibitoria).

7.- By resolution issued at 8:27 a.m. on October 17, 2023, the Presidency of the Chamber rejected the motion to recuse (inhibitoria) of Magistrate Garro Vargas and enabled her to hear the amparo action (recurso de amparo).

8.- By resolution issued at 3:16 p.m. on October 23, 2023, the investigating magistrate (magistrado instructor) ordered: "Whereas the brief added to the digital case file on October 6, 2023 (received in the Secretariat of the Chamber at 5:11 p.m. on that same day), according to the order of the arguments and the numbering of the last page, is incomplete (it does not contain page no. 2), before resolving as legally appropriate, the plaintiff [Name 001], general manager of [Name 002], is hereby warned to provide, within a period of THREE DAYS, counted from the notification of this order, the entirety of said brief. Notify." 9.- By brief received in the Secretariat of the Chamber on October 25, 2023, Rubén Hernández Valle appears, in his capacity as special judicial representative (apoderado especial judicial) of the plaintiff. He states that, in compliance with the warning, he again provides the brief submitted on October 6 past. The latter contains the following argument: "For the purposes of Article 75 of the Ley de la Jurisdicción Constitucional, I succinctly allege the unconstitutionality and unconventionality in toto and of certain specific norms of 'El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5G) y superiores', approved by Executive Decree (Decreto Ejecutivo) number 44196-MSP-MCITT, published in La Gaceta of August 31, 2023. Below, I briefly substantiate the alleged constitutional defects. I.- Defects of unconstitutionality 'El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5G) y superiores', approved by Executive Decree (Decreto Ejecutivo) number 44196-MSP-MCITT, published in La Gaceta of August 31, 2023, contains serious defects of both unconstitutionality and unconventionality, which we list below succinctly. 1.- The Regulation in toto violates Article 28 of the Constitución Política, insofar as it regulates matters reserved by such norms to the domain of the law. That is, only (sic) by law can fundamental rights be regulated and, above all, restricted. 2.- The Regulation governs the fundamental right to informational self-determination, the rights of free competition and equal participation in public tenders, in addition to establishing a sanctioning regime against those who violate provisions contained in the Regulation. All these aspects are removed from the domain of the Regulation because they must necessarily be regulated by law. 3.- As a consequence of the foregoing, the principle of the division of powers enshrined in Article 9 of the Constitución Política is also violated, according to which no Branch of Government may interfere in the competencies constitutionally guaranteed to another Branch. 4.- In the instant case, the Executive Branch (Poder Ejecutivo) invaded competencies belonging to the Legislative Assembly (Asamblea Legislativa), since according to Article 121, subsection 1) of the Constitution, it is the responsibility of the legislative body to approve, authentically interpret, and repeal laws. 5.- Article 13 violates Article 39 of the Constitución Política, a norm that enshrines the principles of legality and specificity (tipicidad) in matters of administrative and criminal sanctions. 6.- According to the first principle, sanctioning types must be established by law, while specificity (tipicidad) requires that the conduct subject to a possible sanction must be specified in the norm. 7.- Article 13 of the Regulation does not specify the infractions or the sanctions, but merely refers to the provisions on the matter in the Ley General de Telecomunicaciones. 8.- Articles 9 and 10, subsections c), d), e), and f), violate the constitutional principles of freedom of competition and equal participation in public procurement procedures, by preventing free competition among all possible bidders possessing 5G technology and by limiting such participation for reasons unrelated to strictly technical criteria. 9.- Finally, the first paragraph of Article 9 and Article 11, subsection f), violate the constitutional principle of technical reasonableness, which requires, as established by the jurisprudence of this Chamber, that every norm and, in general, every act issued by public institutions must be based on technical criteria regarding the matter they regulate. 10.- In the instant case, the challenged articles lack technical foundation, and the requirements established therein do not conform to duly proven, accepted, and adopted international standards. For example, Article 9, first paragraph, provides that 'The subjects included in the scope of application of Article 2 of this Regulation must request from their hardware and software suppliers, which are involved in the operation and functioning of 5G and higher networks and their services, the definition of the requirements, controls, and measurements of the supply chain cybersecurity management system for the design, development, production, delivery, installation, and maintenance of hardware, software, and services in accordance with the SCS 9001 "Supply Chain Security Standard"' without justifying why this standard is specifically required. The SCS 9001 Standard (Supply Chain Security 9001) was recently created, in 2022, by the TIA (Telecommunications Industry Association), which is a U.S. association of ICT (Information and Communication Technologies) providers. The SCS 9001 Standard lacks sufficient data to allow verification of its effectiveness, since it is still in the pilot plan phase for carrying out the corresponding technical evaluation. The current ecosystem of Cybersecurity standards, which has been developed by ISO, GSMA, and 3GPP, has been recognized, accepted, verified, and implemented by the Cellular Mobile Telephone Services industry worldwide for several years now. 11.- Articles 8, subsection i), and 10, subsection a), violate the constitutional principle of proportionality. 12.- As established by the jurisprudence of this Chamber, a state act that limits fundamental rights must be necessary, suitable, and proportionate. 13.- The aforementioned articles of the Regulation are not necessary, suitable, or proportionate. Indeed, they are not necessary because the telephone network has operated in the country since its inception using the vertical diversification system, which is the most efficient methodology and, therefore, the most widely used worldwide to guarantee a balance of suppliers that ensures network security in a cost-effective manner. If something works well, there is no reason to change it. Therefore, there is no urgent need to adopt the model indicated in Article 8, subsection i), and Article 10, subsection a), of the challenged Regulation. 14.- Finally, there is no proportionality between the supposed benefit that the public interest would obtain under the model indicated in Article 8, subsection i), and Article 10, subsection a), of the challenged Regulation." 10.- By brief received in the Secretariat of the Chamber on November 9, 2023, Rubén Hernández Valle, special representative (apoderado especial) of the plaintiff, appears. He states the following: "1.- ICE published today, November 9, 2023, the TENDER SPECIFICATIONS (PLIEGO DE CONDICIONES) FOR THE ACQUISITION OF: GT-ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ON DEMAND". 2.- The tender document (cartel) contains requirements that are impossible for my client to meet because its parent company is located in the People's Republic of China. Specifically, Section 3, Ciberseguridad RAN-CORE Móvil 5G, which, as relevant, states: "3. 5G MOBILE RAN-CORE CYBERSECURITY SECTION. 3.1. The bidder must comply with all aspects relating to risk management and mitigation contained in the Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, when planning, designing, and implementing its technical offer, for which it must provide, together with the offer, the risk management and mitigation plan in accordance with the aforementioned regulation. 3.2. The bidder must submit a sworn statement indicating that it complies with the adoption of the following cybersecurity standards:

| Estándares de cumplimiento obligatorios | | | --- | --- | | Número | Nombre | | ISO/IEC 27001:2022 | Seguridad de la Información, Ciberseguridad y Protección de la Privacidad- Sistemas de Gestión de la Seguridad de la Información Requerimientos | | ISO/IEC 27002:2022 | Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Controles de seguridad de la información | | ISO/IEC 27003:2017 | Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía | | ISO/IEC 27011:2016 | Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones. | | SCS 9001 | Estándar de Seguridad de la Cadena de Suministro Ciberseguridad | | GSMA NESAS | Esquema de aseguramiento de ciberseguridad definido por GSMA y 3GPP. | | ISO/IEC 27400 | Ciberseguridad — Seguridad y privacidad en IoT— Guías de implementación | | 3GPP 33.501 | Arquitectura y procedimiento de seguridad para sistemas 5G. | | NIST 1800-33B | 5G Ciberseguridad | 3.3. In accordance with Article 10 of the Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, which indicates that there cannot be a single supplier regarding hardware and software in critical elements of the network, ICE may not award the Mobile CORE (items 3 and 4) and the mobile access network (items 1 and 2) to the same bidder. In the event that the bid participates for the Mobile CORE (items 3 and 4) and the mobile access network (items 1 and 2) and meets all technical, financial, and legal aspects and ranks first in price for all the mentioned items, ICE will award only items 1 and 2 (mobile access network) to this bidder, and items 3 and 4 (Mobile Core) will be awarded to the second-place bidder in price, in order not to have a single supplier regarding hardware and software in critical elements of the network, in compliance with Article 10 of the Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT. 3.4. The bidder must submit a sworn statement indicating that its headquarters is in a country that has consented to be bound by the Convention on Cybercrime (Budapest Convention). For which it must attach supporting documentation. ICE reserves the right to verify the validity (sic) of the information provided. 3.5. The bidder must submit a sworn statement indicating whether or not the location of the factory is susceptible to pressure from a foreign government due to a regulatory provision or official public policy of said foreign government, in relation to the location or execution of its operations. 3.6. The bidder must submit a sworn statement indicating whether it is based in a country, or is in any way subject to the direction of a foreign government with established laws or practices that may require them to share end-user information of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests." As can be seen from the preceding quote, the discriminatory elements contained in the Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT are involved in this procurement, which are mandatory conditions for the qualification of the bidder to participate in the bidding process, which excludes my client from access to the tender, and loses the opportunity to compete, due to the origin of its parent company. All of the foregoing, as duly substantiated, supported, and proven in the main Amparo Action (Recurso de Amparo) of case file 23-023887-0007-CO. 3.- In this way, the violation of our fundamental rights was imminently realized, as we had indicated in the initial brief of this amparo action (recurso de amparo). (...) LAW I.- The violations of the fundamental rights of my client The cited tender specifications (pliego de condiciones) of ICE's public tender violate, to the detriment of my client, at least the following fundamental rights: a) the right of free competition and equal participation in public tenders and b) the right not to be discriminated against due to the origin of the company. A.- The violation of the fundamental rights of free competition and equal participation in public tenders 1.- The jurisprudence of this Chamber has established that "if Article 182 of the Constitución Política establishes this principle -that of tendering (licitación)- then all the principles inherent to Administrative Contracting are encompassed in the concept. By virtue of the foregoing, it must be understood that all the constitutional principles and parameters governing the State's contractual activity derive from Article 182 of the Constitución Política. Some of these principles that guide and regulate tendering (licitación) are: 1.- free concurrence, which aims to strengthen the possibility of opposition and competition among bidders within the prerogatives of freedom of enterprise regulated in Article 46 of the Constitución Política, intended to promote and stimulate the competitive market, so that the largest number of bidders participate, enabling the Administration to have a wide and varied range of offers, so it can select the one that offers the best conditions; 2.- equality of treatment among all potential bidders, a principle complementary to the former and which, within tendering (licitación), has a dual purpose: to serve as a guarantee for the administered persons in the protection of their interests and rights as contractors, bidders, and as individuals, which translates into the prohibition for the State to impose restrictive conditions for access to the tender, whether through the enactment of legal or regulatory provisions for that purpose, or in its specific actions; and to constitute a guarantee for the administration, insofar as it increases the possibility of a better selection of the contractor; all of the foregoing, within the constitutional framework provided by Article 33 of the Carta Fundamental" (Voto 998-1998). 2.- The tender specifications (pliego de condiciones) published by ICE for the acquisition of "GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ON DEMAND", implies a clear violation, to the detriment of my client, of its fundamental rights to free concurrence in public procurement and equal treatment of bidders, given that Articles 10, subsections c), d), e), and f), and numeral 11 of the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) are directly applied in that public tender, norms that establish discriminatory regulations contrary to the cited fundamental rights of free competition and equal treatment in public tenders. 3.- Indeed, these norms establish requirements for the specific case, so that companies of different origins, especially Chinese, cannot participate in any public tender for the acquisition of 5G Mobile telecommunications technology and higher. 4.- In this way, the fundamental rights to freedom of competition and equal treatment held by all potential interested parties in participating in public tenders for the acquisition of goods and services in our country are grossly and evidently violated. 5.- In my client's case, the tender specifications (pliego de condiciones) prevent our participation in that public procurement by applying the provisions of subsections c), d), e), and f) of Article 10 and numeral 11 of the cited Regulation, which is the purpose pursued by that regulation according to statements made, at the time, by the Executive President of ICE, the Minister of MICITT, and the President of the Republic. A confession by a party, relief of proof. B.- The violation of the constitutional principle of not being discriminated against for any reason 1.- Article 33 of the Constitution enshrines the cardinal principle in Western Law that no person, physical or legal, may be discriminated against for any reason (sex, religious beliefs, ideology, nationality, etc.). 2.- In the present case, my client is openly discriminated against both for its supposed ideology and for its nationality, which implies a gross violation of Article 33 of the Constitución Política. 3.- Let us recall that discrimination, from a legal point of view, means granting different treatment based on unjust or arbitrary inequalities that are contrary to the principle of equality before the law. 4.- The prohibition of discrimination encompasses the interdiction against doing so for any personal or social circumstance; that is, any differentiation that lacks objective and reasonable justification can be classified as discriminatory. 5.- Thus, inequalities of treatment based exclusively on reasons of sex, race, social condition, ideological motives, origin, nationality, etc., are contrary to the principle of non-discrimination. 6.- The regulation that ICE intends to apply contains discriminatory elements as mandatory requirements in the cited public tender, implying a clear violation of the principle of non-discrimination to the detriment of my client, given that it is excluded from the outset of a public tender for supposedly ideological and nationality reasons. INTERIM MEASURE (MEDIDA CAUTELAR) 1.- Given that we are facing an exceptional case, since if the execution of the future harmful act against our fundamental rights, which is in the execution phase, is not suspended, the harm to my client would be irreparable and irreversible as it prevents its participation in the cited public tender for the acquisition of 5G/IMT Mobile telecommunications technology. 2.- Therefore, we request that, in application of Article 41 of the Ley de la Jurisdicción Constitucional, the processing of the bidding process indicated in the challenged tender document (cartel) be suspended, given that it is applying the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic), until such time as this Constitutional Chamber (Sala Constitucional) has ruled on the merits of this amparo action (recurso de amparo) and on the unconstitutionality action (acción de inconstitucionalidad) filed against that decree in a timely manner. PRAYER FOR RELIEF Based on the invoked facts, offered evidence, and legal considerations indicated, I request that in the judgment it be declared: 1.- That my client cannot be prevented from participating in the cited public tender by introducing clauses impossible for it to fulfill, because this violates the fundamental rights to free competition, equal treatment, and the prohibition of discrimination exclusively for ideological and nationality reasons. 2.- I reiterate the request for an order against ICE for the payment of damages and costs of this action." 11.- By brief received in the Secretariat of the Chamber on November 14, 2023, Rubén Hernández Valle, special judicial representative (apoderado especial judicial) of the plaintiff, appears. He indicates: “1. With the attached technical document, the losses that both my client and the country would suffer if we were prevented from participating in ICE's tender." 12.- By brief received in the Secretariat of the Chamber on November 24, 2023, Rubén Hernández Valle, in his capacity as special judicial representative (apoderado especial judicial) of the plaintiff, appears. He states the following: "I hereby expand the amparo action (recurso de amparo) filed and followed under case file 23-023887-0007-CO, based on the following FACTS 1.- That by brief sent to this Constitutional Chamber (Sala Constitucional) on November 9, 2023, the amparo action (recurso de amparo) filed was expanded on a first occasion, because on November 9, 2023, ICE published the TENDER SPECIFICATIONS (PLIEGO DE CONDICIONES) FOR THE ACQUISITION OF: GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ON DEMAND." 2.- The tender document (cartel) contains requirements that are impossible for my client to meet because its parent company is located in the People's Republic of China. Specifically, Section 3, CiberSeguridad RAN-CORE Móvil 5G, the same which can be reviewed in the brief of November 9, 2023. 3.- That against said tender specifications (pliego de condiciones), for being discriminatory and preventing the participation of [Name 002], an objection to the specifications (recurso de objeción al pliego) was filed in time and proper form. 4.- That by official communication 5201-250-202 of November 21, 2023, ICE proceeded to partially admit the objection to the specifications (recurso de objeción); however, it proceeded to absolutely reject all objections related to Section 3, CiberSeguridad RAN-CORE Móvil 5G, which precisely excludes Huawei from the tender. 5.- In this way, my client demonstrates the timely use of all available legal mechanisms to seek to guarantee its constitutional rights, and nevertheless, the violation of our fundamental rights materialized as we had indicated in the initial brief of this amparo action (recurso de amparo). Thus, the discrimination against my client and the current conditions in Costa Rica against Chinese companies, discriminating against them based on their nationality, is configured—no longer a possible violation but a consummated violation. EVIDENCE 1.- Copy of the filed appeal and of ICE's response. LAW I.- The violations of the fundamental rights of my client The cited tender specifications (pliego de condiciones) of ICE's public tender are consolidated, and given the rejection of the objection to the specifications (recurso de objeción), there are no further legal remedies that my client can use to seek protection of its legitimate constitutional rights. Based on this, we can assert that, with the exhaustion of that administrative avenue, the specifications violate, to the detriment of my client, at least the following fundamental rights: a) the right of free competition and equal participation in public tenders and b) the right not to be discriminated against due to the origin of the company, all of the foregoing, as duly explained and substantiated in the brief of November 9, 2023. INTERIM MEASURE (MEDIDA CAUTELAR) 1.- We reiterate in this act that we are facing an exceptional case requiring extremely urgent interim protection (protección cautelar), given that currently, and having exhausted the procedural remedies, it is impossible to stop the tender. Once the tender receives offers and my client is unable to submit its own, for not complying with Section 3, CiberSeguridad RAN-CORE Móvil 5G, serious, manifest, imminent, and irreparable harm will be realized, by being completely excluded from the tender and without standing to claim. Likewise, it has been amply demonstrated in this amparo proceeding, the appearance of a sound legal right (apariencia de buen derecho) of the claim, supported by constitutional norms, constitutional principles, comparative law, and also by technical documentation and analysis, which demonstrate that our claim has due foundation. Finally, in the balancing of the interests at stake, the suspension does not generate direct harm to the Administration, as it would be a provisional interim measure (medida cautelar). 2.- Therefore, we request that, in application of Article 41 of the Ley de la Jurisdicción Constitucional, the processing of the bidding process indicated in the challenged tender document (cartel) be suspended, given that the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) must be applied therein, until such time as this Constitutional Chamber (Sala Constitucional) has ruled on the merits of this amparo action (recurso de amparo) and on the unconstitutionality action (acción de inconstitucionalidad) filed against that decree in a timely manner.

PETITION Based on the facts invoked, evidence offered, and legal considerations indicated, I request that the judgment declare: 1.- That my client cannot be prevented from participating in the cited public tender by introducing clauses that are impossible for her to comply with, because this violates the fundamental rights to free competition, equal treatment, and the prohibition of discrimination exclusively for ideological and nationality reasons. 3.- I reiterate the request for ICE to be ordered to pay damages and the costs of this action." 13.- By resolution at 1:18 p.m. on November 24, 2023, the instructing magistrate, by order of the Full Court, expanded the facts of this appeal against ICE and requested a report from its executive president and contract administrator on the following facts: "i) By a writing received at the Secretariat of the Chamber on September 28, 2023, the plaintiff files an amparo appeal against ICE, in the following terms: '1.- My client is prepared to participate in the public tender that ICE will open to implement and operate 5G IMT technology in its networks, given that we are one of the main providers of that technology in Costa Rica. 2.- On August 31st of this year, the Executive Branch enacted and published in La Gaceta the “Regulation on Cyber Measures Applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Superior” (sic), which contains provisions that expressly prevent my client's participation in that public tender. 3.- The President of the Republic, the Minister of MICITT, as well as the Executive President of ICE have publicly stated that the enactment of the cited Regulation was done with the specific reason of preventing the participation of companies of various nationalities, especially those of Chinese origin, in the tender processes aimed at obtaining and operating 5G IMT and Superior telecommunications technology in that institution's networks. 4.- The President of ICE stated through the newspaper El Mundo CR on September 16th that the respective public tender will be published before the end of September of the current year. 5.- Additionally, and as reliable and absolute proof of the risk that exists for my client, on September 5, 2023, at 4:20 p.m., an email was received from Mr. Huberth Valverde Batista, ICE Contract Administrator, sending a questionnaire inquiring about compliance with Cybersecurity Regulation No. 44196-MSP-MICITT. The email itself indicates the need to obtain that information within 4 business days. 6.- Said questionnaire, as can be seen from the notarial certification provided, is an exact copy of the requirements of the Regulation. 7.- The foregoing is direct proof that, given the imminent publication of the tender, my client will be affected and unable to participate in it. 8.- Given this situation, the direct, undoubted, current, imminent, and real risk faced by the company I represent is more than clear, evident, and manifest.' Describes threats in the following terms: '1.- The Executive President of ICE has clearly stated that at the end of September, that institution will put out to public tender the acquisition of 5G Mobile telecommunications technology and that, in that public tender, they will apply the requirements demanded in the “Regulation on Cyber Measures Applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Superior” (sic). 2.- As cited by the digital news outlet “El Mundo.CR” on September 15th of the current year, the Executive President of ICE expressly stated the following: “the teams already have the decree and are reviewing it to see how it is included in the tender document. We also have some clarifications we need to make. However, the answer is yes, we will have to include what is provided therein, since it is applicable public policy” (https: elmundo.cr/costa-rica/licitacionpara-5g-saldra-a-finales-de-setiembre-vetando-empresas-chinas/). 3.- The President of the Republic, Mr. Rodrigo Chaves Robles, had declared to the press while in the United States, after having signed the cited Regulation shortly before his departure, that its enactment was intended to prevent the participation of companies of various origins in the upcoming public tenders that ICE and SUTEL would open for the acquisition of 5G Mobile telecommunications technology, which can be verified at the following link https://dplnews.com/rodrigo-chaves-prohibeempresas-chinas-en-el-desarrollo-de-5g-en-costa-rica/ 4.- This criterion was ratified by the Minister of MICITT on Amelia Rueda's radio program on Monday, September 4th, as can be verified at the following link https://ameliarueda.com/noticia/huawei-china-5g-micitt-subastacosta-rica-noticas 5.- In line with all the foregoing, my client received a questionnaire from ICE, requesting confirmation of compliance with the Decree, which specifically refers to 5G or superior technology, as clear and direct evidence of ICE's intention to promote this tender as soon as possible. 6.- It is evident that the questionnaire sent by ICE has a direct relationship with the Set of Conditions that will be used for the tender process aimed at 5G technology. In accordance with the General Public Procurement Law, the Administration, prior to publishing the Set of Conditions of any nature, must conduct a market study to verify the possible bidders. In this case, it is evident that ICE is complying with the market study established in Article 34 of the Public Procurement Law, by asking questions based on the Regulation, thus making it clear that they are going to incorporate said provisions into the 5G tender process, because the Regulation is a current norm and ICE has no power to disapply it. 7.- Therefore, we are in the presence of a certain, real, effective, and imminent threat, almost in the execution stage, of an act injurious to the fundamental rights of my client. 8.- Indeed, the public tender that ICE will open before the end of this month, as its own representatives have announced, will prevent my client from participating in it, for the simple fact of being a company of Chinese origin. 9.- It is important to point out that my client cannot be blamed for the fact that the Government of the People's Republic of China, within its sovereign powers, has not signed the Budapest Convention to date. 10.- The Budapest Convention was published 18 years before 5G technology was launched on the market, so it is impossible for any of its considerations to have been related to that technology. An evaluation factor is being used that is outdated and not directly related to cybersecurity, in addition to violating the principle of technological neutrality enshrined in Chapter XIII of CAFTA. 11.- It is completely discriminatory to prevent my client from participating in a tender due to a decision that is not in its hands, as it is a decision entirely of the Chinese Government. 12.- The only way to avoid a flagrant violation of the constitutional rights of free competition and equal participation that, according to the jurisprudence of this Chamber, have constitutional rank (Vote 998-1998), as well as the right to non-discrimination, is by the immediate suspension of the public tender in question. 13.- If the cited act were to materialize, the harm to my client would be irreversible and of impossible reparation, such as reputational damages. For this reason, we are procedurally legitimized to file this amparo appeal against the imminent threats from ICE, consisting of putting out a public tender to implement and operate 5G IMT technology in its networks, from which we are preemptively excluded.' Refers to the following violations of the fundamental rights of her client: 'The appealed threat violates, to the detriment of my client, at least the following fundamental rights: a) the right of free competition and equal participation in public tenders and b) the right not to be discriminated against based on the company's origin. A.- The violation of the fundamental rights of free competition and equal participation in public tenders. 1.- The jurisprudence of this Chamber has established that “if Article 182 of the Political Constitution establishes this principle - that of public tender - then all the principles inherent to Administrative Procurement are immersed in the concept. By virtue of the foregoing, it must be understood that all the constitutional principles and parameters governing the contractual activity of the State are derived from Article 182 of the Political Constitution. Some of these principles that guide and regulate public tender are: 1.- free concurrence, which aims to strengthen the possibility of opposition and competition among bidders within the prerogatives of freedom of enterprise regulated in Article 46 of the Political Constitution, intended to promote and stimulate the competitive market, so that the largest number of bidders participate, allowing the Administration to have a wide and varied range of offers, so it can select the one offering the best conditions; 2.- equal treatment among all possible bidders, a principle complementary to the previous one and which within the public tender has a dual purpose: to be a guarantee for the administered parties in the protection of their interests and rights as contractors, bidders, and as individuals, which translates into the prohibition for the State to impose restrictive conditions for access to the tender, whether through the enactment of legal or regulatory provisions for that purpose, or in its concrete action; and to constitute a guarantee for the administration, insofar as it increases the possibility of a better selection of the contractor; all within the constitutional framework provided by Article 33 of the Fundamental Charter” (Vote 998-1998). 2.- The threat by ICE of putting out a public tender in which it will apply Article 10) subsections c), d), e), and f), and section 11 of the aforementioned Regulation implies a clear violation, to the detriment of my client, of its fundamental rights to free concurrence in public procurement and equal treatment of bidders. 3.- Indeed, those norms establish requirements so that companies of various nationalities, as well as those of Chinese origin, cannot participate in any public tender for the acquisition of 5G Mobile and superior telecommunications technology. 4.- In this way, the fundamental rights to freedom of competition and equal treatment held by all potential parties interested in participating in public tenders for the acquisition of goods and services in our country, including my client, are grossly and evidently violated. 5.- In the case of my client, the set of conditions will prevent our participation in that public procurement by applying what is stipulated in subsections c), d), e), and f) of Article 10 and section 11 of the cited Regulation, which is the intent pursued by that regulation according to statements by the Executive President of ICE, the Minister of MICITT, and the President of the Republic. A party's confession relieves proof. B.- The violation of the constitutional principle of not being discriminated against for any reason. 1.- Article 33 of the Constitution enshrines the cardinal principle in Western Law that no person, physical or legal, may be discriminated against for any reason (sex, religious beliefs, ideology, nationality, etc.). 2.- In the present case, my client is openly discriminated against both for its alleged ideology and its nationality, which implies a gross violation of Article 33 of the Political Constitution. 3.- For example, admitting that only (sic) companies from countries that have signed the Budapest Convention can participate in public tenders to acquire 5G technology is evidently discriminatory, since said Convention does not strictly refer to cybersecurity issues but rather, that regulation focuses on the penalization of computer crimes including: fraud, intellectual property infringements, distribution and possession of child pornography, computer forgery, among others. Applying a common criminal policy among the signatory States. In this context, another characteristic of the Budapest Convention is international cooperation, an aspect that facilitates the investigation of cybercrimes and is relevant due to the characteristics of computer crimes and the possibility that they are committed outside a country's borders but with an impact on a specific territory. 4.- Let us remember that discrimination, from a legal point of view, means granting different treatment based on unjust or arbitrary inequalities that are contrary to the principle of equality before the law. 5.- The prohibition against discrimination covers the interdiction of doing so for any personal or social circumstance; meaning, any differentiation lacking objective and reasonable justification can be classified as discriminatory. 6.- In this way, inequalities in treatment based exclusively on reasons of sex, race, social condition, ideological motives, origin, nationality, etc., are contrary to the principle of non-discrimination. 7.- The regulation that ICE intends to apply in the cited public tender implies a clear violation of the principle of non-discrimination to the detriment of my client, given that it is excluded from a public tender for allegedly ideological and nationality reasons.' Formulates the following request for a precautionary measure: '1.- Given that we are facing an exceptional case, because if the execution of the future act injurious to our fundamental rights, which is almost in the execution phase, is not suspended, the harm to my client would be irreparable and irreversible as it could not participate in the cited public tender for the acquisition of 5G/IMT Mobile telecommunications technology. To understand this irreparability and irreversibility, one must consider that ICE represents 60% of Huawei's business in Costa Rica. Given this, if Huawei is prevented from participating in the tender, it would directly affect nearly 80 employees in Costa Rica, in addition to the financial losses for the company. 2.- Therefore, we request that, applying Article 41 of the Law of Constitutional Jurisdiction, the publication of any set of conditions be suspended, or in the event it has already been published, the suspension of any tender process by ICE in which the “Regulation on Cyber Measures Applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Superior” (sic) must be applied, until this Constitutional Chamber has ruled on the merits of this amparo appeal and, should it be converted into an unconstitutionality action, until it has ruled on the merits thereof.' States this petition: '1.- That my client cannot be prevented from participating in the cited public tender by introducing clauses impossible for it to comply with, because this violates the fundamental rights to free competition, equal treatment, and the prohibition of discrimination exclusively for ideological and nationality reasons. 2.- That once ICE is notified of the impossibility of proceeding with the repeatedly cited public tender, this amparo be converted into an unconstitutionality action so that various norms of the challenged Regulation can be eliminated from the legal order and, therefore, cannot be applied in any present or future tender.' ii) By a writing received at the Secretariat of the Chamber on October 6 and 25, 2023, the appellant appears and states: 'For the purposes of Article 75 of the Law of Constitutional Jurisdiction, I succinctly allege the unconstitutionality and unconventionality in toto and of some specific norms of “The Regulation on Cybersecurity Measures Applicable to Telecommunications Services in Fifth Generation Mobile Technology (5G) and Superiors,” approved by Executive Decree number 44196-MSP-MCITT, published in La Gaceta on August 31, 2023. Below, I briefly state the alleged constitutional defects. I.- Defects of unconstitutionality “The Regulation on Cybersecurity Measures Applicable to Telecommunications Services in Fifth Generation Mobile Technology (5G) and Superiors,” approved by Executive Decree number 44196-MSP-MCITT, published in La Gaceta on August 31, 2023, contains serious defects of both unconstitutionality and unconventionality, which we list below succinctly. 1.- The Regulation in toto violates Article 28 of the Political Constitution, as it regulates matters reserved by such norms to the domain of law. That is, only (sic) by law can the exercise of fundamental rights be regulated and, above all, restricted. 2.- The Regulation regulates the fundamental right to informational self-determination, the rights of free competition and equal participation in public tenders, in addition to enshrining a sanctioning regime against those who violate provisions contained in the Regulation. All these aspects are removed from the domain of the Regulation because they must necessarily be regulated by law. 3.- As a consequence of the foregoing, the principle of division of powers enshrined in Article 9 of the Political Constitution is also violated, according to which no Power may interfere in the competences constitutionally guaranteed to another Power. 4.- In this case, the Executive Branch invaded competences belonging to the Legislative Assembly, since according to Article 121, subsection 1) of the Constitution, it corresponds to the legislative body to approve, authentically interpret, and repeal laws. 5.- Article 13 violates Article 39 of the Political Constitution, a norm that enshrines the principles of legality and specificity in matters of administrative and criminal sanctions. 6.- According to the first principle, sanctioning types must be established by law, while specificity requires that the conduct subject to a possible sanction must be specified in the norm. 7.- Article 13 of the Regulation does not specify the infractions or the sanctions but merely refers to the provisions on the matter in the General Telecommunications Law. 8.- Articles 9 and 10, subsections c), d), e), and f) violate the constitutional principles of freedom of competition and equal participation in public procurement procedures, by preventing free competition among all possible bidders possessing 5G technology and thus limiting that participation for reasons beyond strictly technical criteria. 9.- Finally, the first paragraph of Article 9 and Article 11, subsection f) violate the constitutional principle of technical reasonableness, which requires, as the jurisprudence of this Chamber has established, that every norm and, in general, every act emanating from public institutions must be based on technical criteria regarding the matter they regulate. 10.- In this case, the challenged articles lack technical justification, and the requirements established in them do not conform to duly proven, accepted, and adopted international standards. For example, the first paragraph of Article 9 provides that “The subjects included in the scope of application of Article 2 of this Regulation must request from their hardware and software suppliers, which intervene in the functioning and operation of 5G and superior networks and their services, the definition of the requirements, controls, and measurements of the supply chain cybersecurity management system for the design, development, production, delivery, installation, and maintenance of hardware, software, and services in accordance with the SCS 9001 “Supply Chain Security Standard” without justifying why this standard is specifically demanded. The SCS 9001 Standard (Supply Chain Security 9001) was recently created, in 2022, by the TIA (Telecommunications Industry Association), which is a US association of ICT (Information and Communication Technologies) providers. The SCS 9001 Standard lacks sufficient data to allow verification of its effectiveness, as it is still in the pilot plan phase to carry out the corresponding technical evaluation. The current ecosystem of Cybersecurity standards, which has been developed by ISO, GSMA, and 3GPP, has been recognized, accepted, verified, and implemented by the global Cellular Mobile Telephony Services industry for several years now. 11.- Article 8 subsection i) and Article 10 subsection a) violate the constitutional principle of proportionality. 12.- As established by the jurisprudence of this Chamber, a state act that limits fundamental rights must be necessary, suitable, and proportionate. 13.- The aforementioned articles of the Regulation are not necessary, suitable, or proportionate. Indeed, they are not necessary because the telephone network has operated in the country since its inception through the vertical diversification system, which is the most efficient methodology and therefore the most widely used worldwide, to guarantee a balance of suppliers that ensures network security in a cost-effective manner. If something works well, there is no reason to change it. Therefore, there is no compelling need to adopt the model indicated in Article 8 subsection i) and Article 10 subsection a) of the challenged Regulation. 14.- Finally, there is no proportionality between the supposed benefit that the public interest would obtain according to the model indicated in Article 8 subsection i) and Article 10 subsection a) of the challenged Regulation.' iii) By a writing received at the Secretariat of the Chamber on October 10, 2023, the plaintiff appears. Indicates: 'Based on Article 41 of the Law of Constitutional Jurisdiction, I reiterate my request to suspend the execution of the tender that ICE will promote in a few days for the acquisition of 5G/IMT Mobile telecommunications technology, based on the following factual and legal reasons. 1.- The purposes of the amparo appeal 1.- As is known, the institution of amparo was adopted by our 1949 Constituent Assembly from the ephemeral 1940 Cuban Constitution. This model, unlike what occurs in other legislations, establishes the amparo appeal exclusively against administrative conduct (acts, omissions, threats). 2.- This system has the advantage that it fulfills the main objective of the amparo appeal, which consists of preventing the violation of fundamental rights when it is brought against threats, or restoring the infringed fundamental right before the damage becomes irreversible. To achieve this objective, the institute of precautionary measures is precisely used, and in the Costa Rican case, suspending the effects of the execution of the challenged conduct, in accordance with the letter and spirit of Article 41 of the Law of Constitutional Jurisdiction. 3.- When amparo is established only (sic) against judicial resolutions, as occurs in most legislations, it only (sic) has an compensatory effect, since the violation or threat of violation has already materialized irreversibly, making it legally impossible to restore the protected party to the effective exercise of their infringed fundamental right, or the threat of violation has translated into an irreversible infringement of their right. 4.- Therefore, when in our system the execution of the challenged act or threat is not suspended due to the gravity of its implications, the cited procedural remedy ends up having only (sic) compensatory effects because one would have renounced fulfilling its primary vocation of restoring the violated fundamental right or preventing one from being violated. 5.- Therefore, this Chamber must assess, on a case-by-case basis, when it is essential to suspend the present execution (when dealing with acts) or future execution (when in the presence of threats), given that if, in certain cases, it does not do so, the non-suspension could produce irreversible violations of fundamental rights, and their holders would have to resign themselves to collecting the damages suffered in the contentious-administrative jurisdiction. 6.- In such circumstances, the amparo appeal ceases to be a procedural remedy to restore the violated right or prevent its violation from materializing, becoming instead a jurisdiction for the reparation of damages. This latter function is accessory and must yield to the primary purpose of amparo, which is the effective protection of fundamental rights. II.- The elements to decree a precautionary measure 1.- In the present case, we are facing an exceptional case, because if the execution of the future act injurious to our fundamental rights, which is almost in the execution phase, is not suspended, the harm to my client would be irreparable and irreversible as it could not participate in the cited public tender for the acquisition of 5G/IMT Mobile telecommunications technology. 2.- Therefore, it is clear that in this case the three elements that the administrative procedural doctrine considers necessary for the granting of a precautionary measure are present, namely: a) appearance of a good right, b) danger in delay, c) bilaterality of periculum in mora. 3.- The appearance of a good right is amply demonstrated in the file with the evident violations of the fundamental rights to free concurrence and equal participation in public tenders to the detriment of my client. 4.- The danger in delay consists of the objectively founded and reasonable fear that the substantial legal situation alleged may be seriously damaged or harmed gravely and irreparably during the time necessary to issue a judgment in the principal proceeding. 5.- This prerequisite requires the presence of two elements: the grave damage or harm and the delay in the principal proceeding, without ignoring that within this prerequisite lies what the doctrine calls the “bilaterality of periculum in mora” or, as it is commonly known, the weighing of the interests at stake. 6.- The prerequisite of danger in delay alludes to two aspects: first, to the damages alleged that are likely to occur currently or potentially if the requested measure is not adopted. Damages that must be established as grave, in addition to being considered as derived from the alleged situation. 7.- As for the damages, it is clear that if the effects of the conduct challenged in this amparo appeal are not suspended, damages of difficult or even impossible reparation could be caused to my client, by preventing it from participating in the cited tender procedure aimed at acquiring 5G Mobile telecommunications technology. 8.- For the Instituto Costarricense de Electricidad alone, the costs of excluding [Name 002], which is the current hardware and software supplier for that entity, would be $1.5 billion. The foregoing is a public and notorious fact recorded in the La República news article of September 11, 2023, “Excluding Asian companies from 5G network tender would cost the country $1.5 billion in technology” available at https://www.larepublica.net/noticia/excluir-a-empresas-asiaticas-de-concurso-de-redes-5g-le-costaria-al-pais-15-billones-en-tecnologia 9.- Secondly, this prerequisite refers to the situation generated by jurisdictional processes that require, for their development and subsequent conclusion, the performance of a series of acts through which not only (sic) due process is guaranteed, but also the issuance of a ruling that, if it cannot be carried out promptly, at least is just. 10.- Putting an end to a process, the judgment of which will depend on the prior resolution of an unconstitutionality action against norms that must necessarily be applied within it, demands time, and it is precisely here that precautionary protection acquires special relevance, because while that decision in the process is pending, the production of serious damages is prevented, damages which, if they were to occur, would render the claimed right nugatory. 11.- This amparo appeal cannot be resolved before this same Chamber votes on the merits of the unconstitutionality action that will be filed based on it, which could take at least two years.

12.- The bilateral nature of the periculum in mora refers to the balancing of the interests at stake, linked to the public interest that may be in need of protection, against the interest of third parties and, of course, the interest of the party seeking a precautionary measure. These must be comparatively assessed, with the annulment of the measure being required when the harm suffered or likely to be caused to the community or third parties is greater than that which the Applicant for the measure could experience. 13.- The public interest would also be affected because the impact on operators excluding Huawei in 5G would have very harmful effects. The implementation of the decree could translate into the need for an investment increase of approximately USD196.69 million over a 5-year period. But beyond the direct monetary impact, this situation could generate a delay in the implementation of 5G technology, extending the duration of its deployment by up to 4 additional years. These delays, in addition to the additional financial costs, could have repercussions on the country's competitiveness and on the adaptability of local industries to global technological trends. 14.- From the point of view of internal impact, significant harm would also be caused. For example, ICE would have to increase its external debt due to the additional investments it would have to make to make the new system compatible. 15.- The GDP would decrease due to the reduction in economic activities driven by advanced technologies that require 5G for their development, such as autonomous driving, autonomous manufacturing, artificial intelligence, etc. 16.- The equipment acquisition costs for network operators and telecommunications service providers will increase as they have to purchase them at a higher price from U.S. and European companies (a public and well-known fact recorded in news reports from the press outlets Semanario Universidad, September 6, 2023, “Decreto de Presidente Chaves deja fuera a cinco de las empresas líderes en 5G” available at https://semanariouniversidad.com/pais/decreto-de-presidente-chaves-deja-fuera-a-cinco-de-las-empresas-lideres-en-5g/ and Diario Extra, September 6, 2023, “Decisión de Gobierno subiría precio del Internet” https://www.diarioextra.com/Noticia/detalle/504206/decisi-n-de-gobierno-subir-a-precio-del-internet-). 17.- The higher costs in the acquisition of equipment by network operators and telecommunications service providers would be passed on to the consumers and end users of such services (A public and well-known fact recorded in news reports from the press outlets Semanario Universidad, September 6, 2023, “Decreto de Presidente Chaves deja fuera a cinco de las empresas líderes en 5G” available at https://semanariouniversidad.com/pais/decreto-de-presidente-chaves-deja-fuera-a-cinco-de-las-empresas-lideres-en-5g/ and Diario Extra, September 6, 2023, “Decisión de Gobierno subiría precio del internet” https://www.diarioextra.com/Noticia/detalle/504206/decisi-n-de-gobierno-subir-a-precio-del-internet-). 18.- There would also be a loss of fair opportunities for system users to obtain access to advanced 5G technologies due to the inevitable increase in telephone rates. Indeed, the additional cost of less advanced technologies and the market with insufficient competition will ultimately be transferred to users. The price of rates would increase by approximately 40%. 19.- If the 5G deployment is carried out without restrictions, its investment would contribute USD 748.4 million to Costa Rica's Gross Domestic Product (GDP) over a span of 5 years. This represents a significant 3.19% of the GDP. However, under the limitations of the decree, this contribution plummets to just USD 419.1 million. We are talking about a reduction of USD 329.3 million in just five years, a figure that is far from negligible for any economy and highly significant for Costa Rica. 20.- In any case, the economic study conducted by the CINPE of the Universidad Nacional, in which 5 prestigious researchers from that educational center participated, reaches the following conclusions: Chapter IV: Conclusions and Recommendations. Throughout this research, we have aimed to calculate the financial and economic impact that the decision to implement Executive Decree No. 44196-MSP-MICITT has on Costa Rica. We have made clear in Chapter 1 of the research the importance and effects that the transition from 4 and 4.5 G internet to 5G-based usage platforms will have. This process of digital economy transformation has significant effects on business competitiveness, employment, and technological development in key industries for the country, and on the generation of innovation opportunities. For all of the above, we must attach the utmost importance and significance to the process ahead for the country with the deployment of 5G networks. In Chapters 2 and 3 of this study, based on the results obtained from applying the financial impact and economic impact analysis methodology, as well as the distribution of said amounts in rates, we can conclude that the restrictions on Asian suppliers, and particularly on the company Huawei, from participating in the bidding for equipment and maintenance of 5G networks in Costa Rica, has significant financial effects for cellular telephone operators and a very high economic and social impact for the country. It is concluded that: 1. The implementation of the decree could translate into the need for an investment increase of approximately USD 196.69 million over a 5-year period. But beyond the direct monetary impact, this situation could generate a delay in the implementation of 5G technology, extending the duration of its deployment by up to 4 additional years. These delays, in addition to the additional financial costs, could have repercussions on the country's competitiveness and on the adaptability of local industries to global technological trends. 2. Regarding the impact on the economy of said effects of the 5G technology deployment, it can be appreciated forcefully when comparing the scenarios with and without the implementation of this decree. According to our research and the data presented in Table 2.3, if the 5G deployment is carried out without restrictions, its investment would contribute USD 748.4 million to Costa Rica's Gross Domestic Product (GDP) over a span of 5 years. This represents a significant 3.19% of the GDP. However, under the limitations of the decree, this contribution plummets to just USD 419.1 million. We are talking about a reduction of USD 329.3 million in just five years, a figure that is far from negligible for any economy and highly significant for Costa Rica. 3. The most affected industries are the manufacturing industry, the ICT sector, the commercial sector, and public administration. The manufacturing industry is a sector closely linked to the dynamism of free trade zones (zonas francas) and has historically been a pillar of Costa Rica's economic growth, and this sector would absorb nearly one-third of that economic cost (USD 117.0 million), which is alarming. This industry is not only vital for its contribution to the GDP but also because it is a crucial source of employment for Costa Ricans. Additionally, the information and communication sector is not far behind, projecting a negative impact of USD 39.18 million during the same period, as a direct consequence of the decree. In third place is the economic cost for the commercial sector, totaling USD 29.9 million. In some ways, the estimated impact for this industry would be the best possible scenario, meaning there could be a greater cost resulting from the depth that 5G technology has and would have in access to new products for consumers, as is the case with digital platforms. In fourth place is the impact on public administration for a total of USD 24.6 million, which would limit the government in general and local governments in particular from accelerating the process of smart cities. This is complemented by technological improvements to enhance citizen security and coverage of public service rates, such as water and electricity. 4. By integrating the effects of additional investment costs into an average industry rate model, we find that rates could increase by up to an additional 40 percent with the implementation of the decree. The effect on users tends toward significant digital exclusion; however, it will depend on the pricing strategy developed by 5G service providers and/or the intervention of the Costa Rican State to cushion this impact on Costa Ricans' income resulting from the increase in costs and prices of telecommunications services. 5. The exclusion of customers in rural areas and in lower relative income segments is of great concern. The currently existing gap could widen significantly, with dire implications for the excluded individuals. Additionally, a failure to implement on time will have effects in terms of lost investment and employment opportunities. 6. As a whole, we see that the financial, economic, and social impact of the decree accounts for a significant loss for the country from implementing this measure. It is clear that there are opposing positions on the issue, but the magnitude of the effects requires a deep, critical analysis that is coherent with the country's reality. To exemplify the size of the economic impact, we can compare it with three major investment items: a. Issuance of Eurobonds: The loss of USD 329.3 million is equivalent to approximately 33% of what the Government of Costa Rica would obtain through the issuance of a Eurobond. These bonds are crucial tools that the government uses to finance its operations and infrastructure projects. b. Sports Infrastructure: The amount in question could finance the construction of almost four National Stadiums. These venues serve not only for sporting events but also for cultural and social activities that benefit the population. c. National Security: The figure also represents double the annual budget allocated to the Judicial Investigation Organization (Organismo de Investigación Judicial, OIJ), a vital entity for maintaining security and order in the country. 7. These examples illustrate the severity of the financial and economic consequences implied by the decree and emphasize the need to reconsider policies that could have such profound repercussions on the country's economy and well-being. All of the above leads us to consider the need to discuss technological neutrality in 5G supplier policy and, above all, the need to disregard criteria based on unproven political prejudices, as they affect critical market factors, namely: • Promotion of Competition: A policy of technological neutrality ensures a level playing field for all suppliers, promoting competition, which can result in lower prices and more innovative solutions. • Security and Resilience: Depending on a variety of suppliers can increase network security and resilience by reducing dependence on a single supplier or technology. • Inclusive Technological Development: A neutral policy avoids technological exclusion, ensuring that the country has access to the full range of advances and 5G solutions available globally. In summary, it is imperative that Costa Rica and other countries adopt a policy of technological neutrality when considering the implementation of 5G technology. This neutrality will not only guarantee an efficient and economical adoption but will also optimally position the country to capitalize on the opportunities of the next digital era and all those to come in the future. The effective and timely implementation of 5G can be one of the most critical decisions that leaders make to ensure progress and prosperity in the modern era. 21.- In order for the substantial legal situation at hand to be corrected and to avoid further serious and irreparable harm while the constitutionality and validity of the content of the challenged conduct is being discussed, we request the suspension of the tendering procedure (procedimiento licitatorio) so often cited. 22.- This measure is entirely proportionate to the public interest, given that the eventual precautionary measure would provide us with comprehensive protection as we would have the possibility of participating in the public tender for the acquisition of 5G telecommunications technology that ICE will promote in the coming days and in which, beforehand, we are prevented from participating. 23.- Therefore, the harm that the tendering act will produce is greater and more real than that which the public interest would allegedly suffer. In this way, the imperative need to adopt this precautionary measure is demonstrated, which constitutes the only remedy to prevent and avoid further harm to our right to engage in a business activity that is highly beneficial to the country. 24.- The foregoing confirms the suitability of the measure being requested, which also proves to be proportionate to the purpose sought in this amparo appeal (recurso de amparo), that is, the evident and manifest unconstitutionality of any public tender promoted by ICE for the acquisition of 5G Mobile telecommunications technology because it violates the fundamental rights of free competition and equality of participation in public tenders.

EVIDENCE 1.- Technical report: On the economic repercussions that the exclusion of Asian suppliers in 5G network investments in Costa Rica would have for the country, particularly the non-participation of Huawei in the cited public tender promoted by ICE for the acquisition of 5G telecommunications technology in the country, prepared by the CINPE of the UNA. 2.- Notarized copy of the publication from the digital newspaper La República of September 11, 2023, indicating that the exclusion of Asian companies from the 5G network tender would cost the country $1.5 trillion in technology. 3.- Notarized copy of the news report from the press outlet Semanario Universidad of September 6, 2023, "Decreto de Presidente Chaves deja fuera a cinco de las empresas líderes en 5G". 4.- Notarized copy of the news report from the press outlet Diario Extra, September 6, 2023, "Decisión de Gobierno subiría precio del internet" PETITION 1.- Therefore, we request that, in application of Article 41 of the Law of Constitutional Jurisdiction (Ley de la Jurisdicción Constitucional), the publication of any bidding conditions (pliego de condiciones) be suspended, or, if already published, the suspension of any tendering procedure by ICE in which the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" must be applied, until such time as this Constitutional Chamber (Sala Constitucional) has ruled on the merits of this amparo appeal and, should it be converted into an action of unconstitutionality (acción de inconstitucionalidad), until it has ruled on the merits thereof.

• iv)By written submission received at the Secretariat of the Chamber on November 9, 2023, Rubén Hernández Valle, special legal representative of the plaintiff, appears. He states the following: "1.- ICE published today, November 9, 2023, the BIDDING CONDITIONS FOR THE ACQUISITION OF: GT-ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND". 2.- The tender documents contain requirements that are impossible for my represented party to meet because its parent company is located in the People's Republic of China. Specifically, Section 3, Ciberseguridad RAN-CORE Móvil 5G, which, to the relevant part, states: "3. SECTION ON CIBERSEGURIDAD RAN-CORE MOVIL 5G. 3.1. The bidder must comply with all aspects related to the management and mitigation of risks contained in the Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, when planning, designing, and implementing their technical offer, for which they must provide, together with the offer, the risk management and mitigation plan in accordance with the aforementioned regulations. 3.2. The bidder must present a sworn statement indicating that they comply with the adoption of the following cybersecurity standards:

3.3. In accordance with Article 10 of the Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, which indicates that a single supplier for hardware and software in critical network elements cannot be used, ICE may not award the Mobile Core (items 3 and 4) and the mobile access network (items 1 and 2) to the same bidder. In the event that the bid participates for the Mobile Core (items 3 and 4) and the mobile access network (items 1 and 2) and meets all technical, financial, and legal aspects and ranks first in price for all the mentioned items, ICE will award only items 1 and 2 (mobile access network) to this bidder, and items 3 and 4 (Mobile Core) will be awarded to the second-place bidder in price, in order not to have a single supplier for hardware and software in critical network elements, in compliance with Article 10 of the Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT. 3.4. The bidder must present a sworn statement indicating that its headquarters is in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention). For which it must attach supporting documentation. ICE reserves the right to verify the validity of the information provided. 3.5. The bidder must present a sworn statement indicating whether or not the factory headquarters is susceptible to pressure from a foreign government due to a regulatory provision or official public policy of said foreign government, in relation to the location or execution of its operations. 3.6. The bidder must present a sworn statement indicating whether it is based in a country, or is, in any way, subject to the direction of a foreign government with established laws or practices that may require them to share end-user information of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests." As can be seen from the foregoing citation, the discriminatory elements contained in the Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT are involved in this contracting, which are mandatory conditions for the qualification of the bidder to participate in the tender process, which excludes my represented party from access to the tender, and it loses the opportunity to compete, by reason of the origin of its parent company. All the foregoing, as was duly founded, supported, and proven in the main Amparo Appeal of file 23-023887-0007-CO. 3.- In this way, the violation of our fundamental rights was imminently concretized, as we had indicated in the filing submission of this amparo appeal. (…)

LAW I.- The violations of my represented party's fundamental rights The bidding conditions of ICE's public tender cited violate, to the detriment of my represented party, at least the following fundamental rights: a) the right of free competition and equality of participation in public tenders and b) the right not to be discriminated against by reason of the company's origin. A.- The violation of the fundamental rights of free competition and equality of participation in public tenders 1.- The jurisprudence of this Chamber has established that "if Article 182 of the Political Constitution establishes this principle - that of tendering - then all the principles inherent to Administrative Contracting are immersed in the concept. By virtue of the foregoing, it must be understood that all the constitutional principles and parameters that govern the State's contractual activity derive from Article 182 of the Political Constitution. Some of these principles that guide and regulate tendering are: 1.- of free concurrence (libre concurrencia), which aims to strengthen the possibility of opposition and competition among bidders within the prerogatives of freedom of enterprise regulated in Article 46 of the Political Constitution, intended to promote and stimulate the competitive market, so that the largest number of bidders can participate, allowing the Administration to have a wide and varied range of offers, so that it can select the one that offers the best conditions; 2.- of equality of treatment among all possible bidders, a principle complementary to the previous one and which within the tender has a dual purpose: that of being a guarantee for the administered parties in the protection of their interests and rights as contractors, bidders, and as private individuals, which translates into the prohibition for the State to impose restrictive conditions for access to the tender, whether through the enactment of legal or regulatory provisions with that objective, or in its specific actions; and that of constituting a guarantee for the administration, insofar as it increases the possibility of a better selection of the contractor; all of the above, within the constitutional framework provided by Article 33 of the Fundamental Charter" (Voto 998-1998). 2.- The bidding conditions published by ICE for the acquisition of "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA", implies a clear violation, to the detriment of my represented party, of its fundamental rights to free concurrence in public procurement and equality of treatment of bidders, given that Article 10, subsections c), d), e), and f), and numeral 11 of the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" are directly applied in this public tender, norms that establish discriminatory regulations contrary to the cited fundamental rights of free competition and equality of treatment in public tenders. 3.- Indeed, these norms establish requirements for the specific case, so that companies of different origins, especially Chinese, cannot participate in any public tender for the acquisition of 5G Mobile telecommunications technology and superior generations. 4.- In this way, the fundamental rights to freedom of competition and equality of treatment held by all potential interested parties in participating in public tenders for the acquisition of goods and services in our country are grossly and evidently violated. 5.- In my represented party's case, the bidding conditions prevent our participation in this public procurement by applying the provisions of subsections c), d), e), and f) of Article 10 and numeral 11 of the cited Reglamento, which is the purpose sought by that regulation according to statements made, at the time, by the Executive President of ICE, the Minister of MICITT, and the President of the Republic. A confession by a party relieves the need for proof. B.- The violation of the constitutional principle of not being discriminated against for any reason 1.- Article 33 of the Constitution enshrines the cardinal principle in Western Law that no person, physical or legal, can be discriminated against for any reason (sex, religious beliefs, ideology, nationality, etc.). 2.- In the present case, my represented party is openly discriminated against both for its alleged ideology and for its nationality, which implies a gross violation of Article 33 of the Political Constitution. 3.- Let us remember that discrimination, from a legal point of view, means the granting of different treatment based on unjust or arbitrary inequalities that are contrary to the principle of equality before the law. 4.- The prohibition of discrimination encompasses the interdiction of doing so for any personal or social circumstance; that is, any differentiation that lacks objective and reasonable justification can be classified as discriminatory. 5.- In this way, unequal treatments based exclusively on reasons of sex, race, social condition, ideological motives, origin, nationality, etc., are contrary to the principle of non-discrimination. 6.- The regulation that ICE intends to apply contains discriminatory elements as mandatory requirements in the cited public tender, implying a clear violation of the principle of non-discrimination to the detriment of my represented party, given that it is excluded from the outset of a public tender for allegedly ideological reasons and nationality.

PRECAUTIONARY MEASURE 1.- Given that we are facing an exceptional case, because if the execution of the future act harmful to our fundamental rights, which is in the execution phase, is not suspended, the harm to my represented party would be irreparable and irreversible as it prevents its participation in the cited public tender for the acquisition of 5G/IMT Mobile telecommunications technology. 2.- Therefore, we request that, in application of Article 41 of the Law of Constitutional Jurisdiction (Ley de la Jurisdicción Constitucional), the processing of the tendering procedure indicated in the challenged tender documents be suspended, given that the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" is being applied in it, until such time as this Constitutional Chamber has ruled on the merits of this amparo appeal and on the action of unconstitutionality filed against that decree in due course.

PETITION Based on the facts invoked, evidence offered, and legal considerations indicated, I request that the judgment declare: 1.- That my represented party cannot be prevented from participating in the cited public tender by introducing clauses impossible for it to fulfill, because this violates the fundamental rights to free competition, equality of treatment, and the prohibition of discrimination exclusively for ideological reasons and nationality. 2.- I reiterate the request for an order against ICE for the payment of damages and costs of this action." v) By written submission received at the Secretariat of the Chamber on November 14, 2023, Rubén Hernández Valle, special judicial representative of the plaintiff, appears. He indicates: "1. With the attached technical document, the losses that both my represented party and the country would suffer if we were prevented from participating in ICE's tender." vi) By written submission received at the Secretariat of the Chamber on November 24, 2023, Rubén Hernández Valle appears, in his capacity as special judicial representative of the plaintiff. He states the following: "I hereby expand the amparo appeal filed and processed under file 23-023887-0007-CO, based on the following FACTS 1.- That by means of a writing submitted to this Constitutional Chamber on November 9, 2023, the amparo appeal filed was expanded for the first time, because on November 9, 2023, ICE published the BIDDING CONDITIONS FOR THE ACQUISITION OF: GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND". 2.- The tender documents contain requirements that are impossible for my represented party to meet because its parent company is located in the People's Republic of China. Specifically, Section 3, CiberSeguridad RAN-CORE Móvil 5G, which can be reviewed in the submission of November 9, 2023. 3.- That against said bidding conditions, for being discriminatory and preventing the participation of [Name 002]., a challenge to the bidding conditions (recurso de objeción al pliego) was filed in a timely manner.

4.- That by means of official letter 5201-250-202 of November 21, 2023, ICE proceeded to partially admit the objection appeal; however, it proceeded to absolutely reject all objections related to Section 3, 5G Mobile RAN-CORE Cybersecurity, which precisely excludes Huawei from the bidding process. 5.- In this manner, my client demonstrates the timely use of all available legal mechanisms to seek to guarantee its constitutional rights, and nevertheless, the violation of our fundamental rights materialized as we had indicated in the filing brief for this amparo appeal. Thus, discrimination against my client and the current conditions in Costa Rica against Chinese companies, discriminating against them based on their nationality, is now constituted—no longer a potential violation but a consummated violation.

EVIDENCE 1.- Copy of the appeal filed and of ICE's response.

LAW I.- Violations of my client's fundamental rights The statement of conditions of the cited ICE public tender is finalized, and given the rejection of the objection appeal, there are no further legal remedies that my client can use to seek the protection of its legitimate constitutional rights. It is on this basis that we can affirm that, with the exhaustion of that administrative channel, the statement of conditions violates, to the detriment of my client, at least the following fundamental rights: a) the right to free competition and equal participation in public tenders, and b) the right not to be discriminated against based on the company's origin, all of the above, as was duly explained and substantiated in the brief of November 9, 2023.

PRECAUTIONARY MEASURE 1.- We reiterate at this juncture that we are facing an exceptional case of extremely urgent precautionary protection, given the fact that currently, and having exhausted procedural remedies, it is impossible to halt the tender. Once the tender receives offers and my client is unable to submit its own, for not complying with Section 3, 5G Mobile RAN-CORE Cybersecurity, grave, manifest, imminent, and irreparable harm will materialize, as it will be completely excluded from the tender and without standing to claim. Similarly, it has been amply demonstrated in this amparo process that the claim has the appearance of sound legal basis, supported by constitutional norms, constitutional principles, comparative law, and also by documentation and technical analyses, which demonstrate that our claim is duly grounded. Finally, in the balancing of interests at stake, the suspension does not generate direct harm to the Administration, as it would be a provisional precautionary measure. 2.- Therefore, we request that, in application of Article 41 of the Law of Constitutional Jurisdiction, the processing of the bidding procedure indicated in the challenged tender document be suspended, given that the “Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Higher” must be applied therein, until such time as this Constitutional Chamber has ruled on the merits of this amparo appeal and on the unconstitutionality action filed against that decree in due course.

PETITION Based on the facts invoked, evidence offered, and legal considerations indicated, I request that the judgment declare: 1.- That my client cannot be prevented from participating in the cited public tender by introducing clauses that are impossible for it to fulfill, because this violates the fundamental rights to free competition, equal treatment, and the prohibition of discrimination exclusively for ideological and nationality reasons. 3.- I reiterate the request to order ICE to pay damages and the costs of this action.” 14.- By means of a resolution issued at 1:22 p.m. on November 24, 2023, the instructing magistrate, by order of the Plenary, granted a hearing to the superintendent of the General Superintendency of Financial Entities, and to those representing both the Chamber of Infocommunication and Technology (Infocom) and the Chamber of Information and Communication Technologies (Camtic).

15.- By brief incorporated into the digital case file on November 30, 2023, Marco Vinicio Acuña Mora and Hubert Valverde Batista, in their order Executive President and Contract Administrator, both of ICE, render a report in the following terms: I. CONTEXT In the resolution at hand, by order of the Plenary, your Authority, upon expanding the course of the summary amparo process, requests a report from ICE, through the undersigned, on six (6) facts alleged by the Claimant in briefs filed in the period from September 28 to November 24, all of 2023. Before referring to these factual elements, in protection of the principle of collaboration with the Justice Authorities, in accordance with the original report filed on October 6, 2023, by official letter No. 0060-456-2023, the following context is provided for the purpose of placing what is alleged by the Appellant in its proper dimension and thus contributing to the better understanding of the facts by the Honorable Constitutional Chamber: 1. The Amparo Appeal filed, and therefore the alleged facts—including those expanded upon—are based on Executive Decree No. 44196-MSP-MICITT named “Regulation on cybersecurity measures applicable to telecommunications services based on fifth generation mobile (5G) technology and higher” issued on August 25, 2023, by the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications, published in Supplement No. 166 of the Official Gazette La Gaceta of August 31, 2023, effective as of that date. 2. Executive Decree No. 44196-MSP-MICITT, in Article 2, establishes the following: “Article 2—Scope of application. The active operation of networks and services based on fifth generation mobile (5G) technology and higher is subject to this regulation, by natural or legal persons, public or private, national or foreign, who operate networks or provide telecommunications services based on fifth generation mobile (5G) technology and higher that originate, terminate, or transit through the national territory, excepting the operation of private telecommunications networks. In the case of public procurement processes whose purpose is the enablement of networks and services based on fifth generation mobile (5G) technology and higher, as well as the active technological equipment necessary for the deployment thereof, for the use and exploitation of the radioelectric spectrum, the Administration or contracting entity must adopt the suitable mechanisms to verify that potential bidders have considered all aspects alluding to the risk management and mitigation contained in this regulation, when planning, designing, and implementing their technical bid. In the event of being awarded the contract, the provisions of this regulation shall be of mandatory compliance during the operation of the networks and provision of services based on fifth generation mobile (5G) technology or higher.” (The highlighting, with the exception of the article title, is provided). 3.- The Regulation at hand, in Article 13, relating to sanctions and infractions, establishes the following: “Article 13—Sanctions and infractions. The administrative sanctioning regime applicable for non-compliance with the provisions contained in this Executive Decree shall be governed by the provisions of Law No. 8642, General Telecommunications Law.” (The highlighting, with the exception of the article title, is provided). The preceding factual elements, of general knowledge, make it possible to clearly demonstrate the following aspects that will be central to resolving the case: 1.- ICE did not issue the Regulation on cybersecurity measures applicable to telecommunications services based on fifth generation mobile (5G) technology and higher, whereby there is an evident lack of passive standing on the part of the Institute for the purposes of this Amparo Appeal. 2.- ICE, in its capacity as an operator and provider of telecommunications services, along with other counterparts of a public or private nature, is subject to this Regulation issued by the Executive Branch; a scope of application that, in the case of the Institute, when using public funds, also comprises public procurement processes. 3.- If ICE, in said capacity as an operator and provider of telecommunications services, fails to comply with the provisions of the Regulation, it will be subject to the administrative sanctioning regime of the General Telecommunications Law No. 8642 (LGT), which, depending on the particular severity of the fault, could involve sanctions of one percent (1%) up to ten percent (10%) of the annual sales obtained by the offender during the previous fiscal year, or between one percent (1%) up to ten percent (10%) of the value of the offender's assets, in addition to the definitive closure of the establishment, shutting down of facilities, in application of Articles 68 and 69 of the LGT. 4.- ICE, on November 9, 2023, published in the SICOP system, special procedure 2023XE-000023-0000400001 GT- Acquisition of Goods and Services for the Implementation of the 5G Network, Delivery on Demand with the objective of providing 5G services to telecommunications users, where within the statement of conditions, the requirements related to Executive Decree No. 44196-MSP-MICITT were incorporated, which is in force, being a provision of general scope issued by the Executive Branch, of mandatory compliance for the Institute. Currently, said public procurement procedure is in the bid receipt stage. 5.- Therefore, what ICE is doing is complying, as legally corresponds, and in accordance with the principle of legality, with said Regulation issued by the Executive Branch, both in its capacity as an operator and provider of telecommunications services, and as a public institution in public procurement processes, under the General Public Procurement Law, whose purpose is the enablement of networks and services based on fifth generation mobile (5G) technology and higher, as well as the active technological equipment necessary for the deployment thereof, for the use and exploitation of the radioelectric spectrum (as will be explained punctually in the following section) according to the scope of application established in Article 2 of the aforementioned Executive Decree, the non-compliance of which implies regulatory and economic sanctions and infractions as regulated in numeral 13 of said norm of general scope. II. ON THE SIX FACTS ALLEGED BY THE CLAIMANT Based on technical report No. 9191-1860-2023 of November 29, 2023, issued by the 5G Program of the Telecommunications Management of ICE, which is provided as evidence, we refer below to the six facts indicated by the High Constitutional Court, numbered from i) to vi) in the referral resolution. Fact i) Given that the fact refers to the brief received by the Secretariat of the Chamber on September 28, 2023, on which the original course of the Amparo Appeal was granted and therefore the matter was transferred to ICE, we respectfully state to your Authority that the undersigned referred to said factual element in the mandatory report filed on October 6, 2023, by official letter No. 0060-456-2023, in which, under the principle of procedural collaboration, the respective documentary evidence was provided. In this sense, in accordance with the principle of efficiency and in order not to bother the High Constitutional Court with the lengthy transcription of said original report, we respectfully refer to what is established in said brief incorporated into the judicial case file. Fact ii) Said fact, originating from the Claimant's brief of October 6, 2023, replicated in a brief of the 25th of the same month and year (given that page 2 was missing), refers to alleged defects of unconstitutionality “in toto and of some specific norms” of Executive Decree No. 44196-MSP-MICITT named “Regulation on cybersecurity measures applicable to telecommunications services based on fifth generation mobile (5G) technology and higher.” In this sense, what is alleged in fact ii) are aspects alien to ICE, which, as has been explained, is not the issuer of said Regulation, being obliged to apply it. Likewise, as is known to your Authority, the Appellant, subsequent to the statement in the brief of October 6, appeared before the Constitutional Chamber to directly file an unconstitutionality action against said Regulation, processed under case file No. 23025158-0007-CO, which, as of the date of signing this mandatory report, is reported to be in processing status, according to the public information available in the Online Management System of the Judicial Branch, in the public consultation modality. Likewise, the Appellant itself, as will be explained in the response to Fact vi), has informed ICE about the filing of said unconstitutionality action under case file No. 23-025158-0007-CO. Therefore, given that the unconstitutionality action on the Regulation at hand, even by the will of the Appellant, is being processed under another type of process and judicial case file, it is considered that this fact ii), under legal-procedural technique, is impertinent, besides lacking current interest, given that the resolution of the action, as applicable, will not be resolved in this summary amparo process. Fact iii) In this fact, based on the brief of October 10, 2023, the Appellant reiterates the request for a precautionary measure, originally made in the filing brief for the amparo appeal, regarding “suspending the execution of the tender that ICE will promote in a few days for the acquisition of 5G/IMT Mobile telecommunications technology,” for which it provides three news items issued by press media and an academic study from the Universidad Nacional (UNA) of October 2023 named “Evaluation of the economic impact of excluding providers in 5G network investments in Costa Rica.” In this regard, given that the Appellant reiterates what was already requested and argued in the brief of September 28, 2023, where it files the amparo appeal, we state that even though the facts on which the original mandatory report was requested to be rendered did not contemplate said request for a precautionary measure, the undersigned, by virtue of the principle of collaboration with the Justice Authorities, referred to the inadmissibility of said request in the mandatory report filed on October 6, 2023, by official letter No. 0060-456-2023, specifically in Section IV, where it was explained that none of the requirements established for precautionary protection are met; likewise, it was demonstrated that: “Suspending the publication of any statement of conditions, in the terms requested by the Appellant, would not only imply grave, irreparable, and irreversible damage to this Public Institution, preventing it from fulfilling its competencies established by law, but would above all affect the end users of telecommunications, who would be prevented from having access to new technologies and services, affecting their fundamental right of access to telecommunications, recognized jurisprudentially by this Honorable Constitutional Court and recently positivized by the Derived Constituent Assembly through a reform to the Magna Carta.” (The highlighting is provided). Now then, given that the Honorable Constitutional Court, in this fact iii), formally brings to attention the request for a precautionary measure, we not only reiterate the inadmissibility of said requirement, but also develop the grave, irreparable, and irreversible damages that would be caused not only to ICE, but above all to the end users of telecommunications, affecting the public interest. In this regard, an eventual suspension of the ongoing public procurement procedure for the implementation of 5G technology (Special Procedure 2023XE-000023-0000400001 GT- Acquisition of Goods and Services for the Implementation of the 5G Network, Delivery on Demand) would generate grave, irreparable, and irreversible damage to ICE for the following reasons: 1. It prevents ICE from fulfilling the historical and legal competencies of providing telecommunications services to the community established since Decree Law 449 of 1949, reaffirmed and complemented in the Law for the Strengthening and Modernization of Public Entities of the Telecommunications Sector No. 8660 of 2008, implying at the same time a breach of the commitments expressly made by the Costa Rican State in Annex 13 of the Dominican Republic-Central America-United States Free Trade Agreement (CAFTA-DR) to strengthen and modernize ICE as a participant in a competitive telecommunications market, where public and private operators coexist. Said competencies of the state telecommunications company established in the laws, and the strengthening commitments in CAFTA, respond to a public interest that must be safeguarded and that has to do primarily with best satisfying the right of users to obtain quality telecommunications services, in a timely manner, and at affordable prices. 2.- It prevents ICE from complying with the obligations established in the enabling title (Executive Agreements of Concession and Resolution No. RT-024-2009-MINAET of December 18, 2009) for the use and exploitation of the radioelectric spectrum to provide telecommunications services to the community. 3.- It prevents ICE, on the verge of commercially launching a whole range of innovative 5G technology services into the market, affecting not only in a grave, irreparable, and irreversible manner its substantive function as a state telecommunications operator, but above all negatively impacting the end users of telecommunications, who would be prevented from having access in the shortest possible time to new technologies and services, affecting their fundamental right of access to telecommunications, recognized jurisprudentially by this Honorable Constitutional Court and recently positivized by partial reform to the Magna Carta, as explained below: a) The commercial launch aims at the implementation of a national 5G network, which will provide ICE with strategic support to sustain and maintain the telecommunications business, as well as offer telecommunications users in our country the possibility of venturing into a wide range of new services that are currently not available through 4G technology, enhancing improvement in health services, transportation, virtual reality, augmented reality, security, and smart homes, among others. b) Furthermore, it will allow for improved mobile broadband, the capacity to support extremely high densities of devices per cell, lower latency, flexible network deployment and operations, and greater energy efficiency, thus contributing to reducing the digital divide at the national level. c) According to what is planned by ICE, under the business case, it is intended to build the first phase of the 5G network, which will imply a technological evolution of mobile networks and responds to the objective of offering a new range of services and improvement in current ones, with a technology that meets the needs of technological ecosystems. d) In addition, it allows securing current revenues of the telecommunications sector, consequently avoiding revenue losses associated with the risk of losing customers. e) The commercial launch of 5G services will allow ICE to meet the objectives of customer loyalty, retention, and recovery, as well as the enablement of the first three services through 5G technology, based on the implementation plan of the General 5G Program. f) ICE, as a state telecommunications operator and referent in the country as a driver of telecommunications development, has foreseen in its strategic objectives the gradual evolution of the mobile network to provide benefits to companies already established in the country, SMEs, and customers who wish to have high-quality services that allow them secure mobility to attend to work, educational, or entertainment matters anywhere in the country. After the launches of services worldwide using 5G technology in the last quarter of 2019, its trend of use and reach continues to increase considerably, while 4G, 3G, and 2G technologies are beginning to decline. g) The implementation of 5G will position Grupo ICE, once again, as an engine of development at the national level and a pioneer of digital transformation, driving the evolution of mobile services through 5G technology and offering the Costa Rican population the possibility of venturing into a wide range of new services that this technology enables, enhancing improvement in health services, transportation with the use of autonomous vehicles, virtual reality, augmented reality, security, and smart homes, among others, being the technological ally par excellence in the markets, individuals, SMEs, large companies, and Government. h) 5G solutions (together with the Internet of Things (IoT), artificial intelligence, robotics, blockchain, bioinformatics, augmented and virtual reality, among others) constitute one of the disruptive technologies of the Fourth Industrial Revolution, which, moreover, due to their characteristics, represent a revolution in the field of infocommunications. i) All these advantages of technological evolution will help create services that will open new opportunities for market players (current and future) and will contribute to closing the digital divide. j) In this way, the deployment of this technology will contribute to the development and progress of the country, by favoring greater competitiveness of companies and an increase in direct foreign investment, the improvement of the productive processes of MSMEs and of public services associated with their digitalization, the construction of smart cities, the connection of rural areas with city centers through high-speed Internet, among multiple applications. All of the above will help to move towards a more connected world, significantly improving people's quality of life. k) The public resources that ICE will invest in the 5G network, and in its commercial launch, will be maximized in the following way: • Positions the country as a pioneer in technological development in the region. • Raises economic development indicators at the national level by increasing competitiveness. • Allows expanding the portfolio of solutions for companies, as they will have a 5G network with improved capabilities to provide greater and better services to customers who acquire their products and services. • Makes broadband services superior to those currently available accessible to the population. • New services can be developed that will improve health, transportation, energy sector, and education services. • Progress would be made in closing the digital divide. • Contributes to the country's economic development and progress. • Provides greater competitiveness to companies. • Direct foreign investment will be maximized, as companies wishing to invest in the country will be able to carry out their commercial activities more efficiently by having a network with broader bandwidth capabilities; therefore, our country will be more attractive to new companies, boosting the creation of new sources of employment. • Strengthens the competitive position of Grupo ICE, as well as creating new businesses that go beyond connectivity. l) The development of 5G technology, through the commercial launch by ICE, allows the country economic growth, based on attracting new investments, which results in new sources of employment that improve the quality of life of Costa Ricans, which is also aligned with the vision established in the National Telecommunications Development Plan 2022-2027 regarding: “Promoting the availability of affordable, quality, and innovative telecommunications services nationwide, through the timely deployment of secure, robust, scalable, resilient, and sustainable telecommunications networks, and developing digital competencies by reducing the digital divide in all its components and dimensions, maximizing the benefits of the digital economy for the enjoyment and well-being of all people.” The alleged business interest of the Claimant must not prevail over the public interest of telecommunications users in having 5G technology services available in the shortest possible time through ICE's commercial launch, the particular interest not being protectable over the general interest of the community. On the contrary, the public interest is not affected at all if ICE continues with the public procurement procedure aimed at commercially launching 5G services into the market, given that it would allow telecommunications users to enjoy the benefits of 5G technology in the shortest possible time, fulfilling the ultimate goal of regulation, which is the benefit to the end user. This is not the first time that, under particular business interests, an attempt is made (unsuccessfully), as now happens with 5G, to judicially prevent ICE from making services provisioned under a new technology available to end users. In this regard, there is an important judicial precedent, in the contentious-administrative jurisdiction, where at the time the private operator TELEFÓNICA, assisted by SUTEL, sought to prevent, by means of a request for a precautionary measure, ICE from commercially launching 4G technology provisioned in the 2.6 GHz band, before which the Contentious-Administrative Court, under case file No. 13-006841-1027-CA, upon rejecting said measure in Resolution No. 2343-2013 of 09:50 a.m. on October 30, 2013, provided interesting reasoning, also applicable to the case at hand, in that attempting to prevent the launch of said technological innovation implies, from the perspective of the end user, an impact on the public interest: “Finally, there is a third impact on the public interest, viewing it from the perspective of the users of the public telecommunications service, as we well know in a globalized world like the one we live immersed in today, access to new technologies is increasingly not only more desired, but also more necessary and complementary. From this perspective, it is reasonable to think, contrary to what is stated by the plaintiff firm and endorsed by the Superintendency of Telecommunications itself, in the sense that indicating that the user will be affected by not having the opportunity to choose an operator, and eventually, as stated by the regulatory body, of having their contracted service interrupted, that the user-administered party will indeed be harmed in the event that the Court suspends, just a few hours away, the operation in the market of new technologies that eminently benefit them. Consider only the detriment to those persons, whether natural or legal, who wish to implement faster and more advanced technologies for their individual or commercial benefit, for their personal or collective growth, a situation with which this Court cannot concur, and it is precisely for this reason that, given the prevalence of a clearly prevailing public interest from three different perspectives as has been explained, and the private interest of the plaintiff company, the latter must yield, resulting in the rejection of the requested precautionary measure in all its aspects.” (The highlighting and underlining are provided). This judicial precedent that was generated from the rejection of a request for a precautionary measure in the contentious-administrative venue that sought to prevent ICE from commercially launching a new technology provisioned by the 2.6 GHz band, which the Claimant now attempts for 5G technology, makes it possible to demonstrate how the making available of a technological innovation to end users, as was the case with 4G at the time and will now be the 5G that ICE will commercially launch, indisputably protects the public interest. Therefore, it is evident that the option that best satisfies the public interest and the benefit of users is for ICE to be able to implement 5G services for the community.

The arguments and documents presented by the Recurring Party do not allow for the accreditation, with any minimum degree of reasonable certainty, of any of the constitutive prerequisites for the issuance of a precautionary measure, with the Claimant seeking a plenary debate and the evaluation of technical-economic evidence that is foreign to the summary nature of the Amparo Appeal (Recurso de Amparo), and which is proper to ordinary legality as established by the Constitutional Chamber (Sala Constitucional) in several precedents, among them Votos 1998-01318 of 10:15 a.m. on February 27, 1998, 1998001650 of 5:36 p.m. on March 10, 1998, and 2002-06123 of 9:33 a.m. on June 21, 1998. In this regard, in one of its most guiding jurisprudential precedents, the High Constitutional Court indicated the following: “The domain of the amparo is reserved for the analysis of facts and acts and their comparison with the legal system to conclude on a possible illegitimacy of what is challenged, without it being possible to venture into fields of science or technique for this purpose. The dispute of technical or scientific criteria is reserved for other venues”[1]. A criterion that, the “Chamber extended to the field of public services and, even, to many others, according to national jurist José Francisco Barth Jiménez[2], in his specialized article “Recurso de Amparo y regulación de las Telecomunicaciones”.

Fact iv) In this fact, derived from the filing of November 9, 2023, the Recurring Party mentions that ICE on that date published the bidding terms (pliego de condiciones) for the acquisition of GT- Adquisición de Bienes y Servicios para la Implementación de la Red 5G, Entrega Según Demanda, alleging it contains requirements impossible to meet, reiterating the request for a precautionary measure to suspend the contracting until the Chamber has ruled on the merits of the appeal (recurso) and on the action of unconstitutionality (acción de inconstitucionalidad) filed against the regulation. In this regard, it is true that ICE on November 9, 2023, published in the SICOP system, special procedure 2023XE-000023-0000400001 GT- Adquisición de Bienes y Servicios para la Implementación de la Red 5G, Entrega Según Demanda”. (See Prueba 1, Anexo 1). Within the bidding terms (pliego de condiciones), the requirements derived from Decreto Ejecutivo N.º 44196-MSP-MICITT called “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” were incorporated, which, as we mentioned previously, was issued on August 25, 2023, by the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications, published in Alcance N.º 166 of the Official Gazette La Gaceta of August 31, 2023, in force as of that date and is a provision of general scope issued by the Executive Branch, which is of obligatory compliance for ICE. Said Decreto Ejecutivo, in its article 2, relating to the scope of application, establishes the following: “Artículo 2º-Ámbito de aplicación. Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basadas en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones. En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores.” Article 13 of the Decree also incorporates certain sanctions and infractions, for which it establishes the following: “Artículo 13º— Sanciones e infracciones. El régimen sancionatorio administrativo aplicable por el incumplimiento de las disposiciones contenidas en este Decreto Ejecutivo se regirá por lo dispuesto en la Ley Nº 8642, Ley General de Telecomunicaciones.” If ICE, in its condition as an operator and provider of telecommunications services, fails to comply with the provisions of the Regulation, it will be subject to the administrative sanctioning regime of the Ley General de Telecomunicaciones N.º 8642 (LGT), which, depending on the particular severity of the fault, could imply sanctions of one percent (1%) and up to ten percent (10%) of the annual sales obtained by the offender during the previous fiscal year, or between one percent (1%) and up to ten percent (10%) of the value of the offender's assets, in addition to the definitive closure of the establishment, closure of facilities, in application of articles 68 and 69 of the LGT. ICE, in its condition as an operator and provider of telecommunications services, along with other counterparts of a public or private nature, is subject to the Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores issued by the Executive Branch; scope of application that, in the case of the Institute, when using public funds, also includes public procurement procedures, which is why the aforementioned bidding terms (pliego de condiciones) requested compliance with the provisions of said general scope provision in force and of obligatory compliance for the Institute. For its part, regarding the reiteration of the request for a precautionary measure made by the Claimant Party, we allow ourselves to confirm the arguments of inadmissibility indicated both in the original report presented on October 6, 2023, via official letter N.º 0060-456-2023, and in the response to Fact i) and iii) of this supplementary report.

Fact v) In this fact, originating from the filing of November 14, 2023, the Claimant Party indicates that it provides a “technical document” on the losses that said company, as well as the country, would suffer if it were prevented from participating in ICE's tender. In this regard, the document presented by the Recurring Party does not allow for the accreditation, with any minimum degree of reasonable certainty, of any of the constitutive prerequisites for the issuance of a precautionary measure, with the Claimant seeking a plenary debate and the evaluation of technical-economic evidence that is foreign to the summary nature of the Amparo Appeal (Recurso de Amparo), and which is proper to ordinary legality as established by the Constitutional Chamber (Sala Constitucional) in several precedents, among them Votos 1998-01318 of 10:15 a.m. on February 27, 1998, 1998001650 of 5:36 p.m. on March 10, 1998, and 2002-06123 of 9:33 a.m. on June 21, 1998, as we mentioned in the response to Fact iii). As mentioned in the response to that Fact iii), the alleged business interest of the Claimant Party must not prevail over the public interest of telecommunications users to have, in the shortest possible time, the provision of 5G technology services through the commercial launch by ICE, the particular interest not being protectable over the general interest of the community. On the contrary, the public interest is not at all affected by ICE continuing with the public procurement procedure aimed at commercially launching 5G services into the market, given that it would allow telecommunications users to enjoy the benefits of 5G technology in the shortest possible time, fulfilling the ultimate goal of regulation, which is the benefit to the end user.

Fact vi) In this fact, based on the filing of November 24, 2023, the Recurring Party essentially indicates that it filed an objection appeal (recurso de objeción) to the bidding terms (pliego de condiciones) of ICE's public procurement for the acquisition of GT- Adquisición de Bienes y Servicios para la Implementación de la Red 5G, Entrega Según Demanda, that, in its opinion, clauses of impossible compliance are introduced, that ICE partially admitted the appeal, rejecting the objections referring to the application of the regulation, the Claimant Party reiterating the request for a precautionary measure to suspend the processing of the procurement procedure until the Chamber has ruled on the merits of the appeal (recurso) and on the action of unconstitutionality (acción de inconstitucionalidad) filed against the regulation. In this regard, it is true that ICE received an objection appeal (recurso de objeción) to the bidding terms (pliego de condiciones) from [Name 002], filed on November 14, 2023 (See Prueba 1, Anexo 2), where the Claimant Party mentioned that it had filed an action of unconstitutionality (acción de inconstitucionalidad) against said Regulation before the Constitutional Chamber (Sala Constitucional), managed under expediente N.º 23-025158-0007-CO, which, as of the date of subscription of this legal report, is reported to be in processing status, according to the public information available in the Online Management System of the Judicial Branch, in the public consultation mode. The objection appeal (recurso de objeción) was partially admitted regarding several aspects of the bidding terms (pliego de condiciones) related to the form of award, technical specifications of the goods and services, rejecting, for its part, the objections of said company referring to the application of Decreto Ejecutivo N.º 44196-MSP-MICITT called “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores”, for which, in the resolution, in a reasoned manner, and supported by internal opinions that sustain said act, the reasons why ICE must apply said regulation in the bidding terms (pliego de condiciones) of the procurement were explained in detail. For this purpose, official letter 5201-250-2023 of November 21, 2023, is attached (See Prueba 1, Anexo 3), which contains the details of the resolution that resolved said appeal (recurso), which was issued by the General Management of ICE (Anexo 4), which indicated: “This General Management, as the competent Body to resolve this Objection Appeal (Recurso de Objeción), based on the criteria issued by the Administrative Procurement Directorate (Dirección de Contratación Administrativa, DCA) via official letter 258-7212023 of November 17, 2023 (Sequence 0172023600000012) and email of November 21, 2023, as well as the technical criterion of the Network Development and Construction Division - Telecommunications Management, via document of November 21, 2023, signed by the Contract Administrator (Sequence 0152023830800006), and the recommendation issued by the Procurement Directorate via letter 5210-250-2023, sequence 1348682 on the SICOP platform on November 21, 2023, determines to partially accept the objection appeal (recurso de objeción) filed by the company [Name 002], against the bidding terms (pliego de condiciones) of special procedure No. 2023XE-0000230000400001, promoted by the aforementioned Division, for the procedure “GT- Adquisición De Bienes Y Servicios Para La Implementación De La Red 5G entrega según demanda”, regarding the aspects indicated in the aforementioned criteria. The foregoing in accordance with Articles No. 68 and 95 of the Ley General de Contratación Pública, No. 9986, articles 253, 255, and 258 of the Reglamento a la Ley General de Contratación Pública. Notify the appealing company of this resolution, as appropriate.” As indicated in the response to Fact iv) within the bidding terms (pliego de condiciones), the requirements derived from Decreto Ejecutivo N.º 44196-MSP-MICITT called “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” were incorporated, which, as we mentioned previously, was issued on August 25, 2023, by the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications, published in Alcance N.º 166 of the Official Gazette La Gaceta of August 31, 2023, in force as of that date and is a provision of general scope issued by the Executive Branch, which is of obligatory compliance for ICE. Said Decreto Ejecutivo, in its article 2, relating to the scope of application, establishes the following: “Artículo 2º-Ámbito de aplicación. Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basadas en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones. En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores.” Article 13 of the Decree also incorporates certain sanctions and infractions, for which it establishes the following: “Artículo 13º— Sanciones e infracciones. El régimen sancionatorio administrativo aplicable por el incumplimiento de las disposiciones contenidas en este Decreto Ejecutivo se regirá por lo dispuesto en la Ley Nº 8642, Ley General de Telecomunicaciones.” If ICE, in its condition as an operator and provider of telecommunications services, fails to comply with the provisions of the Regulation, it will be subject to the administrative sanctioning regime of the Ley General de Telecomunicaciones N.º 8642 (LGT), which, depending on the particular severity of the fault, could imply sanctions of one percent (1%) and up to ten percent (10%) of the annual sales obtained by the offender during the previous fiscal year, or between one percent (1%) and up to ten percent (10%) of the value of the offender's assets, in addition to the definitive closure of the establishment, closure of facilities, in application of articles 68 and 69 of the LGT. ICE, in its condition as an operator and provider of telecommunications services, along with other counterparts of a public or private nature, is subject to the Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores issued by the Executive Branch; scope of application that, in the case of the Institute, when using public funds, also includes public procurement procedures, which is why the aforementioned bidding terms (pliego de condiciones) requested compliance with the provisions of said general scope provision in force and of obligatory compliance for the Institute. For its part, regarding the reiteration of the request for a precautionary measure made by the Claimant Party, we allow ourselves to confirm the arguments of inadmissibility indicated both in the original report presented on October 6, 2023, via official letter N.º 0060-456-2023, and in the response to Fact i) and iii) of this supplementary report”.

16.- By resolution of 11:02 a.m. on December 4, 2023, the instructing magistrate rectified the material error contained in the resolution of 1:22 p.m. on November 24, 2023, in that it granted a hearing to the superintendent of the Superintendencia General de Entidades Financieras and left it without effect; likewise, it granted a hearing to the superintendent of the Superintendencia de Telecomunicaciones.

17.- By filing received in the Secretariat of the Chamber on December 5, 2023, Ana Lucía Ramírez Calderón appears, Executive Director and representative of the Asociación Cámara de Infocomunicación y Tecnología. She indicates that she attaches official letter CIT-0039-2023 of September 26, 2023, sent by her represented party to the Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones, which contains general and technical considerations on the decreto ejecutivo nro. 44196-MSP-MICITT.

18.- By filing incorporated into the digital case file (expediente) on December 7, 2023, Paul Fervoy appears, in his capacity as president of the Cámara de Tecnologías de Información y Comunicación (CAMTIC). He states the following: “We consider that the matter submitted to the knowledge of the Constitutional Chamber (Sala Constitucional) in this case file (expediente) is due to technical questions of constitutionality and legality on which we cannot issue an opinion as it is not part of our work as representatives of the industry. For reference, the press release issued by CAMTIC on November 7, 2023, entitled "CAMTIC insta al MICITT a promover mesas de diálogo para optimizar el marco de ciberseguridad 5G" is attached; this document reflects our position as industry representatives regarding the technical aspects of cybersecurity and 5G technology”.

19.- By filing received in the Secretariat of the Chamber on December 8, 2023, Rubén Hernández Valle appears, in his capacity as special judicial representative of the plaintiff party. He states the following: “In response to the supplementary report provided by the Instituto Costarricense de Electricidad dated November 29 of this year, we consider it relevant for the amparo proceeding at hand to point out the following: 1.- Regarding what ICE pointed out in the first part of its report called "Contexto", it is clear that the Institute intends to distort the foundations of the Amparo proceeding at hand. The foregoing, because it shields itself in that the Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT was issued by the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications. However, the amparo appeal (recurso de amparo) is filed against that Institute due to the discriminatory and unconstitutional conditions that were included in the tender procedure it has promoted through the BIDDING TERMS FOR THE ACQUISITION OF: GT-ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA. 2.- Despite the fact that ICE justifies its actions on its duty to comply with the cited Regulation, it omits to indicate whether, before or after the publication of the Decree (sic), it took any action within the legal system to avoid being forced to include the harmful and unconstitutional conditions that violate the fundamental rights of my represented party and are contrary to the public interest. It is important to indicate, as ICE itself does, that it is a public-law telecommunications operator with an interest in a range of 5G services and that, therefore, it was in a privileged position of control and supervision of the actions that the Executive Branch was carrying out, with which there is a clear violation of its duty of vigilance over the market it targets. 3.- In the same order of its response, we will proceed to refer to the justifications used in each of the facts it refers to regarding the allegations of my represented party. Regarding the first fact, concerning the publication of the bidding terms (pliego de condiciones) and the start of the tender process subject to this amparo appeal (recurso de amparo), ICE merely refers to its initial report presented in the amparo proceeding at hand. However, at that time, the referenced bidding terms (pliego de condiciones) had not been published, as they were published on November 9 of this year, and the report it refers to was presented on October 6 of this same year. What ICE does have is the power to determine the circumstantial and opportune moment to begin the competitive stage of the tender procedure at hand. In this sense, as previously indicated and as the Institute itself acknowledges, it was aware of the amparo appeal (recurso de amparo) at hand and of the action of unconstitutionality (acción de inconstitucionalidad) filed before this Chamber, in which the unconstitutionality of the repeatedly cited Regulation (sic) is questioned. Therefore, in protection of the public interest and legal certainty, said Institute should not have started the process of receiving offers in the tender procedure at hand, until there was clarity from this Constitutional Chamber. As has been exhaustively demonstrated in the evidentiary documents provided by my represented party, the damage to the same, as well as to the public interest, to the competitiveness of the Institute itself (sic) and to users, is much more serious than having waited a few days until this Chamber resolved in accordance with the law. 4.- The reference made in Fact ii) to the action of unconstitutionality (acción de inconstitucionalidad) filed against the repeatedly cited Regulation cannot be considered "impertinent", much less "lacking current interest" as ICE intends to make it seem. On the contrary, the knowledge of the existence of said action of unconstitutionality against the Regulation (sic) that ICE itself states it was forced to comply with and include conditions in the bidding terms (pliego) of the tender at hand, obliges that Institute (sic) to act with due diligence and caution, seeking the protection of the general interest. This is because, by questioning the unconstitutionality of the norms that support its actions, it could result in the illegality and absolute nullity of its actions in the procurement process, which in turn would result in damage to the public treasury due to the expenditure of public resources invested in a process that is openly unequal and that limits participation. This in addition to the public and notorious fact that for the Instituto Costarricense de Electricidad, the exclusion of [Name 002] would imply an increase in hardware and software provisioning costs of $1.5 billion. The foregoing was reported in the nationally circulated newspaper La República on September 11, 2023, "Excluir a empresas asiáticas de concurso de redes 5G le costaría al país $1,5 billones en tecnología" available at https://www.larepublica.net/noticia/excluir-a-empresas-asiaticasdeconcurso-de-redes-5g-le-costaria-al-pais-15-billones-entecnologia 5.- In Fact iii) ICE attempts to minimize our request for the precautionary measure; however, it forgets that from its perspective it must also demonstrate the damage to the public interest, in order to weigh the balance of interests in the measure. However, ICE does not even present third-party data in its report that proves what is said about the delay or damage it will supposedly suffer. Nor has it presented any evidence that refutes in any way the reliable evidentiary studies that Huawei did present. ICE merely justifies the continuity based on the expectation that the "ICE Group" has in the eventual services it hopes to place on the market. However, it does not present any statistical, technical, or other type of data, issued by a third party, that proves all the benefits it claims, discriminating against the participation of companies of Chinese origin, such as my represented party. On the contrary, INFOCOM has already pronounced itself in this same proceeding, stating that: “5G networks will provide a telecommunications platform that will allow the implementation of innovative digital services, which would not be possible without this technology; which will give space for new business models, allowing the creation of jobs and mobilizing the economy. We are concerned about the incidence of the measures adopted and, in that sense, the impacts we are pointing out in costs and eventual delays in the process towards the 5G route in Costa Rica, which will negatively affect investments, inhibiting this emerging market; which is detrimental to the economy, people, and businesses. The strengthening of telecommunications services is of vital importance for the development of all other industries. An important part of sustainable development is the participation of companies of all levels, in a fair manner, and based on the guiding principles that have been part of the Costa Rican regulatory framework for decades.” INFOCOM's doubts regarding the decree are clear, but it also managed to determine the damage to the market and the public interest by indicating: “11. Considering that all network equipment is involved in the transport and management of 5G data, by forcing compliance with the provisions of the Regulation on each element that issues 5G data, it is being inferred that the equipment of the supplier considered High Risk must be replaced, regardless of the place in the network where it is located, requiring much larger investments and longer implementation times.” (The highlighting is ours) INFOCOM agrees with the arguments and study presented by Huawei in relation to the impact on the public interest. The studies that have been presented as evidence by my represented party are very clear and conclusive, demonstrating the harm to the public interest, because by unjustifiably and discriminatorily denying the participation of Huawei and other companies of Chinese origin, there would be a need to increase investment by USD196.69 million over a period of 5 years. Furthermore, contrary to what ICE states, maintaining the discriminatory conditions in the 5G technology implementation processes will translate into a delay of up to 4 additional years. Likewise, ICE will have to incur greater expenses, the country's competitiveness and GDP will be negatively affected, as well as an impact on rates of at least 40%, as has been proven through the studies, analyses, and documents presented as evidence. Precisely, because of the obligation that ICE claims to fulfill to provide “quality telecommunications services, in a timely manner and at affordable prices for users”, the requested precautionary measure must be accepted. For, as has been proven, if the tender process continues with discriminatory conditions that violate constitutional principles, the direct effect will be completely opposite on the rights of users and the fulfillment of their duties in protecting the public interest. It is clear that it is in the interest of operators, providers, interested sectors, regulatory entities, and users that 5G technology services be developed in our country. But above all, it is in everyone's interest that they be developed in compliance with the constitutional principles of free competition, equal participation, without discrimination for unjustified reasons based on company origin, under the principle of technological neutrality, as well as ensuring the principles and precepts of our Political Constitution and treaties ratified by our country. Now, ICE attempts to confuse the Constitutional Court by citing a precedent resolved by the Administrative Litigation Court in a 2013 case that in no way resembles the present case. The transcription of the resolution made by ICE refers to the precautionary measure requested by Telefónica, which was based at that time on a mere individual and commercial interest of said company, without alleging a benefit of the measure for the public interest. Our action is not aimed at the individual commercial interests of Huawei; our action relates to the violation of the constitutional principles of free competition, equal participation, without discrimination for unjustified reasons based on company origin, under the principle of technological neutrality, as well as ensuring the principles and precepts of our Political Constitution and treaties ratified by our country. In the case of the present measure, not only the direct damage to Huawei has been demonstrated, but also and especially, the damage to ICE itself and to the public interest. It is worth reiterating that said damage to ICE and the public interest has not only been stated in our filings but has also been demonstrated through a report from an objective and neutral entity.

It is clear then that there is no similarity between the cases and therefore, the citation of the resolution is irrelevant for the resolution of this matter. Even more so, when added to this is the body of evidence that my represented party has brought to this process. In light of all the foregoing, the need is reiterated for the requested precautionary measure to be granted in favor of my represented party and for ICE to be ordered to suspend the bidding process of interest. 6.- What ICE stated as Fact v) is a simple manifestation that it does not agree with the evidence documents presented by Huawei. That is, it does not present any study that contradicts what has been proven by third parties. Unlike ICE, my represented party supports its allegations with serious documents issued by third parties that have conducted exhaustive analyses of the impact that will occur if the bidding process continues and the “Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT” is applied. 7.- Regarding what was stated in Fact vi) by ICE, as has been repeatedly stated, those conditions that were sought to be objected to at the opportune procedural moment are unjustifiably discriminatory and based on a Decree (sic) whose normative content is contrary to the principles and rights enshrined in the Political Constitution, as well as conventional norms signed by our country. The application, by the same Institute (sic), of the conditions of the bidding process specifications that concern us to my represented party is proven and reiterated, grossly and openly violating the fundamental rights of my represented party. Additionally, this action not only impacts [Name 002], but it has been sufficiently demonstrated, through technical documentation provided by impartial third parties, that this is a matter that will also seriously affect the finances of ICE itself, which could be affected by an impact of around 1.5 trillion colones, implying a severe blow to its financial state. But moreover, this exorbitant cost overrun, in turn, will result in a cost overrun that all of us who use telephony will have to pay, which could reach 40% over the current rate, not to mention the possibility of a 4-year delay in the implementation of the 5G network. For all the foregoing, we confirm that our petition and the request for a precautionary measure are thus reinforced.

PRECAUTIONARY MEASURE 1.- By reason of all the foregoing and as has been undeniably demonstrated, we request that preferential processing be given to the precautionary measure of suspending the bidding process because the deadlines of said process are running and the opening of bids has been extended to December 18 of this year, as published in the Integrated Public Procurement System (SICOP). The foregoing, because it is an act harmful to our fundamental rights and is in the execution phase, the harm to my represented party would be irreparable and irreversible as it prevents its participation in the cited public tender for the acquisition of 5G/IMT Mobile telecommunications technology. As well as the serious damages and losses it will cause to the public interest as has been demonstrated through the documentation provided by my represented party as evidence supporting what is alleged. 2.- Therefore, we request that in application of Article 41 of the Constitutional Jurisdiction Law, the processing of the bidding process indicated in the challenged tender specifications be suspended given that the “Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” (sic) is being applied therein, until such time as this Constitutional Chamber has ruled on the merits of this amparo appeal and on the unconstitutionality action filed against that decree in due course.

PETITION Based on the facts invoked, evidence offered, and legal considerations indicated, I request that the judgment declare: 1.- That my represented party cannot be prevented from participating in the cited public tender by introducing clauses impossible for it to fulfill, because this violates the fundamental rights to free competition, equal treatment, and the prohibition of discrimination exclusively for ideological and nationality reasons. 2.- I reiterate the request for an order against ICE to pay damages and losses and costs of this action.” 20.- By document incorporated into the digital case file on December 11, 2023, Federico Chacón Loaiza, president of the Council of the Superintendency of Telecommunications, appears. He states the following: “II. REPORT OF SUTEL Regarding the facts of the appeal, we report that this Superintendency, in response to a confidential consultation made by the Ministry of Science, Innovation, Technology and Telecommunications (hereinafter MICITT), referred by means of official communication number 06900SUTEL-CS-2023 dated August 17, 2023, to the proposed text of the “Reglamento sobre medidas cibernéticas aplicables a los servicios de telecomunicaciones basados en tecnología de quinta generación móvil (5G) y superiores” (hereinafter Reglamento de Ciberseguridad), making some considerations of a technical, legal nature and from the scope of safeguarding market competition, which was sent to MICITT prior to the issuance of said Regulation. These observations are taken as a basis to address the request for a report.

1. THE PRINCIPLE OF LEGAL RESERVE In official communication number 06900-SUTEL-CS-2023, this Superintendency indicated that the proposed Reglamento de Ciberseguridad could touch upon aspects of legality and competition in the following terms: “(...) no specific powers of Sutel are observed in relation to cybersecurity issues as contemplated in the regulation under consultation. Thus, the obligations and functions of Sutel and the Council are established in Articles 59, 60, and 73 of the Law of the Regulatory Authority for Public Services (Ley N°7593), and from their reading, no specific powers of the Superintendency arise in cybersecurity matters and their oversight, much less regarding the supply chain. Furthermore, Article 42 of Law 8462 emphatically states that the subjects obligated to guarantee the secrecy of communications, the right to privacy, and the protection of personal data of subscribers and end users are the operators and providers of telecommunications services, so this obligation cannot be extended to third parties not foreseen by said law, such as bidders in public procurement processes, permit holders, or those who enable networks and services or are suppliers of technological equipment.(...)” In this regard, it must be considered that currently, there is no norm of legal rank that specifically regulates the matter of cybersecurity, nor matters related to the verification functions of the supply chain, the latter to be understood as the verification of the geographical provenance, country of origin, and countries through which the shipping process of the equipment and software used for the provision of telecommunications services is carried out. The foregoing is sought to be done through an Executive Decree of regulatory rank, this being a violation of the principle of legal reserve, which evokes that the regulation or restriction of fundamental rights and freedoms can only be done by formal law emanating from the Legislative Power and, by the constitutionally foreseen procedure for the enactment of legal norms. Establishing this type of function through a decree with regulatory character entails an excess of the exercise of regulatory power by the Executive Power. In relation to the principle of legal reserve, the Constitutional Chamber in Voto No. 1739-1992 (reiterated in No. 440-1998), considered the following: “(...) the principle of legality in the rule of law postulates a special form of linkage of public authorities and institutions to the legal system, based on its basic definition according to which every public authority or institution is so and can only act to the extent that it is empowered to do so by the same legal system, and normally by express text – for public authorities and institutions, only what is constitutionally and legally authorized in express form is permitted, and everything that is not authorized is forbidden-; as well as its two most important corollaries, still within a general order: the principle of minimum regulation, which has special requirements in procedural matters, and that of legal reserve, which in this field is almost absolute. In our Political Constitution, the general principle of legality is enshrined in Article 11, and also results, from its context with Article 28, which enshrines the general principle of freedom – for private persons- and guarantees the legal reserve to regulate it, with Article 121, especially as it attributes to the Legislative Assembly exclusive powers to legislate (subsections 1, 4, and 17), to create courts of justice and other public bodies (subsections 19 and 20), and to order the collection, destination, and use of public funds (subsections 11, 13, and 15); powers that cannot be delegated nor, therefore, shared with any other power, organ, or entity (Article 9), and that generate even more explicit consequences such as those enshrined in the General Law of Public Administration, mainly in its Articles 5 and 7 - which defines the normative hierarchies -, 11 – which enshrines the principle of legality and its corollary of minimum regulation -, 19 and 59.1 – which reaffirm the principle of legal reserve for the regime of fundamental rights and for the creation of public powers of external effect (...)” (See in a similar sense Judgments Nos. 6379-02 of June 26, 2002; 10356-02 of October 30, 2002; 5015-04 of May 12, 2004; 1809-06 of February 15, 2006, and 13333-06 of September 6, 2006).” (Emphasis is supplied).

In this sense, it is SUTEL's criterion that the Reglamento de Ciberseguridad includes restrictions on the choice of hardware and software equipment suppliers by telecommunications service operators; it also establishes functions for MICITT and Sutel regarding the application of the regulation and includes a sanctioning regime which, as will be addressed in the following sections, corresponds to provisions that can only be established through legal means. Precisely because of the need to establish specific elements such as the foregoing, the draft Law called “LEY DE CIBERSEGURIDAD DE COSTA RICA”, file number 23.292, is currently in the legislative process, in which Article 4 proposes the creation of the National Cybersecurity Agency that will be part of the Ministry of Science, Innovation, Technology and Telecommunications (MICITT) and “will be responsible for the preventive, reactive, and proactive management of cyber threats and incidents that, through the use of data, may generate a risk for the Costa Rican population”. Additionally, besides the eventual excess of regulatory power, the Reglamento de Ciberseguridad is incompatible with precepts outlined in the General Telecommunications Law (hereinafter, LGT), as well as in the Dominican Republic-Central America-United States Free Trade Agreement (hereinafter CAFTA), all of higher rank. This is the case of the principle of technological neutrality which will be developed next.

2. THE PRINCIPLE OF TECHNOLOGICAL NEUTRALITY Annex 13 of CAFTA provides the following regarding the principle of technological neutrality: “Costa Rica shall not prevent suppliers of telecommunications services from having the flexibility to choose the technologies they use to supply their services, subject to the requirements necessary to satisfy legitimate public policy interests.” This principle is congruent with that contained in the LGT, as indicated in official communication number 06900-SUTEL-CS-2023 in the following terms: “Article 3, subsection h) of the General Telecommunications Law establishes the following: ‘h) Technological neutrality: the possibility that network operators and telecommunications service providers have to choose the technologies to be used, provided that these have common and guaranteed standards, meet the necessary requirements to satisfy the goals and objectives of sectoral policy, and adequately guarantee the quality and price conditions referred to in this Law.’ (…) Thus, the regulatory proposal does not comply with the cited principle, being that it is directed solely at one type of technology, even disregarding that 5G networks can operate interconnected with other technologies such as ‘non-standalone’ mode, given the power that operators have to develop and design their own networks.” Upon the entry into force of the Reglamento de Ciberseguridad, the risk of non-compliance with the principle of technological neutrality materialized, as was warned by the Sutel Council through official communication 06900-SUTEL-CS-2023.

Finally, the Reglamento de Ciberseguridad makes extensive reference to and justifies its issuance on the Convention on Cybercrime (hereinafter Budapest Convention), issued in Budapest on November 23, 2001, without considering the principle of technological neutrality mentioned here, thus restricting the participation of companies whose country of origin has not signed said Convention. The foregoing violates CAFTA and the freedom of commerce established in Article 46 of the Political Constitution. In relation to the Budapest Convention and its relationship with cybersecurity, this Superintendency indicated in official communication number 09063-SUTEL-SCS-2023 dated October 25, 2023, in which observations on the National Cybersecurity Strategy of Costa Rica 2023-2027 are sent to MICITT, the following: “(...) however, it is necessary to consider that the regulatory object of said Convention corresponds to cybercrime, that is, its orientation is not directly associated with the object outlined in the Strategy: Cybersecurity. It should be noted that Cybersecurity is related to Info-communication Technologies, while cybercrime, a matter regulated in the Budapest Convention, focuses on the treatment of cybercrimes as crimes, typical of police power and punitive matters (Judicial Power). (...)”.

3. SUTEL'S POWERS IN MATTERS OF CYBERSECURITY The Reglamento de Ciberseguridad exceeds the scope of application of the LGT, as it establishes functions for Sutel not contemplated in the scope of application of said law, as extracted from the following Article: “ARTICLE 1.- Object and scope of application The object of this Law is to establish the scope and mechanisms for the regulation of telecommunications, which comprises the use and exploitation of networks and the provision of telecommunications services. Subject to this Law and Costa Rican jurisdiction are persons, physical or legal, public or private, national or foreign, that operate networks or provide telecommunications services that originate, terminate, or transit through the national territory.” However, Sutel's powers, in accordance with Article 42 of the LGT, are limited to guaranteeing the privacy of telecommunications and the protection of personal data of end users of telecommunications. In this regard, official communication number 06900-SUTEL-CS-2023 indicated the following: “(...) Article 60, subsection a) of the Aresep Law (Ley N°7593), determines as a fundamental obligation of Sutel to apply ‘the legal system of telecommunications, for which it shall act in accordance with the policies of the Sector (...)’. From reading the Law of the Regulatory Authority for Public Services and the General Telecommunications Law and its regulations, no specific powers of Sutel are observed in relation to cybersecurity issues as contemplated in the regulation under consultation. Thus, the obligations and functions of Sutel and the Council are established in Articles 59, 60, and 73 of the Law of the Regulatory Authority for Public Services (Ley N°7593), and from their reading, no specific powers of the Superintendency arise in cybersecurity matters and their oversight, much less regarding the supply chain. Thus, although the Reglamento de Ciberseguridad assigns specific powers to Sutel in this matter, based on Article 42 of the LGT, the truth of the matter is that, in application of the principle of legal reserve, Sutel does not have specific powers regarding cybersecurity, rendering the functions conferred therein inapplicable.

4. THE IMPACT ON COMPETITION SUTEL, as part of its functions as competition authority, analyzed the Reglamento de Ciberseguridad from the perspective of the principle of free competition enshrined in Article 46 of the Political Constitution, as well as according to the elements contained in the sectoral competition regime in telecommunications contained in the LGT. SUTEL's analysis was based on the application of a standardized methodology whose object is to determine if a regulation has the potential to affect competition in the telecommunications market. From the perspective of competition regulations, an adequate regulation is one that “seeks that the achievement of the objective the norm pursues is reached through a regulatory exercise that imposes the minimum possible restrictions on economic activity”5. To guarantee this, the regulation must respect a series of principles that contribute to minimizing the burden on economic activity and harm from the perspective of the efficient functioning of competition in the market. Based on the analysis carried out, which is incorporated in section IX of official communication number 06900-SUTEL-CS-2023, it is concluded that: “(...) For the purposes of interest to this Authority, the proposed regulation contains provisions that could have the potential to affect competition, for which reason the DGCO's analysis focuses on Articles 6, 7, 8, 9, 10, and 11 of the proposed regulation. (...)” Particularly, it is understood that the provisions contained in Article 10 of the Reglamento de Ciberseguridad may exclude companies from certain countries from participating in the deployment of 5G networks in Costa Rica. According to the criterion issued by SUTEL as the sectoral competition authority, the following is highlighted: A. Potential limitation on operators and telecommunications service providers The proposed regulation has the potential to limit the ability of certain types of telecommunications operators or providers to provide their services, by conditioning the granting of concessions for the use and exploitation of the radio electric spectrum for 5G telecommunications networks and services, as well as establishing specific characteristics, not strictly of a commercial nature, that telecommunications operators and providers must adopt when procuring goods and services required in the implementation of their 5G networks. B. Potential to raise costs The proposed regulation has the potential to raise the costs of all operators or providers based on 5G technology, as a result of the application of standards established in the regulation, as well as eventual substitutions of equipment, products, and services, which could be passed on to the end users of telecommunications services. C. Potential reduction of companies' incentives to compete The proposed regulation has the potential to promote the reduction of companies' incentives to compete, by not establishing clear and unambiguous criteria conducive to the presentation of the results of risk analyses and their classification as high, in addition to not detailing the procedure and any other element for the purpose of ordering the execution of cybersecurity audits at the expense of the audited entity. It is important to consider that the restriction of competition in markets has an impact, not only on the economic agents that participate in the provision of goods and services in said markets, but ultimately on consumers. Actions that make the provision of telecommunications services more expensive, or that cause markets to become less competitive or innovative, end up being reflected in higher prices for users, as well as in a delay in the introduction of improvements to the services provided. Competition possesses a series of benefits for societies, and hence comes its protection as a constitutional principle; among some of the benefits that market competition has are: a. Direct benefit to users: by directly driving a greater variety of products and services, higher quality, as well as via price reduction. b. Innovation: favors the development of more and new services according to the needs of users, which enables the development of new industries. c. Fiscal: this benefit arises in two ways. The first as a result of a higher level of economic activity that ultimately results in greater sources of tax collection. The second refers to how competition limits the possibilities of collusion in public procurement matters, or even in private purchasing processes. The above points constitute benefits that, directly and indirectly, end up benefiting the user; therefore, the effect that the Reglamento de Ciberseguridad has by limiting the competitive process of the telecommunications market, in the opinion of this Superintendency, may end up impacting the end user of telecommunications services. An essential element that must be taken into consideration in relation to the restrictions on the principle of competition caused by the Reglamento de Ciberseguridad is that the impact is not limited only to the telecommunications market since 5G mobile technology is an enabler of innovation in other industries, such as agriculture, industrial, airport, among others. Thus, the increase in cost and slowdown of the introduction of 5G technology that the restrictions on competition can cause, and which are established in the Reglamento de Ciberseguridad, would eventually end up affecting other industries, and even competitiveness at the country level, which today is supported partly on the basis of telecommunications services and networks that are capable of providing state-of-the-art services and broad capabilities.

Thus, from the extensive analysis set forth in official communication number 06900-SUTEL-CS-2023, it is concluded that the Reglamento de Ciberseguridad has the potential to generate barriers to competition among market agents, as it imposes restrictions according to the country of origin for the provision of hardware and software technological equipment in 5G and higher technology. These barriers could in turn have economic consequences for market operators and providers, as well as consequences in terms of delays in the deployment of 5G networks, which would limit access to these technologies for users and companies located in Costa Rican territory, ultimately causing a slowdown in innovation at the country level.

5. THE HIGH RISK PARAMETERS IN THE SUPPLY CHAIN AND THEIR RELATIONSHIP WITH CYBERSECURITY MATTERS In addition to the above, the Reglamento de Ciberseguridad provides high risk parameters, which are directed at the evaluation of the supply chain, with Articles 10 and 11 of the cited regulation referring, in their various subsections, to restrictions applicable to hardware and software suppliers based on their geographical locations and the relationship with respective governments, which are not included as subjects of regulation under the LGT. Precisely, the evaluation of the supply chain and the determination of the risk level associated with each supplier according to its country of origin is assigned to SUTEL in the Reglamento de Ciberseguridad, these functions not being consistent with the powers and scope of application of the LGT, which are limited to guaranteeing the privacy of telecommunications and the protection of personal data of end users of telecommunications, and not to matters associated with the evaluation of the supply chain of hardware and software suppliers. That is, Sutel has no regulatory powers over software and hardware suppliers according to the stipulations of the LGT. The cited official communication number 06900-SUTEL-CS-2023 states the following on the subject in question: “(...) It is then Sutel's responsibility, in its role as regulator of the telecommunications sector, to ensure that communications (e.g., calls or data sessions) are not intercepted, listened to, or inspected by third parties not authorized by the user, with the regulatory exceptions referred to above. And in relation to personal data linked to location and billing, the protection provided by Sutel legally encompasses the exchange of service and interconnection rating records (e.g., CDRs of calls or data) so that possible ‘tracking’ of communications does not operate without the authorization of the information owner or by judicial or Public Prosecutor's Office order, as applicable. (…) In accordance with the above, it is clear that the legal and infra-legal telecommunications regulations, with respect to Sutel's powers, expressly regulate the regime for the protection of end-user rights, and do not contemplate within their broad scope of regulation matters related to cybersecurity measures and the value chain applicable to telecommunications services, as proposed in the Reglamento sobre Medidas de ciberseguridad (…) From reading the proposed numeral 10, it is inferred that the high risk parameters are directed at the supply chain, with reference made in its various subsections to hardware and software suppliers, that is, it is directed at manufacturers or traders of equipment and software, which are not included as subjects of regulation in the LGT. (…)” 6. THE TECHNICAL REASONABLENESS OF THE REGLAMENTO DE CIBERSEGURIDAD Considering the constitutional principle of technical reasonableness, which requires that every act issued by State institutions must be based on technical criteria, in accordance with the provisions of Article 16 of the General Law of Public Administration, this Superintendency carried out an analysis of the case file related to the proposed Reglamento de Ciberseguridad, in which the following deficiencies were found: A. There are no technical analyses that justify the reasons why it is technically necessary to distance oneself from the standards applicable to the specific industry and resort to others. In this sense, SUTEL is of the criterion that those standards relevant to the telecommunications industry should be used, being for the specific case of mobile service, the standards of 3GPP and NESAS (from the joint work developed by GSMA8 and 3GPP), and their updates. These organizations were consolidated after the adoption of GSM standards and have established the standards used for the global deployment of 3G networks onwards, so the role of these standardization bodies has been key to ensuring the interconnection, interoperability, and roaming of the different generations of mobile networks. It is necessary to consider that national mobile networks, which operate under the guidelines of the International Mobile Telecommunications (hereinafter, IMT) of the International Telecommunication Union (ITU), have been globally standardized by 3GPP, a group that includes seven of the main global standardization entities in telecommunications matters. Additionally, 3GPP brings together an extensive list of market representation organizations, which together with manufacturers reach consensus on the design of IMT networks. 3GPP focuses its work on establishing technical specifications for mobile networks and their constant updates (documents called Releases), through which new functionalities are presented by technological evolution, packaging provisions, security provisions, use of radio electric resources, service capabilities, among others. Therefore, it is essential that matters relating to network security be submitted to industry standards such as those noted in the previous paragraphs, as they are standards that the sector dominates and for which there is broad knowledge for their application. B.

In the record of the consultation on the proposed regulation, MICITT does not present a financial analysis of the potential impact of the aforementioned regulation on the telecommunications market, taking into account the development of a Standalone (SA) or Non‑standalone (NSA) network. That is, the decision is not evaluated from a cost‑benefit perspective. In this regard, it is important to bear in mind that a Non‑standalone network allows its integration with other networks of lower technologies (such as 4G), making it possible to implement it in stages and to make the relevant upgrades as needed depending on market needs and evolution in terms of technology adoption. On this matter, the following figure shows the relationship of a Standalone network and its comparison with a Non‑standalone network: (…) From the above image, it is highlighted that with the Non‑standalone method, 5G networks can begin their provision without requiring an immediate investment in their own core, which allows the operator to determine, according to the scale of clients, traffic requirements and network conditions, when it is appropriate to make the leap to Standalone, meaning that each operator can synchronize the ideal moment to make the investments and continue to profit from previous networks. The Cybersecurity Regulation, by setting aside the principle of technological neutrality and stipulating subjection to 5G and subsequent networks (consequently all network elements), would be forcing operators that have previous‑generation networks contracted from manufacturers or suppliers whose country of origin has not signed the Budapest Convention to implement 5G networks in Standalone mode, which have high implementation costs that may be passed on to end users. Similarly, the aforementioned Regulation sets aside the natural interaction that must exist between 5G networks and their predecessors, to facilitate, for example, making telephone calls or the transition of service between areas with coverage of previous technologies, as well as service continuity in the face of the various interactions of mobile terminals with telecommunications networks. To expand on the above, the following image taken from the report called “October 2023 5G Standalone” by the GSA is presented, showing the proportion of Standalone (SA) network launches and Non‑standalone (NSA) network launches in 5G technology worldwide: (…) As shown in the image above, it is clear that the predominance of Non‑standalone 5G network implementations is far greater than Standalone networks. In the aforementioned report, it has been stated that “GSA has identified 121 operators in 55 countries and territories worldwide that have been investing in the implementation of public 5G SA networks in the form of trials, planned or actual. This equates to 20.9% of the 578 known operators that are investing in licenses, trials or deployments of any type of 5G” (own translation). Based on the above, it is correct to indicate that the most widely applied transition to 5G worldwide initially involves a Non‑standalone network that relies on elements of 4G networks, with 79% of current deployments as of the third quarter of 2023 (121 operators in 55 countries) being Non‑standalone, as shown in the aforementioned GSA report. Therefore, the Cybersecurity Regulation could generate significant limitations for those operators that have acquired 4G networks based on manufacturers and suppliers whose country of origin has not signed the Budapest Convention. In this regard, we reiterate that the record of the process subject to confidential consultation does not contain a technical and financial study of the implications of these restrictions on the national market. C. The record of the proposed regulation did not address the possible implementation timelines for the networks, the impact on their timely launch, and the cost for operators and providers, for the adoption of restrictions that do not correspond to the standards applicable to the IMT industry. Nor did it address the impact on users of the potential slowdown of the development of these new‑generation networks. 7. THE ESTABLISHMENT OF A SANCTIONING REGIME VIA DECREE The Cybersecurity Regulation in Article 13 refers to the sanctioning regime of the LGT, however, as noted, there are significant limitations. One of these relates to the fact that hardware and software providers are outside the scope of application of the LGT. The LGT does not regulate cybersecurity elements, nor the supply chain, and as a consequence, according to the principle of legal reserve (principio de reserva de ley), it is not possible via regulation to establish sanctions on the subjects that carry out said activity. Therefore, the sanctioning regime must be based on a legal‑rank norm, or at least the legal‑rank norm must enable it to exercise that power via regulation. On what has been developed here, official letter number 06900‑SUTEL‑CS‑2023 stated: “(…) it must be considered that it is not possible via regulation to establish a sanctioning regime, as it requires as a basis that the sanction and infraction be previously defined in a norm of law rank. Consequently, in accordance with what has been stated, in the event of non‑compliance with the regulation under consultation, the sanctioning regime provided for in Law No. 8642 could be inapplicable. Likewise, it can be observed that the sanctioning regime of the cited law arises from non‑compliance with the rights of the end users of telecommunications services, and not matters relating to cybersecurity in telecommunications networks and their due implementation by operators, as is proposed. (…)”. In accordance with the above, in order for the sanctions contained in the Cybersecurity Regulation to materialize, a law of the Republic is required, as is being promoted in the draft Law in file No. 23.292. Likewise, it must be noted that offenses relating to violations in the area of cybersecurity, regarding the form and terms established in the cited regulation, are not defined in the LGT, according to the graduation contemplated in that regulatory body (minor, serious and very serious). By way of conclusion, this Superintendency was emphatic in pointing out the existence of aspects that needed to be reviewed and adjusted in the proposed Cybersecurity Regulation. These aspects remain in the Cybersecurity Regulation, materializing the regulatory and normative deficiencies related to regulatory excess (legal reserve), the absence of a legal norm in the LGT assigning competences to Sutel in the area of cybersecurity and supervision of the supply chain, the establishment of a sanctioning regime without a legal norm that protects or references it, and finally, the impacts on competition in the telecommunications market.” 21.- By means of a written submission received at the Secretariat of the Chamber on December 13, 2023, Paula Bogantes Zamora, Minister of Science, Innovation, Technology and Telecommunications, appears. She indicates that she serves as the governing minister in the telecommunications sector. She states that she provides a USB drive with a folder called “MANIFESTACIONES MICITT‑RECURSO AMPARO 23‑023887‑0007‑CO”.

22.- By means of a written submission received at the Secretariat of the Chamber on December 13, 2023, Paula Bogantes Zamora, Minister of Science, Innovation, Technology and Telecommunications, appears, in the following terms: “FIRST. That this Ministry has consulted the electronic file No. 23023887‑0007‑CO, in which an amparo appeal filed by the company [Name 002] against the Costa Rican Electricity Institute is being heard, where various entities and bodies have been granted an audience, which justifies the informative participation of the Ministry in my charge, thus providing the Constitutional Chamber with complementary technical advice as an exercise of the Rectoría de Telecomunicaciones, for the purposes indicated. (…) FOURTH. That there is a direct relationship between the facts set forth in the amparo appeal, in its entirety, and the functions of the Ministry Governing Telecommunications, insofar as its claims relate to the issuance of Executive Decree 44196‑MSP‑MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” published in La Gaceta on August 31, 2023. FIFTH. Given that the reference norm was issued by the Executive Branch with the direct participation of this Ministerial Office, I deem it appropriate to provide the following statements for the full investigation of the real truth of the facts, satisfaction of the public interest that involves national security, the legal regime of rights of end users of telecommunications services, cybersecurity applied to telecommunications services under fifth‑generation 5G and superior mobile technology, the adequate exploitation of the radio spectrum as a constitutional public domain asset in order to guarantee a fair, equitable, independent, transparent and non‑discriminatory assignment and in safeguard of the principle of procedural equality with respect to the opportunity granted to the entities referred to in the Resolution of thirteen hours twenty‑two minutes of November twenty‑four, two thousand twenty‑three, to the Ministry of Science, Innovation, Technology and Telecommunications. The foregoing, for the purposes of contextualizing the application of the Decree cited, which will be of procedural utility and relevance for what the Constitutional Chamber of the Supreme Court of Justice may decide, all in accordance with Articles 33, 39 and 41 of the Political Constitution. SIXTH: That, for a better understanding of the factual and legal aspects that motivate the issuance of the “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Executive Decree 44196‑MSP‑MICITT, published in La Gaceta on August 31, 2023, they will be developed below. A. ON THE POWERS DELEGATED TO THE EXECUTIVE BRANCH FOR THE ESTABLISHMENT OF THE CONDITIONS AND OBLIGATIONS OF THE ENABLING TITLES FOR CONCESSION GRANTED TO TELECOMMUNICATIONS SERVICE OPERATORS FOR THE USE AND EXPLOITATION OF THE RADIO SPECTRUM. On this matter, it is appropriate to start from the constitutional mandate of Article 121 point 14) subparagraph c) which in this regard states: “(...) The following shall not permanently leave the State domain: c) Wireless services; The goods mentioned in subparagraphs a), b) and c) above may only be exploited by the public administration or by private parties, in accordance with the law or through a special concession” (Highlighting is our own). In this sense, the constitution established which were the two ways to exploit public domain goods such as wireless services, firstly in accordance with the block of legality and secondly, through a special concession. Regarding the specific sector regulations of No. 8642, Ley General de Telecomunicaciones and its Reglamento, it is of interest to mention that at the time that draft law was considered, the constitution was emphatic about the priority objective of said text, which was to order the Telecommunications Sector, specifically regarding the use and exploitation of the radio spectrum. The foregoing being that a respectful regulatory framework was required, it was recorded in minutes that the discussion of the bill was for the purpose of regulating aspects such as the administration and assignment of a finite and limited resource such as the radio spectrum. Within this systematic model, the legislator took into account a series of axes that must be highlighted. First, within the objectives of the Ley General de Telecomunicaciones, Article 2 subparagraph g) stands out: “To ensure the efficient and effective assignment, use, exploitation, administration and control of the radio spectrum and other scarce resources”. As it is a finite good, the spectrum must be disposed of in the most transparent manner possible, which is why a tripartite role‑separation model was established in said norm, where the figures of the Governing Entity, the Regulatory Body and the Telecommunications Operator interact. This disaggregation of roles was enshrined in the regulations in accordance with the principles of transparency, equity and legal certainty that inform the telecommunications sector, where the State, in the figure of the Executive Branch, is the only one that grants, modifies or extinguishes the enabling title to exploit said constitutional public domain asset. As a corollary of the foregoing, we can read in Article 10 of the Law in question (No. 8642) the definition of competencies where: “(...) The Executive Branch shall assign, reassign or reclaim the frequencies of the radio spectrum, in accordance with the provisions of the Plan nacional de atribución de frecuencias, in an objective, timely, transparent and non‑discriminatory manner, in accordance with the Political Constitution and the provisions of this Law. Sutel shall be responsible for the technical verification of radio emissions, as well as the inspection, detection, identification and elimination of harmful interference”. As can be seen, the permanent competence to assign available frequencies in accordance with the Plan Nacional de Atribución de Frecuencias (PNAF) was delegated by the constitution to the Executive Branch, which it may do by applying the criteria of objectivity, transparency and non‑discrimination. It is here that the principle of protection and control of the radio spectrum manifests, where the granting administration inherently carries the competence to grant concessions, and together with this, exercises the powers of supervision and oversight to ensure that the granted use is not only efficient, but also that in its oversight it is a guarantor of the protection of the superior regime of human rights under the principle of progressivity and not to the detriment of private parties. Of course, the Procuraduría General de la República emphasized this role of the Executive Branch during the discussion of the text of the norm, on which the Opinión Jurídica No. OJ‑015‑2007 of February 26, 2007 can be consulted, where it stated: “(...) The Procuraduría is of the opinion that functions such as the control and administration of the spectrum are proper to the State, which should exercise them through the Executive Branch. (...) The Procuraduría reaffirms its position regarding the competence to grant concessions. Said competence belongs to the Executive Branch. The electromagnetic spectrum is a national good, it is a scarce good and today it is a strategic good. Therefore, it must remain in the sphere of the State. (...)”. As a corollary of the foregoing, the Ley General de Telecomunicaciones in its Article 7 reiterates: “ARTICLE 7.‑ Planning, administration and control. The radio spectrum is a public domain good. Its planning, administration and control shall be carried out in accordance with the Political Constitution, international treaties, this Law, the Plan nacional de desarrollo de las telecomunicaciones, the Plan nacional de atribución de frecuencias and the other regulations issued to that effect. By virtue of the foregoing, and through an adequate legal hermeneutics, it is necessary to point out that the highly specialized telecommunications matter that concerns us is governed first by the provisions of the constitutional regime and in turn, by public international law, taking into account that Article 7 of the Political Constitution establishes that: “public treaties, international conventions and concordats, duly approved by the Legislative Assembly, shall have, from their enactment or from the day they designate, authority superior to the laws.” (Highlighting is our own) In this sense, Law No. 8622 “Tratado de Libre Comercio República Dominicana - Centroamérica - Estados Unidos (TLC)”, in its Anexo 13 of CAFTA “Specific Commitments of Costa Rica on Telecommunications Services”, observes in its Article 4 the principle of spectrum assignment which falls precisely on the figure of the Executive Branch: “Assignment and Use of Scarce Resources Costa Rica shall ensure that the procedures for the assignment and use of scarce resources, including frequencies, numbers and rights of way, are managed in an objective, timely, transparent and non‑discriminatory manner, by a competent domestic authority. 6 The Republic of Costa Rica shall issue licenses directly to service providers for the use of the spectrum, in accordance with Article 121, subsection 14 of the Political Constitution of the Republic of Costa Rica.” On the other hand, Articles 6 and 10 set the necessary guidelines for access to and use of networks, insofar as it must be considered: 6. Access to and Use of Networks (...) (b) Notwithstanding the provisions of subparagraph (a), Costa Rica may take measures that are necessary to ensure the security and confidentiality of messages, or protect the privacy of non‑public personal data of public telecommunications service subscribers, subject to the requirement that such measures are not applied in a manner that could constitute a means of arbitrary or unjustifiable discrimination, or a disguised restriction on trade in services. (c) Costa Rica shall also ensure that no conditions are imposed on access to and use of public telecommunications networks or services, other than those necessary to safeguard the public service responsibilities of public telecommunications network or service providers, in particular their capacity to make their networks or services available to the general public, or to protect the technical integrity of public telecommunications networks or services. (...) 10. Flexibility in Technological Options Costa Rica shall not impede that public telecommunications service providers have the flexibility to choose the technologies they use to supply their services, subject to the necessary requirements to meet legitimate public policy interests”. Thus, the special telecommunications regime imposed on the Executive Branch a special duty of vigilance over the use and exploitation of the spectrum, as it is a scarce good, of non‑free use, so that said exploitation certainly escapes the legal sphere of private parties and is only carried out under certain terms and conditions defined by the legal system, the discretionary regulatory power of the Executive Branch and other technical regulations that apply to the specific case. On this matter, the Procuraduría General de la República in its Opinion No. C177‑2023 dated September 18, 2023, has stated in relevant part: “In coherence with the foregoing considerations, the LGT constitutes the general legal framework by which the competence of the Executive Branch to grant the concession for the use and exploitation of the radio spectrum and the conditions under which the frequencies will be exploited and the corresponding services provided is regulated in our environment, namely: requirements and procedure for granting the concession, obligations and rights of the concessionaire, powers of the granting Administration, transfer of enabling titles, among other aspects. (...) Consequently, neither a private party nor the public Administration are authorized to exploit the spectrum if they do not have the respective concession granted by the Executive Branch (see pronouncement PGROJ‑059‑2023, of May 23). The word concession in its very legal meaning implies exclusivity, this being the rule imposed by the LGT when it entails the “reservation” of a determined use (in this case commercial) in exclusive favor of the holder. This also derives from Article 19 of the same law, when, as an exception to the competitive bidding procedure, it contemplates the concession granted by the Executive Branch directly and according to the order of receipt of the request by the interested party, in the cases of “frecuencias requeridas para la operación de redes privadas y de las que no requieran asignación exclusiva para su óptima utilización” (the underlining is added). The exclusive assignment thus implies that only the holder of the concession may use or exploit the spectrum frequency bands that were reserved for them with said act, to the point that the LGT defines as a very serious infraction, the “[u]so o explotar bandas de frecuencias del espectro radioeléctrico sin la correspondiente concesión o permiso”. This exclusive assignment also responds to technical reasons, to the extent that shared use by several operators of the same frequency ranges could generate interference that affects the quality of the service.” Therefore, as part of the powers conferred on the Executive Branch in its capacity as the granting administration, it is responsible for promoting the procedure imposed by the constitution for the respective assignment of frequencies in the radio spectrum, which is applicable in the area of network exploitation through the technology of interest, 5G. In this regard, Articles 11 and 12 of the Ley General de Telecomunicaciones, in relevant part, provide: “ARTICLE 11.‑Concesiones. A concession shall be granted for the use and exploitation of the radio spectrum frequencies required for the operation and exploitation of telecommunications networks. Said concession shall enable its holder for the operation and exploitation of the network. In the case of public telecommunications networks, the concession shall enable its holder for the provision of all types of telecommunications services available to the public. The concession shall be granted for a determined coverage area, regional or national, in such a way as to guarantee the efficient use of the radio spectrum. (Highlighting is our own) Artículo 12.‑ Competitive bidding procedure. Frequency concessions for the operation and exploitation of public telecommunications networks shall be granted by the Executive Branch through the public competitive bidding procedure, in accordance with the Ley de contratación administrativa and its regulation. Sutel shall instruct the procedure, after carrying out the necessary studies, to determine the need and feasibility of granting the concessions, in accordance with the Plan nacional de desarrollo de las telecomunicaciones and sector policies.” (Highlighting is our own) From this it follows that the use and exploitation of the radio spectrum as a constitutional public domain asset can be assigned under a regime of competition and free concurrence, as provided in Article 182 of the Political Constitution: “ARTICLE 182.‑ Contracts for the execution of public works entered into by the Branches of the State, the Municipalities and the autonomous institutions, purchases made with funds from those entities and the sales or leases of goods belonging to them, shall be made through public tender, in accordance with the law as to the respective amount”. In accordance with the foregoing, the assignment of new frequencies must observe the principle of public tender regulated in the cited Article 182 of our Political Constitution, in concordance with the provisions of the Ley General de Telecomunicaciones, Law No. 8642 and the provisions systematically established in the Ley General de Contratación Pública (hereinafter LGCP), Law No. 9986; and in an infra‑legal sphere by the provisions of Article 21 of the Reglamento a la Ley General de Telecomunicaciones (by its initials RLGT), Executive Decree No. 34765‑MINAET, which in relevant part states: “Article 21. —Concesiones. A concession shall be granted for the use and exploitation of the radio spectrum frequencies required for the operation and exploitation of telecommunications networks. (...) Frequency concessions shall be granted by the Executive Branch through the public competitive bidding procedure, (...) and Sutel shall be responsible for instructing the procedure.” We have then that frequency concessions shall be granted by the Executive Branch through the public competitive bidding procedure, a process whose instruction corresponds to the Superintendency of Telecommunications, as the regulatory Body established by law to technically determine the possibility of granting any requested frequency. This is stipulated in Article 23 of the RLGT which establishes the requirements that must be accredited for the Executive Branch to initiate a public competitive bidding process for the concession of radio spectrum frequencies: “Article 23. —Initial decision. Once the technical criteria of the previous studies have been issued by Sutel and the need and feasibility of the concession have been verified, the Executive Branch shall issue the decision to initiate the respective competitive bidding procedure, which it shall forward to Sutel for instruction. The administrative decision initiating the procurement procedure shall be issued by the Executive Branch. This decision shall be adopted once at least the following has been accredited: a) A justification for the appropriateness of the public competitive bidding, with an express indication of the need to be satisfied, considering for this purpose the long‑ and medium‑term plans, the Plan Nacional de Desarrollo de las Telecomunicaciones and sector policies. b) The technical specifications and characteristics of the radio spectrum frequency to be conceded. c) The existence of necessary studies and the feasibility of granting the concession must be accredited. Sutel shall assess compliance with the foregoing requirements, prior to the start of the procedure, and shall arrange the preparation of a schedule with tasks and those responsible for their execution and shall ensure due compliance with the procedure.” Thus, and in adherence to the principle of legality, the Executive Branch only tenders the spectrum available registrally as sized by the norms of the telecommunications sector system, in a sound investment of public funds, a legal maxim reiterated in Article 8 subparagraph e) of the LGCP that precisely brings together the principles of constitutional rank that inform the matter: “(...) e) Principles of effectiveness and efficiency: the use of public funds and goods and the conduct of all subjects involved in the public procurement activity must respond to the fulfillment of the institutional purposes, goals and objectives and to the satisfaction of the public interest. (...)”. It is under the protection of the constitutional mandate and other special laws that regulate public procurement, that the State in its capacity as Granting Administration has the obligation to guarantee equality and the broadest concurrence in an integral, impartial and transparent environment, adhering to the general principles of public procurement. The foregoing, with special safeguarding also in the technical specificity of the contractual object in this case, as regulated by Article 23 subparagraph b) of the RLGT cited above. This is why the power of the Executive Branch must reconcile all aspects derived from the applicable legal regime with the necessary technical measures in order to protect, administer and control the use and exploitation made of this constitutional public domain asset with strict adherence to fundamental rights, conditions that must be enshrined in the specifications of the respective competitive bidding procedure. In this vein, Title II, Chapter II called the Regime for the Protection of Privacy and Rights of End Users of Law No. 8642, Ley General de Telecomunicaciones, establishes a special norm that regulates the privacy and protection regime for the rights and interests of end users of telecommunications services, and specifically Articles 41 and 42 of this legal body provide: “ARTICLE 41.‑ Legal regime. This chapter develops the privacy and protection regime for the rights and interests of end users of telecommunications services. Agreements between operators, the stipulations in concessions, authorizations and, in general, all contracts for telecommunications services that are entered into in accordance with this Law, shall have due regard for the protection of the privacy and rights and interests of end users. Sutel is responsible for ensuring that operators and providers comply with the provisions of this chapter and what is established by regulation. ARTICLE 42.‑ Privacy of communications and protection of personal data. Operators of public networks and providers of telecommunications services available to the public must guarantee the secrecy of communications, the right to privacy and the protection of personal data of subscribers and end users, through the implementation of the systems and the necessary technical and administrative measures. These protection measures shall be established by regulation by the Executive Branch.” (...) As can be inferred from the first paragraph of Article 42 of the General Telecommunications Law (Ley General de Telecomunicaciones), the Executive Branch is granted discretionary power to establish, through regulations, those necessary and suitable technical and administrative measures directed at public network operators and service providers, who must at all times align telecommunications activity with the constitutional mandates of secrecy of communications (secreto de las comunicaciones), the right to privacy (derecho a la intimidad), and the protection of end users' personal data. This delegation to regulate the pertinent measures naturally derives from Article 140 of the Political Constitution (Constitución Política), which states, as relevant: ARTICLE 140.- The following are duties and attributions corresponding jointly to the President and the respective Government Minister: (...) 3) To sanction and promulgate laws, regulate them, execute them, and ensure their exact compliance; The Executive Branch's power to regulate laws constitutionally originates from the preceding mandate, which the legislator, in turn, derivatively embodied in the norm of Article 42 of the General Telecommunications Law. Naturally, to exercise this power, it is also necessary to observe the significance of economic competence and free competition (libre concurrencia) for the proper functioning of the market and for the benefit of consumers or users, which entails due protection of their security and economic interests in accordance with Article 46 of the Political Constitution, as stated by this Constitutional Chamber (Sala Constitucional) in its Resolution No. 01104 - 2017 of January 25, 2017. In this sense, it has been the desire of the Constitutional Assembly that private parties participate in the exploitation of the radioelectric spectrum, provided they comply with the conditions stipulated in the Fundamental Norm itself; therefore, the supervision of the Executive Branch in this regard is an obstacle. (Constitutional Chamber, Resolution No. 04569 - 2008 of March 26, 2008). It is under the constitutional and legal competences already outlined that the Executive Branch issued the "Regulation on Cybersecurity Measures applicable to telecommunications services in fifth-generation mobile technology (5G) and higher" (Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores), Executive Decree 44196-MSP-MICITT, published in Supplement No. 166 to the Official Gazette La Gaceta No. 159 of August 31, 2023, with the purpose of establishing cybersecurity measures to guarantee the secure use and exploitation, with safeguarding of individuals' privacy, of telecommunications networks and services based on fifth-generation mobile technology (5G) and higher, also based on the considerations detailed below.

B. ON THE FUNDAMENTAL RIGHTS DERIVED FROM HUMAN DIGNITY: PRIVACY (INTIMIDAD), PRIVACY (PRIVACIDAD), SECRECY OF COMMUNICATIONS (SECRETO DE LAS COMUNICACIONES), AND INFORMATIONAL SELF-DETERMINATION (AUTODETERMINACIÓN INFORMATIVA) OF END USERS OF TELECOMMUNICATIONS. In view of our country's technological transformation and the transition to 5G technology, the constitutionally rooted guarantees relating to privacy, secrecy of communications, and informational self-determination of end users of telecommunications, derived from Article 24 of the Fundamental Charter (Carta Fundamental), must always be observed, which states, as relevant: "ARTICLE 24.- The right to privacy (intimidad), freedom, and secrecy of communications is guaranteed. Private documents and written, oral, or any other type of communications of the inhabitants of the Republic are inviolable. However, the law, whose approval and reform shall require the votes of two-thirds of the Deputies of the Legislative Assembly, shall determine in which cases the Courts of Justice may order the seizure, registration, or examination of private documents, when it is absolutely indispensable to clarify matters submitted to their cognizance. Further elaborating, the Constitutional Court has stated that privacy is comprised of a series of activities that are not part of general knowledge, including communications, thus through Resolution No. 05996-2015, at 4:00 p.m. on April 28, 2015, it developed the following: "(…) III.-- JURISPRUDENTIAL PRECEDENTS ON THE RIGHT TO PRIVACY (INTIMIDAD). (...) 'Article 24 of the Political Constitution enshrines the fundamental right to privacy (intimidad). This is a protective forum for the private life of citizens. Privacy is formed by those phenomena, behaviors, data, and situations of a person that are normally withheld from the knowledge of strangers and whose knowledge by them can morally disturb the person by affecting their modesty and reserve, unless that same person consents to that knowledge. Although it cannot but be deemed that what happens within a citizen's home is private life, what happens in offices, friends' homes, and other private enclosures may also fall within that scope. In this way, the constitutional rights of inviolability of domicile, private documents, and communications exist to protect said privacy, which is an essential right of every individual…' Likewise, in judgment number 6776-94 at 2:57 p.m. on November 22, 1994, the following was indicated: 'The right to privacy has a positive content manifested in multiple forms, such as: the right to one's image, domicile, and correspondence. For this Chamber, the right to private life can be defined as the sphere into which no one may intrude. The freedom of private life is the recognition of an area of activity that is specific to each individual, and the right to privacy limits the intervention of other persons or public authorities in the private life of the person; this limitation can manifest itself both in the observation and capture of images and documents in general, and in the listening to or recording of private conversations and the subsequent dissemination or disclosure of what was captured or obtained without the consent of the affected person. (...)'" (Emphasis added) Based on the foregoing, it is worth remembering that such fundamental rights (privacy (intimidad), privacy (privacidad), and secrecy of communications, and the right to informational self-determination) are grounded in the dignity of the person and the conscious and responsible self-determination of one's own life. In that sense, it is affirmed that dignity is inherent to the human being and is the legal minimum that must be ensured to the person so that their status as such and a minimum quality of human life are respected. Respect for the rights derived from Article 24 manifests respect for human dignity." (Office of the Attorney General of the Republic (Procuraduría General de la República), Legal Opinion OJ-103-2010, of December 13, 2010).

Similarly, as a derivative of human dignity and privacy, the processing of personal data is provided for in a special legal framework that guarantees its adequate treatment; therefore, the Office of the Attorney General of the Republic, in its Opinion No. C-064-2022 dated March 22, 2022, stated: "(...) For example, the processing by third parties of data considered sensitive or personal, in which case they are considered confidential, is prohibited; additionally, personal data of restricted access are protected, which, even (sic) when contained in publicly accessible records, cannot be of unrestricted access; hence, their processing is only permitted (sic) for the head of the interested Public Administration entity, when pursuing public purposes, or when the express consent of the data subject is obtained. (...)" In this sense, what was indicated in point A of this report is reiterated, given that the hierarchy of sources operates in this matter, and in accordance with this, the provisions of the Treaties must be observed. Thus, Law No. 8622 "Dominican Republic-Central America-United States Free Trade Agreement (CAFTA-DR) (TLC)", in its Annex 13 of CAFTA "Specific Commitments of Costa Rica on Telecommunications Services", observes in its Article 6 provisions concerning access to and use of networks, as follows:

6. Access to and Use of Networks (...) (b) Notwithstanding the provisions of subparagraph (a), Costa Rica may take such measures as are necessary to ensure the security and confidentiality of messages, or to protect the privacy of non-public personal data of subscribers to public telecommunications services, subject to the requirement that such measures are not applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination, or a disguised restriction on trade in services. (c) Costa Rica shall also ensure that no conditions are imposed on access to and use of public telecommunications networks or services, other than those necessary to safeguard the public service responsibilities of public telecommunications network or service providers, in particular their ability to make their networks or services available to the general public, or to protect the technical integrity of public telecommunications networks or services.

Along the same lines, Article 3, subsections c), d), f), i), j), of Law No. 8642, General Telecommunications Law (Ley General de Telecomunicaciones), establishes that our sectorial legal system is based on guiding principles such as the benefit to the end user of telecommunications services, transparency, optimization of scarce resources, information privacy (privacidad de la información), effective competition—guiding principles for the administrative function of this Regulatory Body, the activity of the Executive Branch, as well as for operators and providers of telecommunications services, which derive from the constitutional norm referred to above.

In conjunction with the above, it must be highlighted that the Preamble of Annex 13 of Law No. 8622 "Dominican Republic-Central America-United States Free Trade Agreement (CAFTA-DR)", in its Annex 13 of CAFTA "Specific Commitments of Costa Rica on Telecommunications Services" emphasizes that the opening process shall be for the benefit of the user. In this regard, it is important to state that the Universal Declaration of Human Rights, adopted by Resolution of the General Assembly of the United Nations on December 10, 1948, highlights in its Article 1 the value of human dignity in the following terms: "All human beings are born free and equal in dignity and rights. They are endowed with reason and conscience and should act towards one another in a spirit of brotherhood." (Emphasis added) In that same sense, it is read from Article 2 that the protection of human dignity as a fundamental value must prevail under equal conditions, as follows: 1. Everyone is entitled to all the rights and freedoms set forth in this Declaration, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status. 2. Furthermore, no distinction shall be made on the basis of the political, jurisdictional or international status of the country or territory to which a person belongs, whether it be independent, trust, non-self-governing or under any other limitation of sovereignty. (Emphasis added) As a corollary to the above, our country is a signatory to the American Convention on Human Rights (Pact of San José), Law No. 4543 of February 23, 1970, which establishes a series of obligations for the Costa Rican State as observed below: "Article 1. Obligation to Respect Rights 1. The States Parties to this Convention undertake to respect the rights and freedoms recognized herein and to ensure to all persons subject to their jurisdiction the free and full exercise of those rights and freedoms, without any discrimination for reasons of race, color, sex, language, religion, political or other opinion, national or social origin, economic status, birth, or any other social condition. 2. For the purposes of this Convention, 'person' means every human being." (Emphasis added) Along the same lines, Article 2 of the cited Convention indicates that the States Parties undertake to adopt internal measures within their national legal systems to enforce the rights and freedoms enshrined in said Pact; thus, the article reads: "Article 2. Duty to Adopt Domestic Legal Provisions Where the exercise of any of the rights or freedoms referred to in Article 1 is not already ensured by legislative or other provisions, the States Parties undertake to adopt, in accordance with their constitutional processes and the provisions of this Convention, such legislative or other measures as may be necessary to give effect to those rights or freedoms." In relation to the above, Article 26 of the referenced Convention provides that the development of internal measures must be progressive to contribute to the development and cooperation among countries based on the due protection of economic, social, educational, scientific, and cultural rights, among others, thus stipulating: "Article 26. Progressive Development The States Parties undertake to adopt measures, both internally and through international cooperation, especially those of an economic and technical nature, with a view to achieving progressively, by legislation or other appropriate means, the full realization of the rights implicit in the economic, social, educational, scientific, and cultural standards set forth in the Charter of the Organization of American States as amended by the Protocol of Buenos Aires, to the extent of available resources." It is also of special relevance that Article 29 of the Pact of San José sets the rules of interpretation of said instrument to guarantee that fundamental rights and freedoms are not undermined through internally adopted laws or practices, thus indicating: "Article 29. Rules of Interpretation No provision of this Convention shall be interpreted as: a) permitting any State Party, group, or person to suppress the enjoyment or exercise of the rights and freedoms recognized in this Convention or to restrict them to a greater extent than is provided for herein; b) restricting the enjoyment or exercise of any right or freedom recognized by virtue of the laws of any State Party or by virtue of another convention to which one of the said states is a party; c) precluding other rights or guarantees that are inherent in the human personality or derived from representative democracy as a form of government; or d) excluding or limiting the effect that the American Declaration of the Rights and Duties of Man and other international acts of the same nature may have. (Emphasis added) As can be seen, Costa Rica's regime for the protection of fundamental human rights comprises the norms of International or Community Law in force in the Republic, formally incorporated into the legal system through adherence to the various instruments that contribute to the protection of human rights. For internal purposes, the provisions that the Constitutional Assembly regulated in the Magna Carta (Carta Magna), which will be analyzed later in this document, must also be observed. As has been well indicated, the incorporation of supranational law into domestic law is not exhausted by the process of adhering to international instruments but rather responds to a progressive interpretation; thus, the implementation of international instruments requires the intervention of the Judicial Branch bodies that exercise constitutional control. This progressive and necessary exercise also involves the ex officio conventionality analysis between internal norms and international instruments within the framework of the respective competences of public bodies. By virtue of the foregoing, the participation of all State officials is required to exercise conventionality control, who, in the performance of their duties, must interpret internal norms in such a way that they are compatible with international obligations, in guarantee of human rights. An adequate legal hermeneutics implies that this conventionality control is also carried out in harmony with the principles of International Law of Treaties, which entail encouraging all bodies of the state apparatus to adopt the necessary measures to ensure that the terms of an international agreement have effects in harmony with domestic law (effet utile requires of the State), followed by the obligatory nature of the treaty between the parties (pacta sunt servanda), which must be fulfilled exactly as enshrined in good faith (bona fides). This position has been addressed by the Constitutional Chamber in Resolution 2017-002800 at 9:30 a.m. on February 24, 2017:

"VIII- On the obligatory application of International Conventions for Costa Rica. The parameter of constitutional control, according to Article 1 of the Constitutional Jurisdiction Law (Ley de la Jurisdicción Constitucional), is not only composed of the norms of the Fundamental Law but also by 'the constitutional principles and those of International or Community Law in force in the Republic, their uniform interpretation and application, as well as the fundamental rights and freedoms enshrined in the Constitution or in international human rights instruments in force in Costa Rica.' Ergo, all the cited legal sources, principles, and rights, which include both constitutional principles and others of International or Community Law, in the exercise of constitutional control, must be applied harmonically, in such a way that their protective contents are optimized in the best possible way and the essential content of none of them is affected. Likewise, the principle of international law effet utile requires of the State, in the interpretation and application of Treaties, including those that are non-self-executing, the obligation to encourage all bodies of the state apparatus to generate lasting effects within the domestic order in accordance with the international obligations acquired, so that all necessary measures must be taken as a whole to ensure that the terms of an international agreement have effects in harmony with domestic law. This is followed by cooperation mechanisms between States and international organizations, and monitoring of the compatibility of domestic legislation with that of international conventions. In the same sense, the principles of pacta sunt servanda and bona fides determine that treaties must be fulfilled exactly as enshrined in good faith, since the obligatory nature of the treaty between the parties requires them to establish policies aimed at its adequate compliance. The foregoing principles oblige an interpretation of domestic law, including of course the Constitution and the norms of treaties signed by Costa Rica, in light of the principle of coherence (principio de coherentia), by virtue of which, when faced with two statements, one from an international treaty norm and another from a domestic law norm, to the extent possible, they should not be attributed a meaning that produces incompatibility between them. The requirement of coherence is a logical consequence of the principles of pacta sunt servanda, bona fides, and effet utile to which we have already referred. If States commit themselves in the international order, it is because they have the will to fulfill the obligations contracted, and it is the duty of the States and their internal bodies to adopt all necessary measures, including those of an interpretative nature, to adapt the domestic legal system so that the objective pursued in the ratified international convention is achieved. For these reasons, the Constitutional Court, in exercising constitutional control, has the duty to harmonize the obligations derived from the Political Constitution and International Law, all to the extent that precise technical-legal reasoning based on the constitutional block (bloque de constitucionalidad) so permits, so that the protective contents of the various sources are optimized in the best possible way, without, of course, affecting the essential content of any fundamental right. Certainly, on the domestic plane, constitutional law has priority over international law; however, on the external plane, the foregoing does not justify the unilateral non-compliance by a State of a binding conventional obligation, which would inevitably entail liability for the non-complying State as it constitutes a violation of international law, and would only have the complicated possibility of proceeding with the regulation of nullity, termination, or suspension of the application of treaties according to Part V of the 1969 Vienna Convention on the Law of Treaties. (...)" Thus, Costa Rica must implement the provisions of international instruments on Human Rights, which, in harmony with the mandates of the Political Constitution, view the person as the center of jurisdiction, and consequently, the regime for protecting their fundamental rights and freedoms must be guaranteed. In this way, our constitutional order is conciliatory with the international protection regime of the fundamental rights and freedoms of the human person, since Article 33 recognizes and proclaims the constitutional value of human dignity, which constitutes the cornerstone of all fundamental and human rights, as follows: "ARTICLE 33.- Every person is equal before the law and no discrimination contrary to human dignity may be practiced." (Emphasis added) Now, it is appropriate to refer to the considerations expressed by this Constitutional Chamber in Resolution No. 16069-2020 at 9:15 a.m. on August 26, 2020, which relates to the recognition of human dignity and the equal treatment underlying it, regarding which it indicated: "The human being, by the mere fact of being so, by having been born such, is the repository of a series of rights recognized for the protection of their dignity. Ultimately, one of the fundamental values and principles of Constitutional Law is, precisely, dignity, upon which the entire edifice of the dogmatic part of the Constitution is erected, that is, the fundamental rights of persons. It is from the recognition of the intrinsic dignity of the human being that international Human Rights instruments and Constitutions grant them a series of indisputable and universally accepted freedoms and rights. In this sense, the General Assembly of the United Nations, when adopting the Universal Declaration of Human Rights in its resolution No. 217 A (III) of December 10, 1948, considered in the Preamble that freedom, justice, and peace in the world are based on the recognition of the intrinsic dignity and the equal and inalienable rights of all members of the human family. In that understanding, it was agreed in Article 1 that 'All human beings are born free and equal in dignity and rights...'. Likewise, Article 2 recognizes that everyone is entitled to the rights and freedoms proclaimed in said Declaration without distinction of any kind. Identical considerations were made by the General Assembly of the United Nations when issuing the International Covenant on Civil and Political Rights and the International Covenant on Economic, Social and Cultural Rights, adopted in resolution No. 2200 A (XXI) of December 16, 1966, and incorporated into our legal system through Law No. 4229 of December 11, 1968, in which it was decreed that the recognition of the rights provided therein derive from the inherent dignity of the human person. For their part, the American States adopted the American Convention on Human Rights, which is Law of the Republic No. 4534 of February 23, 1970, and, in the preamble, recognized that the essential rights of man do not arise from the fact of being a national of a certain State but are based on the attributes of the human person. Article 1 provides that the States Parties to the Convention undertake to respect the rights and freedoms recognized therein and to ensure the free and full exercise thereof to all persons without discrimination." (Emphasis added) As is well indicated, human dignity is inherent to any human being and, therefore, representative of a series of rights and freedoms whose enjoyment and protection must be guaranteed to all equally. From the foregoing, the Human Rights protection regime is based on the principle of equality before the law enshrined in Article 24 of the Pact of San José, pursuant to which: "Article 24. Right to Equal Protection All persons are equal before the law. Consequently, they are entitled, without discrimination, to equal protection of the law." It is of special relevance to analyze the provisions of Article 24 of the Pact of San José together with the constitutional mandate of Article 33, cited in previous lines, as both invoke the value of human dignity hand-in-hand with the principle of equality free from all discrimination. Specifically, the Constitutional Chamber has characterized that discrimination occurs when, in a given situation, equals are treated unequally, without any justification. In this sense, through Resolution No. 03421-2020, at 12:10 p.m. on February 19, 2020, it held: "In relation to the Principle of Equality and the Right to Non-Discrimination, Article 33 of the Constitution establishes equality, not only as a principle informing the entire legal system but also as a true subjective right in favor of the inhabitants of the Republic. For this reason, it extends over all legal relationships, especially those established between citizens and public power. Hence, the right to equality is summed up as the right to be treated equally as others in each and every legal relationship constituted. On the other hand, equality is also a constitutionally imposed obligation on public authorities, which consists of treating equally those who find themselves in equal factual conditions, simultaneously constituting a limit on the action of public power. Notwithstanding this and that, on principle, everyone is equal before the law, situations of inequality may occur in reality. Here it is important to indicate that there are two basic concepts often confused when discussing the topic of equality before the Law, such as discrimination and differentiation. The Constitution prohibits discrimination but does not exclude the possibility that public power may grant different treatments to different situations, provided it is based on an objective, reasonable, and proportionate basis. A differentiation of treatment is legitimate, and even obligatory, when there is inequality in the factual circumstances, which would imply that the principle of equality is only violated when equals are treated unequally and, therefore, unequal treatment for identical situations is unconstitutional." From the foregoing, it is relevant to bring into the discussion the character of the principle of equality, which is an obligation for Public Power, transformed into the duty to materialize fair treatment among all human beings who find themselves in equal factual conditions, because they are born free and equal in dignity and rights. In this sense, one starts from the most basic, as established by the Universal Declaration of Human Rights, in which, human beings being endowed with reason, elevates our duty to behave rationally towards one another, whereby the State must build a legal framework that treats those who are in equal factual conditions equally. It is evident that there are factual situations in which not everyone is treated equally, especially when compensating for those factual situations produced by the alterations inherent to nature and things, which may cause the State, by omitting corrective measures, to incur injustices, as they can result in inequalities contrary to human dignity. As established by the preceding precedent, it is clear that the difficulty lies in determining the negative connotation that treating people differently entails, where one may fall into discrimination and not differentiation. Discrimination is a different treatment lacking an objective, reasonable, and proportionate basis. When referring to differentiation, it involves establishing differentiated legal treatments when there is an objective, reasonable, and proportionate basis.

(...)” (Emphasis added) From the aspects outlined above by that esteemed Constitutional Chamber, it is evident that in the case law when discussing the principle of equality and the right to non-discrimination, it must necessarily be examined whether in the case there exists some objective factual basis that allows for a difference in treatment, a scenario that is consequently termed differentiation of treatment and proves to be a perfectly feasible and valid scenario, grounded in the principle of equality. This conceptual precision implies that public authorities must treat those who are in equal factual conditions in an equal manner, and in a reasoned way. Consequently, the principle of equality is only violated when equals are treated unequally in the absence of justification, which translates into discrimination. Now then, this Ministry deems it worthwhile to reiterate that the “Regulation on Cybersecurity Measures Applicable to Telecommunications Services in Fifth-Generation Mobile Technology (5G) and Higher,” Executive Decree 44196-MSP-MICITT, seeks to safeguard the aforementioned rights of end users of telecommunications deriving from Article 24 of the Constitution (already cited), such as privacy, inviolability of private documents, privacy of communications, and quality of services, by establishing technical and objective measures in the deployment of 5G and higher networks, since these rights find their basis in the dignity of the person and their exercise entails the conscious and responsible self-determination of one's own life. Human dignity is the legal minimum that must be assured to end users of telecommunications, so that their condition as such and a minimum quality of human life are respected. The development of new technologies and the possibilities of invasion into the private sphere of individuals are capable of threatening the dignity and privacy of individuals. Hence derives the true need for the issuance of the “Regulation on Cybersecurity Measures Applicable to Telecommunications Services in Fifth-Generation Mobile Technology (5G) and Higher,” Executive Decree 44196-MSP-MICITT, since it safeguards the protection of the cited rights from an area that is extremely vulnerable, namely the establishment of the network itself, which is transcendental given that this Collegiate Court has recognized the fundamental role of the same in satisfying the fulfillment of the public domain asset: “which is to protect the public service and the quality of the public service intended to be provided” (...) In that same vein, Resolution No. 03089-2011, of 08:38 hours on March 11, 2011, that same Constitutional Chamber indicated regarding the equipment intended to be connected to the mobile telephone network: “(...) complying with minimum conditions or standards, so as to guarantee the health, safety, and economic interests of the users themselves, is consistent with the provisions of Article 46 of the Political Constitution. (...). Among the technical reasons are included, among others, ensuring that the terminal equipment allows the user to freely choose and change service providers, receive service continuously and equitably, have access to improvements that the provider implements, receive quality services under the terms previously stipulated and agreed upon with the provider, and have access to information in the Spanish language. (...)” (Emphasis added) Based on the foregoing, I will now refer to the legal protection regime for privacy and end-user rights in the area of telecommunications services. C. REGARDING THE LEGAL PROTECTION REGIME FOR PRIVACY AND END-USER RIGHTS IN THE AREA OF TELECOMMUNICATIONS SERVICES. As was well developed in previous paragraphs, the Executive Branch has the obligation, within the framework of spectrum allocation, to guarantee that said allocation is not only carried out in strict adherence to the principle of legality. Furthermore, the services to be provided via telecommunications networks must conform to the considerations of Title II, Chapter II, called the Regime for the Protection of Privacy and End-User Rights, of Law No. 8642, General Telecommunications Law. This is because said special law regulates the privacy regime and the protection of the rights and interests of the end users of telecommunications services, and specifically Articles 41 and 42 of this legal body provide: “ARTICLE 41.- Legal Regime This chapter develops the privacy regime and the protection of the rights and interests of the end users of telecommunications services. Agreements between operators, the stipulations in concessions, authorizations, and, in general, all contracts for telecommunications services subscribed to in accordance with this Law, shall take into account the due protection of the privacy and the rights and interests of end users. Sutel is responsible for ensuring that operators and providers comply with the provisions of this chapter and with what is established by regulation. ARTICLE 42.- Privacy of Communications and Protection of Personal Data Operators of public networks and providers of publicly available telecommunications services must guarantee the secrecy of communications, the right to privacy, and the protection of the personal data of subscribers and end users, through the implementation of the necessary systems and technical and administrative measures. These protection measures shall be established by regulation by the Executive Branch. Operators and providers must adopt appropriate technical and administrative measures to guarantee the security of their networks and services. In the event that an operator becomes aware of an identifiable risk to network security, it must inform Sutel and the end users about said risk. Operators and providers must guarantee that communications and the traffic data associated with them are not listened to, recorded, stored, intercepted, or monitored by third parties without their consent, except when there is a corresponding judicial authorization, in accordance with the law.” As can be seen, these articles establish three aspects of relevance for the purposes of this report, namely: a) The obligation to which operators are subject to observe the due protection of the privacy and the rights and interests of end users. b) The competence imposed on Sutel to ensure that operators and providers comply with said obligations. c) The competence of the Executive Branch to establish protection measures via regulation. All of this in favor of the legal protection regime for end users in the access to and effective enjoyment of telecommunications services. In addition, Article 49, subsections 1, 2, and 3 of Law No. 8642, General Telecommunications Law, establishes the obligations of operators and providers in the following terms: ARTICLE 49.- Obligations of operators and providers Network operators and telecommunications service providers shall have the following obligations: 1) Operate networks and provide services under the conditions established by the respective enabling title, as well as the law, regulations, and other provisions issued for that purpose. 2) Comply with the obligations of universal access, universal service, and solidarity that correspond to them, in accordance with this Law. 3) Respect the rights of telecommunications users and attend to their claims, as provided for in this Law. (...) For its part, Article 74, subsection f) of the Regulation to the General Telecommunications Law, Executive Decree No. 34765, establishes within the general obligations of the holders of concessions for the use and exploitation of the radioelectric spectrum the duty to adopt the necessary measures to guarantee the privacy of telecommunications. As will be specified in later sections of this report, the Regulation in question incorporates the highest standards and best international practices in cybersecurity, for the tender process for telecommunications services via International Mobile Telecommunications (IMT) systems, including fifth-generation 5G technology and higher. The incorporation of these elements constitutes objective parameters to strengthen prevention against cybercrime, which, as will be seen, has generated significant repercussions in the country. As part of the cybersecurity measures regulated by the “Regulation on Cybersecurity Measures Applicable to Telecommunications Services in Fifth-Generation Mobile Technology (5G) and Higher,” Executive Decree 44196-MSP-MICIT, the need for both operators and providers not to present high-risk parameters when providing telecommunications services is identified. In that sense, it is important to emphasize that the cited Regulation only contemplates high-risk parameters because the aim has been to ensure minimal state intervention, so that the assessment and management of medium- and low-impact risks is carried out by the network operators or telecommunications service providers. Finally, it should be noted that the protection of human dignity and the enjoyment of the rights emanating from it prevails over any other matter, as the Constitutional Chamber has pointed out in decision No. 03421-2020, of 12 hours 10 minutes, dated February 19, 2020, when reviewing that: “(...) it is important to recall an elementary issue of Public International Law. Human Rights Treaties have, by their subject matter, an object and purpose very different from bilateral or multilateral international treaties on commercial matters, technical, scientific, cultural cooperation relations, etc. In these treaties, the subjects of international law agree on mutual obligations among themselves on the respective agreed topics; however, in those related to human rights, States place the human person within their jurisdiction as the object and purpose. In this sense, States grant, in accordance with the golden rule of international law, international obligations in favor of the human person, which must be fulfilled in good faith (in accordance with Article 26, Pacta sunt servanda, of the Vienna Convention on the Law of Treaties). (Emphasis added) Consequently, the international law rule of pacta sunt servanda to fulfill international obligations in favor of the human person prevails, which is precisely what Costa Rica has sought with the implementation of the Regulation under analysis. All this understanding that the human being is the cornerstone of the Information and Knowledge Society, and therefore must be provided with all protection, especially when dealing with complex digital environments such as those represented by the imminent implementation of the fifth-generation mobile technology known as 5G. For a better understanding of the provisions and standards contained in the Regulation under study, the following sections will address the aspects that were evaluated for its preparation. It is thus in the protection of the legal regime of the fundamental rights of end users of telecommunications that the Executive Branch, in the exercise of its tasks and regulatory powers delegated constitutionally and legally, may adopt the necessary measures to guarantee their privacy, the secrecy of communications, and their informational self-determination. D. REGARDING THE NEED TO STRENGTHEN AND ADAPT THE SECTORAL REGULATORY FRAMEWORK FOR REASONS OF NATIONAL SECURITY DUE TO THE CYBERATTACKS SUFFERED BY OUR COUNTRY. As background, on April 12, 2022, Costa Rica received a strong cyberattack on the databases of the Ministry of the Treasury, and on subsequent dates, cyberattacks were received on different databases of other institutions. Due to the foregoing, our country has been the focus of international headlines in which the magnitude of the cyberattack was revealed, as well as the vulnerability of the Costa Rican State to this type of event. As a demonstration of the impact generated on the different public systems, the National Emergency Plan for Cyberattacks,[3] showed in its Table No. 1, the institutions affected by the cyberattack in the following way: TABLE 1 Emergency Decree No. 43542 – MP - MICITT Institutions affected by the Cyberattacks INSTITUTION DATE INCIDENT ---|---|--- Ministry of the Treasury April 17 ● Exfiltration of information published on the CONTI cybercriminal group's website ● Encryption of information ● Impact on the functionality of computer systems MICITT April 18 ● Defacement (modification of the website) ● Impact on the functionality of computer systems National Meteorological Institute (IMN) ● Exfiltration of information published on the CONTI cybercriminal group's website ● Impact on the functionality of computer systems RACSA ● Exfiltration of information published on the CONTI cybercriminal group's website ● Impact on the functionality of computer systems Costa Rican Social Security Fund (CCSS) April 20 ● Theft of social media credentials ● Attack via SQL injection ● Impact on the functionality of the CCSS Human Resources computer system ● Exfiltration of information from a table with log data, but no sensitive data Ministry of Labor and Social Security (MTSS) April 21 ● Exfiltration of information published on the CONTI cybercriminal group's website ● Encryption of information ● Impact on the functionality of computer systems Administrative Board of the Municipal Electrical Service of Cartago (JASEC) April 23 ● Encryption of information ● Impact on the functionality of computer systems Interuniversity Headquarters of Alajuela (SIUA) ● Exfiltration of information published on the CONTI cybercriminal group's website ● Impact on the functionality of computer systems In the other institutions (Municipality of Golfito, Municipality of Turrialba, INDER, Municipality of Santa Bárbara, Municipality of Garabito, MEIC, University College of Cartago, FANAL, Municipality of Alajuelita, CONAPE, Ministry of Justice and Peace) the technical measures deployed successfully detected and contained the possible CONTI in their systems.

Source: MICITT, citing the General Emergency Plan for Cyberattacks. Due to the above, the Executive Branch, through Decree No. 43542-MP-MICITT, “Declares a state of national emergency in the entire public sector of the Costa Rican State, due to the cybercrimes that have affected the structure of information systems,” a declaration based on the immediate impact on the computer systems linked to the functioning of the State's critical services. Now then, these breakdowns in the different institutional systems generated significant long-term consequences. In that regard, the Comptroller General of the Republic, by means of communication No. DFOE-CAP-OS-00001-2023 dated May 1, 2023, titled “Opinions and Suggestions: 'Cyber Emergency: Obstacle to Digital Transformation and Social Welfare; Setbacks for Transparency and Accountability',” identified the following: ● Loss of internal efficiency, since the disabling of computer systems causes delays in their processes, work stoppages, or overload of technical-administrative functions for staff. ● Loss of income. For example, it was reported that the Ministry of Labor and Social Security experienced a delay in the collection of income of ₡1,431 million for employer-worker contributions to be received by the Costa Rican Social Security Fund, and at the Administrative Board of the Municipal Electrical Service of Cartago, ₡93 million in service sales were not made during the period of system interruption. These delays acquired a significant dimension because they not only caused financial losses in the income of these institutions, but also generated biases in public spending and thereby in the adequate provision of public services. ● Loss of information that undoubtedly impacts the continuity of operations and decision-making. The value of information transcends decision-making; it also affects trust, transparency, and accountability. For example, providing greater openness and access to information stimulates and strengthens citizen control and facilitates the development of public services that are more focused on people's needs, more reliable, and more open. More extensively, the Comptroller General of the Republic, in the cited document, indicated: “(...) Cyberattacks directly impact the accountability and transparency of institutions in the form of loss of information and reliability of data. The cyberattacks also affected the availability of financial and fiscal information relevant for decision-making. According to the State of the Nation Program [12], the cyberattacks demonstrated that “(...) the availability and openness of fiscal information is not only more limited, but to date, the historical records have not been reestablished (SIC) (...)” • Direct impact on people's well-being, who have been affected by the interruption of health services. In that sense, the Costa Rican Social Security Fund identified impacts on waiting lists and appointment rescheduling, specifically in surgical procedures, outpatient consultations, outpatient procedures, laboratory, and radiology and imaging, which constituted a total of 158,255 rescheduled appointments during the months of June to September 2022. Thus, inhabitants had to assume costs related to longer response times, more costly alternatives, and even difficult access to information by having to move from one service window to another within the same institution. Regarding the economic impact on the affected institutions only concerning actions related to the recovery of the affected areas, the National Emergency Plan for Cyberattacks,[4] showed in its Table No. 6 some data of interest to this document in this way: “TABLE 6 Emergency Decree No. 43542–MP–MICITT Reconstruction Phase: Proposals for Actions by Executing Unit” Institution Proposal of Actions Amount ---|---|--- Ministry of the Treasury Acquisition of technological tools to perform network analytics, identify and block malware, ransomware, and any new type of threat from the Internet or internally, and also allow full visibility of all user activity (and the trail left by their devices), to block any threat. Acquisition of secure productivity services, cloud online services, security monitoring and response services, Azure cloud services, and service hours for sanitizing remaining equipment.

₡1,049,388,494.63 Ministry of Science, Innovation, Technology and Telecommunications (MICITT) Implement a new website under an updated and secure platform version that minimizes the risk of being targeted again. Tools for intelligent and automated defense of web applications and email protection. Information backup equipment and equipment for CSIRT-CR tasks. Contracting temporary personnel (for emergency) to reinforce CSIRT-CR's response capacity. Payment for microCLAUDIA licenses to the National Cryptologic Center of Spain.

₡641,475,400.00 National Meteorological Institute (IMN) Renewal of Antivirus, EDR licenses. Renewal of licenses for the 3 Firewalls held by IMN. Renewal of the digital certificate. Renewal of licensing for the institutional backup system. Renewal of the licensing contract for our Oracle Database. Renewal of license for the cluster, containing vCenter Service.

₡66,000,000 Ministry of Labor and Social Security (MTSS) Acquisition of SIEM XDR platform option including HW Appliance, PaloAlto Cortex licensing, Kaspersky EDR Expert (700) + KATA for servers (50), Web Application Firewall (WAF) (Up to 1 Gb/sec) ₡345,000,000 Administrative Board of the Municipal Electrical Service of Cartago (JASEC) Contracting of expert consultancy in NetApp storage media (SAN) to perform analysis and recovery of critical data. Acquisition of a Firewall device to detect and control incoming and outgoing data traffic, updating Microsoft Windows 2007 and 2010 licenses for more current Windows licensing, updating the ORACLE license, and acquiring two Enterprise-type licenses.

₡164,000,000 Interuniversity Headquarters of Alajuela (SIUA) Obtaining at least one physical server to implement a SIEM/EDR solution at SIUA is required. Purchase of a firewall-ng device that can identify DDoS, DoS attacks, exploits, malware, unwanted applications, provide email protection, among others; at least one device with threat intelligence and signature matching is needed to guarantee the security and access to public and private services of the siua.ac.cr domain.

₡28,500,000 TOTAL ₡2,294,363,894.63 Source: System of Reports on Damages, Losses, and Response Proposals for Declarations of National Emergency, 2022. In this regard, according to the National Emergency Commission, the actions of the cited National Emergency Plan for Cyberattacks, “(...) are aimed at attending to the computer systems, rehabilitating the affected public services, reinforcing their security; all under satisfactory conditions that ensure the continuity of these services without a repeat event of this nature, as far as possible.” However, in the long term, it is essential to adopt measures that go beyond attending to the affected systems and services, because the danger of cyberattacks remains latent. Thus, the state of emergency must also be addressed through the establishment of regulations and security protocols to act defensively and preventively for future events, with the establishment of cybersecurity measures for telecommunications services based on fifth-generation mobile technology (5G) and higher being an essential element for comprehensive management of the indicated risks. Therefore, the Executive Branch, in the cited Decree No. 43542-MP-MICITT, established a series of measures encompassing all necessary actions, works, and services to contain, resolve, and prevent new attacks against the Information Systems of the Costa Rican State. The same Decree No. 43542-MP-MICITT states that the cessation of the state of national emergency will be declared when the phases of the emergency defined in Article 30 of said Law and Article 2 of this Executive Decree are completed, and with the technical criteria issued by the National Commission for Risk Prevention and Emergency Response supporting it. In this sense, Article 2 provides: Article 2.- All actions, works, and services necessary to contain, resolve, and prevent new attacks against the Information Systems of the Costa Rican State are considered included within this emergency declaration. Due to the foregoing, and given the severity of the cyberattacks received, the state of national emergency remains in effect as of the date of issuance of the “Regulation on Cybersecurity Measures Applicable to Telecommunications Services in Fifth-Generation Mobile Technology (5G) and Higher,” Executive Decree 44196-MSP-MICITT, and the Executive Branch continues to carry out preventive actions allowing for a better response to this type of transgression. Cyberattacks exploit any gap or exposure vector in networks and services, or failures in technologies, to violate the principles of cybersecurity and information security: confidentiality, integrity, and availability. However, the evolution towards 5G networks will enable a wide range of new and improved critical services, from autonomous vehicles and telemedicine to automated manufacturing. This implies that the exposure vector expands and the risk increases, since a violation of the principles of the information security triad could cause anything from failures in essential services to loss of life. Therefore, it is necessary to strengthen security in 5G networks and protect them adequately, applying safeguards to reduce the risk that these networks are used in computer attacks. It should be highlighted that, despite the cyberattacks, Costa Rica continues to promote and foster technological advancement and thereby the promotion of new technologies for the benefit of telecommunications users within the framework of the Information and Knowledge Society, albeit with greater caution. As an example, the Foreign Trade Promoter of Costa Rica (PROCOMER) has pointed out regarding service exports: “(...) By 2022, Costa Rica's service exports totaled US$11.79 billion, 29% more than in 2021, this growth being the highest in the last five years and exceeding pre-pandemic levels. Excluding the travel subsector, growth is 16% and exports total US$8.653 billion. Business services (45%), travel (27%), telecommunications, information technology, and information (16%), and transformation services (6%) are the main service subsectors. (Emphasis not in the original) (...)” Based on the foregoing considerations, it is important to keep in mind that cybersecurity measures must be continuous since risks do not behave statically; they are present in everyday life. It is for this reason that the upcoming introduction of 5G technology, as will be analyzed later, demands the articulation of continuous efforts, requiring the reinforcement of the regulatory framework, among other actions, through the incorporation of security measures on two fronts: first, for IMT-2020 networks, and secondly, for the protection of the privacy, the secrecy of communications, and the informational self-determination of end users of telecommunications. Another element that must be considered, as stated by the Information and Knowledge Society Program (PROSIC) of the University of Costa Rica, is that “Today, cybercrime represents 'half of all property crimes occurring in the world' (IDB, 2021, p.10), which demonstrates the magnitude of this problem, so absent from most government plans.” And particularly in relation to the cyberattack of April 2022, PROSIC states that the “experience lived with the cyberattacks shows us the need to reinforce preparation and the adoption of measures that ensure resilience and adequate management of cyber threats. (...)” In the National Cybersecurity Strategy of Costa Rica 2023-2027, published on November 13, cybersecurity risks are comprehensively addressed, and under this approach, pillar 3 consists of: “strengthening the protection of infrastructures and national cyber resilience, protecting critical national infrastructures and adequately managing cybersecurity risks so that stakeholders can maximize the benefits of the digital environment and citizens are safer online (...).” Thus, it is important to emphasize that the greater the complexity of the technology, the greater the degree of vulnerability, and consequently, the measures adopted have a different level of rigor than what might work for other technologies.

Risk management for 5G and higher technologies thus acquires a differentiated character, where even best practices should address the supply chain, as incorporated in the “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT. Given the consequences of the cyberattacks of 2022 that affected residents’ access to essential services, it was decided to adopt at the national level, among other actions added to the emergency declaration, the “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196MSP-MICITT, which, as already stated, is grounded in the highest standards and best international practices in this matter, in view of the competitive process for telecommunications services via IMT systems, including 5G.

E. ON THE IMPORTANCE OF TELECOMMUNICATIONS NETWORKS AND SERVICES BASED ON FIFTH-GENERATION MOBILE TECHNOLOGY (5G) AND HIGHER. The deployment of networks and the provision of telecommunications services based on 5G technology represent a process of importance for the country, due to the consequent improvements in the economic and social conditions of Costa Ricans. There are higher reasons of public interest and national convenience, derived from the public policies guiding the Telecommunications Sector set forth in the Plan Nacional de Desarrollo de las Telecomunicaciones and sector regulations, which seek, given the market-opening model of Telecommunications, to invigorate operator participation, enable the expansion of supply, and therefore the possibility of choice in favor of users of telecommunications services in the country.

As has been stated, the radio spectrum (espectro radioeléctrico), as a public-domain asset (bien de dominio público), has a special purpose, and its purpose serves a public interest. Public interest can be defined as: “the result of a set of shared and coincident interests of a majority group of individuals, which is assigned to the entire community as a consequence of that majority, and which finds its origin in the axiological will of those individuals, appearing with a concrete and determinable content, current, eventual or potential, personal and direct with respect to them, who can recognize in it their own will and their own valuation, prevailing over individual interests that oppose or affect it, which it displaces or substitutes, without annihilating them.” When speaking of the use and assignment of the radio spectrum (espectro radioeléctrico), these aspects of public interest may be undermined if the Executive Branch does not adopt the corresponding actions in a timely manner, in order to fulfill its legal mandates and thereby generate the necessary tender processes (procesos licitatorios) for the assignment of said public-domain asset (bien demanial), and therefore the deployment of telecommunications networks that enables the provision of telecommunications services via IMT systems, including 5G.

Therefore, for this Rectoría it is necessary to bring to the attention of the Constitutional Chamber (Sala Constitucional) aspects related to the implementation of IMT systems, including 5G, and the cost that this decision represents for the country, should this implementation be delayed, so the following sections will now be expanded upon.

a. Implementation of telecommunications services via IMT systems including 5G.

Article 2 of the Ley General de Telecomunicaciones, Ley Nº 8642, establishes as its objectives, among others: “a) Guarantee the right of residents to obtain telecommunications services, under the terms established in this Law. (…) f) Promote the development and use of telecommunications services within the framework of the information and knowledge society and as support to sectors such as health, citizen security, education, culture, commerce, and electronic government. g) Ensure the efficient and effective assignment, use, exploitation, administration, and control of the radio spectrum (espectro radioeléctrico) and other scarce resources. h) Encourage investment in the telecommunications sector, through a legal framework that contains mechanisms guaranteeing the principles of transparency, non-discrimination, equity, legal certainty, and that does not encourage the establishment of tributes. i) Strive for the country to obtain the maximum benefits from technological progress and convergence. (…)”.

For its part, Article 3 of Ley N° 8642 proclaims the guiding principle “Optimization of scarce resources,” as follows: “(…) i) Optimization of scarce resources: assignment and utilization of scarce resources and telecommunications infrastructures in an objective, timely, transparent, non-discriminatory, and efficient manner, with the dual objective of ensuring effective competition, as well as the expansion and improvement of networks and services.” The optimization of the scarce resource is a continuous task and a challenge for the Executive Branch and for the Sector Rectoría, so it must constantly carry out efforts for this principle to be fulfilled. The radio spectrum (espectro radioeléctrico), being a scarce public-domain asset (bien demanial), must be maximized in its use and assignment, so that the satisfaction of the public interest can be achieved. Since, otherwise, it negatively affects the fulfillment of the objectives of the legal framework of telecommunications, contemplated in numeral 2 of the Ley General de Telecomunicaciones transcribed in the relevant part above.

In that line of thought, the Executive Branch has identified that the deployment of “IMT” systems, including 5G, is a priority and necessity, as part of the fulfillment of the guiding principles and public-policy objectives of the Telecommunications Sector, so that, as in other countries, in Costa Rica, the assignment of currently available spectrum through public competitive process (concurso público), would make it possible to provide new telecommunications services, and thereby seek to close the digital divide, promote better quality and innovative services, and foster competitiveness in terms of equality in the market, which redounds to greater benefits for end users. SUTEL, in the technical opinion (dictamen técnico) issued via official communication Nº 4225-SUTEL-OTC-2021 of May 19, 2021, “Report on Spectrum Assignment for Future Deployment of 5G Networks from the Competitiveness Perspective,” in exercise of its powers as Sector Competition Authority, stated the following about the deployment of 5G Networks:

“(…) “C. DEPLOYMENT OF FIFTH-GENERATION NETWORKS WORLDWIDE. (…) 5G technology is more than a technological change, as it consists of a revolution of the wireless communications ecosystem through the enablement of different use cases in the various fields of society, taking into consideration the benefits associated with greater speed, lower latency, and a greater capacity to connect multiple devices simultaneously. In comparison with current networks, this next generation will provide download speeds 200 times faster and upload speeds 100 times faster, as well as one-tenth of the latency[1], therefore, its development is being focused on three generic usage scenarios: enhanced mobile broadband (eMBB), massive machine-type communications (mMTC), and ultra-reliable and low-latency communications (uRLLC). In this way, 5G enables the development of convergent communication systems, integrates networks, hardware, and software; however, just as with any service of a wireless communications nature, the essential input is spectrum.

For the year 2020, the spectrum requirement for a 5G deployment ranged between 1340 and 1960 MHz, therefore, despite network densification and efficient spectrum use, it is expected to be insufficient to meet the future demand for services, and consequently, being able to handle the growing traffic on mobile networks depends on the availability of additional spectrum resources. To deploy 5G technology, a combination of various frequency band groups is required; each of these band types fulfills a specific functionality in the deployment of the technology. Thus, the spectrum requirements for 5G deployment can be segmented into three main frequency ranges:

• Low bands (below 1GHz) In the low bands, the 600 and 700 MHz bands have frequently been identified as suitable candidates that would assist with the transition from 4G to 5G. Low bands have properties of coverage and indoor penetration. Likewise, these low bands, due to their propagation characteristics, allow uses of 5G in large areas such as agricultural extensions, industrial and agro-industrial parks, and rural roads with regular topography.

• Mid-bands (between 1 GHz and 6 GHz) Mid-bands will enable the deployment of 5G in cities, given their versatility in both propagation or coverage and capacity; they are the central bands of 5G deployment. Among these bands are the 2.3 GHz, 2.6 GHz, and 3.5 GHz bands. (…)

• High bands (above 24 GHz) In the third category is the millimeter wave spectrum located above 24 GHz, which becomes key for 5G since, due to its capacity characteristics, it will enable the massive connectivity of thousands of objects in a reduced area. For example, the pioneer 5G band identified by the Radio Spectrum Policy Group in Europe is 24.25-27.5 GHz (26 GHz). In many parts of America and Asia, the 28 GHz band, followed by parts of the 37-43.5 GHz band, have also been identified for 5G. (…)

By virtue of the above, it is found that it is only (sic) through a combination of frequencies distributed across the three types of ranges that 5G technology could be successfully deployed. Likewise, it is appropriate to keep in mind that the OECD has recognized that ‘to benefit from the capabilities offered by the new 5G radio technology, large contiguous blocks of spectrum per operator may be needed.’ The scenario implies that spectrum management becomes a primary and complex task for regulators and companies. In various countries, measures have been taken to promote the introduction of 5G, and along with the definition of industry standards, important advances have been made, facilitating the rapid spread of the new technology in those countries that reacted and took actions, propitiating that there currently exists a relevant number of countries with a significant number of operators offering commercial 5G services, with the adoption of 5G expected to be the fastest and to reach one billion users in 3.5 years. (…)” In addition to the above, the Sector Competition Body established in the referred technical opinion (dictamen técnico) that the radio spectrum (espectro radioeléctrico) constitutes: “(…) the most relevant input for the deployment of IMT services and, therefore, its timely availability is of vital importance for the deployment of 5G networks. //On the assignment of spectrum for IMT services, the Tribunal de Defensa de la Libre Competencia of Chile indicated in its Resolution 59/2019 ‘Ultimately, it was considered that ‘the radio spectrum (espectro radioeléctrico), besides constituting a barrier to entry, affects the cost structure of incumbent operators and, with it, the intensity of competition in the relevant market,’ so it was ordered that an entrant that is awarded a smaller portion of radio spectrum (espectro radioeléctrico) than that of the incumbent operators will have to face higher investment and operation costs than them for the same level of coverage and traffic.’” Therefore, taking into consideration the current holding of radio spectrum (espectro radioeléctrico), and the need of telecommunications operators for this scarce element in low, mid, and high bands to implement 5G in Costa Rica, the Superintendencia de Telecomunicaciones concluded in the cited technical opinion (dictamen técnico), regarding this point, the following: “15. (...) a. To achieve the standards pursued by IMT-2020 for 5G, it is necessary for an operator to leverage the complementarity between different frequency bands, which is only achieved through a portfolio of low, mid, and high frequencies. b. In relation to the spectrum needs for 5G in the country, the three mobile operators will have to compete to obtain frequencies in the low band, the 700 MHz frequency; the same would occur in relation to millimeter-wave bands, the 26 MHz and 28 MHz bands, therefore it is considered that in the case of these frequencies a competition impact analysis is not required, since all mobile companies, by needing to participate in the eventual competitive process for the assignment of frequencies, would be in the same competitive situation. By virtue of the above, this analysis focuses on the mid-frequency bands, where ICE holds the concession (concesión) for 100% of the 2600 MHz frequency bands and (…), insofar as the MICITT agrees with what is stated in the technical opinions (dictámenes técnicos) issued by SUTEL. c. In the mid-bands, the ideal spectrum requirement needed by operators for the deployment of 5G is 80-100 MHz of continuous spectrum, which contrasts with the spectrum that ICE holds in the mid-bands, where it holds 190 MHz (140 MHz FDD and 50 MHz in TDD) of IMT spectrum in the 2600 MHz band and 225 MHz in the 3500 MHz band, which in total corresponds to 415 MHz. (…).” Within this conception, many countries in different regions are in the process of carrying out, or have already established, planned assignment processes, as follows: “(…) Of the worldwide deployments shown in the previous figure, the most commonly used bands are the C band (3300 MHz to 3700 MHz), the millimeter-wave bands of 26 GHz and 28 GHz, 700 MHz, and 2600 MHz, in that order. Furthermore, it is possible to estimate that around 80% of operators that have deployed or are carrying [SIC] out tests for the implementation of 5G networks, use the cited bands. Thus, although the strategies for the development and implementation of 5G have been diverse and dissimiles [SIC], it is a fact that changes are being made, at the regulatory and private investment levels, for the implementation of this technology. In relation to the above, and in the case of mid-bands for the deployment of 5G networks, it is considered pertinent to highlight the situation of the 2.6 GHz and 3.5 GHz bands, as central bands in the deployment of 5G technology. (…)” Thus, the importance of the implementation of telecommunications services via IMT systems including 5G, is that it promotes not only the provision of new, innovative, and accessible services, but also provides users with greater possibilities to choose which offer best satisfies their particular needs, enabling the affordability thereof and contributing to closing the digital divide in all its components (access, use, and appropriation).

b. User access to more and better telecommunications services, user benefit, and effective competition.

Regarding user benefit and competition, the Ley General de Telecomunicaciones establishes regulations in accordance with the scheme that emerged from the opening of the Telecommunications Sector in Costa Rica. In that sense, Article 2 of the Ley General de Telecomunicaciones, Ley 8642, contemplated them within its objectives as follows: “a) Guarantee the right of residents to obtain telecommunications services, under the terms established in this Law. e) Promote effective competition in the telecommunications market, as a mechanism to increase the availability of services, improve their quality, and ensure affordable prices. (...)” Article 3 of Ley 8642 defines among its guiding principles the following: “c) User benefit: establishment of guarantees and rights in favor of end users of telecommunications services, so that they can access and enjoy, in a timely manner, quality services at an affordable price, receive detailed and truthful information, exercise their right to freedom of choice, and to equitable and non-discriminatory treatment. f) Effective competition: establishment of adequate mechanisms so that all operators and providers in the market compete under conditions of equality, in order to seek the greatest benefit for residents and the free exercise of the constitutional Right and freedom of choice. g) Non-discrimination: treatment no less favorable than that granted to any other operator, provider, or user, public or private, of a similar or equal telecommunications service. (…)”.

This translates into the duty to guarantee citizens access to more and better telecommunications services, which would include the development of innovative services. To achieve this, it is necessarily required to grant, through public competitive process (concurso público), the assignment of radio spectrum (espectro radioeléctrico) for the development of IMT systems, which allows all operators to propose new services and business schemes, and in turn expands the supply for the benefit of users, enabling the exercise and enjoyment of rights such as consumer freedom of choice, and access to new technologies.

In this regard, the Superintendencia de Telecomunicaciones established in its technical opinion (dictamen técnico) N° 05348-SUTEL-DGC-2019 of June 19, 2019, the following: “The development of telecommunications, specifically that driven by mobile technologies encompassed in the designation International Mobile Technologies (hereinafter, IMT), generates noticeable socioeconomic impacts, which is evidenced in the radical change they have implied in lifestyle, both in terms of leisure and in the workplace. IMT technologies have allowed people’s communication to be within their reach, and as the capabilities for mobile Internet access have been enhanced, it is clear that through these technologies, phenomena such as social networks that allow interacting at any time and in any place with other people develop. It is also clear that these technologies have influenced the creation of a new work environment, where the office can similarly be formed at any time and in any place; these virtual offices imply new interaction scenarios, enable teleworking, and make possible the formation of professional teams from a global perspective; with much potential still to be exploited such as the role of Machine-to-Machine Communications (hereinafter, M2M) and the Internet of Things (hereinafter, IoT). Some of these impacts do not yet have a quantitative description (...).” Bearing (sic) in mind the relevance of the development of new technologies such as IMT and their impact on the citizen’s social environment, the Constitutional Chamber (Sala Constitucional) has recognized in its Resolution Nº 12790-2010 of 8:58 a.m. on July 30, 2010, that these act as a vehicle for the exercise of different human rights and therefore the correlative need to optimize the use and assignment of the radio spectrum (espectro radioeléctrico) through the promotion of competitive procedures (procedimientos de concurso):

“Regarding this last point, it must be said that the advance in the last twenty years in the field of information and communication technologies (ICTs) has revolutionized the social environment of the human being. Without fear of error, it can be affirmed that these technologies have impacted the way in which the human being communicates, facilitating connection between people and institutions worldwide and eliminating barriers of space and time. At this moment, access to these technologies becomes a basic instrument to facilitate the exercise of fundamental rights such as democratic participation (electronic democracy) and citizen control, education, freedom of expression and thought, access to information and online public services, the right to interact with public authorities by electronic means, and administrative transparency, among others. It has even been affirmed the fundamental right character that access to these technologies holds, specifically, the right of access to the Internet or network of networks. In this sense, the Constitutional Council of the French Republic, in decision No. 2009-580 DC of June 10, 2009, deemed access to the Internet a basic right, deriving it directly from Article 11 of the Declaration of the Rights of Man and of the Citizen of 1789. The foregoing, by holding the following:

‘Considering that in accordance with Article 11 of the Declaration of the Rights of Man and of the Citizen of 1789: «The free communication of thoughts and opinions is one of the most precious rights of man: any citizen may therefore speak, write, print freely, provided they answer for the abuse of this freedom in the cases determined by law»; that in the current state of communication means and with respect to the widespread development of public online communication services as well as the importance these services have for participation in democratic life and the expression of ideas and opinions, this right implies the freedom to access these services; (…)’ (Highlighting added) In this context of the information or knowledge society, it is incumbent upon the public authorities, for the benefit of the administered, to promote and guarantee, universally, access to these new technologies.

Based on the foregoing, this Constitutional Court concludes that the verified delay in the opening of the telecommunications market has violated not only the right enshrined in Article 41 of the Political Constitution but also has affected the exercise and enjoyment of other fundamental rights such as the freedom of choice of consumers enshrined in Article 46, final paragraph, of the Constitution, the right of access to new information technologies, the right to equality and the eradication of the digital divide (info-exclusion) –Article 33 of the Constitution–, the right to access the Internet through the interface chosen by the consumer or user, and the freedom of enterprise and commerce.” The State must guarantee the exercise of these rights, for which purpose it considers it necessary to promote competition among service operators that benefits users. However, as SUTEL indicated in technical opinion (dictamen técnico) N° 04225-SUTEL-OTC-2021 of May 19, 2021, these services could not be made available to users if operators do not have radio spectrum (espectro radioeléctrico) for that purpose, as indicated below:

“(…) There is broad consensus that competition can generate significant benefits by improving consumer welfare through the provision of better products and services at a lower cost. These benefits are equally available in purely private markets, as well as where public and private enterprises compete. However, public enterprises can often benefit from advantages conferred by existing legislative and administrative frameworks, which can have an effect on the quality and cost of the goods and services they provide. These effects include, among others, lower capital costs, lower tax burdens, and lower acquisition and bankruptcy risks. As a consequence, competition between public and private enterprises can be distorted. Since these distortions cannot always be addressed through the application of competition law, a possible solution can be found in policies aimed at achieving competitive neutrality in markets where public and private enterprises compete.” In this sense, according to the Superintendencia de Telecomunicaciones, there is a high social and economic cost of not making the radio spectrum (espectro radioeléctrico) available to the market, which transgresses the sectoral legal objectives of ensuring an equitable and balanced assignment of this scarce and strategic public-domain asset (bien del demanio público). As an example, in the technical opinion (dictamen técnico) issued via official communication N° 05071SUTEL-DGC-2020 of June 9, 2020, SUTEL established the direct and indirect social impact of the different use cases of 5G technology, for which its analysis identifies the social impacts and, by Sustainable Development Goal, that 5G technology can offer in 15 of its 17 areas, among which “contributing to health and well-being, improving infrastructure, promoting sustainable industrialization, and fostering innovation stand out. Other key areas in which social value is created through 5G include contributing to responsible consumption, sustainable cities and communities, reducing inequalities, and promoting decent work and economic growth.” Regarding these identified impacts, the referred technical opinion (dictamen técnico) retakes information, among others, from the industry that would benefit and the use cases, and their linkage with the fulfillment of sustainable development objectives that are impacted, such that it has pointed out:

“(…) Tabla 2.

Social impact by SDG and by industry Industry Trends Use cases SDGs impacted Transformation Manufacturing Increased competition without sustainable competitive advantages.

Increased volatility of trade cycles and product life cycles.

Smart factories due to developments in IoT and automation.

Need to securely connect systems on a common infrastructure.

Increased consumer demand for customized products Demand for more complex products to build and deliver.

Societal demand for the acquisition of products whose production process seeks not to affect the environment Smart factories Human-robot collaborations Predictive maintenance Augmented reality Digital performance management SDG 6 SDG 7 SDG 8 SDG 9 SDG 12 SDG 13 SDG 14 SDG 15 Predictive maintenance results in greater equipment availability and performance.

Reduction of operating costs through remote maintenance.

Greater operational efficiency as a consequence of digital performance management and digital operating procedures.

Reduction of emissions, waste and scrap Mobility Autonomous driving and connected traveler with telematics Vehicle sharing and changing travel habits Electric mobility in line with the green agenda Digital vehicle ecosystem In-motion infotainment Environmental awareness Urban lifestyle and growing expectations regarding public transport Predictive maintenance Intelligent traffic control Remote monitoring of vehicle health On-board information and entertainment SDG 3 SDG 7 SDG 9 SDG 11 SDG 15 Autonomous mobility leads to greater individual productivity (less time spent driving) Green and sustainable mobility reduces environmental impacts Health Increased consumer focus on well-being.

Rising costs to meet sociodemographic changes Increased demand for quality, patient safety and data storage Changes in consumer behavior, freedom of choice and alternative service providers Remote patient monitoring Remote surgeries Image transfer Health care through virtual reality and augmented reality Delivery of supplies via drones SDG 3 SDG 4 SDG 5 SDG 8 SDG 9 m-health (mobile health) and the introduction of telemedicine result in increased access to quality health services Preventive health measures (for example, through “wearable” devices) reduce long-term health care costs Financial services Fintech disruption: online payments, digital wallets, etc.

Changes in the customer relationship towards online transactions and customizable solutions Structural changes: government intervention, protectionism and tax measures Mobile banking “Wearables” for payments Virtual financial advisor Digital deposits, peer-to-peer lending Digital wallets Remote teller SDG 4 SDG 5 SDG 8 SDG 9 SDG 10 SDG 13 Shorter settlement cycles in capital markets lead to greater economic activity Personalized virtual services and mobile wallets enhance the customer experience Increased inclusion in the financial system Public administration Digitalization of the state Citizen digital identity Open government Increased demand for transparency on the part of citizens Smart cities Connection with the citizen through multiple channels System interoperability Electronic government Cloud computing SaaS platforms Chatbots SDG 8 SDG 9 SDG 10 SDG 11 SDG 13 SDG 15 SDG 16 Citizen-centered services Zero paper in public administration Reduction of the digital divide by, through cloud computing and SaaS, providing smaller-scale government entities with the same tools as the central administration Increased communication between the state and the citizen Commerce Omnichannel strategies Personalized experiences Growing culture of immediacy Increased relevance of virtual wallets Reduction of delivery times Increase in e-commerce through subscriptions Augmented reality Automated check-out Optimization of product layout Intelligent customer relationship Personalized promotions Algorithms and machine learning Inventory shrinkage prevention SDG 2 SDG 3 SDG 8 SDG 10 SDG 12 SDG 13 Pre-purchase testing through virtual reality or augmented reality results in an improved customer experience Personalized advertising results in increased sales Reduction of the digital divide between urban centers with greater connectivity and those without it allows access to the same product offering Energy and utility provision Renewable energies Decentralized business models Social and political pressure for sustainable energy systems Production and transmission located in remote areas Need for improvement of the customer relationship Smart grids Drone monitoring Intelligent energy management Incident maintenance and detection Electric vehicles Residential smart meters Smart public lighting SDG 6 SDG 7 SDG 8 SDG 9 SDG 13 SDG 14 SDG 15 Smaller plants that depend on renewable energy and smart grids improve reliability and availability.

The digitalization of gas networks leads to faster decision-making, minimizing potential losses Entertainment Consumers acting as content generators Growing interactive entertainment New sensory dimension for entertainment Ecosystem complexity Immersive media applications (ultra-high definition, augmented reality, virtual reality) Live experiences 3D holographic displays Gaming (in the cloud and augmented reality) In-car home entertainment subscription SDG 3 SDG 4 SDG 5 Content-powered interactions that ignite emotional connections lead to greater customer spending The consumer as co-creator of content results in greater consumer participation Gaming induced by other industries Regarding the above, the World Economic Forum in the cited document expanded the information on the indirect socioeconomic impact in four environments: Table 3. Indirect socioeconomic impact from the use of 5G technology Benefits Smart cities Rural environments Smart homes Smart workplaces Social benefits Greater access to information and interconnection between cities Ability to reduce traffic congestion and accidents Increased educational opportunities through free massive online courses Improve health care, through fast and remote access to health services - Greater access to information due to improved connectivity - Improved medical support and life assistance - Improvement in privacy, safety and security - Better access control Greater assistance for the elderly and people with disabilities General improvement in quality of life Environmental benefits Reduction of pollution and CO2 emissions - Better management of natural resources Reduction of pollution and CO2 emissions Waste reduction Reduction of energy consumption and CO2 emissions More informed and better management of electronic waste Cleaner environments This means that, when considering the implementation of use cases, companies, consistent with the plans and agendas issued by the Administration regarding job creation, environmental care and climate change, must incorporate these objectives during their planning strategy. In this way, all parties involved in the development of 5G will advance in constant communication and promoting the benefit to the population.” The above agrees with what was indicated by the OECD, regarding the importance of broadband access and the social and economic benefits that this implies: “Broadband Internet access is playing an increasingly significant transformative role in all economic and social sectors of the Latin America and the Caribbean (LAC) region. It has become a key digital tool for citizens, businesses and governments to interact with each other. It empowers citizens in their daily lives through the promotion of social inclusion and communication in disadvantaged sectors; increases productivity by increasing the information base, efficiency and innovation, and improves governance thanks to lower coordination costs and greater participation and accountability.” Finally, the Superintendencia de Telecomunicaciones has pointed out some considerations about the economic impacts of continuing to delay the development of mobile technologies, mainly 5G, noting that: “6.2. Economic impact on GDP (…) Finally, considering a WACC of 11.28% established by the Council of SUTEL through resolution RCS-365-2018, the net present value of the impact on GDP is estimated based on the year in which the spectrum allocation processes are ordered. Thus, to the extent that such processes are delayed, the net present value of the positive impact on GDP will be lower. That is, for each year that the IMT spectrum competitive bidding processes are delayed, the State will see the contribution to GDP from the deployment of 4G and 5G networks diminished. If the processes are ordered without delay, the net present value of the impact on GDP is USD 3,166 million. As previously indicated, such delay refers to a lag with respect to the level of progress and preparation of the market for the allocation of spectrum for these technologies. (…) Thus, it can be seen that, as a result of the delay in ordering the spectrum allocation processes, the positive impact on GDP could be reduced by up to 36% or USD 1,134 million (expressed in terms of its present value) in the event that such delay is 4 years. For delays of 1, 2 or 3 years, the impact is 10%, 19% or 27% respectively (USD 321, 609 and 868 million). From the situations pointed out, it can be noted that the public interest is compromised if delays are generated for the public bidding process, which damages the principles of user benefit and competition contained in the Ley General de Telecomunicaciones, as well as the public policy objectives set forth in the Plan Nacional de Desarrollo de las Telecomunicaciones. Regarding this aspect, it is necessary to return to what was pointed out by the Regulatory Body in the technical opinion issued through official letter No. 02823-SUTEL-DGC2021 dated April 8, 2021, on the topic under analysis, it warned of the high social and economic costs, as well as the damages to the industry in general and to the country's competitiveness of not bidding the largest amount of radio spectrum in the shortest possible time, mainly for the implementation of international mobile telecommunications services. Particularly on that occasion, it ordered the following: “In addition, as indicated by agreement 014-045-2020 of the ordinary session 045-2020 of June 19, 2020, where report 05071-SUTEL-DGC-2020 of June 9, 2020 was approved (…), to the extent that the competitive bidding processes to make IMT spectrum available to the market are delayed, the net present value of the positive impact on GDP will be increasingly smaller. That is, for each year that the IMT spectrum competitive bidding processes are delayed, the State will see the contribution to GDP from the deployment of 4G and 5G networks diminished. If the processes are ordered without delay, the net present value of the impact on GDP is USD 3,166 million. As previously indicated, such delay refers to a lag with respect to the level of progress and preparation of the market for the allocation of spectrum for these technologies. Thus, as a result of the delay in ordering the spectrum allocation processes, the positive impact on GDP could be reduced by up to 36% or USD 1,134 million (expressed in terms of its present value) in the event that such delay is 4 years. For delays of 1, 2 or 3 years, the impact is 10%, 19% or 27% respectively (USD 321, 609 and 868 million). (…) Regarding the country's position in terms of the progress of 5G network deployment compared to other administrations in the region, the Vice Minister pointed out that ‘[i]n the Latin American issue, we are in the top group in terms of time… we are in the portion that is advancing.’ Certainly, Costa Rica has taken the first steps for an eventual competitive bidding process: adjusting the Plan Nacional de Atribución de Frecuencias in accordance with the provisions of the Radio Regulations of the International Telecommunication Union on the use of frequency segments for IMT systems and carrying out the prior studies required for the eventual bidding.” c. On the satisfaction of present and future demand for radio spectrum in IMT (5G). Feasibility and Necessity Studies for the IMT bidding process Under this context, the Superintendencia de Telecomunicaciones, in exercise of its powers as Sectoral Competition Authority, established that technological development in our country has undergone an evolution in recent years, moving from the use of voice transport devices to technologies that, in a short time, allowed data transmission, which was of great importance and brought Costa Rica closer to new development possibilities. With 5G technology, the possibilities expand and allow new applications in various sectors, with greater capacity and speed than we currently know. In official letter No. 5071-SUTEL-DGC-2020 titled “PROPOSAL FOR UPDATING THE SPECTRUM ALLOCATION SCHEDULE FOR THE DEVELOPMENT OF IMT AND IMT-2020 SYSTEMS IN COSTA RICA FOR THE PERIOD 2021-2025\", SUTEL considered development opportunities through the use of mobile technologies, mainly 5G and their respective impact in fields such as: industry, mobility, health, banking, public administration and others, the above in light of the results of the 2019 World Radiocommunication Conference. With this, the Superintendencia de Telecomunicaciones subsequently carried out an assessment of various bands for IMT purposes regarding their current situation, problems and implications, and finally proposals for solutions and alternatives. Hence, with the analysis carried out in the document in question, it concluded, among other things, that, based on “global trends regarding the use of radio spectrum, it is necessary to carry out efforts to attribute, clear, bid for and assign spectrum for the development of IMT systems, thus seeking for the country to have the ideal scenario for the implementation of 5G.” Therefore, they also conclude that “(…) they must be prioritized to allow the market to have at its disposal low, mid and high bands, key spectrum for the development of 5G.” In addition to the above, the Sectoral Competition Body established that radio spectrum constitutes: “(…) the most relevant input for the deployment of IMT services and, therefore, its timely availability is of vital importance for the deployment of 5G networks. //Regarding the allocation of spectrum for IMT services, the Tribunal de Defensa de la Libre Competencia of Chile indicated in its Resolution 59/2019 ‘Ultimately, it was considered that ‘radio spectrum, in addition to constituting an entry barrier, affects the cost structure of incumbent operators and, with it, the intensity of competition in the relevant market’, for which it was ordered that an entrant that is awarded a smaller portion of radio spectrum than that of the incumbent operators’ must face higher investment and operation costs than these for the same level of coverage and traffic.”"' Particularly regarding the interest of the future fifth-generation networks, the Superintendencia has stated in its opinion No. 09228-SUTEL-OTC2022 dated October 20, 2022”, when it mentioned in reference to fifth-generation mobile technology (5G) that: “(…) they promise to generate changes in many industries. 5G technology is a great innovation capable of helping many other complementary innovations to develop. The most promising aspects of the technology are increased capacity (bandwidth), increased data upload and download speeds, decreased latency (delay) in data transmissions and greater input efficiency. (...)”" Under this consideration, MICITT, in accordance with action 2.1. detailed in the Plan Nacional de Desarrollo de las Telecomunicaciones 2022-2027 (PNDT), 2.1 “Execute the Radio Spectrum Allocation Schedule for IMT systems”, strategic area “Radio Spectrum for competitiveness”, determined the need to comply with the scheduling objective established in the PNDT, and therefore request the necessity and feasibility study from SUTEL as prerequisites for the radio spectrum allocation bidding process for telecommunications services available to the public. Through official letter No. MICITT-DM-OF-013-2023 dated January 9, 2023, the Regulator was requested by this Ministry to expand the necessity and feasibility study issued through official letters No. 00138-SUTEL-DGC-2021 dated January 7, 2021, No. 02156-SUTEL-DGC-2021 dated March 12, 2021, No. 04482-SUTEL-DGC-2021 dated May 28, 2021, approved by its Council through Agreement No. 022-046-2021, adopted by its Board of Directors in ordinary session No. 046-2021, held on June 24, 2021, in order to consider: a) The spectrum recovered in the 3500 MHz band by mutual agreement with the companies of the ICE Group, b) The ongoing legal procedures in relation to the frequency segments of the 3500 MHz and 2600 MHz bands, c) The statements of Sector representatives regarding the importance for the country to continue with the bidding process in the short term with the spectrum available today without being conditioned by the ongoing legal processes, d) The spectrum available registrally in low, mid and high bands (which was idle), which was technically sufficient and therefore can be used for the development of IMT systems including 5G, and e) The country cost of the delay in the deployment of 5G networks in the country, as part of the analysis that would allow accrediting the feasibility of the proposed public bidding process, so that this Council would proceed to expressly rule on the accreditation or not of the feasibility of the public radio spectrum bidding process for IMT systems including 5G. Through official letter No. 01601-SUTEL-SCS-2023 dated February 24, 2023, the Superintendencia de Telecomunicaciones sent the technical opinion issued through official letter No. 01355-SUTEL-DGC-2023 dated February 22, 2023, approved by its Council through which it recommended to the Executive Branch the feasibility of carrying out the competitive bidding process, according to Article 12 of Law No. 8642, Ley General de Telecomunicaciones. The Executive Branch proceeded to issue Executive Agreement No. 031-2023-TEL-MICITT dated May 2, 2023, through which it proceeds to give the instruction to start the competitive bidding process. At this point, it is of interest to note that the Executive Branch, in the provisions of the instruction to start the competitive bidding process, established in Article 1 that Sutel was to instruct the public competitive bidding procedure for the granting of concessions for the radio spectrum frequency bands of 700 MHz (from 703 MHz to 748 MHz and from 758 MHz to 803 MHz), 2300 MHz (from 2300 MHz to 2400 MHz), 3500 MHz (from 3300 MHz to 3500 MHz and from 3600 MHz to 3625 MHz), 26 GHz (only the segment from 24.25 GHz to 25.50 GHz) and 28 GHz (from 27.5 GHz to 29.5 GHz), as well as any spectrum that is eventually available in the 2600 MHz band (from 2500 MHz to 2690 MHz) and 3500 MHz (from 3500 MHz to 3600 MHz and from 3625 MHz to 3700 MHz) according to the importance indicated by SUTEL and based on the results of various legal processes currently underway, as long as the stage of the competitive bidding procedure allows it, in order to satisfy the need for the provision of telecommunications services available to the public through IMT2020 systems, including 5G, in a manner that guarantees compliance with the objectives of the Plan Nacional de Desarrollo de Telecomunicaciones 2022-2027, which must address, among other aspects: “k) Security of IMT-2020 networks and the privacy of telecommunications service users” Derived from said instruction and as a complement to it, MICITT issued its public policy guidelines for consideration in the 5G public bidding process, in which through official letter MICITT-DM-OF-416-2023 dated May 19, 2023, it was expressly indicated regarding the security of IMT-2020 networks and the privacy of telecommunications service users, the following:“(...) k. Security of IMT-2020 networks and the privacy of telecommunications service users: In view of the security of IMT-2020 mobile networks, including 5G, and given the implications that this issue has on the edge of national security, as well as the privacy and security of telecommunications service users, it is essential that, for the realization of the competitive spectrum bidding process for IMT-2020 mobile networks, including 5G, given the wide range of existing international recommendations on security in the telecommunications field, the aspects and standards related to the security of IMT-2020 mobile networks, including 5G, be incorporated within the technical deployment conditions required of eventual awardees, considering for this purpose the different technical, risk management, network architecture and supply chain measures that may generate security and privacy vulnerabilities for the end users of telecommunications networks, as the primary purpose of this measure, in protection of the principles of law and constitutional level, and to foster suitable environments to promote investment, innovation, and infrastructure development, and thereby achieve higher levels of well-being in society. For this, bidders must be required to comply with all applicable existing legal and regulatory provisions and those issued for the case.” (The highlighting is intentional) It is in this context that Executive Decree No. 44196-MSP-MICITT “Reglamento Sobre Medidas de Ciberseguridad Aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” is approved, to ensure that the development of the public bidding process established in sectoral regulations and the future implementation of telecommunications networks and the provision of services under fifth-generation 5G technology and higher, is carried out safely based on the powers delegated to the Executive Branch to establish the conditions and obligations that allow a safe exploitation of the radio spectrum as a constitutional public domain asset. This is because the telecommunications concessionaire, from the partial transfer of public powers in its favor, rises to the category of a subject qualified as an instrument for satisfying public interests. Through the legal act of concession, the Granting Administration, that is, the Executive Branch, transfers temporarily and limitedly part of its powers or faculties to a particular subject, whether a natural or legal person, for their active co-participation in satisfying public interests. As a consequence of the above, public intervention must be based, in every case, on an objective definition of what is considered general interest and on an analysis linked to the need for public intervention that is materialized, among other ways, through the imposition of specific legal obligations, in the case of the “Reglamento Sobre Medidas de Ciberseguridad Aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” Executive Decree No. 44196-MSP-MICITT, through the establishment, via general regulatory provisions, of the technical and administrative measures that allow for the safe exploitation of telecommunications networks in safeguarding the intimacy, privacy and secrecy of communications and the informational self-determination of end users. . In this way, the main effect of granting a concession and, therefore, of entering into a contract that ratifies the extremes of said legal act, is precisely its binding force that “(…) translates into the imperative that the parties comply, in good faith, with the obligations arising from the agreement of wills, as well as with those that emanate from the nature of the agreed obligations or that by law belong to them.”; in the specific case of the safeguarding delegated to the Executive Branch based on the provisions of Article 42 of the Ley General de Telecomunicaciones to the legal regime of rights and interests of end users. The legal duty then arises for both parties – Granting Administration and Concessionaire – to comply in good faith with each and every one of the conditions and obligations emanating directly from sectoral regulations, from their concession title and the respective administrative contract, and from those that arise from their very nature under a framework of legal certainty in accordance with Article 34 of our Fundamental Charter. Said technical benefits were developed in greater depth in the joint Technical Report of the Ministry of Science, Innovation, Technology and Telecommunications called “Consideraciones de Ciberseguridad para el despliegue de Redes 5G” No. DGDCFD-INF-011-2023//MICITT-DERRT-INF-0072023//MICITT-DCNT-INF-011-2023, whose objective was to expand, for the purposes of the Legislative Branch, the technical and legal basis of the “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores”. By way of illustration, observe the detail prepared by the European Union in its document titled “Caja de Herramientas de la Unión Europea para la seguridad de las redes 5G” which lists the following benefits fostered by the establishment of these networks, namely: BENEFITS OF THE ESTABLISHMENT OF 5G NETWORKS (…) In the case of 5G networks, cybersecurity measures are crucial because, as previously indicated, they are highly connected to a large number of devices and systems in diverse types of environments and applications, which increases the probability of cyberattacks and attempts to steal user data. Furthermore, 5G networks can also be used to control critical systems, such as energy and transportation, so any cybersecurity failure could have serious consequences for public safety.

The international community, through its experience, has outlined some of the risks associated with the deployment of 5G technology, as can be seen in the image below: MAIN RISKS OF 5G TECHNOLOGY (…) In Costa Rica, by constitutional provision of Article 24 in conjunction with Articles 3(j), 41, 42, and subsequent and concordant articles of Law No. 8642, General Telecommunications Law (previously cited), operators and providers of telecommunications services have the obligation to guarantee the right to intimacy, freedom, and the secrecy of communications, as well as to protect the confidentiality of the information they obtain from their clients or from other operators. This implies that operators must implement adequate information cybersecurity measures to prevent unauthorized access to user information and avoid the leakage of sensitive data. The implementation of 5G networks has generated concerns about national security, as there is a possibility that confidential and sensitive information could be intercepted and used by foreign agents in an unauthorized manner, or that these networks could be breached to affect public safety. For this reason, safeguarding national security must be a priority in the implementation of 5G networks, and the Government must work in close collaboration with operators and providers to guarantee the security and integrity of the information transmitted through these networks. All of this, of course, includes the incorporation of cybersecurity measures into the very architecture of 5G networks; the training of cybersecurity experts; and the awareness-raising of end users of telecommunications about cyber threats. It is in this way that a secure and reliable connection of devices to the 5G network is promoted, which will allow for the maximum benefits of this technology to be leveraged, reducing the possibility that user security is compromised. Specifically, 5G networks present advantages and characteristics over other generations of mobile networks that enable a series of use scenarios, such as health care (telemedicine), management of critical infrastructure (such as generation and distribution of electrical energy, gas, or potable water; the latter typically having national impact and great relevance in various productive sectors), industry in general, agriculture, smart cities, massive Internet of Things, Artificial Intelligence, autonomous vehicles, the metaverse, virtual and augmented reality applications (industrial and educational uses), etc. With the development of IMT-2020 (5G) networks, the implementation of measures focused on reducing cybersecurity risks becomes more critical due to their highlighted technical characteristics such as: user-experienced data transfer rate (10 times greater than 4G), latency (10 times less than 4G), densification of connections (10 times more than 4G, up to 1M devices per square kilometer), mobility scenarios (up to 500 km/h), spectral efficiency (3 times greater), "Network slicing" (capacity to segment networks), among others. This massification of mobile connectivity and its deep integration with the activities of society and industry is precisely what generates a greater cyberattack surface in the environment of these mobile networks. That is, large amounts of data, including personal and sensitive user information, are stored and transferred. In that sense, operators and providers in Costa Rica have the legal obligation to guarantee the right to intimacy, privacy, and the secrecy of communications, as well as to protect the confidentiality of the information they obtain from their clients or from other operators. Faced with a new technical reality, which makes intensive use of techniques such as virtualization and provides new characteristics to users, it is evident that the establishment of a series of much more rigorous technical and administrative measures is required by virtue of its complexity, given that telecommunications are a facilitating axis for the exercise of human rights; therefore, cybersecurity measures must be established to guarantee the safe use and exploitation, with the protection of people's privacy (governing principle according to Article 3(j) of the General Telecommunications Law, No. 8642), of networks and telecommunications services based on fifth-generation mobile technology (5G) and later generations.

Characteristics of 5G networks • Spectral efficiency: Under 3GPP24 specifications, and in compliance with the requirements established by the International Telecommunication Union (ITU), these networks implement technical schemes that enable much more efficient use of the spectrum, under carrier frequency utilization conditions that enable peak spectral efficiency scenarios for the downlink (towards the mobile network user) of up to 30 bits/s/Hz, and up to 10 bits/s/Hz on the uplink (from the mobile network user). (Ahmadi, 2019). • Maximum data rate: Under ideal conditions, these networks can offer data download rates of up to 20 Gbit/s, compared to the maximum rate associated with 4G technologies, which reach up to 1 Gbit/s under ideal conditions. This is achieved through the use of modulation schemes, coding, and multiple access schemes (Kumar, 2021), which allow for more efficient use of the radio spectrum in the access networks; as well as the use of large spectrum blocks, depending on the available bandwidth of each frequency band. These mobile networks, unlike previous generations, allow the use of frequency bands above 6 GHz which, due to the bandwidths available in these bands, allow the data rates foreseen for these mobile networks to be achieved in coverage areas of several tens of meters (GSMA, 2022). • Mobility scenarios: These mobile networks allow mobility scenarios at speeds in km/h higher than previous generations of mobile networks, where the expected end-user quality of experience thresholds can be achieved and maintained. For commercial deployments of these new 5G-type technologies, for example, it is possible to achieve and maintain QoE[5] conditions under theoretical speeds of up to 500 km/h (Fan, 2016), these speeds being higher than those achievable under previous technologies (these scenarios are associated with certain threshold values of spectral efficiency, according to each technology). • "Network slicing": IMT-2020 type mobile networks, including 5G, foresee the technical possibility of dynamically employing network resources which, together with the software and virtualization capabilities of these networks, make it possible to define or "virtually" create different logical networks (GSMA, 2020). These specifically address the requirements of different use cases of these mobile networks and, from the operator's point of view, open market possibilities such as NSaaS[6] and possibilities for self-management and improvement of their own mobile network through the "network slices as NOP internals" model (3GPP, 2023; ETSI, 2021). ● Densification of connections: It is technically foreseen that these networks can offer conditions for a greater density of devices connected to mobile networks per km2 of surface area (GSMA, 2019). Specifically, these networks would allow a density 10 times greater than what was technically possible in previous generations of mobile networks, now permitting up to 106 (one million) devices connected or accessible through the mobile network per km2 of surface area, these scenarios varying between urban, dense urban, rural use cases, among others. This is very important for the development of certain applications, particularly the massive Internet of Things (MIoT) in industrial uses, smart cities, logistics, and many others, where large numbers of simultaneously connected devices are required on wireless networks.

Under the above technical premises, a series of use cases have been defined for IMT-2020 type mobile networks, including 5G, which make use of the different capabilities of these networks, which, according to the objectives delimited by the International Telecommunication Union itself, are classified as follows: • Enhanced mobile broadband (eMBB) • Ultra-reliable low latency communications (uRLLC) • Massive machine-type communications (mMTC) d. Regarding the alleged obligation to develop Stand Alone networks, within the framework of the application of Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Later Generations" ("Reglamento Sobre Medidas de Ciberseguridad Aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores").

To develop 5G networks, there are several technically possible options that each network operator must analyze, depending on their current infrastructure and expansion plans, among other elements. In one of the options, it is possible to use part of the infrastructure and equipment of 4G networks to build the network that will provide 5G services, in what is called a Non-Stand Alone (NSA) network configuration. This can offer some short-term advantages in terms of cost and speed to market with 5G services, but it also has some disadvantages in the provision of fifth-generation services, since these cannot be offered with all the possible technical characteristics (referred to in the previous table) nor all the use cases of 5G technology, as they are limited by the hardware and software elements of the previous generation, as well as by the differences in the frequencies they use. Usually, operators that decide to go to market with 5G networks that leverage elements of 4G networks in Non-Stand Alone systems eventually plan to evolve to 5G Stand Alone (SA) networks, in order to include services in millimeter-wave frequency bands and to be able to realize the full potential offered by the technology. The Global System for Mobile Communications Association (GSMA) has indicated that "GSMA Intelligence research shows that 55% of operators in Latin America with active 5G networks have announced plans to upgrade and migrate to 5G SA (in line with the global average)." Furthermore, said organization has stated that "This will help operators deliver the full benefits of 5G technology in terms of latency, network slicing and IoT support, which will be essential for new use cases." On the other hand, it is important to note that, according to the "Regulation on Cybersecurity Measures Applicable to Telecommunications Services in Fifth Generation Mobile Technology (5G) and Later Generations" Executive Decree 44196MSP-MICITT, the elements of 5G and later generation networks that must be included in the corresponding risk analysis are indicated in Article 7 of said regulation (they include the core, transport and transmission, access, control and management, among others). In that sense, any of these elements of a 4G network intended to be used by an Operator as part of a 5G network must comply with the security requirements indicated in the cited Regulation. In this regard, it is clear from the reading of the articles of Executive Decree No. 44196-MICITT-MSP itself that said regulatory body does not establish any requirement for operators subject to its scope of application to deploy Stand Alone or Non-Stand Alone networks. The decision regarding the network architecture with which the deployment will begin belongs to the operator itself, who must in any case ensure compliance with the provisions in terms of risk and standards in the aforementioned Regulation.

F. REGARDING THE SAFEGUARDING OF NATIONAL SECURITY AND CYBERSPACE (CYBERSECURITY MEASURES).

Regarding this particular matter, it is important to clarify that this report has been issued based on the competency framework legally delegated to MICITT in its capacity as Governing Body of the Telecommunications Sector, pursuant to the provisions of Articles 7, 10, and concordant articles of Law No. 8642, General Telecommunications Law, Article 39 of the Law for the Strengthening and Modernization of Public Entities of the Telecommunications Sector No. 8660, Law No. 7169, Law for the Promotion of Scientific and Technological Development to strengthen the competencies of MICITT, as well as Executive Decree No. 37052-MICIT "Creates the Computer Security Incident Response Center CSIRT-CR" issued on March 9, 2012, and published in the Official Gazette La Gaceta No. 72 on April 13, 2012.

In this vein, as informed by the Office of the Attorney General of the Republic (Procuraduría General de la República) in its opinion No. C-156-2016 dated July 15, 2016, administrative competence represents the capacity of public bodies to exercise the functions that have been conferred by the legal system. On this matter, regarding what is of interest, it has stated: "…Each public body possesses the legal capacity to act upon the competence it holds. Administrative competence is a corollary of the principle of legality, whose purpose is to indicate the powers and duties that the Public Administration has to act in accordance with the legal system. Competence is the aptitude to act of public persons or their bodies and is summarized in the powers and duties that have been attributed by the legal system to an organ or public entity, which delimits the acts it can validly issue. (...)" Under that reference, it is clear that the Executive Branch is responsible for exercising the necessary defense actions to prevent detriments to national security, the latter defined in the Usual Dictionary of the Judicial Branch as: "National Security: Military notion referring to the prevention and defense of the nation against war threats or war situations. || Sociological and military notion that supposes the protection of the country against military threats, terrorist threats, environmental dangers, massive migrations, and refuge of displaced persons. || Military, social, and political concept that includes guidelines, norms, and conducts aimed at repressing forces opposing the Government and preventing actions that seek political change." Of course, this conceptualization in the current era encompasses threats generated in the cyber domain and therefore possible cyberattacks on telecommunications networks that have an impact on the privacy, secrecy of communications, and informational self-determination of end users of telecommunications, for which reason the Ministry of Science, Innovation, Technology and Telecommunications must exercise its Rectorship in safeguarding the cited rights.

Cybersecurity being an expression of the concept of national security, it aims to guarantee the existence of controls that minimize the risks of possible breaches or cyberattacks. These risks can compromise the data and integrity of information residing in or transmitted through technological infrastructures. Verifying the presence of such controls reduces the risk and impact of an adverse event. In this sense, it should be noted that cybersecurity measures are part of the regulatory mechanisms in telecommunications matters to safeguard the safe use and exploitation of networks by operators. Therefore, it is not an issue that is unrelated or isolated from the protection of intimacy, privacy, and secrecy of communications, but rather constitutes a mechanism that responds to the evolution of the technology usable for its provision, with the purpose of ensuring that operators effectively comply with this responsibility.

As has been thoroughly explored in this document, Costa Rica was affected in different areas such as economic, social, institutional, social security, among others, by the undermining of the Costa Rican State's information systems caused by multiple cyberattacks, all of which constituted a state of national emergency requiring imminent attention. These pressing circumstances are precisely what motivated the Executive Branch to adopt a series of measures promptly and opportunely, such as the "Regulation on Cybersecurity Measures Applicable to Telecommunications Services in Fifth Generation Mobile Technology (5G) and Later Generations" Executive Decree 44196-MSP-MICITT.

There is also a mandate from the General Law of Public Administration, Law No. 6227, whose Article 14(1) establishes that "General principles of law may implicitly authorize acts of the Public Administration necessary for the better development of the special relationships created between it and individuals by virtue of administrative acts or contracts of duration." In complement to the above, the cited Law, in its Article 113(3), determines that "In the appreciation of the public interest, the values of legal certainty and justice for the community and the individual shall be taken into account, in the first place, to which mere convenience can in no case be put before." Now, with regard to the national emergency declared by Executive Decree No. 43542-MP-MICITT, already referred to, Article 1 of Law No. 8488, National Law of Emergencies and Risk Prevention, establishes that "(…) it shall regulate the ordinary actions, established in its Article 14, which the Costa Rican State must develop to reduce the causes of loss of life and the social, economic, and environmental consequences, induced by risk factors of natural and anthropic origin; as well as the extraordinary activity that the State must carry out in the event of a state of emergency, for which an exception regime shall be applied"; an exception regime that is currently in effect in relation to the provisions of the cited Executive Decree. Along these lines, author Jaime Romero Galicia, citing Orozco in the digital document entitled "CONCEPTUALIZATION OF A CYBERSECURITY STRATEGY FOR THE NATIONAL SECURITY OF MEXICO"[7], points out that "national security generally tends to be defined as a 'condition' that the State must provide for the development of the society it serves." In that sense, he adds that current definitions are influenced by the emergence of the concept of human security (which focuses more on the security of the individual), as well as by the phenomenon of globalization, economic factors, and the importance of Information and Communication Technologies (ICTs) in national security strategies. In this same vein, Romero Galicia explains that ICTs are a bridge to human development, as well as a fundamental instrument in new national and international security strategies, since the interconnected world transforms into a global village. In this way, the author explains the close relationship that exists between the subjects of cybersecurity and national security insofar as the former, "(...) allows determining what to protect in cyberspace, so that the negative effects against national security do not materialize in the physical world." Romero Galicia also adds that: (...) cyberspace became entrenched in the cybersecurity language with the publication of the National Strategy to Secure Cyberspace, published by the Bush administration in 2003 (Bush, 2003). But it was not until the final year of the Bush administration that the term was completely defined by the Federal government as "The interdependent networks of information technology infrastructures including the Internet, telecommunications networks, computer systems and processors, and controllers embedded in critical industries" (Hare, 2010:13). This definition makes it clear that cyberspace is considered larger than the Internet. (...) Thus, cyberspace is so important today and its protection so fundamental, because many productive processes take place there and the communication of societies is established, that it has been militarily considered by most countries as the fifth domain of war, alongside the domains of land, sea, air, and outer space (Murphy, 2010; Schreie et al., 2015). In this way, cybersecurity, similar to information security from the point of view of risks, is a matter that concerns three dimensions. On one hand, with the protection of the integrity, confidentiality, and availability of information, although there are other characteristics such as reliability and non-repudiation; secondly, cybersecurity has to do with protecting information from its processing, transmission, and storage; and finally, cybersecurity is a matter that concerns, from the management point of view, people, processes, and technology. (...) From the above, it is possible to extract that cyberspace is an economic asset of great global interest, and given all the possibilities it allows regarding the transfer of information, it is a constant target for threats, against which countries must articulate continuous efforts to facilitate the prevention and mitigation of such risks.

In addition, in the protection model that involves the Government, operators, and individuals, we have at the top the Executive Branch, which is responsible for establishing all measures to guarantee adequate cybersecurity in the Telecommunications Sector. According to the above, it is appropriate to point out what was stated by the Office of the Attorney General of the Republic (Procuraduría General de la República), in its opinion No. C-239-1995 dated November 21, 1995, which, for the purposes of this report, states: "(...) The purpose of public action is the public interest and the protection of institutional public order. The public interest, a principle of order and unity, is an interest proper to the political community, which differs from and transcends, therefore, the particular interests of its members. An indeterminate legal concept, the 'public interest' must be specified in each case: '...A variable norm, the general interest acquires a precise meaning in the context of a particular situation. However, this adaptation to concrete situations presupposes a principle of order, a logic that guides the application of the norm.' In the case at hand, that logic is informed by the principle of security and maintenance of public order, which presupposes institutional and social stability. (...)" Taking as a reference what was stated by the Attorney General's body, cybersecurity (as a manifestation of national security) is configured as that element of general interest that gives rise to the issuance of norms that minimize the risks of possible breaches or cyberattacks and consequently transgress the fundamental rights of end users of telecommunications. In that sense, cybersecurity measures also emerge as tools to protect the public interest, understood as the rights of the administered to access telecommunications in their capacity as end users for the exercise of other fundamental rights such as education, health, communication and information, Open Government, justice, among others.

The Constitutional Chamber of the Supreme Court of Justice referred to the public interest and the importance of telecommunications infrastructure, indicating: “(…) IMPORTANCE, PUBLIC INTEREST, AND NATIONAL VOCATION OF TELECOMMUNICATIONS INFRASTRUCTURE IN THE CONSTITUTIONAL AND INFRACONSTITUTIONAL LEGAL SYSTEM. From a systematic analysis of the current constitutional and infraconstitutional legal system, it is feasible to conclude that infrastructure, in telecommunications matters, has a relevance that exceeds the local or cantonal sphere, assuming a clear public interest and, of course, standing as an issue that concerns the national orbit with, even, projections in the field of Public International Law, as its development implies the fulfillment of a series of international obligations previously assumed by the Costa Rican State. In the first place, as this Constitutional Court has indicated, the issue of telecommunications has great constitutional relevance, so much so that in Article 121(14)(c) of the Constitution, it is indicated that 'wireless services' or the electromagnetic spectrum forms part of the constitutional public domain and is concretely a property of the Nation, and it cannot be disaffected or leave the domain of the State. The General Telecommunications Law No. 8642 of June 4, 2008 – hereinafter LGT-, when enunciating the governing principles in this sector, indicates in its Article 3(i), that there must be an 'optimization of scarce resources,' highlighting that the use of telecommunications infrastructures must be '(…) objective, timely, transparent, non-discriminatory, and efficient, with the dual objective of ensuring effective competition, as well as the expansion and improvement of networks and services (…)’ In turn, the Law of the Regulatory Authority of Public Services, No. 7593 of August 9, 1993, in its Article 74, modified by the Law for the Strengthening and Modernization of Public Entities of the Telecommunications Sector No. 8660 of August 8, 2008, made a declaration of public interest for infrastructure and networks in telecommunications by prescribing the following: 'The establishment, installation, expansion, renewal, and operation of public telecommunications networks or any of their elements is considered an activity of public interest.' Such declaration has great repercussions, since it is recognized, by law, that the issue of infrastructure in the matter holds a clear and unequivocal public or general interest that transcends the local or regional sphere within the country, to project itself in the national and international sphere, by allowing the Costa Rican State to fulfill, in good faith, a series of obligations and commitments assumed in the context of Public International Law." In that same line of thought, the Constitutional Chamber indicated in its Resolution No. 2010012790 of 8:58 a.m., dated July 30, 2010, the following: “(…) it must be said that the advance in the last twenty years in the field of information and communication technologies (ICTs) has revolutionized the social environment of the human being. Without fear of mistakes, it can be affirmed that these technologies have impacted the way in which human beings communicate, facilitating connection between people and institutions worldwide and eliminating barriers of space and time. At this moment, access to these technologies becomes a basic instrument to facilitate the exercise of fundamental rights such as democratic participation (electronic democracy) and citizen control, education, freedom of expression and thought, access to information and online public services, the right to interact with public powers by electronic means, and administrative transparency, among others. It has even been affirmed that access to these technologies has the character of a fundamental right, specifically, the right of access to the Internet or network of networks." (Emphasis added) Therefore, the Executive Decree denominated "Regulation on Cybersecurity Measures Applicable to Telecommunications Services in Fifth Generation Mobile Technology (5G) and Later Generations" Executive Decree 44196-MSP-MICITT, being a matter of State defense and national security, as well as the public interest that telecommunications networks hold, its treatment is more sensitive than other matters, which is why its elaboration acquired a reserved character based on current regulations.

Finally, regarding national security and safeguarding from the perspective of the Telecommunications Rectorship, it must be considered that, through Executive Decree No. 37052-MICIT, the Computer Security Incident Response Center called CSIRT-CR was established in Costa Rica, based in the Ministry of Science, Innovation, Technology and Telecommunications (established since 2012). This Center has sufficient powers to coordinate with the branches of government, autonomous institutions, companies, and state banks everything related to the field of computer and cyber security and to assemble the team of Information Technology security experts that will work to prevent and respond to computer and cyber security incidents that affect government institutions.

G.

REGARDING THE CONSULTATION PROCESS CARRIED OUT IN THE SPECIFIC CASE BY REASON OF THE NATIONAL SECURITY SUBJECT MATTER OF THE REGULATION OF EXECUTIVE DECREE No. 44196-MSP-MICITT "REGULATION ON CYBERSECURITY MEASURES APPLICABLE TO TELECOMMUNICATIONS SERVICES BASED ON FIFTH-GENERATION MOBILE TECHNOLOGY (5G) AND HIGHER". Article 361, subsection 2) of Law No. 6227, the General Law of Public Administration, establishes that: "2) Entities representative of general or corporate interests affected by the provision shall be granted the opportunity to present their views, within a period of ten days, unless reasons of public interest or urgency, duly recorded in the preliminary draft, oppose it." In the case at hand, it is on record that by official communication MICITT-DM-OF-651-2023 dated August 4, 2023, MICITT directed a consultation to the Board of Directors of the Regulatory Authority for Public Services and to the Superintendency of Telecommunications so that, within their respective spheres of competence, they could issue observations on the draft regulation, granting them a period of ten business days. In response to the consultation mentioned in the preceding paragraph, the Board of Directors of the Superintendency of Telecommunications sent official communication No. 06900SUTEL-CS-2023 dated August 17, 2023, based on Law No. 9736, the Law for the Strengthening of Competition Authorities of Costa Rica, with the considerations on the preliminary draft executive decree. Considerations that were reviewed and analyzed for the issuance of this regulation. It is worth noting that the Ministry of Science, Innovation, Technology and Telecommunications, through official communication No. MICITT-DM-OF-687-2023, dated August 31, 2023, sent to the Superintendency of Telecommunications the detail of the treatment and assessment of each of the observations that said regulatory body submitted. As indicated, the General Law of Public Administration, in Article 361, establishes in subsections 2 and 3 the power to submit to public knowledge the preliminary draft or provisions of a general nature. In this regard, it is important to reiterate that this hearing is optional in cases where the Law itself has objectively so provided. Thus, the Administrative Litigation Tribunal, Section VI, in its Resolution No. 00046 - 2020, dated April 16, 2020, at 3:30 p.m., in relation to public consultation, has stated: "(...) ii. Mandatory hearing for entities representative of general or corporate interests (subsection 2). In this scenario, although the need to grant said hearing is established given the potential affectation of general or corporate interests—economic, professional, or trade union—the rule allows this procedure to be dispensed with, provided that the reasons of public interest or urgency that give rise to such dispensation are set forth in the respective draft. Ergo, it is not an unrestricted liberality, but rather a power subject to sine qua non conditions, consisting of the due reasoning of the conditions or circumstances that determine, in each specific case, merit for not disclosing the regulation draft in order to obtain observations or objections. The absence of the inclusion of that reasoning, or the improper exercise of that power, due to the absence of the underlying premises that permit it, would affect the legal procedure provided for the issuance of that type of provisions; iii) Optional public information hearing (subsection 3). This is a power of the Administration that adopts a particular conduct of general scope, regarding which it may establish, based on criteria of convenience, the holding of a generic public hearing. In the context of that mandate, unlike the scenario provided for in the first paragraph of said rule, this is not a mandatory hearing, but a liberality of the Public Administration; therefore, the absence of its granting would imply the decision not to submit it to public debate. Ergo, being optional, its disregard would not affect the validity of that type of conduct. It should be noted that, depending on the case, the mere absence of the hearing in question would not, per se, lead to a pathology of absolute degree, and in those cases, it is necessary to analyze the significance of the invalidity that may be claimed regarding that type of act. The foregoing as a derivation of the principle of substantiality of nullity, by virtue of which not any defect of the act leads to its absolute nullity and, therefore, to its suppression, but only those deficiencies that have produced a state of defenselessness, have injured due process, or entail a formality that, had it been satisfied, could have modified the content of the decision. This is in accordance with precepts 128, 158, 168, and 223 of the General Law of Public Administration. That said, it should be pointed out that, in the present case, the State alleges a lack of standing on the part of the claimant to question the validity of the decree in question. (...)" (Emphasis added). That is, even when numeral 361, subsections 2 and 3 provides for the prerogative of a hearing, given the potential affectation of general or corporate interests, the legislator foresaw that when the nature of the provision itself so advises, said procedure can be dispensed with at the judgment of the Executive Branch based on reasons of public interest or urgency duly demonstrated in the case file. In accordance with the foregoing, it is important to highlight that in its recitals, the "Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher," Executive Decree 44196-MSP-MICITT, records all the factual and legal elements that motivated its drafting for the adequate satisfaction of the public interest in the face of the state of national emergency. This position has been clearly developed by the Administrative Litigation Tribunal itself, Section VI, highlighting in Resolution No. 00147-2021, at 9:00 a.m. on November 4, 2021, that the decision not to grant a hearing does not generate a nullity defect that entails consequences in and of itself, but rather it is in the face of a demonstrated injury. It thus outlined: "(...) On the other hand, this Tribunal considers that the mere omission of the referred hearing would also not necessarily lead to a pathology of absolute degree. The foregoing because it is essential, in those cases, to analyze the significance of the invalidity that may be claimed regarding that type of act. The foregoing as a derivation of the principle of substantiality of nullity, by virtue of which not any defect of the act leads to its absolute invalidity, but only those that have produced a state of defenselessness, injured due process, or entail a formality that, had it been satisfied, could have modified the content of the decision. The foregoing in accordance with articles 128, 158, 168, and 223 of the General Law of Public Administration. (...)" (Emphasis added). This criterion has been widely reiterated by the Administrative Litigation Tribunal, Section VII, which in Resolution No. 00082-2022, at 11:00 a.m. on August 11, 2022, emphasized: "(...) As can be seen, the prior hearing constitutes an essential element of validity in matters where, due to the content of the rule and its scope, it must be granted mandatorily; but it is not essential in all cases, nor is it required to be served on all persons who would fall within its normative scope, nor does its absence vitiate with invalidity every general normative provision, so a case-by-case analysis is necessary to determine whether or not a defect exists. In the case at hand, we find several relevant elements that must be set forth. Firstly, note that the referred Article 361 of the General Law of Public Administration provides that: '2. Entities representative of general interests shall be granted...' (...) (Emphasis added). From the cited case law, it is possible to deduce that not all cases merit proceeding with the hearing requirement, provided that the Executive Branch determines that the situation qualifies to dispense with its procedure, documenting the assessments of the case for that purpose. As has been reiterated in this report, Costa Rica suffered attacks on multiple systems due to the cyberattacks initiated in the year 2022, all of which configures a state of national emergency requiring imminent but continued attention. Along these lines, the Office of the Attorney General of the Republic, in its binding opinion No. C-022-89 dated January 25, 1989, has stated: "(...) the vast majority of urgency situations that have arisen and arise in Costa Rica are atypical. This is because the legal norms that regulate such situations do not define them sufficiently as constitutive grounds for urgency, nor do they contemplate the effect or content that the measures adopted shall have; rather, such situations must be addressed through an act whose justification is defined with considerable imprecision, which may consist of the pure and simple fact of a pressing need, provided for without further specification or qualification, and in which the content of the act is left blank so that the respective authority may fill it and determine it, case by case, within a wide range of possibilities. (...)" (Emphasis added). In that same sense, through Resolution No. 16359-2016 dated November 4, 2016, the Constitutional Chamber stated, in relation to the State's national security matter, the following: "(...) State secrecy is a limit to the right of access to information; State secrecy exists, in general terms, in matters of national security, national defense, and foreign relations, not only with other States, but with other subjects of Public International Law (...)". As indicated, the defense of the State and national security require differentiated handling from other ordinary matters. Thus, as stated supra in its prior stage, that is, before publication in the Official Gazette La Gaceta, the draft Decree on Cybersecurity Measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher was considered with the characteristics inherent to State secrecy as a limit to the constitutional right of access to public information, and therefore, it is subject to the principle of statutory reservation (reserva de ley), in accordance with Article 19.1 of the General Law of Public Administration, Law No. 6227, which provides: "Article 19. 1. The legal regime of constitutional rights shall be reserved to law, without prejudice to the corresponding executive regulations. 2. (...)" In relation to the concept of "State secrecy," our Constitutional Court has repeatedly indicated that it refers solely to matters of security, defense, or foreign relations of the Nation. In that sense, ruling no. 01362003 at 3:22 p.m. on January 15, 2003, taken up in numerous pronouncements, indicated: "(...) State secrecy as a limit to the right of access to administrative information is a statutory reservation (reserva de ley) (Article 19, paragraph 1, of the General Law of Public Administration); however, more than fifty years have passed since the Constitution came into force and the legislative omission in issuing a law on state secrets and classified matters still persists. This legislative gap has, obviously, caused serious uncertainty and has fostered the custom contra legem of the Executive Branch of classifying, by way of executive decree, in a specific and circumstantial manner, certain matters as reserved or classified because they constitute, in its understanding, State secrecy. Regarding the scope, extent, and reach of State secrecy, the doctrine is unanimous in accepting that it encompasses aspects such as national security (internal or external), national defense against aggressions that threaten the sovereignty and independence of the State, and the foreign relations entered into between it and the rest of the subjects of Public International Law (see Article 284 of the Penal Code, when defining the crime of 'disclosure of secrets'). (...)" (Emphasis added). Thus, it is possible to affirm, in accordance with what was indicated by this esteemed Constitutional Chamber, that information considered State secrecy concerns matters of national security (internal or external), national defense against aggressions that threaten the sovereignty and independence of the State, and the foreign relations entered into between it and the rest of the subjects of Public International Law. This criterion is also shared by the Office of the Attorney General of the Republic in its opinion No. C-175-83 dated May 31, 1983, when stating: "(...) in the opinion of this Office, the legislator is competent to define what State secrecy consists of, and what its scope of application is, without prejudice to the constitutional regulation on the matter. But, once said concept is defined, it corresponds to the Executive Branch to declare, in a specific case, the existence of said secrecy. That is, to determine that the communication of certain facts, information, or documents endangers State security, international relations, and national defense. Obviously, this determination constitutes a discretionary act. 3. Timing of the declaration. The declaration of 'State secrecy' proceeds when the disclosure of certain facts, information, or documents would harm the security, defense, and international relations of the Republic. To issue the corresponding decree, the Executive Branch must take into account various internal and external factors, the timeliness of the declaration, the internal and external political environment. The circumstances in which the ends protected by State secrecy may be compromised are diverse, so the moment at which State secrecy must be declared cannot be regulated beforehand. It will be criteria of timeliness—subject to the objectives and subject matter of State secrecy—that will determine the moment at which secrecy is declared. (...)" (Emphasis added). Now, regarding the national emergency declared through Executive Decree No. 43542-MP-MICITT, already referred to, Article 1 of Law No. 8488, the National Emergency and Risk Prevention Law, establishes that "(...) it shall regulate the ordinary actions, set forth in its Article 14, which the Costa Rican State must undertake to reduce the causes of loss of life and the social, economic, and environmental consequences induced by risk factors of natural and anthropic origin; as well as the extraordinary activity that the State must carry out in the event of a state of emergency, for which an emergency regime shall apply"; an emergency regime that is currently present in relation to the provisions of the cited Executive Decree. Such that, in principle, access to information from State offices is public, a condition that can be restricted under the protection of the assumptions that shelter State secrecy to safeguard the protection of its sovereignty. The reasons of public interest that the Regulation under analysis intends to protect have already been extensively detailed. Along those lines, as has already been stated in this report, the Sectorial Authorities were given the opportunity to comment on the content of the proposal; in that sense, the proposed text was socialized and adjusted in relation to the observations received. It is of special relevance to point out that the text of the Regulation does not impose new powers in contravention of the principle of statutory reservation (reserva de ley); on the contrary, in observance of the provisions of Chapter II, entitled Regime for the protection of privacy and the rights of the end user, of Title II, Regime of Fundamental Guarantees, of the General Telecommunications Law, Law No. 8642, this regulatory body is issued with the aim of ensuring the due protection of the privacy and the rights and interests of end users. Particularly, Article 41 of the General Telecommunications Law, previously cited, clearly establishes two mandates: the first, the due protection of the privacy and rights of end users, and the other, the obligation of the Superintendency of Telecommunications to ensure compliance with the provisions of the Law and its regulations. Meanwhile, numeral 42 of the General Telecommunications Law provides for the regulatory power of the Executive Branch in this matter for the establishment of technical and administrative measures in favor of effective protection of the fundamental rights contemplated in Article 42 in relation to the operation of telecommunications networks. For its part, systematically, Article 60, subsections a), d), e), and k) of the Law of the Regulatory Authority for Public Services, Law No. 7593, lists a set of fundamental obligations of the Superintendency of Telecommunications, stating: "Article 60.—Fundamental obligations of the Superintendency of Telecommunications (Sutel). The fundamental obligations of Sutel are: a) Apply the legal framework of telecommunications, for which it shall act in accordance with the policies of the Sector, the provisions of the National Telecommunications Development Plan, the General Telecommunications Law, the provisions established in this Law, and other applicable legal and regulatory provisions. (...) d) Guarantee and protect the rights of telecommunications users. e) Ensure compliance with the duties and rights of network operators and providers of telecommunications services. (...) k) Hear and sanction the administrative infractions incurred by network operators and providers of telecommunications services; as well as establish the civil liability of their officials. (...)" Likewise, Article 73, subsection a) on the functions of the Board of said Superintendency, reads as follows: "Article 73. Functions of the Board of the Superintendency of Telecommunications (Sutel). The functions of the Board of Sutel are: a) Protect the rights of users of telecommunications services, ensuring efficiency, equality, continuity, quality, greater and better coverage, greater and better information, more and better alternatives in the provision of services, as well as guaranteeing privacy and confidentiality in communications, in accordance with the Political Constitution. (...)". In this manner, the Administrative Litigation Tribunal, Section VI, through its Resolution No. 001-2017-VI at 8:00 a.m. on January 13, 2017, stated: "(...) In accordance with these powers, and attending to the principles imposed by the General Telecommunications Law, No. 8642, SUTEL is constituted as an instance that enters into a triangular dynamic, in which the operators and providers of telecommunication services converge, whom it regulates, oversees, and controls regarding compliance with the duties and obligations associated with that condition, and also protects the rights of the users of these services. This gives rise to diverse levels of relationships that arise between SUTEL-operators (and providers), SUTEL-users, and the control of the relationships between operator-user, operator-operator, so that the principles imposed by numeral 3 of Law No. 9462 are duly satisfied (universality, solidarity, benefit to the user, transparency, publicity, effective competition, non-discrimination, technological neutrality, optimization of resources, information privacy, and environmental sustainability). (...)". In this sense, it must be noted that cybersecurity measures are part of the regulatory mechanisms in the field of telecommunications to safeguard the secure use and operation of networks by operators. Therefore, it is not an issue that is alien or isolated from the protection of intimacy, privacy, and secrecy of communications, but rather constitutes a mechanism that responds to the evolution inherent to the technology usable for its provision; thus, the adherence and reference to internationally recognized frameworks, as well as what is established in the Regulation under study, provide a solid basis to ensure that operators effectively comply with this responsibility. It can be seen that the preliminary draft of the Regulation was known to the Sectorial Authorities designated by the legislator itself, also addressing the subject matter for which they were precisely created, meaning the Regulation does not extend beyond the powers exclusively reserved to law. Finally, the First Chamber of the Supreme Court of Justice has repeatedly stated that nullity, as a sanction or as a logical consequence of non-observance of procedural forms, is not applied unrestrictedly. Resolution No. 02769-2020, at 9:50 a.m. on November 24, 2020, states in the pertinent part: "(...) Rather, it proceeds only when it is not possible to correct a defect and it causes defenselessness impossible to remedy, hence nullity for the sake of nullity does not proceed. (See, among others, resolutions No. 848 at 9:00 a.m. on July 31, 2015, and No. 950 at 9:45 a.m. on August 17, 2017). (...) It must not be lost sight of that procedural norms are instrumental to substantive law, and in that line of thought, they must be understood as means to realize the constitutional right to prompt and complete justice. They cannot, therefore, be interpreted with such rigidity, abandoning that instrumentality, turning them into ultimate ends and an obstacle to the decision that the litigants demand. Nullities do not have the purpose of correcting formal errors per se, but of remedying the damages derived from them; hence, there is no nullity if the deviation had no significance for essential guarantees of the parties. (...)" (Emphasis added). Finally, the Executive Branch, in exercise of the powers conferred in this highly specialized matter, issues this Regulation with the inputs provided by the Superintendency of Telecommunications as the regulator of the Sector and the Sectorial Authority in the relevant branch of competence, attending to objective criteria of timeliness, given that prolonging these actions could have transferred risks to the administered party and thus incurred liability that could later result in substantial claims against the State. This at a local level, without prejudice to the fact that inactivity could represent damage to the country's image at the international level. H. REGARDING THE SUBJECTION OF THE PRINCIPLE OF FLEXIBILITY IN TECHNOLOGICAL OPTIONS AND THE SECTORIAL GOVERNING PRINCIPLE OF TECHNOLOGICAL NEUTRALITY TO LEGITIMATE PUBLIC POLICY INTERESTS AND TO COMMON AND GUARANTEED STANDARDS. The principle of flexibility in technological options (technological neutrality) arises within the framework of the process of trade liberalization in the telecommunications sector, as part of the "IV. Regulatory Principles approved in Annex 13 of the 'Specific Commitments of Costa Rica Regarding Telecommunications Services'" of the Dominican Republic-Central America-United States Free Trade Agreement (CAFTA), Law No. 8622. From this regulatory principle, it follows that, in the field of telecommunications, operators and providers of services available to the public effectively enjoy the flexibility to choose the technologies they prefer to operate public networks and supply their services, for example, to provide International Mobile Telecommunications services (known as IMT) (in any of their technically available generations), provided that legitimate public policy interests are satisfied. In this area, it is important to note that public policy in telecommunications is defined through the National Telecommunications Development Plan (PNDT) 2022-2027 "Costa Rica: Towards inclusive digital disruption," which was approved by the Executive Branch through Executive Decree No. 43843-MICITT, published in the Official Gazette La Gaceta No. 5 on January 13, 2023, following a participatory process held during 2022 through workshops and open working sessions in multiple areas of telecommunications, in which representatives of civil society, the various sectors of the country, including operators and providers of telecommunications services, information service providers, representatives of social networks, among others, could freely participate, and could express and share their vision on the future of the Telecommunications sector until the year 2027. Therefore, the public policy for the operation of networks and the provision of telecommunications services is embodied in the National Telecommunications Development Plan (PNDT) 2022-2027 "Costa Rica: Towards inclusive digital disruption," with the objective of marking the development of the sector from the perspective of sectorial public policy, allowing the challenges of telecommunications to be addressed in the coming years. It must be emphasized that in its section "3.3.3.3 National Cybersecurity Strategy Costa Rica," the PNDT 2022-2027 points out that "The cybersecurity strategy dates back to 2017 and seeks to pursue actions conducive to data assurance and online protection in different aspects, considering the person as a priority, respect for human rights and privacy, coordination with multiple interested parties, and international cooperation." Furthermore, the PNDT indicates that "in terms of cybersecurity and the challenges this represents for different populations, from critical infrastructures, online services, financial services, MSMEs, populations in vulnerable conditions, among others, the issue must be considered transversally in the axes of sectorial planning with a vision towards 2027." In this line, in its section "3.3.4 Synthesis of the instruments published associated with the PNDT," it adds that "there are various instruments in which Costa Rica has formulated directives and lines of action for addressing public interest problems in topics related to the telecommunications sector, such as: infrastructure, radio spectrum and digital television; specific populations in the ICT area; science, innovation and technology, digital economy, digital transformation and cybersecurity; (...)". The foregoing is complemented by specifying that according to the Global Cybersecurity Index (GCI), which is an initiative of the International Telecommunication Union established with the aim of measuring countries' commitment to cybersecurity and helping them identify areas for improvement, Costa Rica's position relative to OECD member countries is second to last on the list (position 37 out of 38), only surpassing Colombia. Based on this, and seeking to materialize the objectives established for our country through public policy, the "Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher," Executive Decree 44196-MSP-MICITT, is approved, which forms part of the technical cybersecurity measures to guarantee the secure use and operation of networks and with protection of individuals' privacy. This regulation is oriented toward satisfying a set of fundamental rights and legitimate interests of the end users of telecommunications services. This community comprises those of us who access these services daily and have the right to be guaranteed secure provision regarding the privacy and confidentiality of information, the secrecy of communications, and the protection of personal data of all kinds. Thus, there must be total clarity that cybersecurity in the field of telecommunications is defined through public policy and the regulatory instruments that comprise it, such as the "Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher," Executive Decree 44196-MSP-MICITT, as well as any other regulatory instrument, plan, or strategy approved for the satisfaction of legitimate interests and subjective rights protected in the privacy and confidentiality of personal data and communications, in accordance with the regulatory principle of Flexibility in technological options (technological neutrality) established in the CAFTA, and it is, therefore, a matter that interests us all as end users and beneficiaries of these rights.

For its part, from a technical standpoint I would like to make it very clear that the issuance of the “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT: • Does not prohibit or mandate the use of any specific technology, such as fifth-generation mobile technologies, but rather establishes minimum security requirements that all mobile telecommunications network operators that decide to implement fifth-generation or higher networks must meet. These requirements consider the Budapest Convention on Cybercrime and a series of standards relating to information security, such that the regulation seeks to ensure that operators can trust the integrity, availability, and confidentiality of their networks and services, and that users can enjoy the benefits of 5G without risks to their privacy, security, or human rights. • Does not limit competition or innovation in the 5G market, but rather promotes a level playing field for all providers, regardless of their origin or size. By requiring providers to be subject to a legal framework that respects the principles of the Budapest Convention, as well as the other standards highlighted in the regulation, it prevents unfair competitive advantages or market distortions on the part of those providers that could potentially operate under more lax regulations or those incompatible with those required by the referenced Decree. The regulation also fosters diversity and interoperability of technologies and platforms for the deployment of IMT-2020 systems, including 5G and higher, by allowing operators to choose from a variety of reliable equipment providers that meet the established security requirements. • Does not violate the principle of technological neutrality, but rather respects and reinforces it. Technological neutrality implies that the government should not favor or discriminate against any specific technology or platform in the provision of communications services. The regulation makes no distinction between the different technologies or platforms for the deployment of IMT2020 systems, including 5G and higher, but applies equally to all of them. The regulation also does not impose any restriction on access to or use of these innovative mobile networks or services by users, but rather ensures that they can exercise their freedom of expression, information, and communication through secure networks and communication media. Finally, in relation to this sectoral principle of flexibility in technological options, it is considered fundamental to cite the appearance of Mr. Sergio Ortíz Pérez as a representative of the Asociación Sindical Costarricense de Telecomunicaciones y Electricidad (ACOTEL) before the International Affairs and International Trade Committee of the Legislative Assembly, held on December 6, 2023, which has formed part of the scrutiny of that Branch of the Republic in the exercise of its political control powers over the Executive Branch. In this regard, Mr. Ortíz stated: “This matter of the Decree that deals with cybersecurity in view of the development of 5G technology in the country is currently, as you know, under analysis by both this Committee and the Constitutional Chamber itself, which is hearing an unconstitutionality action filed by the company Huawei, so we are facing a scenario that is not just an analysis and debate, which is fine legally and politically, but it is also necessary to clarify these different aspects of the motivation and consequences that this Decree may have had (...) Regarding this Regulation, there are a series of motivations that, seen objectively, are necessary for a globalized world, and the challenges at the cybersecurity level must be not only technical but also administrative, regulatory, and political. Should this Regulation or Decree be declared unconstitutional in whole or in part, thought should already be given to other tools that provide us with and compel support among the world’s governments for multilateral cooperation in the event violations of our networks are detected stemming from vulnerabilities in equipment belonging to specific manufacturers. (...) internally at ICE where this Decree, believe it or not, would lead to the existence of real technological neutrality at ICE, a company like ICE, which is a telecommunications company that needs it as best practice, but this Decree would also curb possible cases of corruption generated many years ago by the dependence between ICE and, for example, the company Huawei. At ICE today there is no technological neutrality because Huawei and its equipment practically hold a monopoly on our network, this due to its presence in 8 of the 10 most important components of the ICE Telecommunications system, namely the transport network, television platform, fixed access system, 3G and 4G mobile access network, mobile terminals, data center, 3G and 4G mobile core, and voice over IP platforms (...) Therefore, it is correct to ask, where is the technological neutrality internally at ICE that some or many are advocating for? The dependence on a single manufacturer at ICE, which increases over the years, has unfortunately also brought multimillion-dollar losses for ICE and multimillion-dollar gains for Huawei, and that is why I insist that this Decree, ironically, would also curb this ruinous relationship for ICE that would generate, and does generate, possible corruption. (...)” (Emphasis added) The use of that political control carried out by the Legislative Assembly has resulted in being able to affirm that the “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT constitutes a fundamental tool for the exercise of technological neutrality.

I.INTRODUCTION TO THE MEASURES AND PARAMETERS RELATING TO THE RISK MANAGEMENT REGULATED IN THE DECRETO EJECUTIVO N.º 44196-MSPMICITT “REGLAMENTO SOBRE MEDIDAS DE CIBERSEGURIDAD APLICABLES A LOS SERVICIOS DE TELECOMUNICACIONES BASADOS EN LA TECNOLOGÍA DE QUINTA GENERACIÓN MÓVIL (5G) Y SUPERIORES”.

In this regard, it is worth contextualizing that the “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, contains a total of fifteen articles. Specifically, its Article 1 establishes the purpose: “Article 1º-Purpose. The purpose of this regulation is to establish cybersecurity measures to guarantee the secure use and exploitation, with protection of individuals’ privacy, of telecommunications networks and services based on fifth-generation mobile technology (5G) and higher.” As has been clearly set out in the articles of that regulatory body and from what has been developed in this report, the Decree regulates cybersecurity measures inspired by best practices and international standards, to safeguard the security and privacy of users of telecommunications networks and services.

That Decree continues, in numeral 2, to indicate the scope of application of the risk management and mitigation contemplated for telecommunications networks and services based on fifth-generation mobile technology (5G), namely: “Article 2º-Scope of application. The active operation of networks and services based on fifth-generation mobile technology (5G) and higher is subject to this regulation, by natural or legal persons, public or private, national or foreign, that operate networks or provide telecommunications services based on fifth-generation mobile technology (5G) and higher that originate, terminate, or transit through the national territory, excepting the operation of private telecommunications networks. In the case of public procurement processes whose purpose is the enabling of networks and services based on fifth-generation mobile technology (5G) and higher, as well as the active technological equipment necessary for their deployment, for the use and exploitation of the radioelectric spectrum, the procuring Administration or entity must adopt suitable mechanisms to verify that potential offerors have considered all aspects relating to the risk management and mitigation contained in this regulation when planning, designing, and implementing their technical offer. If awarded the contract, the provisions of this regulation shall be of mandatory observance during the operation of the networks and provision of services based on fifth-generation mobile technology (5G) or higher.” It is worth making a series of clarifications regarding the coverage indicated in the cited numeral. As an initial point, the article warns in its first paragraph that the security measures contemplated in said regulation and all applicable actions for risk management are mandatory and binding for all natural or legal persons, public or private, national or foreign, who hold an enabling title for the operation of networks and services based on fifth-generation mobile technology (5G) and higher. Now, the scenario regulated by the second paragraph is applicable to a first stage of the public procurement cycle, which is precisely during the bidding process where potential offerors must construct their technical offer taking into consideration the security and risk management measures that will be binding and mandatory for them if they are awarded a contract. In that sense, it was reserved under the responsibility of the procuring Administration to adapt, under its discretionary authority, the requirement to be included in the tender specifications by which it will verify that said offerors are aware of the scope of said regulation necessary for planning, designing, and implementing their technical offer. The foregoing anticipating that subsequently - as can be read from the third paragraph - in an execution and oversight stage, the selected contractor has full knowledge of the conditions and terms that will be verified for the secure operation of networks and services based on fifth-generation mobile technology (5G) and higher, and thus not placing them in a position of defenselessness by being unaware of the obligations that will be supervised during the execution of the service. The foregoing even obeys the maxim of sound investment of public funds, since the Public Administration must not only promote bidding processes to ensure efficient provision in view of satisfying the public interest, but its administrative conduct must even be diligent in ensuring that the selection not only reflects the most suitable offeror but also involves an object that is executable securely and in adherence to the legal and cybersecurity framework. In this vein, it was considered that the provision set forth in the second paragraph is in accordance with the due protection of superior protected legal interests such as human dignity, privacy, and security. This is where the principle of the autonomy of the will of private parties finds its limit in attempting to exploit such public domain assets, since any operator of networks and services based on fifth-generation mobile technology (5G) and higher is obligated to respect the technical regulatory measures established by the Executive Branch. From what has been examined above, the cited article must be interpreted in its entirety, in the sense that it is the operator of networks and services using 5G technology who will be strictly obligated to comply with the adoption of standards and risk analysis whenever it involves an active service, while the potential offeror is obligated to foresee that, if awarded a contract, they will be responsible for addressing and implementing such measures to guarantee the security of their networks.

Now, in Chapter II, Article 4 called “National Cybersecurity Risks in 5G and Higher Networks,” the risk scenarios regarding cybersecurity are seen, which have been identified and grouped according to the recommendations and experience of the international community, specifically the European Union, as can be seen from Informe N° MICITT-DGDCFD-INF-011-2023/ MICITT-DERRT-INF-0072023/ MICITT-DCNT-INF-011-2023. In this vein, the Regulation in question continues to indicate in its Articles 6 and 7 the need for the subjects within the regulation's scope of application to adopt a series of standards and a risk analysis of the networks they operate, to determine if any of the network elements qualify under the high-risk parameters set forth in numeral 10, and therefore must be addressed under the due process established by Article 11.

Now, given that this Ministry knows that the company [Name 002] has alleged that the standards and risk parameters regulated in this Decree violate the constitutional principle of technical reasonableness, the exercise carried out by this Ministry regarding the definition of the parameters in dispute will be set forth below. Specifically, the reasonableness of the regulation established in Article 10 of Decreto Ejecutivo Nº 44196-MSP-MICITT can be determined under the criteria established by the Constitutional Chamber in resolutions 03933-98 of 9:59 a.m. on June 12, 1998, and 08858-98 of 4:33 p.m. on December 15, 1998, based on the following considerations that deal specifically with Articles 6 and 10 respectively.

The analysis of the technical reasonableness of the risk parameters regulated in Article 4 of Decreto Ejecutivo Nº 44196-MSP-MICITT is developed below:

I.Risk scenarios related to insufficient security measures - R1 Network configuration failures. It is grounded under the parameter of necessity, because in the current cyber landscape, where threats evolve constantly, it is crucial to recognize and prepare for the risks associated with inadequate security measures and network configuration failures. These scenarios can lead to security breaches, data loss, and unauthorized access, which underscores the need to proactively identify and address these risks to protect critical information assets. Risk scenarios arising from inadequate security measures or configuration failures can result in significant vulnerabilities. Identifying and mitigating these risks requires a rigorous technical approach, including configuration reviews, security audits, and the implementation of appropriate technical controls. Including these scenarios is suitable, adequate, and relevant, given that incorrect configurations and deficiencies in security measures are common causes of security incidents. Recognizing these risks allows organizations to take specific measures to reinforce their defenses and adjust their network configurations, aligning these actions with industry best practices and standards. The severity and potential frequency of incidents arising from insufficient security measures or configuration failures justify attention to these scenarios; therefore, it meets a criterion of proportionality in the strict sense to indicate the foresight of this risk. Investment in identifying and mitigating these risks is proportional to the costs associated with a security incident, including financial, legal, and reputational damages. Regarding its legitimacy, from a legal perspective, addressing these risks is not only a recommended practice but in many cases a regulatory requirement. Data protection and cybersecurity regulations often require organizations to take reasonable measures to protect information, which includes ensuring proper network configurations and effective security measures. - R2 Insufficient access controls. In the field of cybersecurity, access control meets a criterion of necessity to protect information assets from unauthorized access, manipulation, or theft. The lack of adequate access controls is a significant vulnerability that can lead to security breaches, loss of confidential data, and other security incidents. Therefore, it is necessary to identify and address these risks to ensure the integrity, confidentiality, and availability of information. It is essential to implement robust security solutions such as defense in depth, which applies different types of controls like multifactor authentication, zero trust, privilege management, and network segmentation, among others, to mitigate this risk. These technical measures are vital to prevent unauthorized access and ensure that only legitimate users have access to necessary resources. Assessing risks related to insufficient access controls is suitable, adequate, and pertinent given that unauthorized access is one of the most common and damaging forms of cyberattack. Addressing these scenarios allows organizations to establish specific measures to strengthen authentication, authorization, and identity management. Investment in improving access controls is proportional to the benefits obtained in terms of improved security. The costs associated with implementing more robust access controls are lower compared to the potential financial, legal, and reputational damages that can result from a security incident caused by deficient access controls. Ensuring adequate access controls is a requirement that meets a criterion of legitimacy as it is present in many data protection and cybersecurity regulations. The lack of adequate access controls can lead to legal non-compliance and sanctions. Therefore, its inclusion in cybersecurity risk management is not only a recommended practice but also a legal requirement in many contexts.

II.Risk scenarios related to the 5G supply chain. - R3: Low-quality products. Its necessity is justified since 5G networks are critical infrastructures that support a wide range of essential applications and services. Low-quality products can introduce significant vulnerabilities into these networks, which could result in serious security breaches, service interruptions, and data compromise. It is necessary to identify and mitigate these risks to maintain the integrity, security, and reliability of the 5G network. Low-quality products can affect the performance and security of the 5G network. They may be more susceptible to vulnerabilities, not optimized for 5G high-speed performance, or incompatible with other network components, making it important to include these scenarios in the risk assessment. The assessment of risks related to low-quality products in the 5G supply chain is suitable and adequate given the complexity and critical nature of these networks. Proactive identification and management of such risks are fundamental to ensuring that 5G components and systems meet the required security and performance standards. Investment in identifying and mitigating risks associated with low-quality products is proportional to the potential damages they can cause. These risks have not only cybersecurity implications but also economic and legal consequences, which justifies the need for rigorous control and detailed assessment of the 5G supply chain. The legitimacy of specifying the indicated risk is reaffirmed, since from a legal standpoint, ensuring the quality of products in the 5G supply chain is essential to comply with regulations and security standards. Many jurisdictions impose strict legal and regulatory requirements on the security of critical infrastructures, which includes the 5G supply chain. - R4: Dependence on a single supplier in certain networks or lack of diversity at a national level, when it is responsible for configuring and integrating all active equipment and software of the solution, or if the network is composed of active equipment and software from a single manufacturer. It is justified under a parameter of necessity, to reduce the risk of a single point of failure. Depending on a single supplier significantly increases the risk of a single point of failure in the network. If this supplier experiences problems, such as security failures, technical issues, or service interruptions, the entire system could be compromised. Identifying and managing this risk is crucial to ensuring operational resilience and continuity. Technically, depending on a single supplier can limit a network's ability to adapt to new security challenges and evolve technologically. Diversification allows for greater flexibility and adaptability, as well as the possibility of implementing different security layers and resilience approaches. As a criterion of suitability for Cybersecurity Risk Management, including this risk is adequate as it directly addresses one of the key challenges in cybersecurity risk management: supplier diversification and redundancy. Assessing dependence on a single supplier allows organizations to take measures to diversify their suppliers and reduce vulnerability to isolated incidents. As a parameter of proportionality against potential risks, supplier diversification may require more initial investment and management effort, but it is proportional to the potential risk being mitigated. An incident affecting a single supplier could have devastating consequences, both in terms of security and operability, thus justifying the need for multiple suppliers. The provision meets a criterion of legitimacy in the context of National Security and Regulations since from a national security and regulatory compliance perspective, dependence on a single supplier can be problematic, especially if it involves critical infrastructures. Diversifying suppliers is a necessary measure to reduce risks, and this is an approach to layered security or defense in depth and cyber resilience. Considering the risks associated with dependence on a single supplier is a prudent and justified decision in cybersecurity. It addresses a critical need for resilience, is adequate for effective risk management, is proportional to the dangers intended to be mitigated, complies with national security considerations, and aligns with best practices to reduce the risk of concentrating everything in a single provider.

III.Risk scenarios related to the modus operandi of the main risk agents - R5: Intrusions by States through the 5G supply chain, when this may compromise the security, availability, integrity, and privacy of information. In the era of 5G technology, which promises massive, high-speed connectivity, supply chain security is critical. State intrusions can represent significant threats, such as the insertion of backdoors or the manipulation of equipment and software, which can compromise national security and the protection of sensitive data. Therefore, it meets the criterion of being necessary to identify and mitigate these risks to guarantee the integrity of 5G networks. Technically, protection against state intrusion requires sophisticated measures, such as reviewing and validating hardware and software security, continuous network monitoring, and implementing robust security controls. These technical measures are necessary to detect and mitigate any malicious activity that could compromise the 5G network. The assessment of these risks is suitable and adequate, as it addresses one of the most complex and critical challenges in current cybersecurity. The 5G supply chain involves multiple actors and components, and any vulnerability introduced by a State could have devastating implications. Therefore, it is adequate and essential to consider these risks in any cybersecurity strategy. Given the potential gravity of state intrusions in the 5G supply chain, the measures adopted to prevent or mitigate these risks are proportional. Protection against such threats may require significant investments in security, but these costs are justified compared to the possible damages to critical infrastructure, the economy, and data privacy. As a criterion of legitimacy in foreseeing this risk, it must be noted that many jurisdictions are implementing regulations to protect critical infrastructures, including 5G networks, from possible state intrusions. These regulations recognize the legitimacy of addressing these risks, and organizations have the legal responsibility to protect their networks and data. - R6: Exploitation of 5G networks by organized crime groups to attack end users. With the implementation of 5G networks, which offer greater speed and connection capacity, arises an increase in the number and sophistication of attack vectors available to organized criminals. These groups can exploit vulnerabilities in 5G networks to attack end users, making it necessary to identify and mitigate these risks to protect both the network and its users. The implementation of advanced intrusion detection and prevention technologies, security management at the radio interface, and the protection of user privacy and data are all crucial to counter the efforts of organized criminal groups. The assessment and mitigation of these risks meets the criterion of suitability due to the inherent nature and advanced capabilities of 5G networks. These networks facilitate greater interconnection of devices and services, expanding the scope and potential impact of attacks. Therefore, it is appropriate to focus on these specific threats to ensure comprehensive network security. The measures adopted to address the risks of attacks by organized criminals are proportional to the threat they represent. These groups can carry out devastating attacks, such as mass data theft, disruption of critical services, and the deployment of ransomware, thus justifying a significant investment in security measures. Addressing these risks is a legitimate and often necessary aspect of security management for 5G networks. Many national and international laws require service providers and companies to take reasonable measures to protect networks and data against criminal activities, which includes threats from organized criminals.

IV.Risk scenarios related to the interdependencies between 5G networks and other critical systems - R7: Significant damage to critical infrastructures or services. Critical infrastructures and services, such as power grids, health systems, financial services, and communications, are essential for the functioning of society. A successful attack on these infrastructures can have devastating consequences, including the disruption of vital services, significant economic damages, and, in extreme cases, endangering human lives. Therefore, it is imperative, and the criterion of necessity is met, to proactively identify and address these risks to guarantee the continuity and resilience of these essential services. Including these risks is suitable, adequate, and relevant, given the increasing sophistication and frequency of cyberattacks targeting critical infrastructures. Cybercriminals' techniques and tactics are constantly evolving, making the protection of these infrastructures a continuous and dynamic challenge that must be addressed comprehensively and specifically. The security measures implemented to protect critical infrastructures and services are proportional to the severity and potential impact of a security incident. Given the high cost of potential damages, investment in advanced security, robust controls, and incident response and recovery plans is justified and necessary.

From a legitimacy standpoint, the protection of critical infrastructures and services is a requirement in many jurisdictions. Laws and regulations often require organizations to implement adequate security measures to protect against cyber threats, which validates the need to include and address these risks as part of a comprehensive cybersecurity strategy. - R8: General network collapse due to interruption of the electrical power supply or other support systems. Communication and data networks are vital for the functioning of modern society, and their dependence on the electrical power supply and other support systems is a critical factor. The interruption of these services can lead to a general network collapse, resulting in significant economic losses, interruption of essential services, and in some cases, impacts on the safety and well-being of people. Therefore, there is a need to evaluate and mitigate these risks to ensure the continuity and resilience of the networks. Technically, protection against network collapse involves more than just cybersecurity. It requires a comprehensive understanding of the support infrastructure and the implementation of technical solutions that can maintain network operability in the event of the loss of critical services. This may include the diversification of energy sources, advanced control and monitoring systems, and redundancy strategies. Including these risks in cybersecurity management is suitable (idóneo) and adequate, as it recognizes the interconnected nature of modern systems and the critical importance of support infrastructure. This is particularly relevant in the context of critical infrastructures, where the failure of one system can have cascading effects on others. Measures to mitigate the risk of network collapses must be proportional to the potential impact of such incidents. Investment in backup systems, such as emergency generators and uninterruptible power supply (UPS) systems, as well as in business continuity planning and infrastructure redundancy, are justified given the importance of maintaining network operability. The inclusion of this risk is based on a criterion of legitimacy. From a legal and regulatory point of view, many jurisdictions require organizations to take measures to ensure the resilience and continuity of their operations. This includes preparation for interruptions in the electrical power supply and other support services, which makes the inclusion of these risks legitimate and, in many cases, a regulatory requirement. V. Risk scenarios related to end-user devices - R9: Abusive use of the Internet of Things, microtelephones, or smart devices. The proliferation of IoT (Internet of Things) devices and smart devices has significantly expanded the cyber threat landscape, since the vast majority of these devices do not incorporate security by design, increasing the likelihood of exploitation of vulnerabilities that can compromise essential service networks. These devices are usually connected to networks and can be vulnerable to exploits, which can lead to large-scale attacks, compromise of personal and corporate data, and abusive use for malicious purposes such as botnets and use in distributed denial-of-service (DDoS) attacks. The determination to address these risks is necessary to protect both individuals and organizations from potential harm. The protection of IoT devices and smart devices involves unique challenges due to their diversity, connectivity, and, in many cases, resource limitations. Technical considerations include the implementation of robust encryption, secure authentication, network segmentation, and the ability to receive security updates. Including these risks in cybersecurity assessment and management is suitable (idóneo) given the increasing integration of these devices into daily life and business operations. The suitability is reflected in the need to protect the integrity of networks and data, and to guarantee the reliability and security of connected devices. Measures to mitigate the risk of abusive use of IoT devices and smart devices must be proportional to the severity and potential impact of incidents. This includes implementing security in device design, regular update and patch management, and end-user education. These measures are fundamental given the potential scale and pervasive nature of attacks involving IoT devices. From a legitimacy perspective, protection against the misuse of IoT devices and smart devices is increasingly a regulatory concern. Laws and regulations around data security and cybersecurity in general recognize the importance of securing these devices, which legitimizes the inclusion of these risks in a comprehensive cybersecurity strategy. J. ON THE ADOPTION OF STANDARDS ACCORDING TO ARTICLE 6 OF DECRETO EJECUTIVO Nº 44196-MSP-MICITT "REGLAMENTO SOBRE MEDIDAS DE CIBERSEGURIDAD APLICABLES A LOS SERVICIOS DE TELECOMUNICACIONES BASADOS EN LA TECNOLOGÍA DE QUINTA GENERACIÓN MÓVIL (5G) Y SUPERIORES". The standards to be adopted are necessary because they provide guidance and best practices that must be applied or implemented on technological platforms to minimize potential security risks. Otherwise, failure to comply with the standards can cause or lead to deficiencies in the protection of the confidentiality, integrity, and availability of information, which are the pillars of cybersecurity. It must be taken into account that cybersecurity standards, like any other standard, involve a detailed process encompassing multiple stages and the participation of area experts from various countries and organizations in order to provide a guide of best practices, policies, and procedures to decrease security risks on technological platforms and combat the growing threats in cyberspace. It is worth mentioning that the list included in the decree is not exhaustive, so it is expected that these standards will be met in a complementary manner with other standards common to the industry and applicable to 5G networks, such as those indicated by the Superintendencia de Telecomunicaciones (Sutel) and other actors in the case of the 3GPP (Third Generation Partnership Project) and NESA (National Electronic Security Authority) standard. The importance and technical and legal reasonableness of each of the standards regulated in the Reglamento is developed below. a) On the SCS-9001 standard. Incorporating cybersecurity standards is essential to establish a solid and coherent framework that guarantees the effective protection of its information assets. These standards provide internationally proven and recognized guidelines for the prevention, detection, and response to cyber threats, thus ensuring the confidentiality, integrity, and availability of data. Furthermore, compliance with cybersecurity standards not only improves an organization's security posture against increasingly sophisticated threats but also strengthens trust and ensures conformity with legal regulations and compliance requirements, which is vital in today's highly interconnected and regulated digital landscape. The SCS 9001 standard is a process-based standard focused on supply chain security for the global ICT industry. It was actively developed over approximately two years during 2020 and 2021 by QuEST Forum, a business performance improvement community within TIA (Telecommunications Industry Association). TIA QuEST Forum follows international standards development procedures and guidelines. Therefore, TIA QuEST Forum followed the rigorous and well-structured process for the publication of the SCS 9001 standard to ensure it is global, relevant, and of high quality. This process involved security experts from the field, different organizations, and manufacturers from the sector who worked on the development of the SCS 9001 standard; therefore, this standard cannot be considered immature, as its development and publication have met the requirements and guidelines demanded by any ISO standard, a process that required its due time. Furthermore, it is important to highlight that this standard responds to a growing need in the sector, guaranteeing the application of security measures to minimize a risk that is increasing in the supply chain, as pointed out by the Gartner and ENISA report. SCS 9001 is a more comprehensive global standard for cybersecurity and supply chain security, adaptable to any type of communications network across all industries and sectors. Cyber threats are constantly evolving, as evidenced by the report from the European Union Agency for Cybersecurity (ENISA), an entity established by the European Union (EU) with the aim of improving cybersecurity throughout the region, on "Cyber Threats towards 2030," in which supply chain attacks will be in first place among cyberattacks. The dynamism and growing sophistication of these risks must be highlighted. Given this changing landscape, the implementation of standards like SCS 9001 becomes essential, especially to address supply chain security. This specific standard responds to the need to adapt to emerging and growing threats, providing a framework that guarantees robust and coherent security practices across all links of the supply chain. Its adoption is crucial for protecting critical infrastructures and maintaining the integrity, confidentiality, and availability in the security of systems in a rapidly evolving threat environment. Furthermore, the Gartner analysis, which predicts that by 2023, cyber risk will become a primary consideration in purchasing decisions within supply chains, highlights this issue. This increasing focus on cybersecurity reflects the need to improve protection between cybersecurity and the supply chain, highlighting the importance of adopting standards like SCS 9001. This standard responds to evolving cyber threats by providing a robust framework for securing and protecting the supply chain against emerging risks. The adoption of SCS 9001 not only improves security but is also a crucial step towards aligning supply chain practices with ever-changing cybersecurity needs, an aspect now recognized as fundamental by leaders in supply chain management. Security and protection controls must cover the entire product lifecycle, including the complete supply chain of software, hardware, systems, and the organization's own operational performance. The architecture model of the SCS-9001 standard is exemplified below: (…) - TECHNICAL REASONABLENESS EXERCISE. This standard responds to the need to adapt to emerging and growing threats, providing a framework that guarantees robust and coherent security practices across all links of the supply chain. Its adoption is crucial for protecting critical infrastructures and maintaining the integrity, confidentiality, and availability in the security of systems in a rapidly evolving threat environment. Cyber risk will become a primary consideration in purchasing decisions within supply chains. This increasing focus on cybersecurity reflects the need to improve protection between cybersecurity and the supply chain, highlighting the importance of adopting standards like SCS 9001. The adoption of SCS 9001 not only improves security but is also a crucial step towards aligning supply chain practices with ever-changing cybersecurity needs, an aspect now recognized as fundamental by leaders in supply chain management. Regarding the suitability (idoneidad) of mandating compliance with this standard in the Reglamento, it must be stated that cyber threats to the supply chain have increased in frequency and sophistication, including attacks to compromise software and hardware, and the manipulation of product integrity. SCS 9001 is specifically designed to address these vulnerabilities, establishing a framework that reinforces security at every link of the supply chain. From a risk analysis perspective, the SCS 9001 standard responds as a necessary measure to minimize the security risk from the emerging threat to the supply chain. This countermeasure reduces risk because it addresses the technical aspects of the supply chain links in more detail and all related aspects to reduce the latent risks that are increasingly evolving, as demonstrated by specialized international organizations on the matter. Regarding strict proportionality in determining the application of this standard, it must be stated that the implementation of the SCS 9001 standard in the cybersecurity supply chain is a necessary, justified, and adequate measure given the magnitude and severity of current threats and future projections of the evolution of attacks on supply chains. 5G networks, as critical infrastructures, are complex and highly interconnected, making them susceptible to a variety of cyberattacks that can have devastating repercussions on essential services and national security. According to the mentioned studies, the growing evolution of cyber threats to the supply chain increases the probability of suffering a security breach in the elements involved in the supply chains. The application of the standard also meets a criterion of legitimacy, as implementing these standards is a legitimate and widely accepted practice in the global community. These standards are the result of a broad consensus among security experts, the industry, and different expert organizations in the area, reflecting the current best practices in the field. From a technical point of view, the standards offer guidance on strengthening the supply chain. The standard builds upon existing work and aligns with government agency initiatives. It adds crucial requirements that had not been addressed for supply chain protection, an area where threats are growing. Non-conformity with these standards means that products and services could lack fundamental security measures, exposing users to significant risks and the country to national security risks. b) Standards of the ISO family. The ISO 27000 family of standards, developed by the International Organization for Standardization (ISO), comprises a series of standards focused on information security management. These standards provide a framework for establishing, implementing, maintaining, and continuously improving information security within organizations. The TECHNICAL REASONABLENESS EXERCISE for the ISO standards detailed in Article 6 of the Reglamento is presented below: b.1. ISO 27001:2022 Regarding the need for the implementation of this standard, it must be stated that in an environment where cyber threats are a constant and evolving reality, the implementation of an information security management system (SGSI) is more than necessary. ISO 27001 provides a framework for identifying, evaluating, and managing information security risks, crucial for protecting sensitive data and maintaining business continuity. ISO 27001 addresses the technical needs related to cybersecurity, offering a framework for the implementation of effective controls and continuous improvement. Its focus on risk assessment and evidence-based management is fundamental for adapting to changing cyber threats and technological evolutions. Regarding suitability (idoneidad) in the reasonableness exercise for the application of this standard, it must be said that ISO 27001 is widely recognized and adapted to organizations of different sizes and sectors. It offers a systematic and structured approach that is adequate for comprehensively managing information security, encompassing both technical and non-technical aspects (legal, physical, and human), which makes it suitable (idóneo) for the purpose of guaranteeing quality in the operation of the subjects indicated in Article 2 of the Reglamento. The adoption of ISO 27001 passes a strict proportionality analysis for the purposes it aims to safeguard, as it is proportional to the risks and potential consequences that organizations face in terms of cybersecurity. Investment in this standard helps prevent costly security incidents and reputational damage, which can be much more onerous than the implementation and maintenance of the SGSI. This is framed within the criterion of legitimacy, as an internationally recognized standard, ISO 27001 provides confidence in information security management, demonstrating an organization's commitment to optimal cybersecurity practices. This is fundamental for the trust of interested parties, including clients, partners, and regulators. b.2. ISO 27002:2022 Like the previous ISO standard, the use of this one is covered by a criterion of need, as in a digital environment where cyber threats are a constant, the need for effective information security management is imperative. ISO 27002 provides a set of information security controls, addressing critical needs such as the protection of confidential data, prevention of security breaches, and mitigation of cyberattacks. ISO 27002 provides detailed guidance for the implementation of effective security controls. These controls are fundamental for protecting against evolving technological threats and ensuring the integrity, confidentiality, and availability of information. It defines a set of best practices for the implementation of the SGSI, through 93 controls, structured into 4 major domains. This standard meets the condition of being suitable (idóneo) for the purpose of the Reglamento, as this standard is adequate for any type of organization, regardless of its size or sector, since it offers an adaptable and extensive approach to information security management. Its guidelines cover from operational security to access control and incident management, thus covering a wide range of security needs. The use of the standard meets a criterion of strict proportionality, as it is proportional to the benefits it offers. Although it implies an investment in terms of resources and time, the costs are justified by the significant improvement in security posture, the reduction of the risk of costly incidents, and protection against possible legal sanctions for security breaches. Likewise, regarding the legitimacy of the application of this standard, it must be said that ISO 27002 is an internationally recognized standard, which confers great legitimacy upon it. Its implementation is consistent with global best practices in cybersecurity and data protection, and helps organizations comply with legal and regulatory obligations. b.3. ISO 27003:2017 In a constantly evolving digital environment, characterized by sophisticated cyber threats, it is essential to have a robust information security management system (SGSI). ISO 27003, by providing detailed guidelines for the effective implementation of an SGSI according to ISO 27001, responds to this critical need, helping organizations protect their information assets against risks and vulnerabilities. Said ISO standard is essential for effectively addressing the technical complexities associated with protecting information in a constantly changing technological environment. This standard is suitable (idóneo) for any type of organization seeking to improve its information security. It offers a customizable and practical approach, making it adequate for a wide variety of operational contexts and types of organizations. The adoption of ISO 27003 is proportional to the security benefits it provides. Although it requires resources and effort for its implementation, the costs are widely justified by the significant improvement in risk management, the reduction of security incidents, and compliance with legal and regulatory obligations. ISO 27003 is an internationally recognized standard, which confers great legitimacy upon it. Its implementation is consistent with international best practices and is often viewed favorably by regulators and auditors, which is important for maintaining the trust of interested parties and complying with current regulations. b.4. ISO 27011:2016 ISO/IEC 27011 is a specific standard within the ISO/IEC 27000 family of standards, dedicated to information security in the telecommunications sector. This standard offers guidelines for the implementation of an information security management system (SGSI) specifically adapted to the needs of the telecommunications sector. It establishes the principles for implementing, maintaining, and managing an SGSI in telecommunications organizations, indicating how to implement controls efficiently. Given the critical nature of telecommunications in global infrastructure, the need to safeguard this area against cyber threats is paramount. ISO/IEC 27011:2016 provides specific guidelines for information security in this sector, addressing unique risks and operational challenges, and guaranteeing the protection of critical infrastructure and data. This standard is particularly suitable (idóneo) for organizations within the telecommunications sector, as it is designed taking into account their specific needs and challenges. It offers an adapted approach for the implementation of an information security management system (SGSI), aligned with the general standards of the ISO 27000 family but with a focus on telecommunications. The implementation of ISO/IEC 27011:2016 is proportional to the significant risks associated with information security in telecommunications. Effective protection against security breaches, fraud, and other cyber incidents justifies the investment in this standard, given the possible consequences of not doing so, including service interruptions, financial losses, and reputational damage. As part of the recognized ISO/IEC 27000 family of standards, ISO/IEC 27011:2016 enjoys high legitimacy. Its adoption reflects a commitment to international best practices and can improve the confidence of clients and regulators in an organization's ability to manage information security. K. ON THE HIGH-RISK PARAMETERS DEFINED IN ARTICLE 10 OF DECRETO EJECUTIVO N.º 44196-MSP-MICITT "REGLAMENTO SOBRE MEDIDAS DE CIBERSEGURIDAD APLICABLES A LOS SERVICIOS DE TELECOMUNICACIONES BASADOS EN LA TECNOLOGÍA DE QUINTA GENERACIÓN MÓVIL (5G) Y SUPERIORES". For a better understanding, the reasonableness exercise assessed in each case will be specified throughout each subsection, not only from a technical point of view but also its legal basis. A) When the subjects included in the scope of application of Article 2 of this Reglamento have a single hardware and software supplier in their supply chain, when this supplier is responsible for configuring and integrating all active equipment and software of the solution, or if the network is composed of active equipment and software from a single manufacturer." - TECHNICAL REASONABLENESS EXERCISE In this regard, the necessity of said measure is based on the fact that technological dependence or monoculture significantly increases the risk that the entire ecosystem could be compromised. If an attacker finds a vulnerability for one type of system, all network components are put at risk, and therefore, all the information passing through those devices, data, user information, and services transiting through them would be affected. At the level of security layers, security is not the same when dealing with systems and equipment with different specifications and components, making it more complex to find the vulnerability if there is diversity of manufacturers; therefore, the complexity of exploitation increases. Supplier diversity is necessary to mitigate risks, increasing the resilience of the system or systems against attacks and failures that may occur. Furthermore, it is determined that the inclusion of this provision meets a criterion of suitability (idoneidad), as dependence on a single supplier can create a single point of failure, since if an interruption is suffered, the entire system can be compromised. In contrast, having multiple suppliers allows the possibility of a single vulnerability or failure affecting the entire system to be reduced. Additionally, different suppliers can offer distinct capabilities and strengths in security, which improves overall protection. It must be considered that at the cybersecurity level, there are protection techniques called defense in depth, and applying multiple security and protection measures benefits the entire ecosystem, combining multiple barriers and eliminating a single dependency for protection. Diversifying suppliers helps ensure operational security and system resilience in the event of a supplier's failure. Now, from a strict proportionality perspective, the assessment of the imposed measure versus the safeguarded security purpose is based on the fact that there is a balance: having more than one supplier and not depending on a single one minimizes risk. The threat vector for that supplier is reduced; therefore, limiting having a single supplier is proportional to the intended technical purpose. Having multiple suppliers allows for reducing dependence on the security updates of a single supplier, with the advantage of improved and effective response times and availability of security options; therefore, the measure is proportional to the security purpose intended to be ensured. The impact of the countermeasure, therefore, is not greater than the risk caused by dependence on a single supplier, for the reasons noted. The measure as such technically has full legitimacy, also because it is technically possible for systems or components from different suppliers to interact with each other; therefore, it is not technically impossible nor does it predispose the generation of operational failures. Instead, coupled with the reasons previously described, it represents a legitimate purpose for safeguarding information and network security, as well as fulfilling the aims of cybersecurity. - LEGAL REASONABLENESS EXERCISE From a legal perspective, the necessity of the measure is emphasized, as it aims to guarantee the functionality of the technology and ensure that there is no level of dependence on the manufacturer such that, in the event of failures in network operation like those exemplified supra, it impacts the continuity and access to the service. The measure also prevents the impact on the legal regime of the rights and interests of the final telecommunications users, which derive precisely from the protection and safeguarding of fundamental rights and human rights to intimacy, privacy, and secrecy of communications, informational self-determination, access to free information, communication, health, among others. This measure is deemed suitable (idónea), as diversifying the number of suppliers in the supply chain decreases the risk that network functionality depends on the vulnerabilities that a single manufacturer might present in its Hardware or Software. The measure seeks to guarantee that the greater the number of suppliers, the greater the number of solutions for the final telecommunications service without needing to interrupt service continuity, benefiting the final user. In the event of a cybercrime incident with a single supplier, the criticality of the incident would increase as a result of the dependence on a single supplier.

Regarding the proportionality of the measure, the benefit pursued is to provide the population with an advanced and secure network, foreseeing that there is no dependence on a single supplier and therefore there is a risk of not obtaining components, hindered compatibility, factory closures, discontinuity of spare parts, problems in the production chain, among others. The primary objective is to prevent the materialization of risks associated with the network's operation from having consequences for end users of telecommunications, harming the exercise of their fundamental rights of constitutional rank. In that sense, the measure is proportional because it seeks to balance the possibility of continuous service against the trade difficulties that suppliers may face. The measure has legitimacy, given that inhabitants have the right to access telecommunications for their personal, cultural, educational development, among others. In that sense, the radio spectrum as a constitutional public domain asset deserves protection by the State, which must ensure the safe use and exploitation of the networks and services provided through this constitutional public domain asset, through the exercise of its public regulatory power, particularly provided in the Protection Regime for the rights of end users of telecommunications of numerals 41, 42, and following of the General Telecommunications Law (Ley General de Telecomunicaciones). The establishment of this measure is done on the basis of scientific and technical criteria provided in Article 16 of the General Law of Public Administration (Ley General de la Administración Pública), all while knowing that the existence of a single provider in the supply chain could mean that the network depends on a single element for its optimal functioning. B) When the subjects included within the scope of application of Article 2 of this Regulation or their hardware and software suppliers have any incident report published by CSIRT-CR regarding cybersecurity breaches in their systems that have not been addressed and therefore imply a risk to the security, availability, integrity, or privacy of end-user information." - TECHNICAL REASONABLENESS EXERCISE The aforementioned provision, regarding the guarantee that generated incidents have been addressed as appropriate, is necessary, as the consideration of not having addressed the published incident necessarily implies a risk; alerts must be addressed for the security, availability, and privacy of information. Failure to do so exposes the operator to significant security risks and data breaches; therefore, the consideration of not addressing alerts exposes them to cyberattacks with known breaches, these being means used by cyber attackers to compromise an infrastructure. The measure is necessary to prevent attackers from exploiting weaknesses that could compromise the confidentiality, availability, and integrity of the information housed within them. Not addressing alerts increases the risk of unauthorized access and malicious activities, as well as interruption of services, the accessibility of systems, alteration or corruption of the data traveling on that platform, and the exposure of private or personal sensitive data that transit through these infrastructures housing them. The measure is necessary to prevent the exploitation of a vulnerability that has already been identified by a trusted third party, due to the non-application of security patches, which can have economic implications in terms of mitigation costs, losses due to general interruption, both for the provider and for the users who use those platforms. The foresight of this risk meets a criterion of technical suitability, since addressing incident reports is an adequate measure because it attacks the root cause of many security breaches. Correcting known vulnerabilities is a fundamental step in protecting against cyberattacks and preserving the integrity, confidentiality, and availability of the information as well as the services housed or transiting through them. Not correcting these known breaches makes them an easy target for attackers, since when there is a security breach, there are always many ways to exploit them. Likewise, from a criterion of reasonableness in the strict sense, the consequences of not addressing these vulnerabilities are much greater than the efforts to correct these problems, it being simpler to resolve the incident than to deal with it after the impact; the losses, leakage, impact on services, and availability of information represent a much greater consequence. The probability of impact on these platforms is a high risk. The impact caused by a security breach affecting information will be much greater. At the proportionality level, probability is analyzed against impact minus countermeasures. The CSIRT-CR countermeasures must be applied to reduce the risk. When known security breaches exist, they increase the probability that an infrastructure can be compromised, and when a security incident materializes that took advantage of said security breach, which has not been remedied, the impact that a compromise of these platforms can produce is incalculable, since the damage extends not only to the provider but to all data, services, and information housed in and transiting through those platforms. The end user may be impacted in the non-use of essential services, in the exposure and leakage of sensitive information of the inhabitants of Costa Rica, and in economic costs to solve the problems caused by that security breach. Therefore, considering the non-addressing of incidents as a high risk is more than proportional to the consequences of not addressing them and the potential serious damages that would be caused. Regarding the legitimacy of this measure, it corresponds with technical best practices, which is legitimized in the Cybersecurity community, supported by international cybersecurity regulations and standards that emphasize the importance of properly managing vulnerabilities and cybersecurity incidents. Not addressing these vulnerabilities exposes organizations to security breaches, as they can be exploited by malicious actors to compromise the security of those systems. - LEGAL REASONABLENESS EXERCISE The criterion of necessity of this measure is based on the cyberattack that occurred in April 2022; the consequences for the country were disastrous, including loss of substantial information, impact on essential health services, losses to the public treasury, difficulties in registering and paying payroll, among others. All these impacts on the institutional framework, in turn, had a direct impact on the users of the different services. Consequently, one of the priorities of the competent Sectoral Authorities is to prevent new situations of such magnitude. Therefore, any identified incident must be addressed with the utmost speed, and all necessary immediate measures must be adopted to safeguard the protected legal interests (privacy, security, informational self-determination, health, culture, education, information, and communication, among others); therefore, the fight against cybercrime does not allow tolerating the presence of unaddressed incidents. Regarding suitability, this measure constitutes a means to an end, which, if not executed, would render the purpose for which the CSIRT was created completely meaningless, which in essence is to coordinate with the branches of the State, autonomous institutions, state companies, and banks everything related to computer and cybersecurity matters and to establish the team of information technology security experts that will work to prevent and respond to cyber and computer security incidents affecting government institutions. Hence, the mere detection of an incident (the regulation does not regulate permissibility levels) constitutes an imminent risk to security, with which there is no justification for the obligated subjects to ignore any alert issued by the CSIRT. Regarding proportionality, this parameter observes the criterion of proportionality insofar as the behavior pursued falls on the operator of the compromised network in a sound administration of the radioelectric resource (public domain asset). What is sought is to prevent any malicious interference that harms the fundamental rights and human rights of the end users of telecommunications, by establishing an action in the network's operation and thereby increasing the use of the opportunities provided by science and technology to be an effective enabler for the exercise of rights within the Information and Knowledge Society. Regarding legitimacy, this measure responds to the creation objectives of the CSIRT and also to all measures in the domestic and international legal order as part of the efforts in the fight against cybercrime, which of course involves identifying deliberate and illegitimate acts against computer systems. It is of special relevance in the deployment and operation of 5G networks, which, unlike previous technologies, involve the transit of large amounts of data, allowing the storage of personal and sensitive user information, such that any alert of transgression must be addressed immediately to avoid greater consequences. "C) When the subjects included within the scope of application of Article 2 of this Regulation or their hardware and software suppliers are susceptible to pressure from a foreign government by regulatory provision or official public policy of said foreign government, in relation to the location or execution of their operations." - TECHNICAL REASONABLENESS EXERCISE The consideration of high risk in this subsection is necessary because it is critical to guarantee that hardware or software providers operate independently of foreign governmental pressures, in order to protect the availability, confidentiality, and integrity of data. There is a risk that the government exerts pressure and obtains unauthorized access to confidential data or manipulates the hardware or software for espionage or sabotage purposes, which would compromise the availability, confidentiality, and integrity of these products or platforms. Therefore, generating the risk foresight is necessary to guarantee the security, availability, confidentiality, and integrity of information. Likewise, the foresight of this risk is suitable, since guaranteeing the independence of providers against the influence of foreign governments is adequate for security and the objective of preserving national security. The measure is suitable because, from the analysis of situations and detected incidents, threat actors linked to foreign governments that can exert pressure on the subjects of application of Article 2 have been found. The measure meets the criterion of being proportional in the strict sense, as the potential consequences of cyber espionage or sabotage are proportional to the measure that seeks to reduce the risk, since critical 5G services can be compromised, implying the need for rigorous security evaluations. Regarding the consideration of the legitimacy of this measure, the concern about the influence of foreign governments over said providers is legitimate and, at the same time, is based on national security criteria given the potential risk and the damages of various kinds that can materialize if an attack or sabotage occurs, directly or indirectly linked to the action of a foreign government that exerts influence over the operators. Therefore, it is exercised as a faculty of the State to guarantee the independence of the operators against pressures from foreign governments. - LEGAL REASONABLENESS EXERCISE For a better understanding, both parameters contained in this subsection and subsection d) will be analyzed jointly. Both parameters are qualified as necessary. In that sense, it is possible to affirm that, being in the Information and Knowledge Society (SIC), data holds high value. In that sense, the risks of computer networks and electronic information being used to commit crimes have multiplied. This transcends the sovereignty of each country due to the ease with which abuses can be committed. Therefore, measures like these are essential to guarantee that there is no impairment of the confidentiality, integrity, and availability of computer systems, networks, personal data, and traffic data, due to pressure from other States that require the information for purposes other than the objectives for which they were collected at the national level under the principle of informed consent and free information of users. This measure is suitable, given that the State is the only one called upon to weigh the existence of regulations in contravention of national fundamental rights. In this way, it is also the only one with the authority to establish differentiated conditions when the information is to transit outside its borders, a transit that must be compatible with the special protection regime that the constitution imposes on data. It is important to recognize that not all foreign legislation is compatible with or akin to national legislation, which is why these parameters have been considered to reinforce the importance of protecting the fundamental rights of end users of telecommunications. Regarding proportionality, I must note that the democratic Costa Rican State is called upon to act conservatively in two aspects: firstly, in safeguarding the sound use of the radio spectrum as a public domain asset, and secondly, in protecting the fundamental rights derived from the use and exploitation of said radio spectrum. Therefore, it is obliged to indicate the guidelines according to which the transfer of information will occur. That said, operators that do not have the legal possibility to guarantee the secure transit of data on their networks imply a high risk of compromise due to possible coercion by other governments. Performing a legitimacy exercise, we must start from the fact that, in accordance with international best practices, among them the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), restrictions can be imposed on some categories of personal data for which the national legal system includes specific regulations due to the nature of those data and that the other State does not consider similarly in its regulations. In that sense, it is interpreted that in the event of finding regulations that do not guarantee protection comparable to the national one, the Costa Rican State may establish restrictions on the transfer of data when the operators or their suppliers cannot substantially guarantee compliance with domestic regulations on data protection, intimacy, privacy, informational self-determination, and secrecy of communications. "D) When the subjects included within the scope of application of Article 2 of this Regulation or their hardware and software suppliers are based in a country, or, in some way, are subject to the direction of a foreign government with established laws or practices that may require them to share end-user information of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests." - TECHNICAL REASONABLENESS EXERCISE The foresight of this risk is necessary, because it is critical to guarantee that hardware or software providers operate independently of foreign governmental pressures, in order to protect the availability, confidentiality, and integrity of data. There is a risk that the government exerts pressure and obtains unauthorized access to confidential data or manipulates the hardware or software for espionage or sabotage purposes, which would compromise the availability, confidentiality, and integrity of these products or platforms. Therefore, generating the risk foresight is necessary to guarantee the security, availability, confidentiality, and integrity of information. If a foreign government has the possibility of introducing backdoors, it would have the possibility of conducting espionage, sabotage, and extracting national security and user information. Likewise, given the characteristics of the type of government, there is an absence of adequate guarantees for rights and interests. The measure meets the criterion of suitability, as indicated in the previous subsection, since the independence of providers against the influence of foreign governments is adequate for security and the objective of preserving national security. The measure is suitable because, from the analysis of situations and detected incidents, threat actors linked to foreign governments that can exert pressure on the subjects of application of Article 2 have been found. Similarly, it is proportional in the strict sense, as the potential consequences of cyber espionage or sabotage are proportional to the measure that seeks to reduce the risk, since critical 5G services can be compromised, implying the need for rigorous security evaluations. The foresight of this risk meets the criterion of legitimacy, as the concern about the influence of foreign governments over said providers is legitimate and, at the same time, is based on national security criteria given the potential risk and the damages of various kinds that can materialize if an attack or sabotage occurs, directly or indirectly linked to the action of a foreign government that exerts influence over the operators. - LEGAL REASONABLENESS EXERCISE For these purposes, please refer to the legal analysis indicated in subsection C) above. E) When the subjects included within the scope of application of Article 2 of this Regulation use hardware and software suppliers that have their headquarters in a country that has not expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention). - TECHNICAL REASONABLENESS EXERCISE a. Particular considerations regarding the Budapest Convention It is fundamental in a world where cyber threats do not recognize geographical borders, and the decentralized and often anonymous nature of cyberspace has allowed malicious actors to launch attacks from anywhere in the world, greatly complicating prosecution and response efforts. In this context, emerging technologies such as 5G and superior networks present both significant opportunities and challenges. While 5G technology promises to revolutionize numerous sectors with its high speed and massive connection capacity, it also amplifies the risks associated with cybersecurity. The 5G infrastructure is critical and sensitive, given its implication in the connectivity of essential devices in sectors such as health, industry, and public services. An attack on these networks could not only have devastating consequences in terms of interruption of essential services but could also compromise the security and privacy of enormous volumes of data. The Budapest Convention, therefore, represents an essential framework for international cooperation in the fight against cybercrime. It facilitates collaboration and information exchange between countries, establishing procedures for the effective investigation and prosecution of cybercrimes. In an era where advanced networks like 5G will become the backbone of our critical infrastructure, this convention offers a fundamental tool to protect our globalized digital society against cross-border cyber threats. The Budapest Convention is a cybersecurity control measure that minimizes security risk, in this case, a national security risk. The convention acts as both a deterrent, preventive, and punitive control in the prosecution of crimes that threaten the triad of information security: confidentiality, integrity, and availability of computer systems, networks, and data. The cybersecurity discipline not only focuses on aspects such as monitoring, detection, and protection but also addresses crucial fields such as cybersecurity incident response and forensic analysis. The latter are of vital importance for obtaining digital evidence, such as system logs, which is essential to determine the root cause of incidents. Due to the cross-border nature of cyberattacks, international cooperation is often required to obtain this evidence, not only for the prosecution of the cybercriminal but also to identify the vulnerabilities exploited and thus resolve the security gaps in the shortest possible time so that cybercriminals do not exploit them again. In 2022, Costa Rica experienced a devastating episode in which a cybercriminal group known as CONTI, many of whose members reside in countries that are not signatories to the convention, could not be arrested despite being identified. This maintains a latent threat and elevates the probability of future damages. In cybersecurity, risk is measured as the product of impact and probability, minus the implemented countermeasures. An effective countermeasure to reduce national security risks is the application of our regulatory framework, reinforced by the Budapest Convention. Furthermore, there are confidential reports, which are provided as confidential evidence for being of national security, indicating that the infrastructures of several Costa Rican government institutions have been compromised by attacks originating in countries that are not signatories to the convention. The use of the Budapest Convention as a security measure or control to minimize risks is also based on the convention itself, which states: "Convinced that the present Convention is necessary to prevent acts that jeopardize the confidentiality, integrity, and availability of computer systems, networks, and data, as well as the abuse of such systems, networks, and data, by ensuring the criminalization of such acts, as defined in this Convention, and the adoption of powers sufficient to effectively combat such criminal offences, by facilitating their detection, investigation and prosecution at both the domestic and international levels, and by providing arrangements for fast and reliable international cooperation;" (Emphasis added). Source: Budapest Convention, page 2, paragraph 9 It is of vital importance to emphasize that the convention addresses the pillars of cybersecurity, which is the triad of information security (confidentiality, integrity, and availability) in technological platforms, including networks. By referring to "networks" in general, the law can be applied to a broader range of technologies, including those that currently exist and those that may emerge in the future. Technology evolves rapidly, and mentioning a specific technology, such as 5G, can make the law obsolete in a short time. In contrast, a law that refers to "networks" in general terms can remain relevant and applicable as new technologies emerge. Likewise, it is important to keep in mind that cybersecurity does not only consist of applying technical controls; these must be more holistic and transversal, encompassing not only technical aspects in order to achieve better results in protecting information assets. Among the examples of non-technical cybersecurity controls recommended by international standards are: • Acceptable Use Policies: Documents detailing which behaviors are acceptable and which are not on a network or system. The knowledge that certain actions are prohibited and may be grounds for sanctions can deter users from engaging in malicious activities. • Legal Warnings: Messages informing users that unauthorized access or misuse of systems is illegal and may lead to legal consequences. These warnings usually appear during the login process on computer systems. • Security Training and Awareness: Training programs that educate employees on the consequences of violating security policies. Awareness of the implications of security actions can deter users from making mistakes or security violations. • Sanctions for Security Breaches: Establishing and clearly communicating the consequences (such as employment sanctions or legal actions) of violating security policies can deter employees and users from acting insecurely. The International Telecommunication Union (ITU), which is a specialized agency of the United Nations, is dedicated to the regulation and development of information and communication technologies (ICT). It offers technical advice, training, and supports cybersecurity and data protection. Composed of 193 member countries and more than 900 entities, the ITU organizes global conferences and fosters international cooperation in the field of telecommunications. In its Global Cybersecurity Index (GCI), it evaluates the level of cybersecurity maturity of countries and describes the cybersecurity measures they have adopted. Among its evaluation components: legal measures, technical measures, institutional measures, and capacity building. Legal measures comprise a measurement of laws and regulations on cybercrime and cybersecurity. Therefore, the ITU indicates the importance of legal measures as a relevant aspect for measuring the level of cybersecurity maturity: "In this regard, the establishment of a legal and regulatory framework to protect society and promote a secure digital environment is indispensable and should be the first step of any national cybersecurity initiative. Legal and regulatory frameworks comprise the enactment of legislation that defines what constitutes illicit activities in cyberspace and the instruments necessary to investigate, prosecute, and enforce said legislation; the establishment of baseline cybersecurity parameters and enforcement mechanisms for a set of national actors; and procedures to ensure coherence with international obligations." (…) Source: https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2021-PDF-S.pdf Another point of reference from internationally recognized organizations, the IDB and the OAS produced a Cybersecurity 2020 report: risks, advances, and the way forward in Latin America and the Caribbean, and describe the report as follows: "This report provides a detailed and updated overview of cybersecurity policies and practices in the countries of Latin America and the Caribbean, offering a perspective on the progress achieved since its first edition in 2016. It includes essays on cybersecurity trends in the region, contributed by recognized international experts. It also examines the cyber maturity of each country through the application of the Cybersecurity Capacity Maturity Model (CMM). It identifies serious gaps in the five dimensions that define cybersecurity capacity, taking into account the importance of cybersecurity for economic growth and sustainability, while emphasizing respect for human rights. This objective view of the region’s strengths and room for growth aims to support the design of policies and initiatives that address the urgent task of increasing cyber resilience." (Emphasis added). This report applies the Cybersecurity Capacity Maturity Model (CMM) developed by the Global Cyber Security Capacity Centre (GCSCC) at the University of Oxford. The evaluation of maturity levels is divided into five dimensions that correspond to essential and specific aspects of cybersecurity, among them: (i) cybersecurity policy and strategy; (ii) cyber culture and society; (iii) cybersecurity education, training, and skills; (iv) legal and regulatory frameworks; and (v) standards, organizations, and technologies. These are subdivided into a set of factors that describe and define what it means to possess cybersecurity capacity in each factor, and indicate how to improve maturity.

Costa Rica, in the measurement of the legal and regulatory frameworks dimension, is one of the factors with the best rating, as was also noted in the ITU's GCI report: (…) As can be seen in the different reports, cybersecurity not only encompasses technical aspects but also includes different types of measures, both technical, administrative, and legal, among others, to safeguard information assets. b. Other assessment factors related to the Budapest Convention In the following table, the countries that have included the Budapest Convention in their national cybersecurity strategy are shown.

The Budapest Convention not only represents a crucial supralegal framework to combat cybercrime but is also a collective effort to strengthen cyber resilience globally. Its implementation and continuous adaptation, together with a holistic approach to cybersecurity, are key to protecting information assets in an increasingly interconnected digital world dependent on advanced technologies such as 5G. Therefore, in summary, the subsection complies with the principle of reasonableness from a technical perspective, for the following reasons: The need for the measure resides in preventing acts that endanger the confidentiality, integrity, and availability of computer systems, networks, and data, as well as the abuse of such systems, networks, and data, guaranteeing the criminalization of such acts. Conditioning the operation of subjects on the State that is the parent company of their operations being a party to the convention or predisposed to become a party guarantees the prosecution of crimes and the apprehension of cybercriminals. Cybersecurity is not only a technical element but also controls of different natures, including administrative, governance, and regulatory controls that function as deterrent controls. Furthermore, in the event of a cyberattack requiring information on vulnerabilities or event logs associated with hardware or software equipment from a supplier whose country of origin is obliged to cooperate under the Budapest Convention, the possibility of obtaining all necessary information to address the incident is enabled. This is crucial both for the prosecution and apprehension of cybercriminals, reducing the risk of future attacks, and for the security incident response. In accordance with international frameworks and standards for incident response, such as NIST 800-61 'Computer Security Incident Handling Guide' or ISO 27035 'Information security incident management', a crucial phase is the eradication of the threat and the correction of the vulnerabilities that caused the breach. However, this requires various analyses and obtaining the greatest amount of information possible in the shortest time to remedy the root cause and restore the service. (…) Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf The measure is suitable because the generation of a control environment in the States where the subjects of application of the Regulation have their parent company allows for a reduction in the risk of computer crimes against technological infrastructures, since they criminalize the offenses and thereby function as deterrent elements, in addition to the punitive part, and also analysis, since the Budapest Convention allows States to collaborate in the generation of forensic investigation elements to prevent new acts in the future. The convention offers a fundamental tool to protect digital security against cross-border threats. At the level of proportionality in the strict sense, technically the measure intended to be ensured with this provision is proportional to the situation experienced in Costa Rica with the attacks in 2022 by criminal groups from countries that are not signatories or are unwilling to accede to the Budapest Convention, given that these cybercriminals, although it is true they constantly change structures to continue committing crimes and attacking infrastructures, remain in the same non-signatory countries, meaning it is a risk that remains latent. Furthermore, at the cybersecurity level, there is a component called digital forensic cybersecurity, which seeks to find technical evidence of the abuse and how vulnerabilities are exploited in systems, and thereby find the root cause to resolve the problem through which the security breach was opened. Therefore, the Budapest Convention provides active communication with signatory countries to obtain fundamental evidence both to remedy the vulnerability and to prosecute the cybercriminals for the criminal act. Therefore, the measure is consistent and proportional to the benefit it intends to generate for the benefit of security, since there are corroborated facts of situations that occurred in the country, and it is fundamental for national security to provide both legal certainty in the prosecution of cybercriminals and in the remediation of said breaches by obtaining crucial information to resolve them. The convention is a cybersecurity countermeasure to reduce risks to national and computer security; therefore, the State has the power, in its risk analysis, to seek to reduce the potential impact of attacks, the measure being proportional since the convention is a deterrent, preventive, and punitive element, suitable for the purpose of guaranteeing network security and national security. The measure is legitimate because the convention is signed and ratified by Costa Rica, allowing collaboration among States Parties to guarantee the adequate prosecution of cybercriminals, the prevention of future attacks, as a deterrent (preventive) element, and when events have occurred, to be able to obtain vital information to determine the breaches through digital forensic analysis that can be obtained through these conventions. The application or conditioning on having headquarters in a signatory State or one that intends to accede is a legitimate measure to ensure adequate computer security and national security. Many countries, including Costa Rica, have included this convention within their national cybersecurity strategy. EXERCISE OF LEGAL REASONABLENESS It is a necessary norm to combat cybercrime and organized crime with authority superior to law in accordance with Article 7 of the Political Constitution; it was even ratified by the legislator itself through established constitutional mechanisms. As has already been indicated in the document, the European Convention on Cybercrime (Budapest, 2001) was approved by Costa Rica through Law No. 9452 "Approval of Accession to the Convention on Cybercrime," issued on May 26, 2017, and published in Alcance No. 161 to the Official Gazette La Gaceta No. 125 on July 3, 2017. In this way, said Convention forms part of the international regulations incorporated into the Costa Rican Legal System and its purpose is to guarantee respect for the Human and Fundamental Rights enshrined in the Political Constitution of Costa Rica and in other instruments such as the Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms (1950), the United Nations International Covenant on Civil and Political Rights (1966), the American Convention on Human Rights (Pact of San José) (1970), among others. It is proportional because this subsection e) of Article 10 does not expressly require the status of a State that has ratified and incorporated said instrument into its national legal system according to each country's internal procedures; rather, it considers the "Accession" process established to accede to this Convention. In relation to this topic, it should be noted that the "Accession" process to the Budapest Convention involves 3 steps, which are the following: 1. Once a draft law is available indicating that a State has already implemented or may be able to implement the provisions of the Budapest Convention in its national legislation, the Minister of Foreign Affairs (or another authorized representative) must send a letter addressed to the Secretary General of the Council of Europe expressing their State's interest in acceding to the Budapest Convention. 2. Once consensus exists among the current States Parties to the Convention, the State is invited to accede. 3. The authorities of that State must formalize their internal procedures, similar to the ratification of any international treaty, before depositing the instrument of accession with the Council of Europe. As can be inferred from the previous dealings, the Regulation only requires accreditation of the first stage, as opposed to demanding formal ratification according to domestic law; of course, this first step was selected given that it verifies the interest of other nations in protecting the same legal values protected by our country and the Community. In this way, the regulation contemplates the first stage (sic) of the procedure for acceding to the Convention, which in turn entails the manifestation of interest. In that sense, it is important to emphasize that the cited Regulation only contemplates high-risk parameters because it has been sought to keep state intervention minimal, such that the assessment and management of medium and low-impact risks be carried out by network operators or telecommunications service providers. The Council of Europe has classified it as the most comprehensive international standard to date, as it provides a comprehensive and coherent framework against cybercrime and electronic evidence. It serves as a guide for any country wishing to develop comprehensive national cybercrime legislation and as a framework for international cooperation among the States Parties to this Treaty. (COE, 2021). Thus, subsection e) of Article 10 of Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Higher" must be considered based on the systematic application of a set of legal and regulatory norms related to telecommunications and public procurement matters, in the case of those Operators subject to this legal interpretation regime, and whose object is equipment for the use and exploitation of radio frequency spectrum segments. The foregoing, because the definition of the obligations and conditions for the exploitation of said public domain asset is the responsibility of the Executive Branch, including the risk management and mitigation measures contemplated in Executive Decree No. 44196-MSP-MICITT. Specifically, Article 2 of the Regulation includes within its scope of application operators and providers of telecommunications services based on 5G or higher technology subject to the public procurement regime whose object is technological equipment for the deployment of their networks and entails the use and exploitation of radio frequency spectrum bands, who must adopt the appropriate mechanisms so that their bidders have considered the management and mitigation of the regulation in their technical bid. This is because, in accordance with Article 121, subsection 4), sub-subsection c), regulatory principle IV called Allocation and use of scarce resources of Law No. 8622 (CAFTA), in relation to Articles 7, 10, 11, and 12 of the General Telecommunications Law, the Executive Branch issues the National Frequency Allocation Plan and grants concessions for the use and exploitation of the radio frequency spectrum, defining the obligations and conditions for their granting, including these types of measures via regulations, based on what is established in Article 42 of the General Telecommunications Law. For its part, Article 3, in its subsection o), of Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Higher" establishes the concept of hardware and software supplier, which includes manufacturers of transmission telecommunications equipment, as well as other external suppliers. Subsequently, Article 4 contemplates the national risk scenarios for 5G and higher networks linked to the supply chain, some of which are directly linked and are the following: II. Risk scenarios related to the 5G supply chain: • R3: Low-quality products. • R4: Dependence on a single supplier in certain networks or lack of diversity at the national level, when this supplier is responsible for configuring and integrating all the active equipment and software of the solution, or if the network is composed of active equipment and software from a single manufacturer. III. Risk scenarios related to the modus operandi of the main risk agents: • R5: Interference by States through the 5G supply chain, when this could compromise the security, availability, integrity, and privacy of information. • R6: Exploitation of 5G networks by organized criminal groups to attack end users. • R7: Significant damage to critical infrastructures or services. Likewise, Article 6 establishes that operators regulated by its scope of application must adopt, implement, and maintain reference standards, among which is the SCS 9001 standard called "Supply Chain Security and Cybersecurity Standard"; and Article 7 of the Regulation determines, as an element to be considered by Operators subject to the public procurement legal regime in their risk analysis of 5G and higher networks, the following: "d) Dependencies on certain suppliers in critical elements of the 5G and higher network." Article 8, for its part, establishes the duty to adopt adequate measures to manage the risks identified in accordance with Article 7, specifically the following: "(...) e) Comply with the implementation of the standards indicated in Article 6 of this Regulation. (...) g) Require their hardware and software suppliers involved in 5G and higher networks to comply with cybersecurity standards, from the design of products and services to their commissioning. h) Control their own supply chain to guarantee a secure operation and exploitation of mobile telecommunications networks and their services. i) Design a diversification strategy in the supply chain of telecommunications equipment, transmission systems, switching or routing equipment, and other resources that allow the transport of signals in a 5G or higher network, in such a way that said equipment, systems, or resources are provided, at a minimum, by two different hardware and software suppliers." Also, numeral 9 in its last paragraph reiterates the need to consider the SCS 9001 (supply chain) standard in said public procurement procedures. Now then, Article 10, subsection e), of the Regulation under analysis defines as a high-risk parameter that Operators use hardware and software suppliers that have their headquarters (sede) in a country that has not manifested its consent to be bound by the compliance with the Convention on Cybercrime (Budapest Convention). Its "headquarters" (sede) must be understood as the main nucleus of the hardware and software supplier, or the main headquarters of its business organization, it being necessary to remember that Article 3, in its subsection o), includes as suppliers the manufacturers of telecommunications or transmission equipment, as well as other external providers. Therefore, it is a legal duty of the Operators subject to the scope of application of the "Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Higher" Executive Decree 44196-MSP-MICITT, who promote public procurement procedures that include within their object the equipment for the use and exploitation of the radio frequency spectrum that has been enabled through a concession title, to verify that their supply chain (manufacturers/suppliers) complies with the provisions for risk mitigation and management to guarantee a secure operation and exploitation of mobile telecommunications networks and their services, which implies that their suppliers have their headquarters in a country that has manifested its consent to be bound by compliance with the Convention on Cybercrime (Budapest Convention). In this regard, this Collegiate Body must assess that the petitioner does not currently hold an enabling concession title for the provision of telecommunications services, the operation of networks, or the provision of services under fifth-generation or higher 5G technology; therefore, it is not included within the scope of application of the regulatory norm; furthermore, given that it is a Costa Rican merchant, it would not be covered by said risk parameter, which demonstrates the impropriety of any alleged discrimination in this particular. It is legitimate because it seeks to guarantee national security and public order. In this regard, the European Convention on Cybercrime has been classified by the Council of Europe as the most comprehensive international standard in this matter, as it intensifies cooperation between countries, electronic evidence, and the prevention of cybercrime. Said Convention also arises in a context of a need to prevent acts directed against the confidentiality, integrity, and availability of computer systems, networks, and computer data, establishing obligations for signatory countries, as is the case of Costa Rica, which must adopt its regulations in adherence to the protection of the highest legal principle of human dignity. In this way, the Budapest Convention promotes a legal framework for international cooperation whose purpose is the protection of the human person and their rights in cyberspace. This Convention arises in a context of necessity and establishment to prevent acts directed against the confidentiality, integrity, and availability of computer systems, networks, and computer data, as well as the abuse of said systems, networks, and data, establishing obligations for signatory countries, as is the case of Costa Rica, which must adopt its regulations in adherence to the protection of the highest legal principle of human dignity. Now, it is important to specify that the Decree in question, in relation to the adoption of the Budapest Convention, defined among its parameters those of lesser impact. In this regard, it can be observed that within the measures, the Regulation requires the simple "manifestation of willingness to be bound by compliance with the Convention"; note that, from the literal wording of said provision, the quality of signatory country per se is not required. The Convention also behaves as an instrument with additional advantages in cybersecurity matters in favor of persons, and in this line, the following can be extracted: • The Convention provides a legal framework for international cooperation in cybercrime and digital evidence matters. • States Parties may be members of the Committee of the Convention on Cybercrime, which is currently the most relevant intergovernmental body dealing with cybercrime. • States Parties share information and experiences, evaluate the implementation of the Convention, or interpret it through Guidance Notes. • The Committee of the Convention on Cybercrime may also prepare additional Protocols to this treaty. Therefore, even if a State did not participate in the negotiation of the original treaty, a new State Party may participate in the negotiation of future instruments and the future evolution of the Budapest Convention. • States Parties to the Convention commit to each other for reliable and efficient cooperation. • States Parties that request accession or have acceded may become priority countries for capacity-building programs. Such technical assistance is to facilitate the full application of the Convention and improve international cooperation capacity. Thus, the Regulation under study introduces differentiating objective elements that are entirely permissible under domestic and international community law, which should not be classified as discriminatory, as they respond to the need to guarantee an environment of respect for the human rights regime of end users of telecommunications, which could only occur among countries that have manifested their intention to accede to the Budapest Convention, in the interest of not tolerating acts that threaten cybersecurity and human dignity. F) When the subjects included in the scope of application of Article 2 of this regulation use hardware and software suppliers that do not comply with the cybersecurity standards set forth in Article 6 of this Regulation. - EXERCISE OF TECHNICAL REASONABLENESS Standards are necessary because they provide a guide and best practices that must be applied or implemented in technological platforms to minimize security risks that may arise. Otherwise, the lack of compliance with standards can cause or lead to deficiencies in the protection of the confidentiality, integrity, and availability of information, which are the pillars of cybersecurity. It must be considered that cybersecurity standards, like any other standard, are a detailed process involving multiple stages and the participation of area experts from various countries and organizations in order to provide a guide of best practices, policies, and procedures to decrease security risks in technological platforms and combat growing threats in cyberspace. Suitability resides in that the standards address the main threats and risks in the provision of technological services for their mitigation and better management of security risks in the face of cyber threats that could compromise technological infrastructures and thereby affect the essential and critical services of the country, the information of the inhabitants, and the continuity of technological services. Said standards address an entire cybersecurity cycle in its different stages, including detection, protection, identification, response, and recovery of technological services, and thereby guarantee the existence of security controls to minimize existing risks in cyberspace. These measures are fundamental since they apply due care and due diligence when providing critical services.

Regarding proportionality in the strict sense, it is indicated that the severity and frequency of cyberattacks justify the need to adhere to cybersecurity standards, so the decision to consider providers that do not comply with the standards as high risk is proportional to the potential security risks that these providers may present, such as data breaches, malware attacks, and other threats that could have been avoided or minimized by complying with cybersecurity standards. The country has already suffered such attacks, and by merely having applied those standards, the impact that would have been had in terms of loss of information, continuity of services, leakage of sensitive information, unavailability of services, and economic damages and losses, would have been largely minimized. It is for this reason that different organizations, companies, and others implement this type of standards; to minimize these risks and comply with international regulations is appropriate and proportional to the benefit that can be obtained. Likewise, regarding the legitimacy of foreseeing this risk, implementing these standards is a legitimate and widely accepted practice in the global community. These standards are the result of a broad consensus among security experts, industry, and different expert organizations in the area, to reflect the current best practices in the field. From a technical point of view, the standards offer guidelines to strengthen systems and networks. These include aspects such as encryption, authentication, patch management, incident response, service continuity, among others. Non-compliance with these standards means that products and services could lack fundamental security measures, exposing users to significant risks and the country to national security risks.

- EXERCISE OF LEGAL REASONABLENESS In relation to the analysis parameter, due to its purely technical nature and given that this report extensively refers in other sections to the necessity, suitability, proportionality, and legitimacy of the standards required by Article 6 of the “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, the already documented points are reiterated. Particularly, with respect to the supply chain, reference is made to what was already developed in the section on the exercise of legal reasonableness for subsection e).

L. ON THE WEIGHING OF THE GENERAL INTEREST OF NATIONAL SECURITY, THE GUARANTEE OF THE RIGHTS TO INTIMACY, PRIVACY, AND INFORMATIONAL SELF-DETERMINATION OF END USERS, AGAINST THE PARTICULAR INTEREST OF THE PLAINTIFF COMPANY IN RELATION TO THE DEVELOPMENT AND IMPLEMENTATION OF NETWORKS AND THE PROVISION OF SERVICES UNDER FIFTH GENERATION 5G5G AND SUPERIOR TECHNOLOGIES.

It is convenient to begin this section from the public perspective, where there is an element that should be analyzed in light of the Model of the Social State of Law and the Economic Constitution contained in our Fundamental Norm, which is the obligation to protect human and fundamental rights derived from Article 24 of the Constitution, extensively referred to in previous sections, since it is also of general interest. In this way, our Social State of Law is the result of a State that establishes social guarantees and individual rights, that maintains paternalistic features, but that seeks minimal intervention. In that sense, the Sala Constitucional, in Voto N° 311-1997 issued on January 15, 1997, indicated the following:

(…) The current Constitution, in its Article 50, enshrines an important criterion in this matter, giving constitutional foundation to a certain degree of State intervention in the economy, as long as it is not incompatible with the spirit and conditions of the "social market economy" model established constitutionally, that is, that norm, and its constitutional context, postulate economic freedom but with a certain reasonable, proportional, and non-discriminatory degree of state intervention, allowing the State, within such limits, to organize and stimulate production, as well as to ensure an "adequate" distribution of wealth. This Chamber in its ruling #1441-92, of 15:45 hours on June 2, 1992, ordered: ‘The basic general principle of the Political Constitution is enshrined in Article 50, by providing that "the State shall procure the greatest well-being for all the inhabitants of the country, organizing and stimulating production and the most adequate distribution of wealth" which, together with the declaration of adherence of the Costa Rican State to the Christian principle of social justice, included in Article 74 ibid., determines the very essence of the political and social system we have chosen for our country and which defines it as a Social State of Law’ (The highlighting is our own) For this reason, as a social guarantee within this Costa Rican Social State of Law, freedom of enterprise is noted as one of those fundamental rights that must be protected not only in the legal regulations issued by the ordinary Legislator, but also by all State institutions in the development of their administrative function, pursuant to the provisions of Article 46 of our Political Constitution. In that sense, the Sala Constitucional, in the cited Voto N° 311-1997, indicated:

“(…) Freedom of Enterprise: This freedom contained in Article 46 in relation to Article 28, both of the Political Constitution, guarantees every person the right to undertake any economic activity, provided that it does not threaten public order, good customs, or harm third parties. To the extent that the Political Charter enshrines this freedom as a constitutional right, it means that an interventionist policy by the State that ends up suppressing that right is intended to be avoided. This does not mean that the State is not empowered to control that activity, logically preserving a sufficient sphere of commercial freedom among private parties or between them and the State. In a democracy like Costa Rica's, in which a market economy was adopted, the State must make use of good planning to induce certain individuals to develop an economic activity it considers beneficial and convenient for the country's development. (…)” (The highlighting is our own) This is essential in accordance with the Economic Constitution, recognized by this esteemed Sala Constitucional in repeated pronouncements, as the set of values, principles, and precepts that regulate the economy and the market. In that order of ideas, through Resolución N° 3495-92 of November 19, 1992, said jurisdictional body ordered:

“In this matter –the economic one– the Constitution is particularly precise, establishing a regime composed of rules that safeguard the links existing between persons and the different classes of goods... Thus, the Constitution establishes an economic order of freedom that basically translates into the rights of private property (Article 45) and freedom of commerce, agriculture, and industry (Article 46) –which in turn imply free contracting–... and to these are added others, such as freedom of labor and others that complete the general framework of economic liberty (VI, Ibid.).” That is to say, the Costa Rican model promotes the protection of freedom and particularly, through the Economic Constitution, freedom of enterprise and free market competition with minimal state intervention, also considering the provisions of Article 46 of the Political Constitution, which recognizes a fundamental principle of our economic system, namely freedom of commerce and, particularly, the assurance of free competition as an element of the social market system.

The Procuraduría General de la República, regarding freedom of enterprise, stated in its legal opinion N° OJ-026-2002 of March 15, 2002, the following:

“(...) Freedom of Enterprise: This freedom contained in Article 46 in relation to Article 28, both of the Political Constitution, guarantees every person the right to undertake any economic activity, provided that it does not threaten public order, good customs, or harm third parties. To the extent that the Political Charter enshrines this freedom as a constitutional right, it means that an interventionist policy by the State that ends up suppressing that right is intended to be avoided. This does not mean that the State is not empowered to control that activity, logically preserving a sufficient sphere of commercial freedom among private parties or between them and the State. In a democracy like Costa Rica's, in which a market economy was adopted, the State must make use of good planning to induce certain individuals to develop an economic activity it considers beneficial and convenient for the country's development. However, a growing orientation in the State's economic policy has gradually produced limitations on freedom of commerce, justified in the social interest of avoiding certain dangers to the detriment of society itself” (...).”

Notwithstanding the foregoing, the Sala Constitucional and, in turn, the Procuraduría General de la República have highlighted that freedom of commerce possesses the character of a relative and not absolute freedom, since its unrestricted exercise is not possible when it involves a finite good, subject to constitutional limits. In this regard, see Dictamen C-149-2001 of May 24, 2001, where the Procuraduría indicated:

“(...) a situation regulated by Ley N. 2726, particularly regarding the protection of the national producer, the Chamber adds: \"(...) the State intervenes regulating one of the elements of that activity, out of strict public interest to protect the productive sector (...) which otherwise would be affected, also generating harm to the entire economic system. By virtue of the foregoing, the Chamber understands that regarding the authorization the law grants to the Executive Branch to set the minimum price of bananas, it is one of the exception cases of the second paragraph of Article 28 of the Constitution, since that measure is intended for the effective protection of freedom of enterprise and the fulfillment of the obligations incumbent upon the State in the equitable distribution of the benefits produced by the exploitation of that activity, in accordance with the protection of the public interest existing in the maintenance and improvement of the productive system and the national economy. (Ibid.). If freedom of commerce were an absolute freedom, one would have to conclude contrary to what was stated by the Chamber, meaning that such price setting is a denial of the principle of free competition as an adequate mechanism for allocating scarce resources in society. However, precisely because it is a relative freedom, because its content is delimited by the rest of the constitutional order, it follows that these limitations are constitutionally valid\".

This being so, Article 15 of Ley No. 2762, which prohibits processors from receiving coffee from those who are not producers, is just another of the State's necessary measures to provide protection and shelter to a sector that requires it: the national producer. And with this, not only is a measure established that is necessary for the weaker party of the coffee activity, but a benefit for the economy as a whole is guaranteed insofar as an activity is maintained that has traditionally constituted an important source of work and remuneration for the national population. It is, simply, one more realization of the Social State of Law in its function of procuring the greatest well-being for its inhabitants”.

Analogously to the antecedent transcribed above, the limit of freedom of commerce is appreciated in relation to the use and exploitation of the radio spectrum, and the correlative obligation of the Executive Branch to guarantee the safeguarding in 5G and superior networks of the fundamental rights to intimacy, privacy, and the secrecy of communications, and the right to informational self-determination, all of which are based on the dignity of the person and the conscious and responsible self-determination of one's own life, which entails the need to guarantee the free exercise of these human rights and fundamental rights alongside the exercise of freedom of enterprise. In this way, the measures adopted by the Executive Branch are aimed precisely at regulating the exercise of freedom of enterprise in a finite public domain good such as the radio spectrum, vis-à-vis the weakest link in the telecommunications service chain, that is, the end user, who after all will utilize the service and, in the face of an imminent risk, may see the regime of fundamental rights already cited and guaranteed by the legal framework of telecommunications undermined, through not only the recognition of said rights but also the delegation to the Executive Branch to establish, through regulations, the suitable technical and administrative measures to ensure their safeguarding and free exercise.

This position, in turn, is dimensioned by the Procuraduría General de la República, in Dictamen C-151-2011 of July 5, 2011, in the following terms:

“(...) the constitutional consecration of the spectrum as public domain determines that the exploitation of the good is not free. Private parties cannot base themselves on freedom of enterprise or the autonomy of will to seek to exploit such goods (Sala Constitucional, 3067-95 of 15:42 hrs. on June 13, 1995 and five. and 6053-2002 of 14:38 hrs. on June 19, 2002). As is known, said private exploitation requires an act of a public nature that founds and permits it. The immediate consequence of Article 121, subsection 14, of the Constitution resides in that private use of this good is not permitted and, therefore, the private individual cannot obtain a private utility in the absence of legal authorization. Which derives from a special concession granted by the Asamblea Legislativa or from an administrative act issued in accordance with the law that establishes the corresponding conditions and stipulations. The Constitutional Text has not undergone any variation, therefore the private exploitation of this good without a concession that founds it continues to be invalid, as established by the Sala Constitucional in its ruling N. 5386-93 of 16:00 hrs. on October 26, 1993. The foregoing because: \"... it is the constitutional norm itself that qualifies the electromagnetic spectrum as goods of the Nation, allocating it to certain public services –which correspond specifically to the Instituto Costarricense de Electricidad and to the company RACSA– but it does not authorize public use of it, for which reason it is a good that under no circumstances can leave the domain of State control, reason why such wireless services can only be exploited by private parties under the terms provided by the Constitution, since goods owned by the Nation are at stake. In this sense, it can be affirmed that there exists public or domain ownership over the use and exploitation of this good, which is affirmed by the need for public exploitation of the utility that the good may entail for society, insofar as it is a collective wealth. Thus, both the good –electromagnetic waves– and its use and exploitation are outside the commerce of men, so it is not any person who can exploit them based on their will and freedom of commerce, as the plaintiff intends, for which reason there is no infringement of Articles 28 and 46 of the Political Constitution. ..\", Sala Constitucional, N. 3067-95 of 15:42 hrs. on June 13, 1995. \"Wireless services do not constitute a good that the private individual has the innate right to use or over which they exercise some type of rights, or that the State has the obligation to make available to the private individual; what occurs is that if the State sees fit and considers that it can dispose of that good to be exploited by the private individual or by the Administration itself, it does so through the corresponding administrative or legislative concession granted temporarily, as the case may be, by virtue of the fact that airwaves form part of the spectrum, which is a domain good belonging to the Nation\". Sala Constitucional, ruling 6053-2002 of 14:38 hrs. on June 19, 2002”. (...)”

In this sense, the Sala Constitucional has already faced the need to carry out that weighing of interests, thus, for example, in Resolución Nº 07044-1996 of 10 hours 09 minutes on December 24, 1996, it contemplated that when it comes to public order and national security, the Executive Branch must have special sensitivity to opt for what is most beneficial for the community, thus it is extracted that:

V.- On the other hand, when confronting the questioned norms with the notion of public order that enables the legislator to restrict, among others, freedom of commerce, supposedly threatened by the creation of the fuel monopoly, the Chamber adopts the reasoning set forth both by the Procuraduría and by the Representative of RECOPE, in noting the enormous importance that petroleum derivatives have in the development of the country's life, not only in its economic aspects where they are practically a fundamental and indispensable part for the development of productive activities, but also regarding public safety, which implies the handling and control of a resource dangerous to the health and life of citizens, aside from the fact that, being neuralgic and valuable, it is an ideal target to achieve –through its malicious handling and control– the prostration of the country for the benefit of any type of interests. Thus, it is not even necessary to delve further into the concept of public order to conclude that it is undoubtedly involved in the import, refining, and wholesale distribution of petroleum derivatives; it suffices only to imagine what would happen if problems –provoked or not– were to arise in any of the monopolized facets and to realize how disastrous that would result for the country. For what has been said, the Chamber concludes that there is no transgression of the constitutional limit established for the legislator through the concept of public order, because it is indisputable that petroleum-derived fuels –as economic goods– have a particular characteristic, which is that of being a scarce and vital resource as explained, for which reason they are of public order and must be strictly controlled by the State, and in some cases, be subject to a monopoly, if deemed necessary and opportune for the country.” Due to all the foregoing, it is possible to affirm that the essential content of freedom of enterprise corresponds to guaranteeing the right of every person to undertake any economic activity, provided that it does not threaten public order. This Ministry deems it meritorious to appear before this honorable Sala Constitucional, so that the line of argument highlighted here may be assessed, insofar as the company [Name 002], within its claims, challenges the content of the “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, in order to eliminate provisions that, in its view, are discriminatory and unjustifiably harm its participation in different tender processes. Specifically, it is recorded in the case file of the amparo appeal that the appellant company requested: “(...) to suspend the publication of any tender specifications or, if already published, the suspension of any bidding process by the ICE in which the Reglamento must be applied (...)”. Particularly, this Ministry observes that within the framework of the related case files, the plaintiff company attempts to elucidate the existence of serious damages and harm to its assets if any contracting procedure continues, since the losses to its company are closely related to the business it currently maintains with the Instituto Costarricense de Electricidad, for which, from its own statements: “the ICE represents 60% of Huawei's business in Costa Rica; if Huawei is prevented from participating in the tender, it would directly affect around 80 employees in Costa Rica, in addition to the financial losses for the company”. This argument is powerfully striking, given that in matters of administrative contracting, potential bidders may participate under a scheme of equality of conditions, and once their suitability is demonstrated, they may benefit from an award. As has been developed in this report, the principle of equality deriving from the Human Rights protection regime does not admit discriminatory forms, only differentiating elements whose distinction lies in the existence of an objective justification. This same legal interpretation applies to the principle of equality and free competition in administrative contracting matters, where the principle has two aspects. The broadest participation under equal conditions must be guaranteed, in the absence of unjustified restrictions. Conversely, bidders may also participate under a series of restrictions that have been duly motivated, ergo, justified, when the object of the contract so requires due to the technical specialty that characterizes it. “(...) although it is clear that the Administration is the one that best knows the need it seeks to satisfy through the promotion of a public tender, and for that reason it is the Administration’s responsibility to define it at its discretion, evidently in the exercise of said discretion, the Administration must respect the unequivocal rules of science and technique, as well as the elementary principles of justice, logic, and convenience, in application of the provisions of Article 16 of the Ley General de la Administración Pública, and the principle of efficiency, in the sense that the procedure should tend toward the selection of the most convenient offer for the public interest. So that the structuring of the public need to be satisfied through the realization of the tender must respond to a reasoned analysis supported from a technical and legal point of view that allows for adequately backing up the characteristics, functionalities, and technical requirements that the acquisitions it intends to make must satisfy. It should not be lost sight of that even it is possible that the definition of technical requirements may entail a limitation on free participation to the extent that it is adequately substantiated.” (The highlighting is our own) Hence, limitations on participation are totally legitimate as long as they adhere to the principles of conventionality, reasonableness, proportionality, the block of legality, and the rules of science and technique and legal logic, parameters which, as has been demonstrated, were observed when issuing said Reglamento and which consequently must be observed by any contracting Administration when bidding with public funds. Therefore, any company interested in bidding possesses at most an expectation of a right, so it cannot be expected that the Administration will adapt its actions and specifications to its interests. Thus, it is not possible to understand that Huawei's current business conditions confer upon it some sort of pre-constituted right, as the plaintiff seeks to present, which would seem to lead to the conviction that its business turnover must be maintained perpetually under such conditions to guarantee the financial sustainability of the company. Even it is seen that if 60% is dedicated to operations of this nature, it has another alternative of 40% as a possibility of income to exploit. It is by virtue of the foregoing and the interests at stake, which have been extensively set forth herein, that the Executive Branch has the legal and constitutional powers to regulate the conditions and obligations for the allocation of the spectrum in the country regarding its use and subsequent exploitation, and therefore its administrative conduct of establishing objective technical and administrative measures is protected by a superior public interest of maintaining order in telecommunications matters, safeguarding national security, and the effective protection of the rights to intimacy, privacy, and informational self-determination of the end users of telecommunications services. Consequently, the Chamber is respectfully requested to weigh this particular interest, and in the absence of serious damages and harm, against the public interests protected by the Executive Branch through the “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT. In this sense, the national security information that is provided must be assessed by this Collegiate Body for the purpose of truly weighing the national interests that are at risk.

M. ON OTHER EX OFFICIO CONSIDERATIONS REGARDING THE ARGUMENTS AND INPUTS PROVIDED BY [Name 002].

a. The plaintiff company does not have an enabling title for the operation of networks and provision of telecommunications services in 5G technology and superior according to Costa Rican sectoral regulations.

On this matter, it must be contextualized that, in accordance with Article 1 of Ley N°8642, natural or legal persons, public or private, national or foreign, that operate networks or provide telecommunications services that originate, terminate, or transit through national territory are subject to sectoral regulations. Specifically, it provides:

“ARTÍCULO 1.- Object and scope of application The object of this Law is to establish the scope and mechanisms of regulation of telecommunications, which includes the use and exploitation of networks and the provision of telecommunications services. Natural or legal persons, public or private, national or foreign, that operate networks or provide telecommunications services that originate, terminate, or transit through national territory are subject to this Law and to Costa Rican jurisdiction.” In that sense, the referenced Reglamento arises as part of the regulatory powers of the Executive Branch to regulate the activity that requires precisely the use or exploitation of the radio spectrum and that can only be carried out by those operators that, for this purpose, possess an enabling title. In that sense, the regulatory provisions discussed herein refer to the obligations of the Operators and Providers subject to regulation, regarding the management and mitigation of their risks in accordance with the defined scenarios for the operation of networks and the provision of their services. As has been well indicated, it is the operator who has the obligation to ensure that its supply chain complies with the parameters and standards established for these purposes. For informational purposes, it is clarified that the company [Name 002] does not currently possess a registered and valid enabling title before the Registro Nacional de Telecomunicaciones, for which purpose the registry certification N° 178-SUTEL-2023 is provided for the corresponding declaratory effects. Due to the foregoing, the Sala Constitucional must take into account that said company would not be subject to the scope of application established in Article 2 of the “Reglamento Sobre Medidas de Ciberseguridad Aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores”, Decreto Ejecutivo N.º 44196-MSP-MICITT. Note in this regard that in its Article 2, Decreto Ejecutivo N.º 44196-MSP-MICITT provides that “The active operation of networks and services based on fifth generation mobile technology (5G) and superior is subject to this regulation, by natural or legal persons, public or private, national or foreign, that operate networks or provide telecommunications services based on fifth generation mobile technology (5G) and superior that originate, terminate, or transit through national territory, excepting the operation of private telecommunications networks.”; it is for this reason that it lacks active legal standing, by seeking a regulatory impact that does not apply to it.

b. Regarding the study called “Evaluación del impacto económico de la exclusión de proveedores en las inversiones de la red 5G en Costa Rica” issued by the Centro Internacional de Política Económica para el Desarrollo Sostenible-UNA (CINPE) in October 2023.

The record of case files No. 23-023887-0007-CO (Amparo appeal) and No. 23-025158-0007-CO (Unconstitutionality action) includes the study submitted as evidence by the company Huawei titled "Evaluation of the Economic Impact of the Exclusion of 5G Network Providers" (Evaluación del Impacto Económico de la Exclusión de Proveedores de la Red 5G), prepared by the International Center for Economic Policy for Sustainable Development (CINPE) of the Universidad Nacional. In this regard, the following observations are issued with the purpose that they be considered by the Magistrates for a better provision, as follows: i. General aspects of the study • The study was prepared by five professionals in the field of economics, all with a master's degree in this social science. In this sense, it is not observed who or which technical engineering entity or organization advised on the development of the technical scenarios used as the basis for the study in question. • CINPE states that: “The research was requested by the company [Name 002] in light of the imminent exclusion of that company from providing 5G service in Costa Rica; however, it is essential to emphasize that the researchers worked with complete independence and without pressure of any kind.” Despite what was stated by the researchers regarding the impartiality, transparency, and objectivity of the study carried out as argued by the authors, it is not observed that the study has been validated by experts external to CINPE, which could support the stated independence of judgment, nor is the origin of the information used in the development of the technical engineering scenarios that served as the basis for the study's analysis observed. The absence of elements such as those indicated above, from a methodological point of view, does not allow for the possibility of any conflict of interest of the sponsor in relation to the outcome of the study under analysis to be ruled out at the outset. • The name and numbers of the tables described in the study's table of contents do not match the information recorded in the study. • Technical rigor of an impact evaluation: throughout the document, the term impact is used on multiple occasions, even in descriptive chapters. However, in the body of the document, no mention is made of the conceptualization of impact being used as a basis in the study, nor to which evaluation methodologies it corresponds. • It is important to emphasize that from what is described in the document, it seems that the intention of the research corresponds to an ex ante impact evaluation, however this is also not explained in the body of the document, which is considered important because ex ante is nourished by other evaluations, especially those addressing similar topics or areas that have already concluded or completed the final evaluation and received continuity (Gertler et al., 2016; OECD, 2001; Solano & Alonso, 2020). • Along these same lines of thought, it is highlighted that although the study is presented as an impact evaluation, the development of the document seems to correspond more to a projection analysis, especially since impact evaluations are long-term instruments, as a sufficiently significant collection of results is required precisely to determine the existence or not of an impact in scientifically strict terms (Gertler et al., 2016; OECD, 2001; Baker, 2000; Asian Development Bank, 2006). • Most of the tables presented in the report do not indicate their sources, but rather mention that they are "industry average data," "own elaboration," or simply do not indicate. Given the above, this Rectoría proceeded to request information on the information sources used, via official letter MICITT-DVT-OF-841-2023 dated November 1, 2023. In that order of ideas, CINPE, via official letter UNA-CINPE-OFIC-3442023 dated November 6, 2023, sent the results of the aforementioned study; however, it omitted sending the requested information sources. Given the above, MICITT reiterated the request made, this time via official letter MICITT-DVT-OF-850-2023 dated November 17, 2023. Subsequently, CINPE, via official letter UNA-CINPE-OFIC-358-2023 dated November 22, 2023, partially sent the requested information. It is important to clarify that, although CINPE sent four information sources and web links to address MICITT's request in official letter MICITT-DVT-OF-850-2023, it was not possible to corroborate the data from the CINPE study with these sources, since the methodological procedure for extracting that data was not detailed. • There are at least two versions of the CINPE study, the one found in case files No. 23-025158-0007-CO and 23-025158-0007-CO (subject to study by this Rectoría) and the one available at: https://www.cinpe.una.ac.cr/index.php/investigacion/nucleos-de-investigacion/exclusio-n-de-proveedores-para-5g which, according to CINPE's clarification, is the final and official document; put another way, it seems that the document found in the aforementioned case files and used as evidence in the Amparo Appeal and the Unconstitutionality Action filed by the company [Name 002] is considered by CINPE as a preliminary version, and not the final and official one. ii.- In relation to Chapter I on the evolution of cell phone generations and the impact of 5G technology on the Costa Rican economy The study begins with a first chapter addressing the evolution of cell phone generations and the impact of 5G technology on the Costa Rican economy. This chapter presents a description of the development of telecommunications at a general level, not necessarily only at the Costa Rican level. However, what draws attention is that the statements presented in this chapter, while seemingly a section built on secondary information, lack bibliographic references to support such statements, according to the principles of technical and scientific rigor expected of academic research. Likewise, in this section, criteria and recommendations are given for which no methodological framework is indicated as a basis, which seems to respond to value judgments and not to assessments that necessarily have evident support. Insistent mention is made of impacts generated by the implementation of policies in the telecommunications sector (especially focused on cybersecurity regulations); however, the following is also not mentioned: i) what definition of impact is being used as a basis in the study, which in turn directly affects the second missing element, which is ii) what methodological framework is used to determine the assertion of the impacts mentioned in this chapter. iii.- In relation to section 2.1 financial cost for mobile phone operators In this regard, CINPE mentions that: "(…) the investment estimate has three components, i) the capital expenditure on infrastructure, in which Huawei, having an installed base from the 2G, 3G, and 4G projects, has a comparative advantage over competitors; ii) the capital expenditure on services that includes the design, installation, configuration, integration, and maintenance for the 5G network. The latter is fundamental since the networks are interconnected such that the arrival of a new competitor would imply additional investments due to breaks in the economies of scale that Huawei has generated." (Highlighting is ours) However, as can be observed, only two components are presented; therefore, it is not possible to know what the third component is that CINPE claims. In this section, it is also spoken of as if the towers and sites where cellular infrastructure has been deployed belong to the HUAWEI provider, or at least that is how it seems, when in reality the sites where infrastructure has been installed belong to the operators directly, or are rented from third parties. Therefore, regardless of the provider or the technology, the operator already has its sites or must seek new ones for deployments according to coverage needs, and this is unrelated to the sites where Huawei brand equipment is currently installed for the three (3) mobile (cell phone) operators in Costa Rica. Also, in this same section of the report, CINPE mentions that "(...) on average Huawei offers a price 3.47 times lower than the rest of the distributors, leading to a significant impact in terms of financial planning for local operators." It should be emphasized that, in methodological terms, relying on the estimation of an average is not necessarily sufficient to assert the possibility of an impact, without methodological backing. Likewise, this can be contrasted with what is presented in subsection b of this section, where it is noted, for example, that there are lower offers than the one presented by the company Huawei. On the other hand, it is important to mention from an engineering perspective that, while it is true that equipment from any hardware and software supplier that does not comply with what is required in the referenced executive decree, such as radio base station and Core Network components, could, in some cases, be cheaper, the application of the decree does not mean they must be discarded. Therefore, this equipment can continue to operate as part of the 4G or earlier solution until it naturally degrades and requires component replacement, which at that time must normally consider the relevant quotations and the application of the decree's rules. The decision on how, when, and where the 5G network will be deployed and how resources from previous generations can or cannot be leveraged depends on each operator, on the development previously carried out to date, on its business model for 5G, on its commercial strategy, on its development plans, on its chosen 5G network topology, on the characteristics of its previous generation networks, among others, so that only the operator can determine what it wishes to do with its investments in 4G and earlier solutions. iv. In relation to section 2.2 economic cost to the country of restricting providers in 5G technology investments In this section, CINPE mentions that: "(…) That estimate was made for a 5-year horizon and the present value was calculated using a discount rate of 11.57% corresponding to that dictated by the Superintendencia de Telecomunicaciones" (Highlighting is ours). However, in section 3.2 Tariff approach based on "Cost-Plus analysis," it is stated that "(…) For the case of the rate of return for this exercise, a pre-tax rate of return of 12.82% is assumed. This is the rate of return on equity for the telecommunications industry indicated in File GCOTMA-00252-2021." Likewise, it is unavoidable to highlight that the Superintendencia de Telecomunicaciones, via resolution of its Board of Directors RCS-223-2022 "UPDATE OF THE RATE OF RETURN ON EQUITY FOR THE TELECOMMUNICATIONS INDUSTRY (CPPC)" file GCO-TMA-01367-2022, updated the rates cited in the previous paragraph for the 2020 period, establishing them as follows: post-tax rate at 10.94% and pre-tax rate at 11.61%. Subsequently, the Superintendencia de Telecomunicaciones again updated the WACC for the 2021 period via resolution of its Board RCS-120-2023, establishing the rates at 11.98% post-tax and 13.46% pre-tax. Finally, for the 2022 period, the Superintendencia, via resolution RCS-2522023, updated the rates at 13.91% post-tax and 15.26% pre-tax. The foregoing draws attention given that, although the study under analysis was prepared in 2023, data from the 2019 period were used, while recent data adjusted to the national reality and the country's telecommunications market were available, especially since according to CINPE "the tariff model used in the study corresponds to the regulatory model by Internal Rate of Return (IRR)." From an engineering perspective, it is clarified that, despite the technological advances presented by the company Huawei today, the companies that carried out, evaluated, and deployed the first 5G networks worldwide were Ericsson and Nokia in Europe. In addition to the above, it is necessary to mention that international consulting firms such as Gartner annually publish their findings and analysis regarding the 5G ecosystem and the behavior of solution provider companies in this field, and for the year 2023, a shared "leadership" is observed, as happened in previous years, among the companies Ericsson, Nokia, and Huawei, the same ones that are classified as "Leaders" of 5G in said market analysis. However, it is also observed that the company Ericsson has grown over time in its "ability to execute," leading in this aspect, understanding this ability as the evaluation carried out by the Gartner company of the providers' products, services, their financial health, their market response, and their customers' experience in the field of 5G networks. (…) The CINPE-UNA study also mentions that 5G technology does not "abruptly" replace previous technologies and networks, with which this Ministry technically agrees. However, the study points out in this regard that using a provider other than Huawei, speaking specifically of the case of ICE, which has its 2G, 3G, and 4G networks with said provider, they will practically have to make a "fresh start," according to what is stated in the reference study, which in the opinion of the authors of said study would imply ignoring or discarding the investments already made by ICE by eventually introducing equipment from other vendors, which is not accurate from a technical engineering perspective. In the first instance, it is important to note technically that the transition from 2G networks, to 3G, and subsequently to 4G and its 4.5G evolution is precisely that, the technological evolution of mobile networks, which base their operation on well-defined standards for the industry and the telecommunications sector. Historically, the modernization of cellular technologies has been developed with the sole purpose of improving and increasing their qualities; therefore, each of the generations was effectively created to gradually substitute the previous ones, which is technically normal and will continue in this way not only with cellular technologies but with the rest of the technologies that the human being uses. What is stipulated in the rules dictated by the International Telecommunication Union (ITU) and in the 3GPP standards is multi-vendor compatibility, so it is not necessary to buy the network from start to finish from a single brand. This means it is possible to have networks, whether of the same generation or different generations, coexisting and operating transparently for the end user. In the particular case of 5G networks, it is possible to have a network in a "Non Stand Alone" architecture from hypothetical equipment provider "A," but which, due to its network architecture, must use the existing core network of the 4G network, which itself may be from hypothetical equipment provider "B." In this sense, returning to what was indicated in the study, it is observed from the technical engineering perspective that, given the existence of general standardization in the operation of the different generations of mobile networks, and specifically in the different 5G network architectures, it is not accurate to point out that implementing a network or different interconnected networks from different vendors directly or necessarily means deployments with a "start from scratch," or that it proves financially unprofitable for an operator. In the following figure, it is observed that the coexistence of networks of both generations (4G and 5G), and from different vendors is technically feasible, even in scenarios with direct 5G type core equipment. (…) In this way, it is observed that what is technically asserted, from an engineering point of view, by the economists who formulated the study under analysis, is not accurate, and means that the study, from this point on, lacks solid technical bases to reach conclusions that can be considered technically valid, given that, as indicated in paragraphs above, it is technically possible, even from an investment profitability point of view, for networks of different generations and/or even provided by different vendors or suppliers to coexist, without this necessarily representing a disadvantage from the financial perspective of an operator, in this case ICE. Eventually, 2G, 3G, and 4G networks will be shut down due to obsolescence and disuse through a natural migration of users to new networks with better features, a situation that has already occurred in several countries around the world, with 3G type networks even being completely shut down in some countries, while other operators still maintain and strengthen their 2G type networks to provide connectivity for IoT type devices, which means that instead of seeking to replace networks, as the study suggests in its line of analysis, it is possible for operators to complement the operation of different telecommunications networks, from different generations, for different use cases. A contrary view, as a counterbalance to what was indicated by the study, would be the fact that a single vendor is used for equipping the entire network or networks of different generations under the argument of cost issues, whereas rather, from a market perspective, this same argument could open a path of competitive advantage for an incumbent provider and create an environment that does not allow, at the outset, for the evaluation of equipment offers from different vendors by having the idea that using an incumbent provider will always be the most financially profitable solution, when this may not necessarily be so, as has happened for other segments and network types of the same ICE. While it is true that the compatibility of 3G and 4G equipment is very high due to their very subtle changes at the core network and radio access network level, the new 5G networks have bandwidths well above the maximums that could be achieved with previous core network equipment, limiting these devices. Even though, for example, the vast majority of frequency bands used for 4G type networks can be used for 5G deployments, the latter have the possibility of using millimeter-wave bands above 24 GHz, which means that the radiating systems currently used for 3G and 4G will have to be replaced in many cases. For this reason, the new 5G network may reuse sites where other equipment is currently installed, but due to the usage characteristics of 5G frequencies, more sites will need to be installed. Hence, from an infrastructure point of view, the case of deploying a 5G type network per se results in a high investment for operators, in view of the need for densification of the location sites of the new infrastructure and the hardware modifications that these networks imply. The equipment in reference currently installed from vendor Huawei will necessarily not only require an update, change, or installation of new equipment, but its coexistence with new generation network equipment such as 5G must also be foreseen, which, in the case of different providers, does not directly or unequivocally imply a higher investment, especially considering that there are vendors other than Huawei that have equal economies of scale and market behavior and leadership. This situation has also occurred in other countries, such as Canada. On the other hand, if the deployment experience in our country is a great advantage due to the complexity of our terrain and urbanism, the experience of other providers worldwide is by no means negligible, with installations in other countries with terrain conditions very similar to or worse than ours, such as the experience of the operator Swisscomm in the steep topography of the Swiss Alps, Nepal Telecom in the areas of Kathmandu and Pokhara, or the deployments of the operator Telenor in the remote area of Svartnes and of Telia in some Norwegian fjords. v. Regarding section 3.2 Tariff approach based on "Cost Plus" analysis The CINPE-UNA study indicates that "The tariff approach is based on a 'cost plus' methodology that considers variables such as investment, operating costs, and rate of return. This methodology aims to estimate the income required to cover the costs of the operation and thus establish the percentage variation of the tariff. Exp No. 19,615 Digital scope number 63, Gazette number 154." (intentional highlighting); however, upon reviewing the bill in question, it seems that it concerns the approval of the Cooperation Agreement between the government of the Republic of Costa Rica and the government of the Republic of Ecuador for the protection, conservation, recovery, and restitution of cultural heritage assets that have been the subject of theft, robbery, looting, transport, trafficking, and/or illicit commercialization. Given the above, the relationship between the file in question and the indicated methodology is unknown. vi.- In relation to section 3.3.3 Analysis of Scenarios of Application or Non-application of the Decree. Regarding table 11, the CINPE-UNA study mentions: "Regarding operating costs, they are presented in the following table. It is observed that operation and maintenance expenses represent a representative proportion of the expenses. These represent 97% of the total expenses, table 11." (Intentional highlighting) However, upon verifying the information in the aforementioned table, it is observed that operation and maintenance expenses amount to $15.80 million and the total opex is $462 million; therefore, it seems that said expenses represent only 3% (15.80 / 462) and not 97% as CINPE claims. Likewise, it is observed that the expense-to-revenue ratio is 0.00, but it seems that the ratio is 86.81% (462 / 532.20). Below, the table in question is shown: (…) Source: CINPE, 2023 In this regard, it should be underlined that with the information from said table, CINPE proceeded to build a financial income statement to estimate the effect on the tariff that the application or non-application of the decree would have. Additionally, from an engineering point of view, it should be noted that in 5G networks, the Core Network elements are different in physical proportions and air conditioning requirements, since their sizes have decreased significantly compared to their predecessor generations. Similarly, Operation and Maintenance (O&M), as the equipment is much smaller, with a trend towards simple replacement of parts, and developed for outdoor conditions and the climatic conditions currently experienced on the planet, the allocated budget will vary and tend to decrease. Furthermore, table 11 provides estimated reference costs worldwide, which can be taken as a reference only and cannot be specified for a zone, as it will depend on multiple factors specific to each region, being so variable just by moving a few tens of kilometers, as is the case for our country. On the other hand, in table 14 called Sensitivity Analysis of the Remaining Value of the Investment, USD $, CINPE presents the results of the analysis of two scenarios, the first presents an approach without the decree and the second with the decree. However, inconsistencies were identified in the information presented, which make it impossible to determine with exactitude the increase in financial cost argued by CINPE in the scenario with the decree. Below, the table in question is shown: (…) Source: CINPE, 2023. Additionally, the way the information is presented is unclear, given that the data are superimposed. Regarding the data for the scenario without the decree, the following is observed: In the investment value row in the five-year period column, the amount is indicated as $1,293,328,911; however, upon summing the five years, it seems that the amount corresponds to $864,065,567. Likewise, in the operating expenses row in the five-year period column, the amount is mentioned as $261,000,000; however, upon performing the sum, the amount corresponds to $87,000,000. The same occurs in the profitability row in the five-year period column where it is observed that the amount is $692,332,536; yet upon reviewing the data, it seems that the amount is $230,777,510. In turn, in the required income row, in the five-year period column, the amount observed is $1,313,359,856; however, it seems the amount is $677,804,832. Put another way, of the information recorded in the five rows of the scenario without the Decree, four present alleged inconsistencies. Something similar occurs in the scenario with the decree: in the operating expenses row, it is observed that for all years it is $17,400,000, and the total in the five-year period column is $261,000,000 (same as in the scenario without the decree); however, upon performing the sum, the amount corresponds to $87,000,000. Additionally, it should be noted that in table 12, CINPE defined that for year 1 the amount is $19,140,000; assuming the value remains constant over the five years, the amount should be $19,140,000 for each year; therefore, the sum of the five-year period would amount to $95,700,000. The same happens in the five-year period column in the profitability row, which indicates that the amount corresponds to $996,95,852 (sic), but it seems the amount amounts to $332,319,615. In turn, in the required income row for year 1, the amount of $213,473,759 is observed; however, in table 12 called "Income Statement: 5G Results, year 1, USD $ (scenario)" it is mentioned that for the scenario with the decree, income required for the first year is $215,213,759. Consequently, it is not possible to know what the respective amount is. In other words, of five rows of information corresponding to the scenario with the decree, at least three present alleged inconsistencies. In order to illustrate the data described above, below is a more detailed table, in which the result of the sum of each of the five years is recorded in the five-year period column: (…) Source: own elaboration with data from CINPE, 2023. Additionally, the CINPE-UNA study highlights that "the financial economic cost of continuing with the implementation of Executive Decree No. 44196-MSP-MICIT is USD $463 million," which appears to come from the difference between the required income of the scenario with the decree ($1,776,398,193) minus the required income without the decree ($1,313,359.856) indicated in table 14 cited above. However, as can be seen in the previous table, the amount would be $268,654,123 ($946,458,955 - $677,804,832), using the values and assumptions set forth by the Center itself. In another order of ideas, it is worth mentioning that the study employs, in the authors' view, the cost-plus model for tariff analysis and projection of telecommunications services. This model considers, indeed, the issue of investment costs, operating expenses, and return on investment. As has been pointed out, the study uses the issue of investment costs under certain questionable technical models, but it does not address the problem that, from the OPEX perspective, implies not correctly sizing the usage scenarios and the densification of radiating systems, nor does it address the return on investment involved in developing the different 5G network use cases, which are not present as monetization models from previous generation networks, such as the virtualization of part of the mobile networks or the provision of cloud-type services, which means that the estimation of traditionally used tariffs may not be as directly applicable as the study determines. From the technical engineering perspective, it is emphasized that the implementation of any new network necessarily implies an investment by the operators, which is directly linked to the budget and the need to be met; therefore, the network will be as expensive as it is large and complex. Therefore, any assertion in the cited CINPE report that is linked to a "with decree" scenario misleads the reader, since said scenario evaluates and contemplates conditions that technically cannot be linked to the application of the executive decree under analysis.

Moreover, the study does not present evidence of the eventual negative impact on investment budgets, profitability, and CAPEX for those operators worldwide that have already decided to deploy 5G mobile networks with equipment suppliers other than Huawei, which also prevents contrasting the numerical exercise and the projections made for the case study of the Costa Rican operator. There is evidence that the current effects on CAPEX and investment levels globally for telecommunications operators are more related to the global economic situation and the slowdown of some large economies, which impacts the prices of goods and services, than to the choice of a network equipment supplier. In terms of the business model of mobile networks, it is known that the total cost of ownership (TCO) of a mobile network, and principally for those incorporating new technologies, is composed of the sum of capital expenditures and operating expenditures for the access, transport (backhaul), and core network. What is indicated by the authors of the study under analysis refers to a portion of the capital expenditures that, in their opinion, would imply using equipment from one supplier over another equipment offer. However, the study does not address or omits analyzing the aspects associated with the OPEX of a mobile solution, which directly has a high percentage associated with the energy consumption cost of the network and transmission equipment, as well as its cooling. In this sense, a 5G solution that employs radiating system densification equipment (Massive MIMO type) will result in higher costs from an OPEX perspective compared to less complex or dense radiating systems. On the other hand, whether or not to use dense or less dense schemes in the radiating system of a 5G solution is directly related to the operator's coverage objective, and to the traffic dimensioning carried out based on the number of users or data connections intended at each base station of the network. Hence, it is observed that the study (prepared solely by professionals in economic sciences) is based on the premise of using a 32T32R type solution, for example, for the "urban" case, and details that said solution can only be provided by the supplier Huawei, when in fact other suppliers have solutions of this type. This 32T32R scenario could indeed be used in urban use cases; however, it is observed that due to OPEX issues and some CAPEX components associated with the deployment of those solutions, it seems to have a positive impact on investment returns only in particular cases where there is intensive data demand by users that justifies the high electrical consumption of a solution of this nature. In this sense, the scenarios also proposed for the "national" and "rural" cases in said study, developed without the participation of a person responsible for advising on technical engineering aspects, do not seem to contemplate details such as those previously indicated, nor the technical dimensioning regarding traffic and coverage of the solutions used, as well as the impact on the CAPEX and OPEX of mobile operators in their development. From the technical engineering perspective, it is known that the different scenarios are developed by the different telecommunications operators in conjunction with the equipment suppliers they consider, taking into account, as noted in paragraphs above, elements such as coverage objectives, traffic, number of users, among many others, beyond the availability or not of a certain type of solution from the network equipment suppliers. It is reiterated at this point that calling the scenario developed by the study authors the scenario "with decree" by the authors induces serious errors from a technical perspective. Regarding Chapter IV: Conclusions and Recommendations Regarding the conclusions, the CINPE-UNA study mentions that: "The implementation of the decree could translate into the need for an investment increase of approximately USD 196.69 million over a period of 5 years." (the highlighting belongs to the original). However, on page 19 of the study, it mentions that: "(...) the implementation of the decree could translate into an investment increase of approximately USD 1,474.68 million (...)". Given the above, it is suggested that CINPE clarify which is the respective amount. In turn, CINPE indicates that: "(...) According to our research and the data presented in table 2.3, if the 5G deployment is carried out without restrictions, its investment would contribute USD 748.4 million to the Gross Domestic Product (GDP) of Costa Rica over a 5-year period. This represents a significant 3.19% of GDP. (...) this contribution plummets to just USD 419.1 million. We are talking about a reduction of USD 329.3 million in just five years (...)". In this regard, it is necessary to indicate that the CINPE study does not contain a table 2.3, so it is not possible to analyze the data they mention. Now, in table 5 of the study under analysis, it is indicated that the contribution of 5G investment to GDP amounts to USD 1,550.8 million. Given the above, there is no certainty as to what the contribution to GDP that CINPE mentions is. On the other hand, according to the technical engineering perspective, this point is far from the reality experienced in previous implementations of 2G, 3G, and 4G networks, because the initial deployment is where the strongest part of the investment occurs, and clearly the cost of obtaining new technologies is also paid. As time progresses, the cost of technological equipment decreases and network growth tends to decrease, not increase, because a point is reached where it is only operation and maintenance and no more expansion; if history is examined, cellular networks of a specific technology grow relatively little after the fifth year of their implementation, and this is because the target objective is already covered and also studies begin for the deployment of the new generation. However, it is important to consider that, contrary to what is indicated in the study, the "comparative advantage" of Huawei over other vendors may not be such, given that the study seems to be based on the premise that operating and maintenance costs will be lower in a scenario of using the incumbent supplier, which, in any case, is not a demonstrated or evidenced truth. Likewise, for this point, what was mentioned regarding the TCO of a mobile network detailed above must be considered. On the other hand, CINPE alludes to the concept or technical principle of "technological neutrality" to argue the supposed "such profound repercussions on the economy and well-being of the country" of the implementation of the regulatory guidelines on security in IMT-2020 mobile networks, including 5G, and beyond. However, in a careful, and technically rigorous, review of the definition provided by the General Telecommunications Law, Law No. 8642, on technological neutrality, it is observed that it is not breached in the terms indicated in the referenced Decree, given that said neutrality must be understood as the freedom that operators of telecommunications networks, or the service providers themselves, have to choose the most appropriate technologies for the provision of those end-user services, which allow the greatest social and technological benefit to be transferred to the country's population, without it being required or mandatory for the State to impose a vision for the deployment of a particular technology. In the field of wireless networks, this translates into the possibility that operators and providers have to use the most novel technologies, within the regulatorily enabled radiocommunication services. That is, regarding mobile networks, operators may deploy commercial/private networks of the 2G, 3G, 4G, and 5G type, without the State demanding the deployment of any of them in particular. However, as explained in previous sections of this writing, the same law indicates that this freedom must be delimited within the frame of reference demarcated by the standardization of telecommunications networks, in order to thereby ensure, through the deployments carried out by sector actors, the greatest social benefit to the population, and which also allows enjoying the benefits that economies of scale permit. This, in turn, in view of constitutional precepts, must also be carried out, not only in a standardized manner by operators and service providers, but also in a safe manner towards the population, so that end users can enjoy telecommunications services with the least possible risk, in a technological environment that allows compliance with this without detriment to the country's free trade, but that ensures the privacy of individual communications. Hence, the discussion of the topic of technological neutrality is not adequately addressed in the study from that academic center, but rather appears to be used to erroneously try to discredit the security provisions of the referenced Decree, relating technological neutrality to the choice of equipment suppliers; however, as previously indicated, technological neutrality is associated by definition with the need to deploy standardized technologies, to ensure the maximum social and technological benefit for the country, but this, in view of the country's legal provisions, must be done in a way that fosters a secure environment for the end users of telecommunications services. Importance of incorporating Cybersecurity into the analysis of 5G technologies CINPE mentions that, for the formulation of the scenarios used in its study, the assumption of operating with and without Executive Decree No. 44196-MSP-MICITT, titled Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Beyond, is used. Along these same lines, CINPE emphatically mentions that these types of cybersecurity measures, "(...) can limit competition in the deployment of 5G technologies" (CINPE, 2023), which is taken as a starting point for their argument. However, despite the fact that the study by CINPE is based on macroeconomic and microeconomic analyses, it at no point considers the costs that would be incurred if operating in an environment where cybersecurity is not considered a pillar for the protection of data and the privacy of telecommunications service users, this being a central focus in the global discussion around this topic. The consideration of cybersecurity and data protection in an analysis of 5G technologies is imperative due to the inherent risks of the advanced connectivity that this technology provides. The implementation of 5G networks not only accelerates data transmission speed but also expands the potential attack surface for cyber threats, making security a critical priority (Fonyi, 2020; Park et al., 2021; Stuchtey et al., 2020). Cybersecurity threats in a 5G environment can range from traditional attacks such as malware to more sophisticated threats such as identity theft and disruption of critical services (Stuchtey et al., 2020; Park et al., 2021). Furthermore, the increased number of connected devices and the transfer of large volumes of data increase the likelihood of privacy violations and loss of confidential information. The fast speed and low latency of 5G networks offer significant opportunities, but also increase exposure to potential vulnerabilities, meaning that the lack of adequate cybersecurity measures could allow more sophisticated attacks, such as network intrusions, theft of sensitive data, or service disruptions (Fonyi, 2020). Likewise, data protection becomes even more crucial with the increase in the amount of information transmitted over these high-speed networks. 5G facilitates communication between a variety of devices, from autonomous vehicles to connected medical devices, meaning that personal and confidential information circulates on an unprecedented scale. The loss or compromise of this data could have serious consequences, including violation of privacy, identity theft, and unauthorized access to sensitive information (Fonyi, 2020; Stuchtey et al., 2020). The costs associated with the non-inclusion of cybersecurity measures in an analysis of 5G technologies can be significant. The possible direct financial effects, such as loss of revenue due to service interruption, regulatory sanctions for data and privacy breaches that organizations may face (such as those contained in the General Data Protection Regulation of the European Union), as well as reputation repair and loss of customer trust, are also serious consequences that can have long-term effects (Fonyi, 2020; Park et al., 2021; Stuchtey et al., 2020). Following the line of Stuchtey et al. (2021), there may also be hidden costs that are important to consider in any analysis of 5G technology implementation. The analysis by Stuchtey et al. (2021) reveals the complexity of security in the implementation of 5G networks, especially in relation to the choice of suppliers. The authors point out that these costs are hidden because they occur either long after the technology's implementation, or because they are borne by persons or agents other than those who decide on the manner of implementing 5G technologies. The authors also indicate that, for society as a whole, these costs are highly relevant and must be considered when deciding whom to trust to build the next generation of network infrastructure. It is for this reason that, in the event of a possible refusal by the state and providers to opt for reliable sources, this could shift protection costs to companies and citizens; therefore, the importance of the state intervening preventively, even turning protection into a public good, is emphasized. In Stuchtey et al. (2021), it is mentioned that when it comes to policies for the implementation of 5G technologies, the approach should be with "security by design," as this would allow safeguarding from the outset even the most vulnerable economic agents. In this sense, the importance is highlighted that this type of analysis incorporate all possible costs for the economic agents involved, since a market decision for a good as particular as telecommunications should not be determined solely by the market price of said service, or by the cost of implementing the infrastructure. On the contrary, the value is stressed of considering all the variables that may affect the well-being of both consumers and operators. Final considerations from the economic perspective After reviewing the documents referring to the Procurement and Implementation of 5G NR networks by RACSA, and the study on the Evaluation of the Economic Impact of the Exclusion of 5G Network Suppliers in Costa Rica by CINPE, a series of observations are made that seek to understand what each of these documents presents. Regarding the review and analysis from the economic perspective of the procurement by Racsa, it is possible to visualize that DATASYS GROUP VINET (Datasys-Nokia) was the offeror that presented the offer with the lowest price for an amount of $2,455,798.27, which is 76% lower than the Consorcio ITS CR-ITS PA (ITS Huawei); thus, there is information that indicates, with real data, that there are even cheaper options than ITS Huawei, in contrast to what is indicated in the CINPE study based on projections. Furthermore, precisely regarding the CINPE study, inconsistencies are found in the information presented; calculations that apparently contain errors are detected, there is confusion about the source of information for some of the data presented there, and also, there are doubts about the theoretical and methodological framework that supports the technical and scientific rigor of the impact assessment that the study claims to perform. The foregoing prevents verifying the assertions and estimates made by CINPE throughout the study. There are at least two versions of the CINPE study, the one appearing in files No. 23-023887-0007-CO and No. 23-025158-0007-CO (subject to study by this Rector's Office) and the one available on the website of the Center for study, which according to clarification by CINPE, is the final and official document; in other words, it appears that the document appearing in the mentioned files and that is used as evidence in the Amparo Appeal and in the Unconstitutionality Action filed by the company [Name 002], is a preliminary and unofficial document from CINPE. Additionally, it should be noted that the documents present differences between them. Moreover, it is highlighted that although the CINPE study is based on macroeconomic and microeconomic analyses, the omission of considering the costs associated with the lack of cybersecurity stands out. Cybersecurity threats in 5G networks, from traditional attacks to more sophisticated risks, underline the importance of preventive measures. The lack of security not only implies risks to privacy and data loss, but also direct financial costs, regulatory sanctions, and loss of customer trust, which is why it is urged that this type of analysis can incorporate all those variables that may affect the well-being of consumers and operators, beyond the market price and infrastructure cost. It is important to emphasize that, despite the fact that CINPE provided four sources of information and web links to address the MICITT request in official letter MICITTDVT-OF-850-2023, it was not possible to verify the data of the CINPE study through these sources. This inconvenience arose due to the lack of specification of the methodological procedure used for the extraction of said data. This omission highlights the importance of complete methodological transparency to ensure the reliability and verifiability of the presented results. N. ANNEXED ELEMENTS 1. Certified administrative file No. MICITT-DGDCFD-EXP-003 2023, titled: REGLAMENTO SOBRE MEDIDAS DE CIBERSEGURIDAD APLICABLES A LOS SERVICIOS DE TELECOMUNICACIONES BASADOS EN LA TECNOLOGÍA DE QUINTA GENERACIÓN MÓVIL (5G) Y SUPERIORES. 2. CERTIFICACIÓN No. MICITT-DGDCFD-CER-006-2023, dated December 12, 2023, issued by the Director of the Directorate of Digital Governance and Digital Signature Certifiers of the Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones. 3. Plan General de Emergencia Ciberataques, by the Comisión Nacional de Emergencias, June 2022. Document retrieved from the website: https://www.cne.go.cr/recuperacion/declaratoria/planes/Plan%20General%2 0de%20la%20Emergencia%20por%20Ciberataques.pdf. 4. Official letter from the Contraloría General de la República No. DFOE-CAP-OS-00001-2023 dated May 01, 2023, called “Opiniones y sugestiones: “Emergencia cibernética: Obstáculo para la transformación digital y el bienestar social; retrocesos para la transparencia y rendición de cuentas. Document retrieved from the website: https://cgrweb.cgr.go.cr/apex/f?p=164:7:::NO. 5. Informe del Programa de Información y el Conocimiento de la Universidad de Costa Rica named “Hacia la Sociedad de la Información y el Conocimiento” December 2022, document retrieved from the website: http://www.prosic.ucr.ac.cr/sites/default/files/recursos/informe_2022_compl eto.pdf. 6. Digital communication from the Promotora de Comercio Exterior called “SECTOR TIC DE COSTA RICA MUESTRA SU OFERTA DE VALOR EN MIDSIZE ENTERPRISE SUMMIT 2023”, data retrieved from the website: https://www.procomer.com/noticia/sector-tic-de-costa-rica-muestra-suoferta-de-valor-en-midsize-enterprise-summit-2023/. 7. Document called “Caja de herramientas de la UE para la seguridad en redes 5G”. https://op.europa.eu/en/publication-detail/-/publication/7def1c03-da16-11eb-895a-01aa75ed71a1/language-es 8. Document called 5G en América Latina: Liberando el Potencial. https://www.gsma.com/latinamerica/wp-content/uploads/2023/06/2906235G-in-Latam-ESP.pdf . 9. Plan Nacional de Desarrollo de las Telecomunicaciones 2022-2027 “Costa Rica: Hacia la disrupción digital inclusiva”, which was approved by the Poder Ejecutivo through Decreto Ejecutivo N° 43843-MICITT published in the Diario Oficial La Gaceta N°5 dated January 13, 2023. 10. Acuerdo Ejecutivo Nº 031-2023-TEL-MICITT 11. Informe de Opinión Nº 4225-SUTEL-OTC-2021 dated May 19, 2021, “Informe sobre Asignación de Espectro para Despliegue Futuro de Redes 5G desde la Perspectiva de la Competencia” 12. Dictamen Técnico N° 05071-SUTEL-DGC-2020 dated June 09, 2020 13. Dictamen Técnico N° 02823-SUTEL-DGC-2021 dated April 8, 2021 14. Informe de Opinión N°09228-SUTEL-OTC-2022 dated October 20, 2022”. 15. Asian Development Bank (2006). Impact Evaluation: methodological and operational issues. Economic Analysis and Operations Support Division Economics and Research Department. Available at: https://www.adb.org/sites/default/files/institutionaldocument/33014/impactanalysis-handbook_0.pdf 16. Baker, Judy L. (2000). Evaluating the Impact of Development Projects on Poverty: A Handbook for Practitioners. Directions in development. Washington, DC: World Bank. Available at http://hdl.handle.net/10986/13949 17. Fonyi, S. (2020). Overview of 5G Security and Vulnerabilities. The Cyber Defense Review, 5(1), 117–134. Available at: https://www.jstor.org/stable/26902666 18. La Gaceta (2015) N°154. Alcance Digital N° 63. Expediente legislativo N° 19.615. Available at https://www.imprentanacional.go.cr/pub/2015/08/10/alca63_10_08_2015. pd f 19. Gertler, Paul J.; Martinez, Sebastian; Premand, Patrick; Rawlings, Laura B. and Vermeersch, Christel M. J. (2016). Impact Evaluation in Practice. International Bank for Reconstruction and Development / The World Bank. Available at: https://openknowledge.worldbank.org/server/api/core/bitstreams/4659ef23-61ff-5df7-9b4e-89fda12b074d/content 20. OECD (2001). Evaluation Network report, Evaluation Feedback for Effective Learning and Accountability. Report No 5, OECD Evaluation and Effectiveness Series. Available at: https://www.oecd.org/development/evaluation/2667326.pdf 21. Park, J., Rathore, S., Kumar, S., Salim, M., Azzaoui, A., Kim, T., Pan, Y. & Park, J. (2021). A Comprehensive Survey on Core Technologies and Services for 5G Security: Taxonomies, Issues, and Solutions. Human-Centric Computing and Information Sciences,Vol. 11, Jan-21. Available at: http://hcisj.com/data/file/article/202101282/11-03.pdf 22. Solano Ruiz, J. & Alonso Ubieta, S. (2020). Evaluación de impacto expost de acuerdos comerciales: síntesis de algunas aproximaciones teóricas y metodológicas. Cuaderno de Trabajo, CINPE-UNA, Heredia, Costa Rica. Available at: https://repositorio.una.ac.cr/bitstream/handle/11056/18286/Cuaderno%20004%202020%20Solano%20%26%20Alonso%20M%c3%a9todo.pdf?sequence=4 &isAllowed=y 23. Stuchtey, T., Dörr, C., Frumento, E., Oliveira, C., Panza, G., Rausch, S., Rieckmann, J. & Yaich, R. (2020). The Hidden Costs of Untrusted Vendors in 5G Networks. Brandenburg Institute for Society and Security, Policy Paper No.8, Dec-20. 24. SUTEL (2023). INFORME TÉCNICO PARA EL CÁLCULO DE LA TASA REQUERIDA DE RETORNO DEL CAPITAL O COSTO PROMEDIO PONDERADO DEL CAPITAL (CPPC) PARA EL PERÍODO 2022, Expediente: GCO-DGM-IFR-00487-2023 PETITORY Based on the facts and grounds presented, this Honorable Sala Constitucional de la Corte Suprema de Justicia is respectfully requested: 1.- Having reviewed ex officio the electronic file No. 23-023887-0007-CO, an amparo appeal filed by [Name 002] against the Instituto Costarricense de Electricidad is known, where various entities and bodies have been granted a hearing so that they can pronounce on the scope of the amparo appeal filed; therefore, in my capacity as head of the Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones and as a party subscribing to the Decreto Ejecutivo Nº44196-MSP-MICITT, I appear before you in the interest of objective truth, prompt and complete justice, and the technical, logical, and scientific rigor that must prevail in this process, which amply justifies the informational participation of the Governing Ministry under my charge, thus providing a complementary technical vision for the stated objectives. 2.- To request, based on the principle of procedural equality established in accordance with Articles 33, 39, and 41 of the Constitución Política, that a formal hearing be granted to the Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones in this amparo action to address each and every one of the facts, the legal basis, and the corresponding claims, in the exercise of transparency, accountability, justice, and legal certainty." 23.- Through a resolution issued at 14:39 hours on November 24, 2023, the instructing magistrate granted a hearing to the Minister of Ciencia, Innovación, Tecnología y Telecomunicaciones.

24.- Through a writing incorporated into the digital file on January 9, 2024, Paula Bogantes Zamora, Minister of Ciencia, Innovación, Tecnología y Telecomunicaciones, appears. She states the following: "Beforehand, I indicate to this Sala Constitucional that this hearing is addressed from the scope of functions of the Telecommunications Governing Body, for which reason I proceed to refer to the facts raised by the plaintiff in the amparo appeal filed against the Instituto Costarricense de Electricidad, as an Operator enabled for the operation of networks and the provision of telecommunications, in the interest of objective and technical defense, in relation to the provisions of a general nature issued by the Poder Ejecutivo through Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, published in Alcance Nº 166 to La Gaceta Nº159 of August 31, 2023, and other norms that make up the framework of juridicity and legality of telecommunications. FACTS Regarding the facts and allegations raised in the writing of the AMPARO APPEAL, received in the Secretariat of the Sala on September 28, 2023, we proceed to indicate the following: 1.- My represented party is prepared to participate in the public tender that ICE will open to implement and operate 5G IMT technology in its networks, given that we are one of the main suppliers of that technology in Costa Rica. Response. It is not within my knowledge whether or not the company is prepared to participate in the tender it refers to; however, it is public knowledge that the company [Name 002] has expressed its interest and has formally presented an offer within the special competitive services procedure, with the object of contracting “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, processed on the platform of the Sistema Integrado de Compras Públicas (hereinafter, SICOP) and registered with electronic file number 2023XE000023-0000400001. This Ministry respects the stages that are part of the procurement cycle, and therefore must abide by what the contracting Operator resolves in the offer analysis and award stage as applicable within its sphere of action, for this and other companies that also participated in said tender. In that sense, it is not my place to issue any qualifying criterion that may interfere with the operator's position, in full respect of the principle of legality, impartiality, competition, and due administrative process. What I can refer to, and which will be specified infra in this report, is the fact that the company [Name 002] documented on two different occasions that its offer complies with the requirements of the procurement, which the appealed Operator must verify in the corresponding special competitive services procedure stage, it being understood that this offer is subject, like any other offer, to scrutiny during the offer analysis stage, to determine its suitability, so that the criterion of whether or not it is indeed prepared to assume the object of the procurement will be a conclusion that the operator must arrive at in its competitive process, for which due process and the verification exercise that ICE performs in order to determine if the company meets the conditions that it has thus established in the conditions document itself must be respected.

2.- On August 31 of last year, the Executive Branch enacted and published in La Gaceta the "Regulation on Cybernetic Measures applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Higher" (sic), which contains provisions that expressly prevent my represented party from participating in that public tender. Response. It is false that said regulation contains provisions that prevent the company [Name 002], given that, as indicated, it has expressed its interest and has submitted a formal offer within the special competitive services procedure, for the purpose of contracting "GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ON DEMAND", processed on the Integrated Public Procurement System (Sistema Integrado de Compras Públicas, hereinafter SICOP) platform and registered under electronic file number 2023XE-000023-0000400001. However, the truth is that the Executive Branch issued and published Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on Fifth generation mobile technology (5G) and higher" on the date and in the medium indicated, with the purpose of establishing general provisions applicable to Operators duly authorized for the operation of networks and provision of services based on fifth generation or higher technologies, who are subject to the application of cybersecurity measures to guarantee the secure use and exploitation, with protection of individuals' privacy, of telecommunications networks and services, as established in Article 1 of said regulatory body. These cybersecurity measures arise as part of the efforts to strengthen and adapt the sectoral regulatory framework—for reasons of national security for the defense of cyber sovereignty—by virtue of the cyberattacks suffered by our country in 2022 and more recently on January 18, 2023, against the Ministry of Public Works and Transport (MOPT). Given the magnitude and consequences of the attack, the Executive Branch, through Decree No. 43542-MP-MICITT, "Declares a state of national emergency throughout the entire public sector of the Costa Rican State, due to the cybercrimes that have affected the structure of information systems," a declaration that was based precisely on the immediate impact on the computer systems linked to the functioning of critical State services. It should not be overlooked that the attack suffered at the beginning of 2022 had significant repercussions on the confidentiality, integrity, and availability of computer systems, as well as on the information residing in these public computer systems, thereby interfering with the normal exercise of public functions by the affected institutions. Furthermore, the attack perpetrated by the cybercriminal group CONTI had an effect on the collection of public financial and fiscal information of transcendental importance for the country's decision-making. Lastly, and no less importantly, it must be remembered that said attack generated significant harm to the citizenry, as one of the sectors affected was precisely social security and public health, having substantially interfered with the provision of health services administered by the Costa Rican Social Security Fund (Caja Costarricense del Seguro Social). The most critical consequences of the attack were the impact on health services, the violation of the confidential health data of the Costa Rican population, and the delay in attending to people's well-being. This impact was mainly due to the reprogramming of systems and services, which negatively affected access to essential health services. These services require, for their effective provision, access to databases containing relevant clinical information of users, which were the targets of the cyberattacks that occurred. For further details, one may consult section -D- of technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023, submitted to this Constitutional Chamber ex officio by this Governing Body, in which the account of the damages motivating the need to adapt the sectoral regulatory framework in view of the cyberattack of 2022 and early 2023 is elaborated upon, along with other technical aspects developed regarding the issuance of Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on Fifth generation mobile technology (5G) and higher." Reference is made to said report and to the aspects set forth therein, which complementarily serve as input to better resolve this matter, a document that was submitted to the record of this amparo proceeding on December 13, 2023. Based on the impact on systems, the breach of citizens' sensitive information, the access to essential services for inhabitants, and the serious damages caused to individuals by the interruption of such access, it was decided to adopt at the national level, among other actions in addition to the emergency declaration, the referred Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on Fifth generation mobile technology (5G) and higher," which meets the highest standards and best international practices in this matter and incorporates security by design from the initial stages, in view of the competitive process for telecommunications services via IMT systems, including 5G. Of course, the scope of the Regulation is for the development of IMT2020 (5G) and higher networks, a segment in which the implementation of measures focused on reducing risks and impacts regarding cybersecurity becomes more critical due to its prominent technical characteristics, such as: • A higher data transfer rate experienced by the user (10 times higher than 4G). • Lower latency (10 times lower than 4G). • Higher connection densification (10 times more than 4G, up to 1M devices per square kilometer). • Mobility scenarios (up to 500 km/h). • Greater spectral efficiency (3 times greater). • "Network slicing" (capacity to segment networks). It is thus that the advantages of 5G technology over other generations of mobile networks enable a series of use scenarios, such as healthcare (telemedicine), management of critical infrastructures (such as generation and distribution of electrical energy, gas, or drinking water; the latter usually with national impact and great relevance in various productive sectors), industry in general, agriculture, smart cities, massive Internet of Things, Artificial Intelligence, autonomous vehicles, metaverse, virtual and augmented reality applications (industrial and educational uses), for example. All these particularities that separate 5G from other technologies are also developed in section -E- of technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023. In this regard, it is pertinent to inform the Justices of the Chamber that, even though the attack by the criminal group CONTI (2022) targeted infiltration into public computer systems and not telecommunications networks, it must be borne in mind that the implementation of IMT-2020 (5G) networks possesses a connection and linkage capacity to highly sensitive and critical sectors that increase the attack surface on networks and computer systems, for which reason they have a direct link to the country's security. It is by virtue of the evolution of mobile connectivity and its deep integration with the activities of society and industry, that precisely IMT-2020 (5G) networks generate a larger surface for cyberattacks, which is why cybersecurity measures gain relevance as part of the regulatory mechanisms in telecommunications to safeguard the secure use and exploitation of networks by operators. Therefore, the role of the Executive Branch is inherent, in the exercise of the powers delegated by the Legislator regarding the use and exploitation of the radio spectrum, in turn derived from the norms of public international law (Law No. 8622, CAFTA-DR) and the sectoral legal framework (Law No. 8642, General Telecommunications Law), which enable it to set the necessary conditions and obligations to guarantee the secure exploitation of networks that use the radio spectrum as a finite demanial asset through which so-called public telecommunications networks are implemented, which certainly include 5G networks. And, as part of these conditions, the Executive Branch possesses regulatory authority to adopt the necessary technical and administrative measures to guarantee the secure exploitation of telecommunications networks with the objective of safeguarding the legal regime for the protection of the human rights of end-users of telecommunications networks, in order to guarantee privacy, the secrecy of communications, and the informational self-determination of users (see Article 42 of Law No. 8642). This regulatory development can also be consulted in sections -A-, -B-, and -C- of technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023, and also in what will be indicated infra in this document. It should also be highlighted to the Justices of the Constitutional Chamber that even (sic) though Costa Rica is a republic whose national security and defense policy is based on the pillars of permanent neutrality and demilitarization before international conflicts—inspired by peace as a value that informs the Costa Rican Legal System—this legal situation does not prevent the Executive Branch, constitutionally called upon to maintain public order and the tranquility of the Nation by provision of Article 140(6) of the Political Constitution itself, from adopting reasonable preventive measures in situations that undermine or threaten national security, as occurred with the antecedent of the 2022 cyberattack by an organized criminal group of Russian origin. This has been indicated by the Attorney General's Office (Procuraduría General de la República) in Opinion No. C-94-86 of April 29, 1986: “The President of the Republic proclaimed Costa Rica perpetually neutral on November 17, 1983. Perpetual neutrality is defined as 'a freely accepted legal situation that commits the State never to declare war on another State. This legal provision does not inhibit the State from exercising legitimate defense in case of aggression. In accordance with the principles of Public International Law (sic), the permanently neutral State must remain on the sidelines of all wars that arise between third States'." Along the same lines, Legal Opinion No. O.J.-228-2003 of the Attorney General's Office of November 12, 2003, states where it indicated: “(...) the existence of a 'national conscience' that favors the preservation of peace. As a consequence, it is affirmed, concrete actions have been taken that recognize this collective sentiment, such as the abolition of the army in the 1949 Constituent Assembly; the Proclamation of Neutrality, adopted during the Monge Alvarez Administration (sic) (...) in view of the fact that Constitutional Law imposes on the Executive Branch the constitutional duty to assume a neutral position regarding the scourge of war, except in cases of legitimate defense (...) even the notion of classical neutrality conceived individual legitimate defense as possible, and it is possible for a perpetually neutral State to exercise its individual legitimate defense." It is based on the foregoing that this Ministry, together with the Ministry of Public Security, issues Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on Fifth generation mobile technology (5G) and higher," since, in the face of technological evolution, cyberspace is not a matter alien to national security; despite its intangible condition, it acquires a special character to be protected, just as with air, maritime, terrestrial, and outer space, from which significant damages to national sovereignty (cyber sovereignty) can arise, and therefore doctrine has recognized it as the "fifth domain of warfare." This conceptual precision can be consulted in section -F- of technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023. It is with this scope of prevention of criminal acts in cyberspace linked to 5G networks, that the issuance of the Cybersecurity Regulation for 5G and higher networks goes back to safeguarding a clear public interest. Inactivity and omission of measures by the Executive Branch in this regard could generate damages of a magnitude far exceeding the attack that occurred in 2022. In relation to the above, from the perspective of the Telecommunications Governing Body, it must be considered that, through Executive Decree No. 37052-MICIT, the so-called Computer Security Incident Response Center (CSIRT-CR) was established in Costa Rica, headquartered at the Ministry of Science, Innovation, Technology and Telecommunications (established since 2012). This Computer Security Incident Response Center (CSIRT-CR) has sufficient powers to coordinate with the branches of State, autonomous institutions, State companies, and banks on everything related to computer and cyber security matters and to bring together the team of Information Technology security experts who will work to prevent and respond to cyber and computer security incidents affecting government institutions. It is as part of this articulation of efforts between ministries that the Decree in question is issued. After this necessary explanation about the genesis of the regulation, it is also of special relevance to contextualize the scope of application of said regulatory body. It is thus that Article 2 establishes: “The active operation of networks and services based on fifth generation mobile technology (5G) and higher is subject to this regulation, by natural or legal persons, public or private, national or foreign, who operate networks or provide telecommunications services based on fifth generation mobile technology (5G) and higher that originate, terminate, or transit through the national territory, excepting the operation of private telecommunications networks. In the case of public procurement processes aimed at the authorization of networks and services based on fifth generation mobile technology (5G) and higher, as well as the active technological equipment necessary for their deployment (sic), for the use and exploitation of the radio spectrum, the Administration or contracting entity must adopt the suitable mechanisms to verify that potential offerors have considered all aspects alluding to the management and mitigation of risks contained in this regulation, when planning, designing, and implementing their technical offer. In the event of being awarded the contract, the provisions of this regulation shall be mandatory during the operation of the networks and provision of services based on fifth generation mobile technology (5G) or higher.” As an initial point, the article warns in its first paragraph that the security measures contemplated in said regulation and all applicable actions for risk management are mandatory and binding for all natural or legal persons, public or private, national or foreign, who possess an enabling title for the operation of networks and services based on fifth generation mobile technology (5G) and higher. Now, the assumption regulated in the second paragraph is applicable to a first stage of the public procurement cycle, which is precisely at the tender where potential offerors must construct their technical offer taking into consideration the security and risk management measures that will be binding and mandatory for them if they are awarded segments of radio spectrum frequency for the exploitation of networks and the provision of services based on fifth generation or higher mobile technology; or for those telecommunications operators that currently hold enabling concession titles allowing them the development and implementation of these networks and the provision of their services. It is for this reason that the regulation reserves, under the responsibility of the promoting Operator of the special competitive services procedure, the adaptation, under its discretionary authority, of the requirement to be set forth in the tender specifications, through which it will verify in its commercial sphere that said offerors are aware of the scope of this regulation in order to plan, design, and implement their technical offer. In this sense, under the sectoral principle of non-discrimination, it must be understood that any operator of networks and services based on fifth generation mobile technology (5G) and higher is obliged to respect the technical regulatory measures established by the Executive Branch in this matter, considering the due safeguarding of superior protected legal interests such as human dignity, intimacy, privacy, security, and self-determination of its users. Based on the foregoing analysis, the cited article must be interpreted in its entirety, in the sense that it is the operator of networks and services using 5G technology who will be strictly obligated to comply with the adoption of standards and risk analysis, since the regulation concerns the active operation of telecommunications networks, and consequently, it is the one called upon to guarantee the security of its own networks. From the above, it follows that the special subjection lies with the Operator holding the concession enabling it for these purposes, which in this specific case would be the Costa Rican Electricity Institute (Instituto Costarricense de Electricidad), the entity called upon to comply with the provisions of the regulation, while in the case of the petitioner company, it eventually participates in the supply chain, if it were to be awarded a contract within the special competitive services procedure. Taking into account the foregoing considerations, observe, as evidenced in the record, specifically in Certification No. 178-SUTEL-2023 issued by the National Telecommunications Registry of the Superintendency of Telecommunications (SUPERINTENDENCIA DE TELECOMUNICACIONES) (EVIDENCE No. 1), that the company [Name 002] currently does not hold an enabling concession title for the (sic) operation of public networks or the provision of services under fifth generation or higher 5G mobile technology that entails the exploitation and use of the radio spectrum, and therefore, it is not included within the scope of application of the regulatory provision referred to by said company. 3.- Both the President of the Republic, the Minister of MICITT, and the Executive President of ICE have publicly stated that the enactment of the cited Regulation was done for the specific purpose of preventing the participation of companies of various nationalities, especially those of Chinese origin, in the bidding processes aimed at obtaining and operating 5G IMT and Higher telecommunications technology for that institution's networks. Response. That is not true. As clearly seen from the response to the previous point, the issuance of Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on Fifth generation mobile technology (5G) and higher," is based on the need to have within the telecommunications sectoral legal framework a technical norm to safeguard superior legal interests, the legal regime of protection of intimacy, privacy, and informational self-determination of end-users, the protection of public order and national security from the perspective of cyberspace for the development of networks and provision of services based on 5G technology and higher, therefore it does not refer to any particular nationality, but to objective measures of a technical and administrative nature based on the highest applicable standards in this matter; the foregoing without prejudice to the undue circumstantiation (sic) of this fact, which results in a mere subjective appreciation by the petitioner. 4.- The President of ICE stated through the newspaper El Mundo CR last September 16 that the respective public tender will be published before the end of September of this year. Response. It is not for me to refer to apparent statements made by the President of the Costa Rican Electricity Institute. In any case, it is a matter of public knowledge and access that said Institute published, on November 9, 2023, the invitation to participate in the special competitive services procedure, for the purpose of contracting "GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ON DEMAND," processed on the Integrated Public Procurement System (SICOP) platform and registered under electronic file number 2023XE-000023-0000400001. As part of the review of said file, it is observed that in the context of said special competitive services procedure, the opening of offers took place on December 19, 2023, where the participation of 5 to 6 offerors is recorded, distributed across 6 line items, among which the offer of the company [Name 002] is observed for line items 1, 2, 3, 4, and 5. 5.- Additionally, and as irrefutable and absolute proof of the risk that exists for my represented party, on September 5, 2023, at 4:20 p.m., an email was received from Mr. Huberth Valverde Batista, ICE Contract Administrator, sending a questionnaire inquiring about compliance with the Cybersecurity Regulation No. 44196-MSP-MICITT. The email itself indicates the need to obtain this information within 4 business days. Response. I have no knowledge of this. It corresponds to internal procedures of the respondent Operator with the company [Name 002]. 6.- Said questionnaire, as can be seen from the notarial certification provided, is an exact copy of the requirements of the Regulation. Response. I have no knowledge of this. It corresponds to internal procedures of the respondent Operator with the company [Name 002]. 7.- The above is direct proof that, given the imminent publication of the tender, my represented party will be affected and unable (sic) to participate in it. Response. The truth is that on November 9, 2023, ICE processed the invitation to participate in the special competitive services procedure, for the purpose of contracting "GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ON DEMAND," processed on the Integrated Public Procurement System (SICOP) platform and registered under electronic file number 2023XE-000023-0000400001, with the result that the opening of offers in said tender took place on December 19, 2023, in which the offer of the company [Name 002] is observed for line items 1, 2, 3, 4, and 5. Therefore, despite what was stated, the company did participate in the procedure of interest, submitting a bid in which it even expressed its compliance with the conditions of the tender specifications of said competitive process. In this regard, it is relevant to consider what was stated by the respondent Operator itself in its Report No. 0060-456-2023, rendered for the purposes of this amparo proceeding, on October 6, 2023, in which it stated, in what is relevant: “On September 11, 2023, Mr. Marcel Aguilar Sandoval of the company Huawei Technologies (sic) Costa Rica, responded to the inquiries made, as shown in Annex No. 7 of the Technical Report, for which confidentiality is requested given that said data are protected under agreements safeguarding this type of information. 9. Regarding the responses from Huawei Technologies Costa Rica, as the Honorable Constitutional Court may verify, there is no evidence that said company had any kind of disagreement with what was consulted. (See Annex No. 7 of the Technical Report).” (The highlighting is ours and not from the original). The inconsistency in the company's statements is highlighted before this esteemed Constitutional Chamber, where at a stage prior to the publication of the tender, it did not inform the Operator of the disagreements that should have been raised in an administrative context, and which it now reveals in this jurisdictional venue. The good faith of its actions must therefore be assessed, given the omission of alerting about said situation from the outset, in response to the Operator’s inquiry, and not subsequent to the market verification processed by said Institute, which is now tendering and before which the suspension of said special procedure is requested. This reflects an inconsistency between the statements in the amparo petition and what is documented in its own offer, which is attached as EVIDENCE No. 3 and 4 to this report, so that the Constitutional Chamber may verify the ambivalence between what was stated prior to the tender, and the acceptance of compliance with the tender specifications of the competitive bidding process referred to ut supra. 8.- Given this situation, the direct, unquestionable, current, imminent, and real risk faced by the company I represent is more than clear, evident, and manifest." Describes threats in the following terms: "1.- The Executive President of ICE has clearly stated that at the end of September, that institution will put out to public tender the acquisition of 5G Mobile telecommunications technology and that, in said public tender, the requirements demanded in the "Regulation on Cybernetic Measures applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Higher" (sic) will apply. 2.- As cited by the digital news outlet \"El Mundo.CR\" on September 15 of this year, the Executive President of ICE expressly stated the following: \"the decree is already with the teams and they are reviewing it to see how it is included in the tender document. Also, we have some clarifications that we need to make. However, the answer is yes, we are going to have to include what is provided therein, since it is applicable public policy\" (https:elmundo.cr/costa-rica/licitaciónpara-5g-saldra-a-finales-desetiembrevetando-empresas-chinas/). 3.- The President of the Republic, Mr. Rodrigo Chaves Robles, had declared before the press while he was in the United States, shortly after having signed the cited Regulation prior to his departure, that its enactment aimed to prevent the participation of companies of diverse origin in the upcoming public tenders to be opened by ICE and SUTEL for the acquisition of 5G Mobile telecommunications technology, which can be verified at the following link https://dplnews.com/rodrigo-chaves-prohibeempresas-chinasen-el-desarrollo-de-5g-encosta-rica/ 4.- This criterion was ratified by the Minister of MICITT on Amelia Rueda’s radio program last Monday, September 4, as can be verified at the following link https://ameliarueda.com/noticia/huawei-china-5g-micitt-subastacosta-ricanoticias Response. Regarding the alleged threats described, I will respond in the order they are indicated: Regarding what is indicated in points 1 and 2 with respect to the Executive President of ICE, I reiterate that I have no knowledge of statements he may have made in public media or in actions not specifically recorded in writing addressed to this Ministry or not incorporated into the contract file of the aforementioned special competitive services procedure. Although I cannot attest to the veracity of the statements, what was apparently stated does not constitute a violation of any fundamental right of the petitioner, because the Operator would limit itself to complying with the objective law that regulates the regulatory conditions for the implementation of 5G and higher networks. The foregoing without prejudice to the offer submitted by the petitioner in the ongoing procurement process. Regarding what is referred to in point 3, apparently by the President of the Republic, this Ministry has no record of the existence of such statements, even though the presence of publications in different media outlets is alleged.

Executive Decree No. 44196-MSP-MICITT “Regulations on Cybersecurity measures applicable to telecommunications services based on Fifth-generation mobile technology (5G) and higher,” as has been well developed in previous sections and extensively in technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023, presented ex officio before the Constitutional Chamber on December 13, 2023, is a technical standard that contains no expression in its recitals or operative part to the detriment of any particular nationality, as the appellant company seeks to suggest. Regarding the allegation in point 4, this Collegiate Body must consider that the link provided does not lead to a publication where the appellant's claim can be verified, without prejudice to the fact that, as indicated, the regulatory standard responds to technical and administrative measures aimed at guaranteeing the legal framework for the protection of end users of telecommunications services.

5.- In line with all the above, my represented party received a questionnaire from ICE, requesting confirmation of compliance with the Decree, which refers specifically to 5G or higher technology, as clear and direct evidence of ICE's intention to promote this tender as soon as possible. Response. I have no knowledge of this. This corresponds to proceedings specific to the respondent Operator with the company [Name 002].

6.-It is evident that the questionnaire sent by ICE is directly related to the tender specifications (Pliego de Condiciones) that will be used for the bidding process targeting 5G technology. In accordance with the General Public Procurement Law, the Administration, prior to publishing the tender specifications of any nature, must conduct a market study to verify potential bidders. In this case, it is evident that ICE is complying with the market study established in Article 34 of the Public Procurement Law, by asking questions based on the Regulations, thus making it clear that they will incorporate said provisions into the 5G bidding process, because the Regulations are a current standard, and ICE does not have the authority to disapply it. Response. I have no knowledge of this. This corresponds to proceedings specific to the respondent Operator with the company [Name 002]. The only thing I can affirm in my capacity as the Governing Ministry of telecommunications, and as part of the Executive Branch responsible for defining the conditions and obligations for the use and exploitation of the radio spectrum, is that ICE is indeed a current frequency concession operator (e.g., Executive Agreement No. RT010-2010-MINAET and Executive Agreement RT-024-2009-MINAET, adaptation). Therefore, said operator, like any other Operator with an enabling concession title subject to said regulatory standard, must adapt its actions to the sectorial Legal System, and upon this, to the risk management and mitigation measures integrated into Executive Decree No. 44196-MSP-MICITT “Regulations on Cybersecurity measures applicable to telecommunications services based on Fifth-generation mobile technology (5G) and higher.” 7.- Therefore, we are in the presence of a certain, real, effective, and imminent threat, almost at the stage of execution, of an act harmful to the fundamental rights of my represented party. Response. The truth is that the Instituto Costarricense de Electricidad published, on November 9, 2023, the invitation to participate in the special procedure for competitive services, with the object of contracting “GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND,” processed on the Integrated Public Procurement System (SICOP) platform registered with electronic case file number 2023XE-000023-0000400001. From the review of said case file, it is observed that within the context of said special procedure for competitive services, the opening of bids took place on December 19, 2023, where the bid from the company [Name 002] is recorded for line items 1, 2, 3, 4, and 5 of said procurement process. Therefore, the argued risk, and consequently, the violations of the appellant's fundamental rights as a party to the public procurement process, are not materialized. It is strikingly noteworthy, as already indicated, that the company not only submitted a bid but also, from the very first moment prior to the publication of the tender specifications, during a supposed inquiry made by the Operator, the appellant company did not reference any impediment, impossibility, or circumstance that said Institute would have to assess beforehand. Given that the procurement process is currently underway and that, in this specific case, the appellant has submitted a formal bid subject to evaluation by the contracting Administration, it is necessary to respect, under the principles of legality, impartiality, competition, and due administrative process, the criteria that said Operator renders under equal conditions for this bid and the other bids submitted for the tender. However, this honorable Constitutional Chamber should note how, after the supposed exchange of communication with the contracting Operator, the company modifies its discourse, which is not maintained congruently over time, since in the bid document, it states that it "understands, accepts, and complies" with the conditions of the tender itself registered with electronic case file number 2023XE-000023-0000400001, while with its amparo action (recurso de amparo), it attempts to establish a conviction of a limitation that it did not reveal to the Operator.

8.- In effect, the public tender that ICE will open before the end of this month, as announced by its own officials, will prevent my represented party from participating, for the simple fact of being a company of Chinese origin. Response. The truth is that the elements comprising electronic case file number 2023XE-0000230000400001 must be evaluated objectively by this Collegiate Body. First, because it has already been noted that Executive Decree No. 44196-MSP-MICITT “Regulations on Cybersecurity measures applicable to telecommunications services based on Fifth-generation mobile technology (5G) and higher” applies to the network operator and provider of services based on 5G or higher technology, who will be strictly obligated to comply with the adoption of standards and risk analyses, since the purpose is to regulate the active operation of telecommunications networks, and consequently, it is the operator who is called to ensure its supply chain. Therefore, to be subject to its scope of application, an entity must hold a concession title for these purposes, which the appellant company lacks (see EVIDENCE No. 1). Second, even (sic) though the appellant company maintains that its origin constitutes an impediment to participation, it makes no connection to the specific provisions of Executive Decree No. 44196-MSP-MICITT applicable to such a circumstance, to assert that in this specific case, an injury to its sphere of fundamental rights could materialize. This is so because said regulatory standard does not establish any discrimination regarding the origin or nationality of any company. On this matter, it is worth highlighting that the proper substantiation and the burden of proof (onus probandi) fall upon the party alleging, in this specific case, the transgression of constitutionally protected rights. Notwithstanding the foregoing, and for the purpose of better resolving what is appropriate for the present amparo action, this Constitutional Chamber should observe that, despite the company claiming it is a company of Chinese origin, the case file evidence, contained within the evidentiary elements of the amparo action, includes literal certification number RNPDIGITAL-1458528-2023 dated September 28, 2023, which certifies that [Name 002] is registered and domiciled, according to the information recorded in the mechanized volumes and entries kept for this purpose by the Legal Entities Section of the National Registry of Costa Rica, of a constitutive nature, under legal identification number [Value 001]. From this factual premise, it can be determined from the code or class “3-101” that said legal entity is a corporation (sociedad anónima) incorporated in Costa Rica, according to the registration filed. Furthermore, the registration of said legal entity is displayed as a “corporation” by virtue of the provisions of the legal system. If it were a foreign company, the Chamber should note that the nomenclature would not only (sic) be different, that is, “3012”, but it would also be recorded as such in the literal certification under the principle of publicity that permeates the due registration of public documents according to Article 32 of the Law on the Registration of Documents in the Public Registry No. 3883, which does not occur in this specific case. Thus, the condition of being a foreign company is not documented and therefore has no opposable effects to third parties in that sense. In addition to the above, according to the written objection appeal filed by this same company against the tender specifications for special procedure number 2023XE-000023-0000400001 (see ATTACHED EVIDENCE No. 2), the following introduction reads: “The undersigned, [Name 001], with a single (sic) surname due to my Chinese nationality, of legal age, married, engineer, resident of San José, Rohrmoser, holder of Costa Rican residency card 115601034602 and passport from my country number EE1392531, in my capacity as General Manager with powers of general attorney-in-fact without limit of sum of [Name 002]., a Costa Rican corporation with legal identification number [Value 001], domiciled in San José, Pavas, Rohrmoser, Oficentro Torre Cordillera, 16th floor, I respectfully appear on behalf of my represented party to formally file an Objection Appeal (Recurso de Objeción) against the clauses and conditions to be stated, of the tender specifications that regulate the referenced public procurement procedure (...) (...) In this case, we must indicate that [Name 002] is a company incorporated and operating in accordance with the laws and the Costa Rican legal system, which has operated in the market for the sale and supply of equipment, hardware, and software to network operators and telecommunications service providers since 2007. As recorded in the referenced SICOP file, the participation in the tender promoted by ICE shows a formal bid from [Name 002], containing a statement entirely different from what is alleged here regarding its origin. In this sense, the Constitutional Chamber has already specified in previous pronouncements, as it did in Ruling No. 2014-007274 of 3:15 p.m. on May 27, 2014, recently reiterated in No. 2023-002894 of 10:40 a.m. on February 7, 2023, that: “(...), in this (sic) venue of constitutional protection and in this sense, the rule according to which the claimant must prove all the facts on which their amparo action is based must be applied flexibly because in the situation of vulnerability in which they find themselves, they only need to prove those facts that they are capable of demonstrating from their particular situation (...) These circumstances demonstrate that in this case we are facing a clear imbalance of procedural positions, which must be corrected by shifting the burden of proof, in order not to impede the equitable exercise of and access to justice and the discovery of the truth.” VII.- The criteria of the Chamber set forth in the partially transcribed ruling are based, as stated, on the principle of the dynamic burden of proof, which, doctrinally, is known as the possibility of transferring this burden of proving facts to the party who is in a better position to do so, such that the reversal of the proof aims “to determine upon whom the efforts of proving fall based on the possibilities of producing the evidence,” i.e., it starts from the question of who is in the best and worst condition to prove the facts; it implies an acknowledgment of the inequality the parties find themselves in regarding the fact to be proven and constitutes compensation in favor of the party for whom it is more difficult to prove it.” Based on the dynamic principle of the burden of proof, it (sic) falls upon the party alleging in this case to demonstrate what the origin of their company is, and how, in this specific case, said origin could cause them harm in light of the provisions of Executive Decree No. 44196-MSP-MICITT “Regulations on Cybersecurity measures applicable to telecommunications services based on Fifth-generation mobile technology (5G) and higher,” which is not developed in this allegation but rather presumes that the Constitutional Chamber must construct this exercise. This is despite the registry information accessible to the appellant to inform this Collegiate Body about the veracity of its origin, and thus avoid conduct that tends to confusion, contrary to the principle of good faith that should guide public procurement processes and these jurisdictional processes. In this vein, consider that as part of the bid documents that are publicly recorded in the current procurement case file, the Sworn Statement issued by representative [Name 001] is extracted, who under oath declares, among other aspects, that: “[Name 002]., a Costa Rican corporation with legal identification number three-one hundred one- four hundred ninety-nine thousand five hundred eighty-eight, with registered office in San José, Pavas, Rohrmoser, Oficentro Torre Cordillera, sixteenth floor” (see ATTACHED EVIDENCE No. 4). In this way, the aspect of the company incorporated in our country is reaffirmed. It is beyond the Ministry to verify a private aspect such as that pertaining to the company's specific business line or business structure, whose evidentiary jurisdiction falls directly on it to demonstrate if indeed its company possesses an origin different from that which has been registered and publicized, and in relation to this specific point, how its origin generates any harm derived precisely from the Regulations; when from public and notorious facts, what has been documented is that it is a company formed under the protection of the national legal system, registered as a corporation in the Legal Entities Section of the National Registry. Add to the above the highly changing position that the company has maintained when communicating with the different authorities. If in the case it identified a circumstance apparently harmful to its particular interests, it should have demonstrated this to the Operator before the conception of the tender specifications, when it was apparently consulted via the supposed “questionnaire” tool, and not at a later time, even after it was precluded, a reckless attitude that could serve to delay the process for its own convenience, and with it, cause substantial harm to the public interest of implementing telecommunications networks based on 5G and higher technologies in the country.

9.- It is important to indicate that my represented party cannot be held responsible for the fact that the Government of the People's Republic of China, within its sovereign powers, has not signed the Budapest Convention to date. Response. The truth is that, in accordance with what was indicated above, the appellant is a Costa Rican company, incorporated under the national Legal System, and governed by its provisions. Hence, no logical link is identified for the argued accusation in relation to the Government of the People's Republic of China. Nor does this Ministry have any record that said responsibility has been attributed to the appellant company by the Operator, according to the case file for special procedure number 2023XE-0000230000400001. Add to the above that it is not possible to understand what the true impact on the company is, derived from the terms of Executive Decree No. 44196-MSP-MICITT “Regulations on Cybersecurity measures applicable to telecommunications services based on Fifth-generation mobile technology (5G) and higher.” The foregoing is because the case file shows that no limitation to participate or impossibility of compliance in the public tender was mentioned to ICE, while it simultaneously filed the appeal action against the Operator's own action. Coupled with which, subsequently, the bid from the company [Name 002] is observed, for the purpose of contracting “GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND,” processed on the Integrated Public Procurement System (SICOP) platform registered with electronic case file number 2023XE-000023-0000400001, in which, despite what was stated, the company did participate and stated its adaptation to the conditions of the tender specifications for said competitive process. Furthermore, it alleges through the amparo action filing that it is a company of “Chinese origin,” when in its bid, it clearly states that it is a company incorporated in Costa Rica. Finally, this Ministry does not understand what the true impact is in this specific case, since, according to what occurred in an apparent exchange of communications with operator ICE prior to the publication of the tender, and what is documented in the SICOP file, it has maintained a consistent position before the different authorities in relation to the conditions referenced in the Regulations, which does not occur before the Chamber where it loosely manifests a violation of its rights, a discourse it has not reflected in the different procedural opportunities of the case. Far from reflecting a semblance of legal right, this leads instead to reckless statements removed from the principle of procedural good faith by the company, in an effort to interrupt the normal course of the current procurement procedure. By way of example, see the bid document (EVIDENCE No. 3) in which the company stated the following regarding the cited Convention: “3.4. The bidder must submit a sworn statement indicating that its headquarters is in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention). Supporting documentation must be attached. ICE reserves the right to verify the validity (sic) of the information provided. Response: We understand. Huawei fully complies with cybersecurity standards and industry best practices (sic) for the safeguarding and integrity of information. The Budapest Convention does not refer to a cybersecurity standard for 5G or similar mobile networks.” (Highlighting is our own) With total respect for the principles of legality, competition, due administrative process, and the competitive procedure currently underway, as well as for the administrative functions held by this Ministry, I could not generate any opinion regarding the substance of the company's bid. What I can point out to the Chamber—without prejudice to the analysis that the operator must perform regarding the statements and documents formally submitted with the bid—is that at the time of formulating said sealed bid, it also made no reference to the reasons why its company, which it considers incorporated in Costa Rica, is attributed any difficulty regarding the Budapest Convention, a requirement it has also stated it “understands.” This argumentation exercise is incumbent upon the company to carry out when setting forth a potential impact in the amparo filing. What emerges from the evidence provided, the bid, and the appeal filings are evident inconsistencies and incongruities in the outlined statements. However, I can specify to this honorable Constitutional Chamber what the context and the technical and legal reasons are for which Executive Decree No. 44196-MSP-MICITT “Regulations on Cybersecurity measures applicable to telecommunications services based on Fifth-generation mobile technology (5G) and higher” incorporated the Budapest Convention as part of the risk management and mitigation measures. In this sense, this Honorable Court can review section -K- of technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023, which delves into the decision for which the reference to said Convention has been included as part of the high-risk parameters regulated in the Regulations (Article 10, subsection E). In turn, it refers to the development carried out on this same topic in this response, specifically at the following point. For the moment, we limit ourselves to mentioning its incorporation into the Costa Rican Legal System through Law No. 9452 “European Convention on Cybercrime (Budapest, 2001).” 10.- The Budapest Convention was published 18 years before 5G technology was launched onto the market, so it is impossible that any of its considerations were related to that technology. An evaluation factor that is outdated and not directly related to cybersecurity is being used, in addition to violating the principle of technological impartiality enshrined in Chapter XIII of CAFTA. Response. The only certainty regarding this argument is that the European Convention on Cybercrime signed in Budapest in 2001 was ratified by the Legislative Assembly through Law No. 9452 “Approval of the Accession to the Convention on Cybercrime,” issued on May 26, 2017, and published in Supplement No. 161 to the Official Gazette La Gaceta No. 125 on July 3, 2017. It is important to highlight to the Chamber that the company's arguments lack proper substantiation, since the appellant company does not develop or clearly and precisely explain the reasons why it considers that: 1. The referenced Convention is outdated, given that its normative provisions remain current and applicable with authority superior to law in our Legal System; 2. The Convention bears no relation to cybersecurity, when its purpose is to provide a normative framework in the fight against cybercrime, which is improper for the technical reasons from the field of telecommunications and cybersecurity applied to its networks and services; 3. The Convention violates the principle of technological impartiality enshrined in Chapter XIII of CAFTA, when the content in CAFTA refers to “flexibility in technological options,” which in one area derives from the principle of technological neutrality, both subject to the legitimate interests of public policy regarding cybersecurity and guaranteed standards that allow full and secure enjoyment by end users. The burden falls on the company, as part of its substantiation exercise, to demonstrate the specific premise it alleges, from the perspective and experience of the company's business line, coupled with the particularities of the telecommunications sector, upon which Executive Decree No. 44196-MSP-MICITT “Regulations on Cybersecurity measures applicable to telecommunications services based on Fifth-generation mobile technology (5G) and higher” precisely applies, regarding which the argument is silent. Furthermore, it is not enough to assert a series of violations in three lines, when it also does not refer to the text of the Convention and the excerpts with which it would clearly, precisely, and unequivocally support why said legal instrument is inapplicable to the matter as it seeks to portray, and why it infringes certain principles. This not only (sic) lacks evidence and substantiation but consists of allegations with no legal or technical basis, as will be specified below. Now, given that the company's argument refers to two entirely different topics—the Convention as an “evaluation factor” and the violation of the principle of technological impartiality through the insertion of the Convention—we will proceed to explain what is necessary regarding these two topics, as indicated.

a. Regarding the Budapest Convention as a risk parameter. First, it is appropriate to explain to the Constitutional Chamber, as has been specified in this document and in the various inputs that have been provided ex officio to the processing file of this amparo action, that Executive Decree No. 44196-MSP-MICITT “Regulations on Cybersecurity measures applicable to telecommunications services based on Fifth-generation mobile technology (5G) and higher” incorporates the highest standards and best international practices in cybersecurity, in view of the competitive process for telecommunications services via International Mobile Telecommunications (IMT) systems, including fifth-generation 5G technology and higher. These elements constitute objective parameters to strengthen prevention against cybercrime, which, as has been well explained, has generated significant repercussions for public systems, public finances, and the users of these essential services in the country. As section -I- of technical report No. MICITT-DM-OF-10992023 dated December 12, 2023, well explains, the security measures contemplated in said regulation and all applicable actions for risk management are mandatory and binding for all natural or legal persons, public or private, national or foreign, who hold an enabling title for the operation of networks and services based on fifth-generation mobile technology (5G) and higher. Of course, this consideration obligates in this case the service Operator, i.e., ICE, to comply with the adoption of the standards and risk analyses set forth in the regulation, as it concerns the active operation of networks for these purposes. Now, Chapter II, Article 4, entitled “National Cybersecurity Risks in 5G and Higher Networks,” identifies the risk scenarios in cybersecurity that have been identified and grouped according to the recommendations and experience of the international community, specifically the European Union:

(Regarding this, see Report No. MICITT-DGDCFD-INF-011-2023/ MICITT-DERRT-INF-007- 2023/ MICITT-DCNT-INF-011-2023 provided as an Annex last December 14, 2023, as part of report MICITT-DM-OF-1099-2023.)

In this vein, the aforementioned Regulation continues in its Articles 6 and 7 to indicate the need for the subjects covered by the scope of application of the standard, ergo the operators, to adopt a series of standards and a risk analysis of the networks they operate, to determine if any of the network elements qualifies under the high-risk parameters, dimensioned in numeral 10, which literally states: “Article 10— High-risk parameters. The subjects covered by the scope of application of Article 2 of these Regulations must consider the following high-risk parameters for the operation of 5G or higher telecommunications networks and the provision of their services: a) When the subjects covered by the scope of application of Article 2 of these Regulations have a single supplier of hardware and software in their supply chain, when this single supplier is responsible for configuring and integrating all active equipment and software of the solution, or if the network is composed of active equipment and software from a single manufacturer. b) When the subjects covered by the scope of application of Article 2 of these Regulations or their hardware and software suppliers have an incident report published by CSIRT-CR regarding breaches in the cybersecurity of their systems that have not been addressed, and therefore imply a risk to the security, availability, integrity, or privacy of end-user information. c) When the subjects covered by the scope of application of Article 2 of these Regulations or their hardware and software suppliers are susceptible to pressure from a foreign government by normative provision or official public policy of said foreign government, in relation to the location or execution of their operations. d) When the subjects covered by the scope of application of Article 2 of these Regulations or their hardware and software suppliers are based in a country, or are, in some way, subject to the direction of a foreign government with established laws or practices that may require them to share the information of end users of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests. e) When the subjects covered by the scope of application of Article 2 of these Regulations use hardware and software suppliers whose headquarters are located in a country that has not expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention).” f) When the subjects within the scope of application of article 2 of this regulation use hardware and software suppliers that do not comply with the cybersecurity standards set forth in article 6 of this Regulation." As the Chamber can see, it is in this article that the regulation associated with the Budapest Convention is derived, as a risk parameter within the operation of telecommunications networks based on 5G or higher technology, delimited in subsection e), which, in relevant part, states: "When the subjects within the scope of application of article 2 of this Regulation use hardware and software suppliers that have their headquarters (sede) in a country that has not manifested its consent to be bound by the Convention on Cybercrime (Budapest Convention)." For a better understanding by this Honorable Tribunal, it is appropriate to analyze this subsection from the spirit that has been conferred precisely on the elements of: • hardware and software supplier (suministrador de hardware y software), • headquarters (sede), • manifestation or consent to be bound. In the first order, article 3, in its subsection o) of Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Higher" establishes the concept of software and hardware supplier (suministrador de software y hardware) in the following terms: "(...) o) Hardware and software suppliers (Suministradores de hardware y software): Entities that provide services or active equipment to the subjects included in article 2 of this regulation. This category includes: i) telecommunications equipment manufacturers; and ii) other external providers, such as cloud infrastructure providers, systems integrators, security and maintenance contractors, and transmission equipment manufacturers, when these are responsible for configuring and integrating the active equipment and software of the solution." The above concept must be integrated from the perspective of compliance with the risk parameter of the Budapest Convention, thus being that the manufacturers and suppliers of the operator must have their headquarters (sede) in a country that has manifested its consent to be bound by the Convention, such as Costa Rica, the country of origin in which the appellant was established as a Costa Rican merchant. In this line, the definition of headquarters (sede) was provided as the core or the main headquarters (sede principal) of the business organization, of its suppliers, that is, manufacturers and providers. Now, regarding the manifestation of consent, this subsection e) of article 10 does not expressly require the status of a State that has ratified and incorporated said instrument into its national legal system according to the internal procedures of each country; rather, it considers the "Accession" process established for acceding to this Convention. In relation to this topic, it is appropriate to indicate that the "Accession" process to Law No. 9452 "European Convention on Cybercrime (Budapest, 2001)", involves 3 steps, which are the following: 1. Once a draft law is available indicating that a State has already implemented or may be able to implement the provisions of the Budapest Convention into its national legislation, the Minister of Foreign Affairs (or other authorized representative) must send a letter addressed to the Secretary General of the Council of Europe expressing the interest of their State in acceding to the Budapest Convention. 2. Once there is a consensus among the current States Parties to the Convention, the State is invited to accede. 3. The authorities of that State must formalize their internal procedures similar to the ratification of any international treaty before depositing the instrument of accession with the Council of Europe. As can be deduced from the preceding steps, the Regulation only requires accreditation of the first level, as opposed to requiring formal ratification according to domestic law, and of course this first step was selected given that it proves the interest of other nations to protect the same legal values protected by our country and the Community. In that sense, it is important to emphasize that the cited Regulation only contemplates high-risk parameters, since it has been sought to ensure minimal state intervention, such that the assessment and management of medium and low-impact risks is carried out by the network operators or telecommunications service providers that have a enabling title for these purposes. With this clarification made, it is then necessary to clarify the reasons why there is a special connection between the Budapest Convention as part of the cybersecurity measures for networks and services based on 5G and higher technology. These reasons can be consulted in the development carried out in section -K- of technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023, regarding this subsection e) of the numeral under analysis). Said parameter was considered fundamental in a world where cyber threats do not recognize geographical borders, and the decentralized and often anonymous nature of cyberspace has allowed malicious actors to carry out attacks from anywhere in the world, greatly complicating prosecution, response, and sanction efforts. It is necessary to reiterate the core point of the Regulation: 5G technology and higher promise to revolutionize numerous sectors with their high speed and massive connection capacity, which amplifies the risks associated with cybersecurity. 5G infrastructure is critical and sensitive, given its implication in the connectivity of essential devices in sectors such as health, industry, and essential public services. An attack on these networks could not only have devastating consequences in terms of interruption of essential services but could also compromise the security and privacy of enormous volumes of data and critical infrastructures. It is true that the European Convention on Cybercrime (Budapest, 2001), approved by Law No. 9452, predates the Regulation in question, and therefore it becomes a necessary norm to combat cybercrime and organized crime, with authority superior to the law according to Article 7 of our Political Constitution. Thus, Costa Rica must implement the provisions of international instruments on Human Rights, which, in harmony with the mandates of the Political Constitution, view the person as the center of jurisdiction, and consequently, the regime of protection of their fundamental rights and freedoms must be guaranteed ex officio by public authorities. From this legal perspective, said Convention forms part of the international regulations incorporated into the Costa Rican Legal System and its purpose, together with the cited Regulation, is to guarantee, under the principle of progressivity, respect for the Human and Fundamental Rights enshrined in the Political Constitution of Costa Rica and in other instruments such as the Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms (1950), the United Nations International Covenant on Civil and Political Rights (1966), the American Convention on Human Rights (Pact of San José) (1970), among others. Of course, this reconciles with the true need for the issuance of Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Higher," since it protects the aforementioned rights from an area that is highly vulnerable, such as the establishment of the telecommunications network itself and its services by Operators of 5G and higher technologies. Said regulatory body thus aims to safeguard the referred rights of the final telecommunications users derived from Article 24 of the Constitution (already cited), such as intimacy, inviolability of private documents, privacy of communications, informational self-determination, and therefore the quality of services received by final users, by establishing technical and objective measures in the deployment of 5G and higher networks, since these rights find their foundation in the dignity of the person and their exercise presupposes the conscious and responsible self-determination of one's own life. Therefore, it is correct to point out that the protection of human dignity and the enjoyment of the rights emanating from this value prevail over any other matter, and consequently, they are superior, as the Constitutional Chamber has noted in Voto N°034212020, of 12 hours 10 minutes, dated February 19, 2020, when reviewing that: "(...) it is important to recall an elementary question of Public International Law. Human Rights Treaties have, by their subject matter, an object and purpose very different from bilateral or multilateral international treaties on commercial topics, technical, scientific, cultural cooperation relations, etc. In these treaties, public international law subjects agree on mutual obligations among themselves on the respective agreed topics; however, in those related to human rights, States set as object and purpose the human person within their jurisdiction. In this sense, States grant, in accordance with the golden rule of international law, international obligations in favor of the human person, which must be fulfilled in good faith (in accordance with article 26. Pacta sunt servanda of the Vienna Convention on the Law of Treaties)." From the foregoing, the rule of international law pacta sunt servanda prevails, in accordance with article 26 of the Vienna Convention on the Law of Treaties, Law No. 7615, to fulfill international obligations in good faith, and in the specific case in favor of the human person, which is precisely what the Costa Rican State has sought with the implementation of the Regulation under analysis. All this understanding that the human being is the cornerstone in the Information and Knowledge Society, and therefore must be provided with every protection, especially when dealing with complex digital environments with greater exposure for final users and public institutions with the implementation of fifth-generation (5G) and higher technology. As has been well indicated in technical report No. MICITT-DM-OF-1099 2023 dated December 12, 2023 (section -B-), in the incorporation of supranational law into local law, the accession process to international instruments is not enough, but a progressive reading must be applied; in this way, the implementation of international instruments, the ex officio conventionality control between internal norms and international instruments within the framework of the respective competences of public bodies, allows the adaptability over time of the regulatory framework to new technological requirements and needs that are satisfied. This conventionality control materializes in the specific case, in the exercise of the regulatory powers of the Executive Branch to establish, via telecommunications matters, technical and administrative protection measures incorporated into the Cybersecurity Regulation for 5G, in favor of the legal regime for the protection of final users in the access to and effective enjoyment of telecommunications services, among which is precisely the manifestation referring to Law No. 9452 "European Convention on Cybercrime (Budapest, 2001)." Especially since Law No. 9452 "European Convention on Cybercrime (Budapest, 2001)" has been cataloged by the Council of Europe as the most comprehensive international standard to date, as it provides a comprehensive and coherent framework against cybercrime and electronic evidence. It serves as a guide for any country wishing to develop comprehensive national legislation on cybercrime and as a framework for international cooperation among the States Parties to this Treaty. It is thus how Law No. 9452 "European Convention on Cybercrime (Budapest, 2001)", from the technical and legal plane, acts as a deterrent, preventive, and punitive control in the prosecution of crimes that threaten the triad of information security: confidentiality, integrity, and availability of systems, networks, and computer data. The discipline of cybersecurity not only focuses on aspects such as monitoring, detection, and protection, but also addresses crucial fields such as cybersecurity incident response and forensic analysis. The latter are of vital importance for obtaining digital evidence, such as system records (logs), which is essential to determine the root cause of incidents. Given the cross-border nature of cyberattacks, international cooperation is often required to obtain this evidence, not only for the prosecution of the cybercriminal but also to identify what vulnerabilities were exploited and thus solve the security breach. This is how Law No. 9452 "European Convention on Cybercrime (Budapest, 2001)" states in its preamble: "(...) Convinced that the present Convention is necessary to prevent acts that endanger the confidentiality, integrity, and availability of systems, networks, and computer data, as well as the abuse of such systems, networks, and data, by guaranteeing the criminalization of such acts, as defined in this Convention, and the assumption of powers sufficient to effectively combat such crimes, facilitating their detection, investigation, and sanction, both at national and international levels, and establishing material provisions that allow for rapid and reliable international cooperation (...)" (Emphasis added) Therefore, it is of vital importance to reiterate that Law No. 9452 "European Convention on Cybercrime (Budapest, 2001)" addresses the pillars of cybersecurity (triad of information security: confidentiality, integrity, and availability) in technological platforms, including networks. In this regard, it is possible to analyze the content of article 3 relating to illegal interception; article 4 concerning data integrity; article 5 concerning system integrity; all the above, in addition to the content of chapter 3 on international cooperation mechanisms, mutual assistance, and the creation of a contact network that operates 24/7, on technological platforms including networks (a definition used throughout the convention with measures that can be identified as "traffic data"). Furthermore, by referring to "networks" in general, said regulatory framework effectively applies to a wider range of technologies, including those that currently exist and those that may emerge in the future. Technology evolves rapidly, and mentioning a specific technology, such as 5G, within the Convention would cause the norm not to adapt over time when its stability is actually sought, especially considering its supra-legal hierarchy. Instead, referring to "networks" in general terms abstractly maintains the applicability and validity of the norm as new technologies emerge. In view of the above, a collective effort has been developed in the international community to include the Convention within different national cybersecurity strategic plans, in order to strengthen cyber resilience. Examples of this are the Dominican Republic, Ecuador, Panama, Belize, Colombia, and Costa Rica.

In line with the above, it is then appropriate to reiterate to this Collegiate Body that in 2022, Costa Rica experienced a devastating episode in which a cybercriminal group known as CONTI, whose members reside in non-signatory countries of the Convention, could not be detained despite being identified. Additionally, in 2022 Costa Rica suffered a computer attack on the services of the Costa Rican Social Security Fund (CCSS) perpetrated by the cybercriminal group Hive. The operations of this group were dismantled by the United States Department of Justice in a joint operation with law enforcement from Germany and the Netherlands, members of the Budapest Convention. This international collaboration allowed for the provision of more than 1,300 decryption keys to the more than 1,500 victims of Hive in more than 80 countries around the world. In this way, technological evolution must keep this context in mind, for prevention purposes as a crucial element of the cybersecurity branch. In this sense, in the prevention of acts that endanger the confidentiality, integrity, and availability of systems, networks, and computer data, conditioning an environment in which the punitive aspect is also feasible—that is, the prosecution of crimes and the apprehension of cybercriminals—plays an important role. Cybersecurity is not only a technical element but also controls of different natures, including administrative, governance, and regulatory ones, which function as deterrent controls. In the event of a cyberattack, information is required on vulnerabilities or event records associated with hardware or software equipment from a provider whose country of origin must be obligated to collaborate under Law No. 9452 "European Convention on Cybercrime," in order to obtain all the information necessary to address the incident. The collection of evidence is crucial for generating an adequate response to the security incident, and in the second order, the prosecution and apprehension of cybercriminals, thereby reducing the risk of future attacks. According to international frameworks and standards for incident response, such as NIST 800-61 'Computer Security Incident Handling Guide' or ISO 27035 'Information security incident management', a crucial phase is the eradication of the threat and the correction of the vulnerabilities that caused the breach. That is why the examination and handling of information in the shortest possible time is required to remedy the root cause and restore service. It is from this angle that the Convention offers a fundamental tool to guarantee cooperation to protect digital security against cross-border threats, and not to depend solely on the goodwill of the counterparty. Thus, the principles of Law No. 9452 "European Convention on Cybercrime" urge active communication with signatory countries to obtain fundamental evidence both to remedy the vulnerability and to prosecute cybercriminals for the criminal act. Therefore, this Ministry considered that the measure is consistent, proportional, and appropriate to the benefit intended to be generated for the benefit of national security and the legal regime for the protection of the interests and rights of final users. Therefore, the appellant company's assessments are entirely incorrect. As the Chamber can see, the agreements under the Budapest Convention do correspond to the prevention component inherent to the science of cybersecurity, as part of the regime for the protection of the fundamental rights of users. Given that the fundamental pillar of the Information and Knowledge Society is the person and the protection of human dignity as a superior value of constitutional and supranational roots. As stated in the very preamble of Law No. 9452 "European Convention on Cybercrime (Budapest, 2001)", the States Parties are: "Aware of the profound changes brought about by the digitalization, convergence, and continuing globalization of computer networks"; "Concerned by the risk that computer networks and electronic information may also be used for committing criminal offences and that evidence relating to such offences may be stored and transferred by these networks." Therefore, although this Convention does not specifically specify technologies, such as Fifth-generation (5G) or higher mobile networks, it does not follow from this circumstance that the instrument is inapplicable; on the contrary, it is understood that the legal technique was to subscribe to the instrument with a view to the future and to avoid its obsolescence by restricting it to certain cases, given the technological evolution that has precisely been incorporated into its statement of motives. Therefore, the appellant company is also not correct in suggesting that the Convention is outdated, as it is in force and must be mandatorily complied with by the Costa Rican State in accordance with the rules of International Treaty Law. Nor is it true, as the company states, that the Budapest Convention figures as an "evaluation factor (factor de evaluación)". For the semantic expression "evaluation (evaluación)" is used in public procurement for those aspects subject to qualification and that grant added value to offers that satisfy precisely the minimum profile of the offeror, as well regulated by article 40 of the General Public Procurement Law, Law No. 9986, in the following manner: "The tender specifications must establish the admissibility requirements, the parameters to verify quality, and contain an offer evaluation system, it being possible to incorporate evaluation factors (factores de evaluación) other than price, such as term and quality, which, in principle, must be regulated as mandatory compliance requirements (...)." As has been made clear in previous lines, the risk parameters, measures, and management analyses contemplated in Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Higher," which concerns us, do not constitute mere aspects subject to "evaluation" for a public procurement process, but rather are configured as regulatory provisions to which Network Operators with this technology are subject, and form part of the minimum conditions and obligations to which they are subject according to the objective sectoral law of telecommunications in relation to the use and exploitation of the radio spectrum as a constitutional demanial asset. As has been demonstrated, the incorporation of this parameter has a technical and legal justification and not an arbitrary or capricious criterion as the appellant company tries to suggest. b. On compliance with the principle of technological neutrality. As has been developed in section -H- of technical report No. MICITTDM-OF-1099-2023 dated December 12, 2023, Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Higher" maintains a special subjection to the principle of flexibility in technological options, as well as the sectoral principle of technological neutrality.

Thus, the principle of flexibility in technological options (technological neutrality) arises within the framework of the telecommunications sector market-opening process, as part of the “IV. Regulatory Principles approved in Annex 13 of the 'Specific Commitments of Costa Rica on Telecommunications Services' of the Dominican Republic-Central America-United States Free Trade Agreement (CAFTA-DR) Law No. 8622,” which, where relevant, provides: “10. Flexibility in Technological Options Costa Rica shall not prevent public telecommunications service providers from having the flexibility to choose the technologies they use to supply their services, subject to the necessary requirements to satisfy legitimate public policy interests.” (Emphasis added) From this regulatory principle it follows that, in the area of telecommunications, operators and providers of services available to the public effectively enjoy the flexibility to choose the technologies they prefer to operate public networks and supply their services, for example, to provide International Mobile Telecommunications services, known as IMT (in any of their technically available generations), provided that legitimate public policy interests are satisfied. In this area, it is important to note that public policy on telecommunications is defined through the National Telecommunications Development Plan (Plan Nacional de Desarrollo de las Telecomunicaciones, PNDT) 2022-2027, “Costa Rica: Hacia la disrupción digital inclusiva,” which was approved by the Executive Branch through Executive Decree No. 43843-MICITT, published in the Official Gazette La Gaceta No. 5 on January 13, 2023, following the holding during 2022 of a participatory process through workshops and open working sessions in multiple areas of telecommunications, in which representatives of civil society, the various sectors of the country, including telecommunications operators and service providers, information service providers, social network representatives, among others, could freely participate, and could express and share their vision of the future of the telecommunications sector through the year 2027. Therefore, the public policy for the operation of networks and the provision of telecommunications services is embodied in the National Telecommunications Development Plan (PNDT) 2022-2027, “Costa Rica: Hacia la disrupción digital inclusiva,” with the objective of charting the sector's development from the perspective of sectoral public policy, allowing the challenges of telecommunications to be addressed in the coming years. It must be emphasized that in its section “3.3.3.3 Estrategia Nacional de Ciberseguridad Costa Rica,” the PNDT 2022-2027 indicates that “The cybersecurity strategy dates from 2017 and seeks the pursuit of actions leading to data assurance and online protection in different aspects, considering the person as a priority, respect for human rights and privacy, coordination with multiple stakeholders, and international cooperation.” Furthermore, the PNDT indicates that “regarding cybersecurity and the challenges this represents for different populations, from critical infrastructures, online services, financial services, MSMEs, populations in vulnerable conditions, among others, for which the issue must be considered transversally in the axes of sectoral planning with a vision towards 2027.” In this vein, in its section “3.3.4 Síntesis de los instrumentos publicados asociados al PNDT,” it adds that “there are various instruments in which Costa Rica has formulated guidelines and lines of action to address problems of public interest on issues related to the telecommunications sector, such as: infrastructure, radio spectrum and digital television; specific populations in the ICT area; science, innovation and technology, digital economy, digital transformation and cybersecurity; (...).” The foregoing is complemented by specifying that, according to the Global Cybersecurity Index (GCI), which is an initiative of the International Telecommunication Union established with the aim of measuring the commitment of countries on cybersecurity and helping them identify areas for improvement, Costa Rica's position relative to the member countries of the OECD is second to last on the list (position 37 out of 38), only surpassing Colombia. Based on this, and seeking to materialize the objectives established for our country from public policy, the “Regulation on Cybersecurity measures applicable to telecommunications services in fifth-generation mobile technology (5G) and higher” (Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores), Executive Decree 44196-MSP-MICITT, is approved, which forms part of the technical cybersecurity measures to guarantee the secure use and exploitation of networks while safeguarding the privacy of individuals. This regulation is aimed at satisfying a set of fundamental rights and legitimate interests of the end users of telecommunications services. This community is made up of those of us who access these services daily and who have the right to be guaranteed a secure provision regarding the privacy and confidentiality of information, the secrecy of communications, and the protection of personal data of any nature. Thus, there must be total clarity that cybersecurity in telecommunications is defined from public policy and the regulatory instruments that comprise it, such as the “Regulation on Cybersecurity measures applicable to telecommunications services in fifth-generation mobile technology (5G) and higher” (Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores), Executive Decree 44196-MSP-MICITT, as well as any other regulatory instrument, plan, or strategy approved for the satisfaction of the legitimate interests and protected subjective rights regarding the privacy and confidentiality of personal data and communications, in accordance with the regulatory principle of Flexibility in technological options (technological neutrality) established in CAFTA-DR, and it is therefore a matter that interests all of us as end users and beneficiaries of these rights. For my part, from a technical perspective, I would like to clearly establish that the issuance of Executive Decree 44196-MSP-MICITT, “Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher” (Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores): • Does not prohibit or mandate the use of any specific technology, such as fifth-generation mobile technologies, but rather establishes minimum security requirements that all telecommunications mobile network Operators that decide to implement telecommunications networks under this technology or higher must meet. • These requirements consider Law No. 9452, “Council of Europe Convention on Cybercrime,” and a series of standards related to information security, so that the Regulation seeks to ensure that Operators guarantee the secure operation of their networks and users can trust in the integrity, availability, and confidentiality of their networks and services, and fully enjoy the benefits of 5G technology without risks to their privacy, security, or human rights. • Does not limit competition or innovation in the telecommunications market under fifth-generation (5G) technology, but rather promotes an environment of effective competition and equal conditions for all Operators regardless of their origin or size, by requiring that Operators be subject to a legal framework that respects the principles of the Budapest Convention, as well as the other standards highlighted in the Regulation. • This level playing field of conditions and obligations for Operators seeks to prevent unfair competitive advantages or market distortions from being generated by those Operators that may potentially operate under more lax regulations or those incompatible with those required by the referenced Decree. • The Regulation also fosters diversity and interoperability of technologies and platforms for the deployment of IMT-2020 systems, including 5G and higher, by allowing Operators to choose from a variety of reliable equipment suppliers that meet the established security requirements. • Does not violate the supralegal principle of flexibility in technological options or the sectoral principle of technological neutrality, but rather attends to its guiding content in accordance with the public policy of the Costa Rican State. • The Regulation makes no distinction between the different technologies or platforms for the deployment of IMT-2020 systems, including 5G and higher, but applies equally to all of them. • The Regulation likewise imposes no restriction on the access to or use of these innovative mobile networks or services by users, but rather guarantees that they can exercise their freedom of expression, information, and communication through secure networks and means of communication. 11- It is completely discriminatory that my represented company is prevented from participating in a bidding process due to a decision that is not in its hands, being a decision entirely of the Chinese Government. Response. It is not true that the Regulatory provisions are discriminatory, especially considering the offer submitted by the company [Name 002], for the purpose of contracting “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA,” processed on the Integrated Public Procurement System (Sistema Integrado de Compras Públicas, SICOP) platform, recorded with electronic file number 2023XE-000023-0000400001, in which, despite what was indicated by the appellant, the latter (sic) did participate and stated its compliance with the conditions of the terms of reference for said competitive process. Furthermore, it alleges that it is a company of “Chinese origin,” when in its offer it makes clear that it is a company incorporated in Costa Rica. In this regard, I deem it appropriate to reiterate to this Honorable Court the registration made for [Name 002] in the National Registry of Costa Rica, Legal Persons Section, as a Costa Rican corporation, according to the offer document provided for the special competitive services procedure currently being promoted by the respondent Operator. In any case, note that the company declared in its offer (Exhibit No. 4), the following: “3.4. The bidder must submit a sworn statement indicating that its headquarters is in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention). For this purpose, it must attach the supporting documentation. ICE reserves the right to verify the validity (sic) of the information provided. Response: We understand. Huawei fully complies with cybersecurity standards and industry best practices (sic) for the safeguarding and integrity of information. The Budapest Convention does not refer to a cybersecurity standard for 5G mobile networks or similar.” (Emphasis in the original) From the foregoing transcription, this Constitutional Chamber must consider that the company stated it understood the requirement, and in a lax manner points out at the end that it does not refer to a cybersecurity standard, without addressing or developing the grounds to support said assertion, which constitutes a mere subjective appreciation without technical or legal backing. If in the case at hand there is an objective factual basis that allows for a difference in treatment, it is called differentiation of treatment and proves to be a perfectly feasible and valid scenario, based on the principle of equality. This conceptual precision implies that public authorities must treat those in equal factual conditions equally, in a reasoned manner. Consequently, the principle of equality is only (sic) violated when unequals are treated unequally in the absence of justification, which translates into discrimination. However, note in this regard that the regulation is non-discriminatory since it applies to all network Operators and service providers under fifth-generation or higher technology, who must ensure, under equal conditions, the suitability of their supply chain. Because, as we have pointed out, the regulatory provisions seek to safeguard the aforementioned rights of telecommunications service end users deriving from Article 24 of the Constitution (already cited), such as privacy, the inviolability of private documents, the privacy of communications, and the quality of services, by establishing objective technical and administrative measures for the deployment of the aforementioned public networks, in favor of the dignity of the person and its exercise entails the conscious and responsible self-determination of one's own life. Human dignity being the minimum legal standard that must be assured to end users in order to respect their condition and ensure, under objective parameters, the quality in the provision of the service that will ultimately redound to the quality of life of this community. Therefore, given that discrimination, from a legal point of view, consists of granting different treatment based on unjust or arbitrary inequalities that are contrary to the principle of equality before the law and the prohibition of discriminating on the basis of any personal or social circumstance; and conversely, when differentiation is carried out based on an objective and reasonable justification, the principle of equal treatment derived from the fundamental human rights protection regime admits the existence of differentiating elements. The differentiating element in this case is the parameter of the Budapest Convention, which responds to the need to guarantee a secure environment for the protection of the human rights regime of end users who will access this type of technology and its services, for the technical and legal reasons from the cybersecurity perspective that we have developed above. This thesis has also been clearly dimensioned in sections -B- and -K-, subsection E) of technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023. Finally, in accordance with what was argued by the appellant company, it must be noted that the sovereign decisions of an international State foreign to Costa Rica are not a matter that falls within the purview of this Constitutional body to resolve. 12- The only way to avoid a flagrant violation of the constitutional rights of free competition and equality of participation which, according to the jurisprudence of this Chamber, have constitutional rank (Voto 998-1998), as well as the right to non-discrimination, is through the immediate suspension of the public tender in question. Response. It is not true. According to (sic) what was indicated supra, the offer of the company [Name 002] is observed, for the purpose of contracting “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA,” processed on the Integrated Public Procurement System (SICOP) platform, recorded with electronic file number 2023XE-0000230000400001, in which the appellant participated and stated its compliance with the conditions of the terms of reference of said competitive process, in which it is reiterated that its offer also makes clear that it is a company incorporated in Costa Rica, without prejudice to the fact that, as we have previously stated, it is not within the purview of this Ministry to prejudge or qualify the content of the offer, which is a matter for the contracting Operator's scope of competence in this area. Thus, it is worth highlighting that in public contracting matters, the principles of equality and free competition have two aspects. In the first, the broadest participation under equal conditions must be guaranteed, in the absence of unjustified restrictions. A contrario sensu, bidders may also participate under a series of restrictions that have been duly reasoned, ergo, justified, when the subject matter of the contract so requires due to the technical specialty that characterizes it. On this point, the Office of the Comptroller General of the Republic has indicated that: “(...) while it is clear that the Administration is the entity that best knows the need it seeks to satisfy by promoting a public tender, and therefore it is the one responsible for defining it discretionarily, evidently, in exercising said discretion, the Administration must respect the univocal rules of science and technique, as well as the elementary principles of justice, logic, and convenience, in application of the provisions of Article 16 of the General Law on Public Administration, and the principle of efficiency, in the sense that the procedure should tend toward the selection of the offer most convenient to the public interest. Thus, the structuring of the public need to be satisfied through the tender must respond to a reasoned and sound analysis from a technical and legal point of view that adequately supports the characteristics, functionalities, and technical requirements that the acquisitions it intends to make must satisfy. It should not be overlooked that it is even possible for the definition of technical requirements to entail a limitation on free participation to the extent that this is adequately substantiated” (Emphasis added) Hence, limitations on participation are entirely legitimate as long as they conform to the principles of conventionality, reasonableness, proportionality, the legal framework (bloque de legalidad), and the rules of science, technique, and legal logic, parameters that, as has been demonstrated, were observed when issuing Executive Decree No. 44196-MSP-MICITT, “Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher” (Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores), and which must consequently be observed by any Operator of telecommunications services under 5G or higher technology. Regarding the immediate suspension it proposes, I refer to the development indicated in this report and the reasons why this Ministry believes that the precautionary protection in favor of the appellant company is not appropriate. 13- If the cited act were to materialize, the harm to my represented company would be irreversible and impossible to repair, such as reputational damages. For this reason, we are procedurally entitled to file this amparo action against the imminent threats from ICE, consisting of issuing a public tender to implement and operate 5G IMT technology on its networks, from which we are excluded in advance.” Response. It is not true. I reiterate what was stated regarding the observation of the offer of the company [Name 002], for the purpose of contracting “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA,” processed on the Integrated Public Procurement System (SICOP) platform, recorded with electronic file number 2023XE-0000230000400001, in which the appellant participated and stated its compliance with the conditions of the terms of reference of said competitive process, in which it is reiterated that its offer also makes clear that it is a company incorporated in Costa Rica. Furthermore, the appellant company claims that in the event, irreversible damage could occur, as well as damages derived from its reputation, which has no basis in public contracting due to the very nature of the procedure. It is worth remembering that bidders who meet the technical conditions specific to the subject matter participate and must be evaluated on a level playing field, so it has already been well indicated that each one participates with an expectation, not with a preconstituted (subjective) right to be favored. It has already been well stated that in a procedure in which different participants compete, the risk of not being awarded the contract is a possibility and therefore does not qualify as serious harm: “(...) one cannot attempt to derive serious harm from the non-awarding of the contract, when the Administration, in the use of its discretion, chooses the offer that best suits its interests in terms of price and quality. The appellant should recall that what it holds before the tender is a legitimate interest in being the successful bidder, not a subjective right. Therefore, one could hardly claim the causation of potential or actual serious harm derived from the awarding to another of the participants in the tender” (see Resolution of the Contentious-Administrative and Civil Treasury Appeals Court No. 00336 - 2020 of June 25, 2020, at 10:00 a.m.). (Emphasis is not original) On the other hand, only (sic) in the event that an actual exclusion of the offer in the tender occurs, should the substantiation that the Operator develops for that purpose be examined to validate the cause, and, in the event that the exclusion is motivated by non-compliance with any of the risk measures or parameters identified in the cited Regulation, it is necessary to indicate that the regulation is directed at network Operators duly authorized according to the sectoral legal framework, and in addition, what it regulates are technical and administrative measures, as well as technical standards inspired by international best practices, with technical and legal support that is extensively developed in technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023. Thus, what the Decree establishes are differentiating measures based on a technical and legal justification, for Operators interested in the development of 5G networks and services. As has also been well indicated in this report, the appellant company has stated on repeated occasions that the harm is irreparable, a circumstance that it has not been able to demonstrate, given the lack of congruence between its statements and its actions in the special competitive services procedure, and which apparently have arisen in the context of the competitive process promoted by the respondent Operator here. While it speaks of irreparable harm, such a circumstance is hardly apparent in a tender in which the company stated its subjection to the terms of reference without any problem, also understanding and accepting its conditions. It refers to the following violations of the fundamental rights of its represented company: “The appealed threat violates, to the detriment of my represented company, at least the following fundamental rights: a) the right of free competition and equality of participation in public tenders and b) the right not to be discriminated against based on the company's origin. A.- The violation of the fundamental rights of free competition and equality of participation in public tenders. 1.- The jurisprudence of this Chamber has established that 'if Article 182 of the Political Constitution establishes this principle - that of public tender -, then all the principles inherent to Government Procurement are encompassed within the concept. By virtue of the foregoing, it must be understood that all the constitutional principles and parameters governing the State's contractual activity derive from Article 182 of the Political Constitution. Some of these principles that guide and regulate the public tender are: 1.- free competition, which aims to secure the possibility of opposition and competition among bidders within the prerogatives of freedom of enterprise regulated in Article 46 of the Political Constitution, intended to promote and stimulate the competitive market, so that the greatest number of bidders participate, so that the Administration may have a wide and varied range of offers, so that it can select the one that offers the best conditions; 2.- equality of treatment among all possible bidders, a principle complementary to the former and which within the tender process has a dual purpose: to be a guarantee for the administered parties in the protection of their interests and rights as contractors, bidders, and as individuals, which translates into a prohibition for the State to impose restrictive conditions for access to the tender, whether through the enactment of legal or regulatory provisions for that purpose, or in its specific actions; and to constitute a guarantee for the administration, insofar as it increases the possibility of better selection of the contractor; all the foregoing, within the constitutional framework provided by Article 33 of the Fundamental Charter' (Voto 998-1998). Response. It is not true. I again reiterate what was stated regarding the offer of the company [Name 002], for the purpose of contracting “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA,” processed on the Integrated Public Procurement System (SICOP) platform, recorded with electronic file number 2023XE-0000230000400001, in which the appellant participated and stated its compliance with the conditions of the terms of reference of said competitive process, in which it is reiterated that its offer also makes clear that it is a company incorporated in Costa Rica. Therefore, the company [Name 002], according to its own statements before the Operator, has confirmed its compliance with the conditions and applicable regulations for the tender, including under oath. In this sense, the company has effectively exercised each and every one of the rights it argues have been violated, which reveals an inconsistency between what is stated here and the verifiable real facts as processed on the Integrated Public Procurement System (SICOP) platform, recorded with electronic file number 2023XE000023-0000400001. On the other hand, Executive Decree No. 44196-MSP-MICITT, “Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher” (Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores), contains objective parameters for the deployment of networks under fifth-generation or higher technologies by Operators authorized to exploit the radio spectrum, and also to strengthen prevention against cybercrime, which, as has been well explained, has caused significant damage to public systems, public finances, and the users of these essential services in the country. 2.- ICE's threat to issue a public tender in which it will apply Article 10, subsections c), d), e), and f), and Article 11 of the aforementioned Regulation implies a clear violation, to the detriment of my represented company, of its fundamental rights to free competition in public contracting and equality of treatment of bidders. 3.- Indeed, those regulations establish requirements so that companies of various nationalities, as well as those of Chinese origin, cannot participate in any public tender for the acquisition of 5G Mobile telecommunications technology and higher. 4.- In this way, the fundamental rights to freedom of competition and equality of treatment held by all potential interested parties in participating in public tenders for the acquisition of goods and services in our country, including my represented company, are grossly and obviously violated. 5.- In the case of my represented company, the terms of reference will prevent our participation in that public contract by applying what is stipulated in subsections c), d), e), and f) of Article 10 and Article 11 of the cited Regulation, which is the purpose pursued by that regulation according to statements from the Executive President of ICE, the Minister of MICITT, and the President of the Republic. To a confession of the party, release of proof. Response. It is not true. Because the company [Name 002], for the purpose of contracting “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA,” processed on the Integrated Public Procurement System (SICOP) platform, recorded with electronic file number 2023XE-000023-0000400001, participated and stated under oath its compliance with the conditions of the terms of reference of said competitive process, and confirms that it is a commercial company incorporated in Costa Rica and therefore under the precepts of the national Legal System. Furthermore, even (sic) though this Costa Rican company maintains that the origin or nationality of a company constitutes an impediment to participation, it makes no reference to the specific provisions of Executive Decree No. 44196-MSP-MICITT applicable to that circumstance, to assert that, in the specific case, harm to its sphere of fundamental rights could materialize, and this is so because said regulatory provisions do not establish any discrimination in relation to the origin or nationality of any company.

Despite having repeatedly stated that the provisions of the Regulation will prevent its participation in public procurement processes, circumstances that are entirely contrary are observed, grossly distorting the arguments presented, given that within the tender recently promoted by the ICE, what it recorded in writing was total subjection to and compliance with the rules of the tender, including the conditions derived from Decreto Ejecutivo Nº44196-MSPMICITT. Regarding the public statements it alleges by various senior officials, it is reiterated that they derive from a mere subjective assessment by the appellant. As is clearly evident from the response to previous points, the issuance of Decreto Ejecutivo N°. 44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, is based on the need to have, within the sectorial telecommunications legal framework, a technical standard to safeguard superior legal interests within the legal regime for the protection of the intimacy, privacy, and informational self-determination of end-users, the protection of public order, and national security with respect to cyber sovereignty, from the perspective of cyberspace for the development of networks and provision of services based on 5G and higher technologies, and therefore it does not refer to preventing the participation of any particular nationality, but rather to objective measures of a technical and administrative nature based on the highest applicable standards in this matter.

B.- The violation of the constitutional principle of non-discrimination for any reason 1.- Article 33 of the Constitution enshrines the cardinal principle in Western Law that no person, physical or legal, may be discriminated against for any reason (sex, religious beliefs, ideology, nationality, etc.).

2.- In the present case, my represented party is openly discriminated against both for its alleged ideology and for its nationality, which implies a gross violation of Article 33 of the Political Constitution.

Response. It is not true. Because the company [Nombre 002]., has effectively participated in the bidding process to contract “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, which was processed on the platform of the Sistema Integrado de Compras Públicas (SICOP) and registered with electronic file number 2023XE-000023-0000400001; in which it also declared under oath its conformity to the conditions of the tender specifications of said competitive process, and confirms that it is a commercial company incorporated in Costa Rica, without any ideology being required of said corporate trader for its participation, and concerning which discriminatory acts by the Operator are identified. Nor does the appellant company in its statements make any connection to the specific provisions of Decreto Ejecutivo Nº44196-MSP-MICITT applicable to this circumstance, to assert that in the specific case a harm to its sphere of fundamental rights could materialize, and this is so because said regulatory standard does not establish any discrimination in relation to the origin or nationality of companies, proof of which is that the appellant has fully exercised its rights to freely bid in the cited competitive procedure. Which automatically causes its arguments to be distorted because it has freely subjected itself to the provisions of the tender specifications on an equal basis with other participants.

3.- For example, admitting that only (sic) companies from countries that have signed the Budapest Convention can participate in public tenders to acquire 5G technology is evidently discriminatory, since this Convention does not strictly refer to cybersecurity issues but rather its regulations are focused on the criminalization of computer crimes that include: fraud, intellectual property infringements, distribution and possession of child pornography, computer forgery, among others. Applying a common criminal policy among the signatory States. In this context, another characteristic of the Budapest Convention is international cooperation, an aspect that facilitates the investigation of cyber infringements and which is relevant due to the characteristics of computer crimes and the possibility that they are committed outside a country's borders, but with an impact on a specific territory.

4.- Let us remember that discrimination, from a legal point of view, means granting different treatment based on unjust or arbitrary inequalities that are contrary to the principle of equality before the law.

Response. It is not true. It is fallacious for a Costa Rican trader to argue any discrimination due to a supra-legal normative body that forms part of the Costa Rican legal system, such as Ley N° 9452 “Aprobación de la Adhesión al Convenio sobre la Ciberdelincuencia”, which by provision of Article 7 of the Constitution holds a higher authority than ordinary law. If this regulation, in its opinion, is discriminatory, any challenge aimed at expelling it from the local legal system must be filed directly against its provisions, and not against the infra-legal norms that ensure its compliance. In addition to the above, its statements are inappropriate, as the norm is of mandatory compliance for all network Operators covered by its scope of application, of which those companies that do not have an enabling concession title for such purposes are not a part (e.g., the company [Nombre 002].)

5.- The prohibition of discriminating covers the interdiction of doing so for any personal or social circumstance; that is, any differentiation that lacks objective and reasonable justification can be classified as discriminatory.

6.- Thus, inequalities of treatment based exclusively on reasons of sex, race, social condition, ideological motives, origin, nationality, etc., are contrary to the principle of non-discrimination.

7.- The regulation that the ICE intends to apply in the cited public tender implies a clear violation of the principle of non-discrimination to the detriment of my represented party, given that it is excluded from a public tender for supposedly ideological and nationality reasons”.

Response. It is not true. Because the company [Nombre 002]., has effectively participated in the bidding process to contract “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, which was processed on the platform of the Sistema Integrado de Compras Públicas (SICOP) and registered with electronic file number 2023XE-000023-0000400001; in which it also declared under oath its conformity to the conditions of the tender specifications of said competitive process, and confirms that it is a commercial company incorporated in Costa Rica, without any ideology being required of said corporate trader for its participation, and concerning which discriminatory acts by the Operator are identified. Nor does the appellant company in its statements make any connection to the specific provisions of Decreto Ejecutivo Nº44196-MSP-MICITT applicable to this circumstance, to assert that in the specific case a harm to its sphere of fundamental rights could materialize, and this is so because said regulatory standard does not establish any discrimination in relation to the origin or nationality of companies, proof of which is that the appellant, a trader of Costa Rican origin, has fully exercised its rights to freely bid in the cited competitive procedure. Which automatically causes its arguments to be distorted as incongruent, because it has subjected itself under the principles of freedom of enterprise and free competition to the provisions of the tender specifications on an equal basis with other participants; in this sense, what Decreto Ejecutivo Nº44196-MSP-MICITT establishes are minimum cybersecurity measures that all operators must comply with, and it is not discrimination based on origin or nationality, as any company from any country that meets the established security requirements can freely submit its offer within the ongoing special procurement procedure.

It formulates the following request for a precautionary measure: “1.- Given that we are facing an exceptional case, because if the execution of the future act harmful to our fundamental rights, which is almost in the execution phase, is not suspended, the prejudice to my represented party would be irreparable and irreversible because it could not participate in the cited public tender for the acquisition of 5G/IMT Mobile telecommunications technology. To understand this irreparability and irreversibility, it must be considered that the ICE represents 60% of Huawei's business in Costa Rica. Given this, if Huawei finds itself prevented from participating in the tender, approximately 80 employees in Costa Rica would be directly affected, in addition to the financial losses for the company. 2.- Therefore, we request that in application of article 41 of the Ley de la Jurisdicción Constitucional, the publication of any tender specifications be suspended, or in case they are already published, the suspension of any bidding process by the ICE in which the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) must be applied, until such time as this Sala Constitucional has ruled on the merits of this amparo appeal, and in case it were converted into an unconstitutionality action, until it has ruled on the merits of it”.

It proposes this petition: “1.- That my represented party cannot be prevented from participating in the cited public tender by introducing clauses that are impossible for it to fulfill, because this violates the fundamental rights to free competition, equal treatment, and the prohibition of discrimination exclusively for ideological and nationality reasons. 2.- That once the ICE is notified of the impossibility to proceed with the public tender cited many times, this amparo appeal be converted into an unconstitutionality action so that various norms of the challenged Regulation can be eliminated from the legal system and, therefore, cannot be applied in any present or future tender”.

Response. It is not true. First of all, considering the time elapsed and the facts stated, it is evident that at this moment no exceptional situation such as that which the appellant tries to alarm about is present, given the effective participation of the company [Nombre 002]., in the bidding process to contract “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, which was processed on the platform of the Sistema Integrado de Compras Públicas (SICOP) and registered with electronic file number 2023XE 000023-0000400001. Furthermore, in said process, the company has stated that it understands and complies with the conditions of the tender specifications, so the scenario described by the appellant, in which it has made an effective exercise of its rights to freedom of enterprise and free competition in the ongoing public procurement process, is not foreseen. Also, as we indicated above, the appellant company claims that in this specific case an irreversible damage could occur, which has no basis in public procurement given the inherent nature of the bidding procedure, in which the bidders who meet the technical conditions specific to the object for which they participate must be evaluated on a level playing field; it is for this reason that we have indicated that each one participates with an expectation, not with a pre-established (subjective) right to be favored. It also intends that in case it is not favored, the Costa Rican State must compensatorily assume the costs of its business operation. It is the opinion of this Ministry that the potential losses that would result for the telecommunications Operator company from the eventual suspension of its competitive process must be assessed with great expertise by this Honorable Sala Constitucional, especially considering that it is in a competitive market regime, in which inaction in its activity inherently entails an advantage for its competitors, who by their legal nature are not subject to public procurement processes, but are subject to the cybersecurity regulations of Decreto Ejecutivo in telecommunications networks. And to a greater degree, the impact on the end users of said Operator regarding access to new digital technologies and the full enjoyment of their services within the framework of the Information and Knowledge Society. The foregoing is without prejudice to the potential breach of contractual conditions and obligations by the Operator before the Conceding Administration, to the detriment of the public interest for which its special concessions were granted, recalling on this point that the Operator holding a concession title for the use and exploitation of the radioelectric spectrum is a qualified subject for the satisfaction of the public interest.

On this matter, we must consider the origin of precautionary protection, specified by this Sala Constitucional in its Resolution Nº 12684 of June 2, 2021, at 09:15, when stating as relevant: “IV.- CONTENT OF THE RIGHT TO PRECAUTIONARY PROTECTION. The right to precautionary protection, as enshrined in the essential content of the more general right to prompt and complete justice, includes the right to request and obtain from the jurisdictional body the necessary, suitable, and pertinent precautionary measures to guarantee the effectiveness of the judgment on the merits – the essential function of precautionary protection – if the prerequisites for it are met (appearance of a good right -fumus boni iuris- and danger in delay -periculum in mora-). Correlatively, the jurisdictional body has the obligation to order or issue the provisional measure if the prerequisites for its adoption are present. From the essential core of the fundamental right to precautionary protection, two consequences can be extracted, namely: a) The granting of a precautionary measure does not depend exclusively on the free and prudent discretion or judicial discretionality, and b) the ordinary legislator cannot deny, limit, restrict, or condition such a right. The extrinsic limits of this fundamental right are constituted by the principles of equality (article 33 of the Political Constitution), to prevent unjustified privilege or an objectively unfounded distinction, and of proportionality, in its various specifications of suitability, necessity, and proportionality in the strict sense, as well as by the fundamental right to defense and adversarial proceedings (article 39 ibidem). Under this interpretation, precautionary protection is constitutionally obligatory when the substantial legal situations of the parties, whether called subjective rights or legitimate interests, may disappear, be damaged, or be irremediably harmed, since the judge is called to protect and repair them (articles 41 and 49 of the Political Constitution)” (The emphasis is our own).

It follows exactly that precautionary protection, by its nature, derives from the right to prompt and complete justice, for which the jurisdictional authority may issue the measures it deems necessary when it perceives a risk of - disappearing, damaging, or irremediably harming, the substantial legal situations of the parties. Hence, precautionary protection has particular characteristics that must not be lost sight of: “V.- Characteristics of precautionary measures: (...) They are said to be instrumental in that their function is to guarantee the faithful and complete effectiveness of the ruling in the principal proceeding, for the benefit of the prevailing party therein. The precautionary measure does not constitute an end in itself but is, necessarily, linked to the judgment that may be issued in the principal process (and even to the process itself), due to the function of ensuring its practical effectiveness. (...) They are also attributed provisionality, meaning they are temporary and subject to what is definitively resolved in the final judgment of the process, which displaces them for all purposes. More simply, the measure is maintained until a judgment is issued. It is therein that the adopted measure is confirmed, or conversely, revoked. The definitive pronouncement replaces and extinguishes it (...) urgency is another distinctive note of the institute under comment, which translates into the need for them to be resolved immediately, without 'the leisurely forms of the process' (Calamandrei), which often prevents full knowledge of the assumptions that justify it. This urgency, reflected in the summary nature of the proceeding (summaria cognitio), entails a great limitation of deadlines, procedures, and evidentiary elements, so there is some possibility of error, a circumstance that justifies the broad powers of the Judge to be able to correct the ordered measure (if erroneous), or substitute it by virtue of new facts that make it illegitimate. Hence, this provisional remedy is revocable upon the appearance of new factual circumstances that lead the Judge to the conviction of the contrary, or at least of something different. This is nothing more than subjection to the rule rebus sic stantibus, which allows its modification at the pace of the circumstances that justified it. (...) in special and exceptionally urgent cases, where the damage is imminent (generally due to the immediate execution of the challenged administrative act, or due to its denial), adoption prima facie, that is, inaudita parte, is viable. Finally, it is affirmed that the precautionary measure must adapt perfectly to the nature of the right being exercised and sought. That is, it must be in function of the claim made, and this is what they call the functionality of the measure. The closer or more functional it is with respect to the final judgment, the better its purpose will be fulfilled, which in no way allows prejudging the principal matter. Its provisionality and functionality must be accompanied by respect for the final resolution on the merits, to which they owe full submission, because otherwise, it would be authorizing the total definition of the process through definitive and irreversible measures, thus converting precautionary justice into an improper and premature definitive justice”.

From the foregoing development, precautionary protection does not constitute an end in itself; rather, its utility is intrinsic to ensuring respect for the final resolution under discussion. Hence, the exercise of protection finds certain limits, these being the appearance of a good right -fumus boni iuris- and the danger in delay -periculum in mora-. “Periculum in mora: indeed, that reasonable and objectively grounded possibility of a serious and irreparable harm to the legal situation of the applicant, due to the passage of time necessary for the issuance of the principal judgment (periculum in mora), appears not only as the indispensable basis of the precautionary measure but as its basic and central presupposition, upon which its entire existence truly revolves. (...) b.-) Fumus Boni Iuris: But for the precautionary measure to be admissible, it is affirmed that there must also be seriousness in the claim, that is, a probability of the principal issue being upheld. This is the so-called principle of fumus boni iuris, which for legal doctrine is nothing other than the probable subsequent estimation of the plaintiff's substantive right in the judgment. That seriousness and consistency of the claims invoked by the plaintiff, which make the possible upholding of the claim in the definitive judgment. However, it must be kept in mind here that, due to the necessary summary nature of the precautionary process, it is virtually impossible for the Judge to determine with certainty the existence of that good right, which, moreover, must normally be defined in the judgment and not before. Thus, due to the precariousness of the cognitive elements, only the appearance of a good right may be required from the interested party, giving the Judge some indication of the seriousness of the claim. It is not, then, a matter of verifying the certain legal basis of the claim, nor of prejudging the merits, or even of establishing, as has been said, a 'summary criterion of the expectations of the appeal's success,' but only that it is not preposterous or reckless, so that the issuance of a precautionary measure to the detriment of the Administration or third parties, without any possibility of triumph in the intended right, may be avoided. That initial appearance of seriousness will be sufficient for the mentioned requirement to be considered fulfilled. Thus, the element of fumus boni iuris should be taken as a criterion for its denial, only in those cases where there is no evident and manifest basis for the claim, so that in the inner conviction of the Judge, there is the certainty that said claim is destined for failure” (see Resolution Nº 00041 - 2003 of the Tribunal Contencioso Administrativo Section II dated February 7, 2003, at 10:35) Therefore, the request for a precautionary measure is inadmissible, as the necessary elements for its configuration are not accredited, given that the same cannot originate from facts that are not true, which suffer from the essential prerequisites for their possible granting, since: • The Costa Rican company [Nombre 002]., has effectively participated in the bidding process to contract “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, which was processed on the platform of the Sistema Integrado de Compras Públicas (SICOP) and registered with electronic file number 2023XE-000023-0000400001. • Furthermore, it declared under oath its conformity to the requirements of the tender specifications of said competitive process. In that sense, the consideration of impossible fulfillment that it now asserts is not observed. • Nor is the instrumentality of the measure appropriate because it seeks to suspend a competitive procedure in which it participates on an equal basis with other bidders, meaning its suspension at this time would entail an impact on the legitimate interests of all bidders involved in the process. • The measure would not prevent any unjustified privilege or objectively unfounded distinction, given the equal condition of the appellant in the procurement process upon complying, according to its statements, with the conditions of the tender specifications, without any type of indication against or in line with what is argued here. • Similarly, the appearance of a good right cannot be accredited regarding facts that contradict the arguments presented by the company, insofar as it declared under oath its conformity to the requirements of the tender specifications of said competitive process. • It would not be proportional to suspend the Operator's tender, causing it a disadvantageous situation compared to its competitors, which is contrary to the sectorial principle of effective competition, and above all an impact on the Operator's users regarding the enjoyment and exercise of the human and fundamental rights that the full enjoyment of telecommunications services entails (e.g., Internet based on fifth-generation or higher technologies). • Nor would it be suitable to favor the appellant with a precautionary measure that is not suitable because it cannot be based on a nonexistent subjective right to be favored by the outcome of the procurement process. • Similarly, the measure is not necessary as the appellant company has stated its full subjection and acceptance to the conditions of the procurement specifications. • Finally, the exercise of the fundamental right to defense and adversarial proceedings must occur within the same bidding procedure, through the appeals regime.

It is therefore seen that regarding the essential prerequisites for precautionary protection to materialize, it is appropriate to assess not only the danger in delay but also the appearance of a good right that must maintain a component of seriousness in the claim, because the company has not been prevented from participating in the cited public tender, having carried out up to this moment an effective and full exercise of its fundamental rights to free competition, free access to the market, equal treatment, and the prohibition of discrimination for ideological and nationality reasons.

Given the inadmissibility of this precautionary measure, it is also not appropriate to convert the present amparo appeal into an unconstitutionality action, which seeks to place above the human and fundamental rights of users to access new technologies in a secure manner, the efficient and optimal exploitation of the radioelectric spectrum, and the development of telecommunications networks based on 5G and higher technologies, in order to favor the private interest of a company that exposes the constitution of a subjective right to be favored in a bidding process before said procedure concludes its formal course to establish its suitability to be the awardee. In this line, it must be considered that the intended suspension occurs within the framework of a special public procurement procedure, where precautionary protection must also weigh the satisfaction of the public interest and respect the level playing field in which offers must be analyzed: “It must be taken into consideration that here we are dealing with an administrative procurement procedure, where the plaintiff company is just another participant, and as such, what it holds is a legitimate interest and not a subjective right to be awarded the tender. The non-awarding alone, in this specific case, cannot constitute a presumption of serious harm in order to obtain precautionary protection; (...) they may be grounds for protection, but there is no causal link between the non-awarding and the alleged damages. Note that this is a tender in which all bidders participate on equal conditions and that not being favored with the award decision does not constitute damage; it is a possibility to which those who participate in a tender are subject. The fact that the plaintiff had a previous contract does not constitute a parameter to be assessed and is irrelevant for the purposes of analyzing the measure sought, as this is a new bidding procedure, in which the plaintiff enters to participate on equal conditions with the other bidders. (...) regarding the weighing of the interests involved in the case, it must be indicated that for the admissibility of a precautionary measure, the simultaneous verification of the three legal prerequisites established in article 21 of the Código Procesal Contencioso Administrativo is required; given that one of them has already been discarded, there is not sufficient merit to conduct a detailed analysis of this last element. Notwithstanding the foregoing, it must be indicated that in the present matter, the power held by the Administration to award an administrative contract must prevail, after respecting the constitutional and legal principles and guarantees of the bidders, to satisfy its public utility needs and in safeguarding the public interest (...)" (See Resolution Nº 00336 - 2020 of the Tribunal de Apelación Contencioso Administrativo y Civil de Hacienda of June 25, 2020, at 10:00) (The emphasis is our own) It is thus referred to the nature of the special procedure for services in competition promoted by the ICE, and the need to observe the principles that inform the matter of public procurement, to request that in this case the measure requested by the company not be granted, since said request clearly threatens the public interest. It is also timely to point out to this Sala Constitucional that when resorting to precautionary protection in matters of public procurement, it is inherent to assess the type of harm one intends to safeguard with the exceptional measures. It has already been well noted that in a procedure where different participants compete, the risk of not being awarded is a possibility and therefore does not qualify as serious harm: "(...) the administrative conduct subjected to the process produces serious, current, or potential damages or harms to the promoter's legal situation." ...it is evident that the plaintiff refers to serious harm suffered because the contract with its represented company expires on September 30, 2019, and that its represented company was not awarded the contract despite having a better offer submitted to the Administration and having performed in the best manner (without any infraction), and for purposes of demonstration, it provides as evidence a copy of the administrative file prepared for such purposes; from such documentation, no indications arise that would allow the Court to assess the existence of harm of a serious nature. Although by having a previous award with the administration, it could be inferred that the plaintiff received income, the percentage of that income relative to its entirety or the plaintiff's economic dependence on it to such a degree that it prevents it from honoring its liabilities, paying payroll, or that the situation described generates a state of bankruptcy is unknown; no evidence suitable for purposes of such determination is apparent to the Court, such as, for example, a certification from an authorized public accountant; that is, it proceeds from suppositions regarding the serious harm that would be caused to it without any evidence for its determination. It is necessary to reiterate that the precautionary proceeding is not exempt from the general procedural regulations regarding the burden of proof, so it is the moving party, when formulating its claim, that is obligated to prove its affirmations. In other words, precautionary protection is not an automatic mechanism that proceeds upon the party's mere request. Thus, it is not demonstrated that a situation of serious harm or injury to its legal situation exists that warrants granting the measure requested." (see Resolution No. 00336 - 2020 of the Tribunal de Apelación Contencioso Administrativo y Civil de Hacienda Tribunal de Apelación Contencioso Administrativo y Civil de Hacienda of June 25, 2020 at 10:00). (Highlighting added) In relation to the foregoing, the economic circumstances indicated by the appellant company are not admissible for seeking precautionary protection, since any company interested in bidding has only a legitimate expectation of a right, and therefore it cannot be expected that the Administration will adapt its actions and specifications to its particular interests. Accordingly, it is not possible to understand that the current business conditions of the appellant company confer upon it a sort of pre-constituted right, as it seeks to portray in its arguments, which appear to lead to the conviction that its business line must be maintained perpetually under such conditions to guarantee the financial sustainability of the company. In fact, note that if 60% is dedicated to operations of this nature, it has another alternative of 40% as a possibility of income to exploit. In addition to the foregoing, regarding the character of irreparability and non-compensability alleged by the appellant company if the special procedure is not suspended, the case law has been clear that the only harm subject to this temporary protection is irreparable harm, within which a potential award does not qualify: "The nature of the harm required for the granting of the precautionary claim has already been insisted upon, as obviously any harmful action is not sufficient; rather, it must be real and effective; material, moral, religious, or of any other nature; concrete and certain, although not necessarily current, as it may well be future. It is important to emphasize that said harm must be difficult or impossible to repair, not in the sense that it is non-compensable, but irreversible, since minor or easily reversible damages in their entirety cannot serve the purpose; conversely, there are injuries that, although compensable, are not necessarily reversible. Irreparability is not equivalent to non-compensability, since whoever seeks precautionary protection wants the protected legal interest to remain intact and not to be assured compensation." Based on the foregoing elements, the Sala Constitucional is requested to assess, in accordance with Article 41 of the Ley de la Jurisdicción Constitucional, the public interest in this case in this particular matter, and resolve on the need to continue the execution of the special procedure promoted by the ICE to avoid certain and imminent damages or injuries to public interests. Let us recall at this point that pursuant to the preamble of Annex 13 of Ley Nº 8622, our country committed to having an opening process for the benefit of the user and the modernization of the ICE, by providing: "(...) emphasizing that said opening process will be for the benefit of the user and will be based on the principles of gradualism, selectivity, and regulation, and in strict conformity with the social objectives of universality and solidarity in the provision of telecommunications services; and (...)" recognizing its commitment to strengthen and modernize the Instituto Costarricense de Electricidad (ICE) as a participant in a competitive telecommunications market and ensuring that the use of its infrastructure will be remunerated and also develop a regulatory entity to supervise market development;" As developed in the brief filed by this Ministry with the Sala Constitucional, specifically in Section -E- of the technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023, the deployment of networks and the provision of telecommunications services based on 5G technology represent a process of the utmost importance for the country due to the resulting improvements in the economic and social conditions of Costa Ricans. In this regard, the recent partial amendment to Article 24 of the Constitución Política through the sole article of Ley para reconocer como derecho fundamental al acceso a las telecomunicaciones, tecnologías de la información y comunicaciones en todo el territorio nacional, N° 10385 of November 29, 2023, must be recalled, in which the following text is added: "Every person has the fundamental right to access telecommunications, and information and communication technologies throughout the national territory. The State shall guarantee, protect, and preserve this right." There are also superior reasons of public interest and national convenience, derived from the public policies that guide the Telecommunications Sector set forth in the Plan Nacional de Desarrollo de las Telecomunicaciones 2022-2027 and the sectorial regulations, which seek, given the opening model of the Telecommunications market, to stimulate the participation of operators, enable the expansion of supply, and therefore the possibility of choice for users of telecommunications services in the country. At this point, the objectives sought by Ley General de Telecomunicaciones, Nº 8642, must be considered, which in its Article 2 provides: "The objectives of this Law are: a) To guarantee the right of inhabitants to obtain telecommunications services, under the terms established in this Law. b) To ensure the application of the principles of universality and solidarity of telecommunications service. c) To strengthen the mechanisms of universality and solidarity of telecommunications, guaranteeing access to those inhabitants who require it. d) To protect the rights of users of telecommunications services, ensuring efficiency, equality, continuity, quality, greater and better coverage, greater and better information, more and better alternatives in the provision of services, as well as to guarantee privacy and confidentiality in communications, in accordance with our Constitución Política. e) To promote effective competition in the telecommunications market, as a mechanism to increase the availability of services, improve their quality, and ensure affordable prices. f) To promote the development and use of telecommunications services within the framework of the information and knowledge society and as support for sectors such as health, citizen security, education, culture, commerce, and electronic government. g) To ensure the efficient and effective allocation, use, exploitation, administration, and control of the radio spectrum and other scarce resources. h) To incentivize investment in the telecommunications sector, through a legal framework containing mechanisms that guarantee the principles of transparency, non-discrimination, equity, legal certainty, and that does not encourage the establishment of taxes. i) To ensure that the country obtains the maximum benefits from technological progress and convergence. j) To achieve telecommunications development indices similar to those of developed countries." Proceeding with a precautionary measure in this case to suspend the special procedure for services under competition of the respondent Operator entails a direct impact on its users' access to more and better alternatives in the provision of services, the full satisfaction regarding the enjoyment of the services that current technology provides, the implementation of innovative networks for the satisfaction of the public interest embedded in the concession titles granted by the Poder Ejecutivo; it would also affect the sphere of legitimate interests of the other offerors under equal conditions, the fulfillment of the conditions and obligations set forth in the concession title for the respondent Operator, and a potential disadvantage in the development of its telecommunications activity compared to other competitors not subject to public procurement processes, and furthermore, it even harms the appellant company's own offer by suspending its own evaluation, due to circumstances that it itself did not clarify from the very beginning, in the administrative venue. II. On the facts and allegations raised in the RECURSO DE AMPARO in the brief received at the Secretariat of the Sala on October 6 and 25, 2023. "For the purposes of Article 75 of the Ley de la Jurisdicción Constitucional, I succinctly allege the unconstitutionality and unconventionality (sic) in toto and of some specific norms of 'El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5G) y superiores', approved by Decreto Ejecutivo number 44196- MSP -MCITT, published in La Gaceta on August 31, 2023. Below, I briefly substantiate the alleged constitutional defects. I.- Defects of unconstitutionality 'El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5 G) y superiores', approved by Decreto Ejecutivo number 44196- MSP-MCITT, published in La Gaceta on August 31, 2023, contains serious defects both of unconstitutionality and unconventionality, which we enumerate below succinctly. 1.- The Reglamento in toto violates Article 28 of the Constitución Política, because it regulates matters reserved by such norms to the domain of law. That is, only (sic) by law can the exercise of fundamental rights be regulated and, above all, restricted. Response. This is not true. In accordance with the provisions of Article 10 of Ley General de Telecomunicaciones, Nº 8642, it corresponds to the Poder Ejecutivo to issue the Plan Nacional de Atribución de Frecuencias to designate the specific uses attributed to each of the radio spectrum bands; and additionally, it corresponds to modify the Plan Nacional de Atribución de Frecuencias for reasons of convenience and opportunity. Likewise, it corresponds to the Poder Ejecutivo to assign, reassign, or reclaim frequencies of the radio spectrum, in accordance with the provisions of the Plan Nacional de Atribución de Frecuencias, in an objective, timely, transparent, and non-discriminatory manner, in accordance with the Constitución Política and the provisions of this Law. Therefore, as part of the powers conferred upon the Poder Ejecutivo in its capacity as granting administration, it is responsible for promoting the procedure imposed by the constituent power for the respective allocation of frequencies in the radio spectrum, which is applicable in the matter of network exploitation using the 5G technology of interest. In this sense, Articles 11 and 12 of Ley General de Telecomunicaciones, as relevant, provide: "ARTICLE 11.- Concessions. A concession shall be granted for the use and exploitation of radio spectrum frequencies required for the operation and exploitation of telecommunications networks. Said concession shall enable its holder for the operation and exploitation of the network. In the case of public telecommunications networks, the concession shall enable its holder for the provision of all types of telecommunications services available to the public. The concession shall be granted for a determined coverage area, regional or national, in such a way that the efficient utilization of the radio spectrum is guaranteed." (Highlighting added) Article 12.- Competitive procedure. Concessions of frequencies for the operation and exploitation of public telecommunications networks shall be granted by the Poder Ejecutivo through the public competitive procedure (procedimiento de concurso público), in accordance with the Ley de contratación administrativa and its regulations. The Sutel shall conduct the procedure, after carrying out the necessary studies, to determine the need and feasibility of granting the concessions, in accordance with the Plan nacional de desarrollo de las telecomunicaciones and sectorial policies." (Highlighting added) Hence, it follows that the use and exploitation of the radio spectrum as a constitutional public domain asset may be assigned under a regime of competition and free concurrence, as provided in Article 182 of the Constitución Política: "ARTICLE 182.- Contracts for the execution of public works entered into by the Powers of the State, the Municipalities, and the autonomous institutions, purchases made with funds from those entities, and the sales or leases of assets belonging to the same, shall be made through public bidding, in accordance with the law regarding the respective amount." In accordance with the foregoing, the assignment of new frequencies must observe the public bidding principle regulated in the cited Article 182 of our Constitución Política, in concordance with the provisions of Ley General de Telecomunicaciones, Ley Nº 8642, and the provisions sistematically set forth in Ley General de Contratación Pública, Ley N° 9986; and, at an infra-legal level, by the provisions of Article 21 of the Reglamento a la Ley General de Telecomunicaciones (by its acronym RLGT), Decreto Ejecutivo N° 34765MINAET, which, as applicable, states: "Article 21. —Concessions. A concession shall be granted for the use and exploitation of radio spectrum frequencies required for the operation and exploitation of telecommunications networks. (...) Concessions of frequencies shall be granted by the Poder Ejecutivo through the public competitive procedure (concurso público), (...) and it shall correspond to SUTEL to conduct the procedure." (Highlighting added) We have, then, that concessions of frequencies shall be granted by the Poder Ejecutivo through the public competitive procedure, a process that corresponds to be conducted by the Superintendencia de Telecomunicaciones, as the Regulatory Body established by law to technically determine the possibility of granting any requested frequency. This is stipulated in Article 23 of the RLGT, which establishes the requirements that must be accredited so that the Poder Ejecutivo may initiate a public competitive process for the granting of radio spectrum frequency concessions: "Article 23. —Initial Decision. Once the technical criterion from the prior studies has been issued by SUTEL and the need and feasibility of the concession have been verified, the Poder Ejecutivo shall issue the decision to initiate the respective competitive procedure, which it shall transfer to SUTEL for it to conduct. The administrative decision initiating the procurement procedure shall be issued by the Poder Ejecutivo. This decision shall be adopted once at least the following has been accredited: a) A justification for the appropriateness of the public competitive procedure, with an express indication of the need to be satisfied, considering for this the long- and medium-term plans, the Plan Nacional de Desarrollo de las Telecomunicaciones, and sectorial policies. b) The technical specifications and characteristics of the radio spectrum frequency to be granted in concession. c) The existence of the necessary studies and the feasibility of granting the concession must be accredited. SUTEL shall assess compliance with the foregoing requirements, prior to the initiation of the procedure, and shall arrange the preparation of a chronogram with tasks and those responsible for their execution and shall ensure due compliance with the procedure." Thus, and in adherence to the principle of legality, the Poder Ejecutivo only tenders the spectrum available registrally as dimensioned by the norms of the telecommunications sectorial legal system, in a sound investment of public funds, a legal maxim reiterated in Article 8, subsection e) of the LGCP, which precisely gathers the principles of constitutional rank that inform the matter: "(...) e) Principles of effectiveness and efficiency: the use of public funds and assets and the conduct of all subjects involved in public procurement activity must respond to the fulfillment of institutional purposes, goals, and objectives and to the satisfaction of the public interest. (...)". It is under the constitutional mandate and other special laws regulating public procurement that the State, in its capacity as Granting Administration, has the obligation to guarantee equality and the broadest participation in an environment of integrity, impartiality, and transparency, adhering to the general principles of public procurement. The foregoing, with special safeguarding also in the technical specificity of the contractual object in this case, as regulated by Article 23, subsection b) of the RLGT cited above. It is for this reason that the power of the Poder Ejecutivo must reconcile all aspects derived from the applicable legal regime with the necessary technical measures in order to protect, administer, and control the use and exploitation made of this constitutional public domain asset with strict adherence to fundamental rights, conditions that must be set forth in the specifications (pliego de condiciones) of the respective competitive procedure. As set forth in Section -A- of the technical report No. MICITT-DMOF-1099-2023 dated December 12, 2023, precisely regarding the powers that have been delegated to the Poder Ejecutivo for the establishment of conditions and obligations of the concession enabling titles granted to Telecommunications Service Operators for the use and exploitation of the radio spectrum, a legal regime that is analyzed below. On this matter, it is appropriate to start from the constitutional mandate of Article 121, paragraph 14), subsection c), which in effect states: "(...) The following may not definitively leave the domain of the State: c) Wireless services; The goods mentioned in subsections a), b), and c) above may only be exploited by the public administration or by private parties, in accordance with the law or through special concession" (Highlighting added) In that sense, the constituent power provided the two avenues for exploiting public domain assets, as occurs with wireless services: firstly, in accordance with the framework of legality and, secondly, by special concession. Regarding the sectorial regulations proper to Ley N° 8642, Ley General de Telecomunicaciones and its Reglamento, it is of interest to mention that, at the time said draft law was considered, the constituent power was emphatic about the priority objective of that text, which was to organize the Telecommunications Sector, specifically regarding the use and exploitation of the radio spectrum. The foregoing, given that a respectful regulatory framework was required, it was recorded in minutes that the discussion of the bill was for the purpose of regulating aspects such as the administration and allocation of a finite and limited resource such as the radio spectrum. Within this systematic model, the legislator took into account a series of axes that must be highlighted. First, within the objectives of the Ley General de Telecomunicaciones, Article 2, subsection g) stands out: "To ensure the efficient and effective allocation, use, exploitation, administration, and control of the radio spectrum and other scarce resources." As a finite asset, the spectrum must be disposed of in the most transparent manner possible. Therefore, a tripartite role separation model was established in said law, where the figures of the Governing Body (Ente Rector), the Regulatory Body (Órgano Regulador), and the Telecommunications Operator interact. This role disaggregation was set forth in the regulations consistent with the principles of transparency, equity, and legal certainty that inform the telecommunications field, where the State, in the figure of the Poder Ejecutivo, is the sole entity that grants, modifies, or extinguishes the enabling title to exploit said constitutional public domain asset. As a corollary to the foregoing, from Article 10 of the aforementioned Law (N° 8642), the definition of powers is read, where: "(...) The Poder Ejecutivo shall assign, reassign, or reclaim frequencies of the radio spectrum, in accordance with the provisions of the Plan nacional de atribución de frecuencias, in an objective, timely, transparent, and non-discriminatory manner, in accordance with the Constitución Política and the provisions of this Law. The Sutel shall be responsible for the technical verification of radio emissions, as well as the inspection, detection, identification, and elimination of harmful interference." As can be seen, the permanent power to assign the frequencies available according to the Plan Nacional de Atribución de Frecuencias (PNAF) was delegated by the constituent power to the Poder Ejecutivo, which it may do in accordance with the criteria of objectivity, transparency, and non-discrimination. It is here that the principle of protection and control of the radio spectrum is manifested, where the granting administration holds within itself the power to grant concessions, and along with this, exercises the powers of supervision and oversight to guarantee that the granted use is not only efficient, but also that its oversight guarantees the protection of the superior regime of human rights under the principle of progressivity and not to the detriment of private parties. Naturally, the Procuraduría General de la República emphasized this role of the Poder Ejecutivo during the discussion of the text of the law, on which Opinión Jurídica N° OJ-015-2007 of February 26, 2007, may be consulted, where it stated: "(...) The Procuraduría is of the opinion that functions such as the control and administration of the spectrum are proper to the State, which should exercise them through the Poder Ejecutivo. (...) The Procuraduría reaffirms its position regarding the power to grant concessions. Said power is proper to the Poder Ejecutivo. The electromagnetic spectrum is a national asset, a scarce asset, and today it is a strategic asset. Therefore, it must remain within the State's domain. (...)". As a corollary to the foregoing, Ley General de Telecomunicaciones in its Article 7 reiterates: "ARTICLE 7.- Planning, administration, and control The radio spectrum is a public domain asset. Its planning, administration, and control shall be carried out in accordance with the provisions of the Constitución Política, international treaties, this Law, the Plan nacional de desarrollo de las telecomunicaciones, the Plan nacional de atribución de frecuencias, and other regulations issued for this purpose." By virtue of the foregoing, and through an adequate legal hermeneutics, it must be noted that the highly specialized telecommunications matter at hand is governed, first, by the provisions of the constitutional regime and, in turn, by public international law, bearing in mind that Article 7 of the Constitución Política establishes that "public treaties, international conventions, and concordats, duly approved by the Asamblea Legislativa, shall have, from their enactment or from the day they designate, authority superior to the laws." (Highlighting added) In that sense, Ley N° 8622 "Tratado de Libre Comercio República Dominicana - Centroamérica-Estados Unidos (TLC)", in its CAFTA Annex 13 "Compromisos Específicos de Costa Rica en Materia de Servicios de Telecomunicaciones", observes in its Article 4 the principle of spectrum allocation that falls precisely on the figure of the Poder Ejecutivo: "Allocation and Use of Scarce Resources Costa Rica shall ensure that procedures for the allocation and use of scarce resources, including frequencies, numbers, and rights-of-way, are administered in an objective, timely, transparent, and non-discriminatory manner, by a competent domestic authority. The Republic of Costa Rica shall issue licenses directly to service providers for spectrum use, in accordance with Article 121, subsection 14 of the Constitución Política de la República de Costa Rica." (Highlighting added) Furthermore, Articles 6 and 10 mark the necessary guidelines for access to and use of networks, while considering: "6. Access to and Use of Networks (...) (b) Notwithstanding subparagraph (a), Costa Rica may take measures necessary to ensure the security and confidentiality of messages, or to protect the privacy of non-public personal data of subscribers of public telecommunications services, subject to the requirement that such measures are not applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination, or a disguised restriction on trade in services. (c) Costa Rica shall also ensure that no conditions are imposed on access to and use of public telecommunications networks or services, other than those necessary to safeguard the public service responsibilities of providers of public telecommunications networks or services, in particular their ability to make their networks or services available to the public generally, or protect the technical integrity of the public telecommunications networks or services." (Highlighting added) (...) 10. Flexibility in Technological Choices Costa Rica shall not prevent suppliers of public telecommunications services from having the flexibility to choose the technologies they use to supply their services, subject to the requirements necessary to satisfy legitimate public policy interests." (Highlighting added) Thus, the special telecommunications regime imposed upon the Poder Ejecutivo a special duty of vigilance over the use and exploitation of the spectrum, as it is a scarce asset, not free for use, so its exploitation certainly falls outside the legal sphere of private parties and is only carried out under certain terms and conditions defined by the legal system, the regulatory power of the Poder Ejecutivo, and other technical regulations applicable to the specific case. On this matter, the Procuraduría General de la República, in its opinion N° C177-2023 dated September 18, 2023, has stated as relevant: "In coherence with the foregoing considerations, the LGT constitutes the general legal framework by which the competence of the Poder Ejecutivo to grant the concession for the use and exploitation of the radio spectrum and the conditions under which the frequencies shall be exploited and the corresponding services provided are regulated in our context, namely: requirements and procedure for granting the concession, obligations and rights of the concessionaire, powers of the Granting Administration, transfer of enabling titles, among other aspects. (...) Consequently, neither a private party nor the public Administration is authorized to exploit the spectrum without the respective concession granted by the Poder Ejecutivo (see pronouncement PGR-OJ059-2023, of May 23). The word concession in its very legal meaning implies exclusivity, that being the rule imposed by the LGT when it entails the 'reservation' of a specific use (in this case commercial) for the exclusive benefit of the holder. This also follows from Article 19 of the same law, when, as an exception to the competitive procedure, it contemplates the concession granted by the Poder Ejecutivo directly and in the order of receipt of the request by the interested party, in cases of 'frequencies required for the operation of private networks and those that do not require exclusive assignment for their optimal use' (underlining added)." Exclusive assignment thus implies that only the holder of the concession may use or exploit the spectrum frequency bands reserved for them by said act, to the point that the LGT classifies as a very serious infraction, "[u]sing (sic) or exploiting frequency bands of the radio spectrum without the corresponding concession or permit." This exclusive assignment also responds to technical reasons, insofar as shared use of the same frequency ranges by multiple operators could generate interference affecting service quality." In this regard, Title II, Chapter II, called the Regime for the Protection of Privacy and Rights of End Users of Law No. 8642, General Telecommunications Law (Ley General de Telecomunicaciones), establishes a special rule that regulates the privacy regime and the protection of the rights and interests of end users of telecommunications services, and specifically Articles 41 and 42 of this legal body provide: "ARTICLE 41.- Legal Regime This chapter develops the regime of privacy and protection of the rights and interests of end users of telecommunications services. Agreements between operators, the stipulations in concessions, authorizations, and, in general, all contracts for telecommunications services subscribed in accordance with this Law, shall take into account the due protection of privacy and the rights and interests of end users. Sutel is responsible for ensuring that operators and providers comply with the provisions of this chapter and what is established by regulation." (Emphasis added) "ARTICLE 42.- Privacy of communications and protection of personal data Operators of public networks and providers of publicly available telecommunications services must guarantee the secrecy of communications, the right to privacy, and the protection of the personal data of subscribers and end users, through the implementation of the necessary systems and technical and administrative measures. These protection measures shall be established by regulation by the Executive Branch (Poder Ejecutivo). (...)" (Emphasis added) In accordance with Article 42 of the same Law No. 8642, it is an obligation of public network Operators to guarantee the secrecy of communications, the right to privacy, and the protection of the personal data of subscribers and end users, through the implementation of the necessary systems and technical administrative protection measures that must be established by regulation by the Executive Branch. Therefore, the measures adopted in cybersecurity matters for telecommunications networks derive from the regulatory power conferred in this matter on the Executive Branch, without prejudice to the fact that it also corresponds to it to define the decision to initiate public tenders, the conditions and obligations of the concession titles for the use and exploitation of the radio spectrum. This delegation to regulate the pertinent measures naturally derives from Article 140 of the Political Constitution (Constitución Política), which establishes as pertinent: ARTICLE 140.- The duties and attributions belonging jointly to the President and the respective Government Minister are: (...) 3) To sanction and promulgate laws, regulate them, execute them, and ensure their exact compliance; From the foregoing mandate originates constitutionally the power of the Executive Branch to regulate laws, which the legislator in turn expressed in a derivative manner in the provision of numeral 42 of the General Telecommunications Law. Naturally, to exercise said power, it is also necessary to observe the importance of economic competition and free concurrence for the proper functioning of the market and for the benefit of consumers or users, which entails the due protection of their security and economic interests in accordance with Article 46 of the Political Constitution, as expressed by this Constitutional Chamber (Sala Constitucional), in its Resolution No. 01104 - 2017 of January 25, 2017. In this sense, it has been the desire of the Constituent that private parties participate in the exploitation of the radio spectrum, provided that the conditions stipulated in the Fundamental Norm itself are met, for which reason the supervision of the Executive Branch in this regard is an obstacle. (Constitutional Chamber, Resolution No. 04569 - 2008 of March 26, 2008). It is under the protection of the constitutional and legal competencies already outlined that the Executive Branch issued Executive Decree (Decreto Ejecutivo) No. 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher" ("Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores") published in Supplement (Alcance) No. 166 of the Official Gazette (Diario Oficial La Gaceta) No. 159 of August 31, 2023, with the purpose of establishing cybersecurity measures to guarantee the secure use and exploitation, and with safeguarding of people's privacy, of networks and telecommunications services based on fifth-generation mobile technology (5G) and higher, based furthermore on the considerations detailed below. Thus, the measures adopted by the Executive Branch are aimed precisely at regulating the exercise of freedom of enterprise in a finite public domain (demanial) asset such as the radio spectrum, in relation to the weakest link in the telecommunications service chain, that is, the end user (usuario final), who ultimately will avail themselves of the service and, faced with an imminent risk, may see the regime of fundamental rights already cited and that are guaranteed by the legal regime of telecommunications diminished, through not only the recognition of said rights but also the delegation to the Executive Branch to establish by regulation the suitable technical and administrative measures to ensure their safeguarding and free exercise. 2.- The Regulation regulates the fundamental right to informational self-determination (autodeterminación informativa), the rights of free competition and equality of participation in public tenders, in addition to enshrining a sanctioning regime against those who violate provisions contained in the Regulation. All these aspects are removed from the domain of the Regulation because they must necessarily be regulated by law. Response. It is not true, insofar as it has already been indicated that the Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher" establishes necessary technical and administrative measures to guarantee the secure exploitation of telecommunications networks with the objective of safeguarding the legal regime for the protection of the human rights of the end users of telecommunications networks, in order to guarantee privacy, the secrecy of communications, and the informational self-determination of users. Thus, the regulatory norm does not regulate the fundamental rights indicated by the appellant company, but rather regulates measures for the purpose of safeguarding these same rights. Regarding what is alleged about the sanctioning regime, reference is made to what is indicated in the following points, since the Regulation does not enshrine a new sanctioning regime ex novo as the appellant company herein attempts to make it appear, but rather is based on the provisions of the General Telecommunications Law based on the provisions of Articles 22, 65 and following of said legal body. 3.- As a consequence of the above, the principle of the division of powers enshrined in Article 9 of the Political Constitution is also violated, according to which no Power may interfere in the competencies constitutionally guaranteed to another Power. 4.- In the specific case, the Executive Branch invaded the competencies belonging to the Legislative Assembly (Asamblea Legislativa), since according to Article 121, subsection 1) of the Constitution, it is the responsibility of the legislative body to approve, authentically interpret, and repeal laws. Response. It is not true that the constitutional norm, nor the principle of division of functions among the different powers of the Republic, has been violated in any sense. As was developed for the preceding point, Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher" is issued in total compliance with the competencies that have been constitutionally granted to the Executive Branch for the establishment of conditions and obligations of the enabling concession titles granted to telecommunications service operators for the use and exploitation of the radio spectrum, and with this, the technical and administrative measures of a regulatory nature derive from the very administrative functions delegated by the Legislator to the Executive Branch in this matter, for which reason the cited principle has not been violated in the slightest. 5.- Article 13 violates Article 39 of the Political Constitution, a norm that enshrines the principles of legality and specificity (tipicidad) in matters of administrative and criminal sanctions. 6.- According to the first principle, sanctioning provisions must be established by law, while the principle of specificity requires that the conduct subject to a possible sanction must be specified in the norm. Response. It is not true that Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher" violates the principles of legality and specificity for the following reasons. As a first aspect, it is convenient to contextualize for the Constitutional Chamber what the provision of Article 13 of the referenced Regulation establishes, which literally states: "Article 13.— Sanctions and infractions. The administrative sanctioning regime applicable for non-compliance with the provisions contained in this Executive Decree shall be governed by the provisions of Law No. 8642, General Telecommunications Law." (Emphasis added) As can be seen from the transcribed norm, it does not come to constitute a sanctioning regime by regulatory means but is entirely respectful of the one already determined by the legislator through special Law No. 8642, whose scope concerns precisely the use and exploitation of networks and the provision of telecommunications services, by provision of Article 1 of said Law, which also incorporates the mechanisms for regulating telecommunications, comprising the use and exploitation of networks and the provision of telecommunications services that originate, terminate, or transit through national territory. It is thus that the Executive Branch, in the construction of the preceding article, was totally respectful of the principles of legality and specificity, insofar as the Constitutional Chamber has already referred that sanctioning matter is of an odious nature, therefore, of restrictive interpretation and its establishment reserved to law: "Regarding regulatory power, it indicated that it is not unlimited, and that one of its most important substantial limits is the reservation of law, which implies the prohibition of the regulation -secondary norm- from originally regulating the aspects included in the reservation. As freedom and the sanctioning regime are matters reserved to law, it is concluded that in this area only executive regulations are possible, which cannot establish new norms or restrict public freedoms beyond what is permitted by laws. Thus, the sanctioning regime could only be validly regulated by regulation insofar as there is a prior law that regulates those aspects, establishing the causes, in accordance with the principle of specificity, for the exercise of sanctioning power and the sanctions the Administration can apply, a situation which in its judgment is not present in the case under study, since there is no prior law that establishes the sanctioning regime of the co-contractors of the Administration, for which it must be concluded that the Regulation of Administrative Contracting innovates in that field. Consequently, a violation of Articles 121 subsection 1 and 39 in relation to 140, subsections 3 and 18 of the Political Constitution occurs, for which it is the criterion of the Attorney General's Office that Article 260 of the Regulation... Constitutional Chamber No. 6114 - 1996, of November 12, 1996 at 15:15) Given then that the Regulation in question does not impose any novel sanctioning regime, and is limited to making a direct remittal to the regime constituted by the legislator in the General Telecommunications Law itself, which by normative hierarchy is at a higher level than the cited Regulation, the arguments of the appellant company are unfounded as there is no transgression of Article 39 of the Political Constitution. 7.- Article 13 of the Regulation does not specify the infractions or the sanctions, but limits itself to referring to what is provided on the matter in the General Telecommunications Law. Response. The appellant company is correct, in the sense that the regulatory norm does not exceed the powers that have been reserved to the legislator to constitute new types or sanctions. It is important to bring to the attention of the Constitutional Chamber the contradiction in the appellant company's arguments, since in a prior point it presumes that the regulation violates a series of principles against the creation of new sanctioning provisions, while in the present allegation it alludes to a contrary situation. In any case, it is reiterated that for the issuance of Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher", the Executive Branch did not exceed its regulatory powers, but rather in the definition of Article 13, it refers to the application of the sectoral regulations applicable to the case. 8.- Articles 9 and 10 subsections c), d), e) and f) violate the constitutional principles of freedom of competition and equality of participation in public procurement (contratación pública) procedures, by impeding free competition among all possible bidders who possess 5G technology and by limiting that participation for reasons unrelated to strictly technical criteria. Response. It is not true. I reiterate once more the technical nature of Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher"; furthermore, we have been pointing out that the company [Name 002]. has, at the time of this report and as recorded in the case file, effectively participated in the tender process for contracting "GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND", conducted on the Integrated Public Procurement System (Sistema Integrado de Compras Públicas, SICOP) platform and registered under electronic file number 2023XE 0000230000400001; and moreover, it declared under oath its compliance with the requirements of the terms of reference (pliego de condiciones) of said tendering procedure. In this sense, no violation of the principles of free competition and equality of participation is observed. Neither do the cited articles violate the principles that inform the matter of public procurement, for the following reasons. ● The high-risk standards and parameters for the operation of 5G or higher telecommunications networks and the provision of their services indicated in the Regulation, have technical and legal support as has been well developed in sections -J- and -K- of technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023. ● As they are standards and parameters that obey a series of criteria of necessity, suitability, proportionality, reasonableness, and legitimacy, they do not unjustifiably violate free concurrence. ● This Ministry has provided ex officio a report containing technical and legal justification, which determines adherence to the elements of science and technology that guide the broad cybersecurity matter for telecommunications services, even considered for each of the subsections claimed by the appellant company here. a. Regarding the SCS-9001 standard. In particular, it is important to indicate to the Constitutional Chamber that Article 9 of Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher" establishes the following: "Article 9.- Analysis and Risk Management in the Supply Chain (Cadena de Suministro). The subjects included in the scope of application of Article 2 of this Regulation must request from their hardware and software suppliers who are involved in the functioning and operation of 5G and higher networks and their services, the definition of the requirements, controls, and measurements of the supply chain cybersecurity management system for the design, development, production, delivery, installation, and maintenance of hardware, software, and services in accordance with the SCS 9001 standard 'Supply Chain Security and Cybersecurity Standard'. Said information must be presented taking into account the particularities of the processes established by the Executive Branch and the Superintendency of Telecommunications (Sutel), each in accordance with its scope of competence, without detriment to the exercise of the powers of control and superior oversight to verify compliance with these provisions. In the case of public procurement processes promoted by contracting entities, aimed at the operation of telecommunications networks and services based on fifth-generation mobile technology (5G) or higher, they shall incorporate the provisions of this article in the rules of procurement in order to guarantee the secure use and exploitation of telecommunications networks and services, safeguarding the intimacy and privacy of end users." In relation to the preceding norm, the Network Operator must verify that its suppliers and manufacturers in its supply chain attend to the definition of the requirements, controls, and measurements of the supply chain cybersecurity management system for the design, development, production, delivery, installation, and maintenance of hardware, software, and services in accordance with the SCS 9001 "Supply Chain Security and Cybersecurity Standard." The foregoing in view of the purpose specified in the regulatory norm itself "to guarantee the secure use and exploitation of telecommunications networks and services, safeguarding the intimacy and privacy of end users." The SCS 9001 standard is a standard focused on supply chain security for the global ICT industry; it was actively developed during the years 2020 and 2021 by QuEST Forum, a business performance improvement community within TIA (Telecommunications Industry Association). TIA QuEST Forum follows international standards development procedures and guidelines. Therefore, TIA QuEST Forum followed a rigorous and well-structured process for the publication of the SCS 9001 standard, to ensure it is global, relevant, and of high quality. This process involved security experts from the field, different organizations, and manufacturers from the sector who worked on the development of the SCS 9001 standard; therefore, this standard cannot be considered immature, since its development and publication have complied with the requirements and guidelines demanded by any ISO standard, a process that required its due time. It is also important to highlight that this standard responds to a growing need in the sector, guaranteeing the application of security measures to minimize a risk that is increasing in the supply chain, as pointed out by the Gartner and ENISA report.[^6] SCS 9001 is a more comprehensive global standard for cybersecurity and supply chain security, adaptable to any type of communications network across all industries and sectors. Cyber threats are constantly evolving, as evidenced by the report from the European Union Agency for Cybersecurity (ENISA), an entity established by the European Union (EU) with the aim of improving cybersecurity throughout the region, on "Cyber Threats towards 2030," in which the supply chain attack will be in first place among cyberattacks. The dynamism and growing sophistication of these risks must be emphasized. Given this changing landscape, the implementation of standards such as SCS 9001 becomes essential, especially to address supply chain security. This specific standard responds to the need to adapt to emerging and growing threats, providing a framework that guarantees robust and coherent security practices at all links of the supply chain. Its adoption is crucial for protecting critical infrastructures and maintaining integrity, confidentiality, and availability in the security of systems in a rapidly evolving threat environment. Furthermore, the Gartner analysis predicts that by 2023, cyber risk will become a paramount consideration in purchasing decisions in supply chains. This growing focus on cybersecurity reflects the need to improve protection between cybersecurity and the supply chain, highlighting the importance of adopting standards like SCS 9001. This standard responds to evolving cyber threats, providing a robust framework to secure and protect the supply chain against emerging risks. As an example thereof, it can be observed that in the past month of September 2023, a cyberattack was registered against IFX Networks, a telecommunications provider that offered cloud services to various governmental institutions and companies in Colombia, Chile, and Argentina, a scenario that reaffirms the need to ensure supply chain security. This incident had a serious impact, especially because IFX Networks was one of the main telecommunications providers of the Colombian government. Therefore, the adoption of SCS 9001 not only responds to a current context but also improves security; it implies a crucial step to align supply chain practices with constantly changing cybersecurity needs, an aspect now recognized as fundamental by leaders in supply chain management. Security and protection controls must cover the entire lifecycle of products, including the complete supply chain of software, hardware, systems, and the operational performance of the organization itself. This standard responds to the need to adapt to emerging and growing threats, providing a framework that guarantees robust and coherent security practices at all links of the supply chain. Its adoption is crucial for protecting critical infrastructures and maintaining the integrity, confidentiality, and availability in the security of systems in a rapidly evolving threat environment. The adoption of SCS 9001 not only improves security but is also a crucial step to align supply chain practices with constantly changing cybersecurity needs, an aspect now recognized as fundamental by leaders in supply chain management. Regarding the suitability of providing for compliance with this standard in the Regulation, it must be indicated that cyber threats to the supply chain have increased in frequency and sophistication, including attacks to compromise software and hardware, and the manipulation of product integrity. SCS 9001 is specifically designed to address these vulnerabilities, establishing a framework that reinforces security at every link of the supply chain. From the perspective of risk analysis, this standard responds as a necessary measure to minimize the security risk from the emerging threat to the supply chain. This countermeasure reduces the risk because it addresses the technical aspects in more detail of the supply chain links and all related aspects to reduce latent risks that are in growing evolution, as demonstrated by specialized international organizations in the field. Regarding proportionality strictly speaking in determining the application of this standard, it must be indicated that the implementation of the SCS 9001 standard in the cybersecurity supply chain is a necessary, justified, and adequate measure given the magnitude and severity of current threats and future projections of the evolution of attacks on supply chains, without prejudice to the damages caused to our country in the year 2022, and subsequently, at the beginning of the year 2023 as identified against the Ministry of Public Works and Transport (Ministerio de Obras Públicas y Transportes). In the field of telecommunications, networks based on 5G technology, as critical infrastructures, are complex and highly interconnected, making them susceptible to a variety of cyberattacks that can have devastating repercussions on essential services and national security. According to the mentioned studies, the growing evolution of cyber threats to the supply chain increases the probability of suffering a security breach in the elements that participate in the supply chains. The application of the standard also meets a criterion of legitimacy, insofar as the implementation of these is a legitimate practice widely accepted in the global community, as they are the result of a broad consensus among security experts, the industry, and different organizations expert in the area, to reflect the best current practices in the field. From a technical point of view, standards offer guides in strengthening the supply chain. The standard builds upon existing work and aligns with initiatives of government agencies. It adds crucial requirements that had not been addressed for supply chain protection, where threats in this field are growing. Non-conformity with these standards means that products and services could lack fundamental security measures, exposing users to significant risks and the country to national security risks. b. Regarding the parameters of Article 10, subsections c), d), e), and f) It is convenient to contextualize, as has been well developed in this report, that Article 10 of Executive Decree No. 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher" establishes that the subjects included in the scope of application of the Regulation must consider among the high-risk parameters for the operation of telecommunications networks under 5G or higher technology and the provision of their services: "c) When the subjects included in the scope of application of Article 2 of this Regulation or their hardware and software suppliers are susceptible to pressure from a foreign government by regulatory provision or official public policy of said foreign government, in relation to the location or execution of their operations "d) When the subjects included in the scope of application of Article 2 of this Regulation or their hardware and software suppliers have their base in a country, or, in any way, are subject to the direction of a foreign government with established laws or practices that may require them to share information of end users of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests." The criteria of reasonableness and proportionality that the appellant company misses were considered by the Executive Branch for the issuance of the regulatory norm, as is evident in section -K- of technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023, in relation to the present subsection of the analysis numeral. The necessity of these two parameters lies in the fact that we find ourselves in the Information and Knowledge Society (SIC), for which reason data is of high value. In this sense, the risks that computer networks and electronic information are used to commit crimes have multiplied.

Of course, this issue transcends the sovereignty of each country, as we can even speak here of the defense of cyber sovereignty, due to the ease with which abuses can be committed through this means, which is why these measures are essential to guarantee that there is no impairment of the confidentiality, integrity and availability of computer systems, networks, personal data and traffic data, from the pressure of other States that require the information for purposes other than the objectives for which they were collected at the national level under the principle of informed consent and free information of users.

This measure is appropriate since the Costa Rican State is competent to protect its telecommunications users, who enable improper access to their data transiting through telecommunications networks, in violation of the fundamental rights that are intended to be protected with the regulatory standard under analysis. In this way, the Costa Rican State, through the Executive Branch, has been delegated to establish differentiated conditions when the information is to transit outside its borders, a transit that must be compatible with the special protection regime that the constituent has imposed on the data. It is important to recognize that not all foreign legislation is akin to or compatible with national legislation, which is why these parameters have been considered to reinforce the importance of protecting the fundamental rights of end users of telecommunications in the field of telecommunications cybersecurity.

It is understood that the measure is proportional from a technical perspective, since the potential consequences of cyber espionage or sabotage are proportional to the measure that seeks to reduce the risk, as critical 5G services can be compromised, implying the need for rigorous security evaluations. It is worth noting that the Costa Rican democratic State is called to act conservatively on two fronts: firstly, in safeguarding the healthy use of the radio spectrum as a public domain asset, and secondly, in the protection of the fundamental rights derived from the use and exploitation of said radio spectrum, so that it is obliged to indicate the guidelines according to which the transfer of information will be carried out. That said, operators that do not have the legal possibility to guarantee the secure transit of data in their networks imply a high risk of violation due to possible coercion by other governments.

Carrying out an exercise of legitimacy, we must start from the fact that, in accordance with good international practices, among them the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), restrictions may be imposed on some categories of personal data, for which the national legal system includes specific regulations due to the nature of those data and because the other State does not consider them similarly in its legislation. In that sense, in the event of finding regulations that do not guarantee protection comparable to national regulations, the Costa Rican State may establish restrictions on the transfer of data when operators or their suppliers cannot substantially guarantee compliance with domestic regulations on data protection, intimacy, privacy, informational self-determination and secrecy of communications, obligations that even constitute a guiding sectoral principle for public network Operators. See in this regard, Article 3, subsection j) "Privacy of Information" of the General Telecommunications Law, Nº8642.

Regarding the consideration of the legitimacy of this measure, the concern about the influence of foreign governments over said providers is legitimate and, at the same time, is based on national security criteria given the potential risk and the diverse damages that could materialize if an attack or sabotage occurs directly or indirectly linked to the actions of a foreign government that exerts influence over the operators. Therefore, it is exercised as a power the State has to guarantee the independence of operators from pressure by foreign governments in order to protect the data transiting through their networks with user information that is constitutionally protected.

Now then, with regard to subsection f), which, as relevant, states: “f) When the subjects included in the scope of application of Article 2 of this regulation use hardware and software suppliers that do not comply with the cybersecurity standards set forth in Article 6 of this Regulation.” In relation to this subsection, it must be considered that standards are necessary because they provide a guide and good practices that must be applied or implemented in technological platforms to minimize the security risks that may arise. Otherwise, failure to comply with the standards can lead to deficiencies in the protection of the confidentiality, integrity and availability of information, which are the pillars of cybersecurity.

It must also be taken into account that cybersecurity standards, like any other standard, are a detailed process involving multiple stages and the participation of area experts from various countries and organizations in order to provide a guide of good practices, policies and procedures to reduce security risks on technological platforms and combat growing threats in cyberspace. The suitability of the measure lies in the fact that the standards address the main threats and risks in the provision of technological services for their mitigation and better management of security risks against cyber threats that could compromise technological infrastructures and thereby affect the country's essential and critical services, the information of the inhabitants, and the continuity of technological services.

Said standards address a whole cycle of cybersecurity in its different stages, both in the detection, protection, identification, response and recovery of technological services, and thereby guarantee that security controls exist to minimize the risks present in cyberspace. These measures are fundamental because they apply due care and due diligence when providing critical services. Regarding proportionality in the strict sense, it is indicated that the severity and frequency of cyberattacks justify the need to adhere to cybersecurity standards, so the decision to consider providers that do not comply with the standards as high risk is proportional to the potential security risks that these providers may present, such as data breaches, malware attacks and other threats that would have been avoided or minimized by complying with cybersecurity standards.

The country has already suffered the real consequences of attacks where, if only those standards had been applied, the impact that would have occurred in terms of loss of information, continuity of services, leakage of sensitive information, unavailability of services, damages and economic losses, would have been minimized to a large extent. It is for this reason that different organizations, companies, etc., implement this type of standards; to minimize these risks and comply with international regulations, it is adequate and proportional to the benefit that can be obtained. Likewise, regarding the legitimacy of the provision for this risk, implementing these standards is a legitimate and widely accepted practice in the global community, as these standards are the result of a broad consensus among security experts, industry and different expert organizations in the area, to reflect the best current practices in the field.

From a technical point of view, standards offer guides to strengthen systems and networks. These include aspects such as encryption, authentication, patch management, incident response, service continuity, among others. Non-conformity with these standards means that products and services could lack fundamental security measures, exposing users to significant risks and the country to national security risks. Considering all the elements previously set forth, the appellant company is not correct in the assertion that the definition of the articles was made on the basis of technical premises that justify the different measures incorporated into the text of the Regulation.

9.- Finally, Article 9, first paragraph, and Article 11, subsection f), violate the constitutional principle of technical reasonableness, which requires, as the jurisprudence of this Chamber has established, that every norm and, in general, every act emanating from public institutions must be founded on technical criteria regarding the subject matter they regulate.

Response. It is not true. In the first order, it should be noted, as contextualized for the preceding point, that Article 9 of Executive Decree Nº44196-MSP-MICITT “Regulation on Cybersecurity measures applicable to telecommunications services based on the fifth generation mobile technology (5G) and higher” establishes compliance with the SCS 9001 standard “Supply Chain Security and Cybersecurity Standard,” whose definition, as part of the cybersecurity measures, is due to the criteria of technical reasonableness specified therein.

Furthermore, Article 11 of Executive Decree Nº44196-MSP-MICITT “Regulation on Cybersecurity measures applicable to telecommunications services based on the fifth generation mobile technology (5G) and higher” does not contain any subsection f) in its text:

“Article 11. Measures applicable upon identification of high risk. When any of the subjects included in the scope of application of Article 2 of this Regulation identifies the presence of any one or several of the high-risk parameters set forth in the preceding article, they must inform the Superintendencia de Telecomunicaciones (Sutel) in accordance with the provisions of Article 42 of the General Telecommunications Law, Nº8642, within 3 (three) calendar days following its identification and adopt the appropriate technical and administrative measures to guarantee the security of their networks and services. When the presence of any one or several of the high-risk parameters is identified by the subjects included in the scope of application of Article 2 of this Regulation, it will be subject to the immediate adoption of the following technical cybersecurity measures: 1) They may not be used in critical network elements, telecommunications equipment, transmission systems, switching or routing equipment, and other resources that allow the transport of signals, as they represent a high cybersecurity risk for 5G and higher networks, and national security. For this purpose, the following are declared critical elements of the 5G and higher network: i. Those related to the functions of the network core. ii. Control and management systems and support services. iii. The access network in those geographical areas and locations that provide coverage to centers linked to national security and the provision of essential public services. 2) Carry out the replacement of equipment, products and services of the 5G and higher network when necessary, for which purpose, they must take into account the market situation of hardware and software suppliers, the viable alternative equipment and product supply options, the implementation of those equipment and products in the 5G and higher network, especially in the critical elements of the network, the intrinsic difficulty of carrying out equipment replacement, equipment update cycles, as well as its economic impact. In no case may the equipment replacement period exceed five years, counted from the classification as high risk. Compliance with these regulatory provisions must be considered for the operation of 5G and higher networks and their services, in accordance with the provisions of Article 49, numerals 1 and 3 of Law N°8642, General Telecommunications Law.” Given that the article does not possess the subsection that the appellant party indicates, its analysis is therefore impertinent.

10.- In the species, the challenged articles lack technical foundation and the requirements established in them do not conform to duly proven, accepted and adopted international standards. For example, Article 9, first paragraph, provides that “The subjects included in the scope of application of Article 2 of this Regulation must request their hardware and software suppliers, which are involved in the functioning and operation of 5G and higher networks and their services, to define the requirements, controls and measurements of the supply chain cybersecurity management system for the design, development, production, delivery, installation and maintenance of hardware, software and services in accordance with the SCS 9001 standard ‘Supply Chain Security Standard’ without justifying why this standard is specifically required. The SCS 9001 Standard (Supply Chain Security 9001) was recently created, in 2022, by the TIA (Telecommunications Industry Association), which is a U.S. association of ICT (Information and Communication Technologies) providers. The SCS 9001 Standard lacks sufficient data to allow verification of its effectiveness, since it is still in the pilot plan phase for carrying out the corresponding technical evaluation. The current ecosystem of Cybersecurity standards, which has been developed by ISO, GSMA and 3GPP, is recognized, accepted, verified and implemented by the Cellular Mobile Telephony Services industry worldwide, for several years now.

Response. It is not true. The justifications to this point have been abundant as to why Executive Decree Nº44196-MSP-MICITT “Regulation on Cybersecurity measures applicable to telecommunications services based on the fifth generation mobile technology (5G) and higher” contains a technical and objective basis, which derives from the proper powers for establishing the conditions and obligations for the exploitation of the radio spectrum; the foregoing without detriment to the regulatory power in this matter derived from Article 42 of the General Telecommunications Law.

Specifically, for the standard set in Article 9 referred to in its allegation, the technical considerations already incorporated into this report and the complementary technical input of reference are referred to, specifying the following:

● It is a standard that was built on the TIA QuEST Forum methodology to ensure it is global, relevant and of high quality. ● Its preparation is the result of input from security experts in the field, different organizations and manufacturers from the sector that worked on the development of the SCS 9001 standard. ● This process complies with the requirements and guidelines demanded by any ISO standard. ● The SCS 9001 standard was actively developed for approximately two years during 2020 and 2021. SCS 9001 was approved for launch in December 2021. ● SCS 9001 responds to a need for new threats facing cyberspace. ● The comparison between SCS 9001 and ISO 27001 lies in the detailed supply chain security measures and benchmarking of SCS 9001. ● SCS 9001 is accredited by the American National Standards Institute (ANSI). ● TIA has more than 1,000 volunteers contributing from approximately 400 companies in more than 20 countries. ● The Regulation does not mention in its articles that the risk management measures displace or invalidate in any way other cybersecurity standards developed such as ISO, GSMA and 3GPP; rather, they come to serve as complementary measures, of mandatory compliance for operators that hold an enabling license for telecommunications services based on fifth-generation or higher technologies.

11.- Article 8, subsection i) and Article 10, subsection a) violate the constitutional principle of proportionality. 12.- As the jurisprudence of this Chamber has established, a state act that limits fundamental rights must be necessary, suitable and proportional. 13.- The aforementioned articles of the Regulation are not necessary, suitable or proportional. Indeed, they are not necessary because the telephone network has operated in the country from its beginnings through a vertically integrated system, which is the most efficient methodology and therefore the most widely used worldwide, to guarantee a balance of providers that ensures network security in a cost-effective manner. If something works well, there is no reason to change. Therefore, there is no imperative need to adopt the model indicated in Article 8, subsection i) and Article 10, subsection a) of the challenged Regulation. 14. Finally, there is no proportionality between the supposed benefit that the public interest would obtain according to the model indicated in Article 8, subsection i) and Article 10, subsection a) of the challenged Regulation.” Response. The appellant company's claims are not true for the following reasons. It is convenient to contextualize what is indicated in Article 8 of Executive Decree Nº44196MSP-MICITT “Regulation on Cybersecurity measures applicable to telecommunications services based on the fifth generation mobile technology (5G) and higher,” which states:

“Article 8.- Risk Management of 5G and Higher Networks. The subjects included in the scope of application defined in Article 2 of this Regulation must adopt the appropriate measures to manage the risks identified in accordance with Article 7 of this regulation. For these purposes, the following measures must be included: (...) Design a diversification strategy in the supply chain of telecommunications equipment, transmission systems, switching or routing equipment, and other resources that allow the transport of signals on a 5G or higher network, such that said equipment, systems or resources are provided, at a minimum, by two different hardware and software suppliers.” As has been well developed in this report, the risk management measures regulated in Executive Decree Nº44196-MSP-MICITT “Regulation on Cybersecurity measures applicable to telecommunications services based on the fifth generation mobile technology (5G) and higher” allow the identification in article 10 of what the high-risk parameters of the network are. In that sense, subsection a) is delimited, as relevant stating:

“a) When the subjects included in the scope of application of Article 2 of this Regulation have a single hardware and software supplier in their supply chain, when it is responsible for configuring and integrating all the active equipment and software of the solution, or if the network is composed of active equipment and software from a single manufacturer.” Regarding this matter, it is reiterated that, for the definition of these parameters, the Executive Branch indeed carried out an entire exercise of reasonableness and proportionality that the appellant company misses. This construction of criteria has been outlined in sections -B- and -K- subsection E) of technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023, and which are brought up below.

It is also important to inform this Constitutional Chamber that IMT 2020 systems are much more complex than a telephone system, so the company is not correct in the assertions it maintains, given its technical limitations. In any case, it is the Executive Branch, in its capacity as Granting Administration, that best knows the need to be satisfied, and in that sense is responsible for defining the contractual object and with it, the conditions under which operators must provide the corresponding service under their concession title, and not vice versa, as the appellant company seeks to do in this case, by intending for the use and exploitation of the radio spectrum for network operation and the provision of this type of services to conform to a specific model that benefits the interests of a private party.

It must also be reflected upon that the implementation of measures focused on reducing cybersecurity risks is becoming critical due to the advanced technical characteristics of said technology, which, as has been well noted, are:

● Data transfer rate experienced by the user (10 times greater than 4G), ● Latency (10 times less than 4G), ● Connection densification (10 times more than 4G, up to 1M devices per square kilometer), ● Mobility scenarios (up to 500 km/h), ● Spectral efficiency (3 times greater), ● “Network slicing” (ability to segment networks).

It is thus that the necessity of said measure is evident, since technological dependency or monoculture significantly increases the risk of the entire ecosystem being compromised. If an attacker finds a vulnerability for one type of system, all network components are put at risk and, therefore, it would affect all the information passing through those devices, data, user information and services that transit through them. At the level of security layers, the security is not the same if dealing with systems, equipment with different specifications and components, making it more complex to find vulnerability given the diversity of manufacturers. Supplier diversity is necessary to mitigate risks, increasing the resilience of the system or systems against attacks and failures that may occur.

From a legal perspective, the necessity of the measure is emphasized, as it seeks to guarantee the functionality of the technology for the sake of safeguarding the continuity and access to the service. With the measure, it also prevents the affectation of the legal regime of the rights and interests of end users of telecommunications, which derive precisely from the protection and safeguarding of fundamental rights and human rights to intimacy, privacy and secrecy of communications, informational self-determination, access to free information, communication, health, among others.

On the other hand, it is determined that the provision of this rule meets a criterion of suitability, since dependence on a single provider can bring a single point of failure, as if an interruption is suffered, the entire system can be compromised. In contrast, having multiple providers allows reducing the possibility that a single vulnerability or failure affects the entire system. Diversifying providers helps ensure operational security and system resilience in case of failure of a provider. The present measure is considered suitable, as it seeks to guarantee that, the greater the number of providers, the greater the number of solutions for the final telecommunications service without interrupting service continuity to the benefit of the end user. Faced with a cybercrime incident with a single supplier, the criticality of the incident would escalate, as a result of dependence on a single supplier.

Now then, from a proportionality perspective, having multiple providers allows for reducing dependence on security updates from a single provider, with the advantage of improved and effective response times and availability of security options; therefore, the measure is proportional to the security goal sought to be ensured. The impact of the countermeasure, therefore, is no greater than the risk caused by dependence on a single provider, for the reasons noted. The benefit sought is to equip the population with an advanced and secure network by foreseeing that there is no dependence on a single supplier and, therefore, a risk of not obtaining components, hindered compatibility, factory closures, discontinuity of spare parts, problems in the production chain, among others. The primary objective is to prevent the materialization of the risks associated with the network's operation from having consequences for end users of telecommunications, harming the exercise of their fundamental rights of constitutional rank. In that sense, the measure is proportional because it seeks to balance the possibility of continuous service against the trade difficulties that suppliers may face; it is therefore a measure in favor of the continuity of the service provided.

The measure as such technically has full legitimacy, since it is feasible for systems or components from different providers to interact with each other; therefore, it is not technically impossible nor does it predispose the generation of failures in operation, and rather, coupled with the reasons previously described, represents a legitimate end for the safeguarding of information and network security, as well as for compliance with the goals of cybersecurity.

Finally, it has been considered that the inhabitants have the right to access telecommunications for their personal, cultural, educational development, among others. In that sense, the radio spectrum as a constitutional public domain asset deserves protection by the State, which must ensure the safe use and exploitation of networks and services provided through this constitutional public domain asset, through the exercise of its public regulatory power, particularly as established in the Protection Regime of the rights of end users of telecommunications of articles 41, 42 and following of the General Telecommunications Law. The establishment of this measure is made on the basis of the science and technology criteria set forth in Article 16 of the General Law of Public Administration, Nº 6227, all this knowing that the existence of a single provider in the supply chain could mean that the network depends on a single element for its optimal functioning, with the risks that this entails for the continuity of the service and, therefore, the corresponding access to it by end users.

It is also appropriate to add that the risk scenarios in cybersecurity, among which is dependence on a single provider, have been identified and grouped according to the recommendations and experience of the international community, specifically the European Union in a document titled “EU Toolbox for 5G Security.”

III.On the facts and allegations raised in the AMPARO APPEAL in a document received at the Chamber's Secretariat on October 10, 2023.

“Based on Article 41 of the Law of Constitutional Jurisdiction, I reiterate my request to suspend the execution of the tender that ICE will promote in a few days for the acquisition of 5G/IMT Mobile telecommunications technology, based on the following factual and legal reasons.

1.- The purposes of the amparo appeal 1.- As is known, the institution of amparo was taken by our 1949 Constituent Assembly from the ephemeral 1940 Cuban Constitution. This model, unlike what happens in the rest of the legislation, establishes the amparo appeal exclusively against administrative conduct (acts, omissions, threats). 2.- This system has the advantage of fulfilling the main objective of the amparo appeal, which is to prevent the violation of fundamental rights when it is filed against threats, or to restore the violated fundamental right before the damage becomes irreversible. To achieve this objective, the institute of precautionary measures is precisely used, and in the Costa Rican case, of suspending the effects of the execution of the challenged conduct, in accordance with the letter and spirit of Article 41 of the Law of Constitutional Jurisdiction. 3.- When the amparo is established only against judicial resolutions, as occurs in most legislation, it only has an indemnifying effect, since the violation or threat of violation has already materialized irreversibly, making it legally impossible to restore the petitioner to the effective exercise of their violated fundamental right, or the threat of violation resulted in an irreversible violation of their right. 4.- Therefore, when in our system the execution of the challenged act or threat is not suspended due to the seriousness of its implications, the cited procedural remedy ends up having only indemnifying effects, since it would have renounced fulfilling its primary vocation of restoring the violated fundamental right or preventing one from being violated.

5.- Therefore, this Chamber must assess, case by case, when it is essential to suspend the present execution (when dealing with acts) or future execution (when we are in the presence of threats), given that if, in certain cases, it does not do so, the failure to suspend could produce irreversible violations of fundamental rights and their holders would have to resign themselves to collecting the damages and losses suffered through the contentious-administrative process. Response. It is not true. At this moment, no fundamental right has been violated, in view of the effective participation of the company [Name 002]., in the bidding process to contract “GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND”, which was processed on the Integrated Public Procurement System (SICOP) platform and registered with electronic file number 2023XE-000023-0000400001. Furthermore, the company in said process has stated that it understands and complies with the conditions of the tender specifications (pliego cartelario), so the scenario described by the petitioner is not foreseen, given that it has carried out an effective and full exercise of its rights to freedom of enterprise, free competition, and equality of conditions in the ongoing public procurement process. Also, as we stated above (ut supra), the petitioner company affirms that in this specific case, an irreversible damage could be configured, as well as damages derived from its reputation, which, besides lacking the pertinent evidentiary elements, has no basis in public procurement matters, given the very nature of the bidding procedure. This is because bidders who meet the technical conditions specific to the object for which they are participating must be evaluated on a level playing field, which is why we have indicated that each one participates with an expectation, not with a pre-constituted (subjective) right to be favored. Furthermore, it is attempting that if the company is not favored, the Operator must assume a compensatory burden by virtue of prior contractual relationships, or because of the percentage of the local market that the respondent Operator represents. Consider also what this Ministry has already stated, regarding the inadmissibility of granting the company the requested interim measure (medida cautelar), since each of the merit requirements to suspend the ongoing procurement is not accredited in this specific case, with the consequences for the Operator and its users that we have pointed out. As has been well mentioned, the petitioner company's request possesses a series of inconsistencies that undermine the requirements for granting the requested interim measure (medida cautelar), as for example regarding the requirement of appearance of good law (apariencia de buen derecho): ● The Costa Rican company [Name 002]., has effectively participated in the bidding process to contract “GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND”, which was processed on the Integrated Public Procurement System (SICOP) platform and registered with electronic file number 2023XE-000023-0000400001. ● Furthermore, it declared under oath its compliance with the requirements of the conditions specifications (pliego de condiciones) of said competitive process. In this sense, the consideration of impossible compliance that it now affirms is not observed. ● Nor is the instrumentality of the measure apparent, as it seeks to suspend a competitive procedure in which it participates under equal conditions with other bidders, meaning its suspension at this moment would imply an affectation of the legitimate interests of all bidders involved in the process, the Operator, and its users. ● The measure would not prevent any unjustified privilege or objectively unfounded distinction, given the petitioner's condition of equality in the procurement process by complying, according to its statements, with the conditions of the tender specifications (pliego cartelario), without any type of indication against or in line with what is argued here. ● Likewise, the appearance of good law (apariencia de buen derecho) cannot be accredited on facts that contradict the arguments presented by the company, insofar as this company declared under oath its compliance with the requirements of the conditions specifications (pliego de condiciones) of said competitive process. ● It would not be proportional to suspend the Operator's competitive process, causing a situation of disadvantage against its competitors, which is contrary to the sectoral principle of effective competition. ● Above all, a direct affectation to the Operator's users regarding the enjoyment and exercise of the human and fundamental rights that access to new technologies and the full enjoyment of telecommunications services entail (e.g., Internet based on fifth-generation or higher technologies). ● Nor would it be suitable to favor the petitioner with an interim measure (medida cautelar) that seeks to originate from a (nonexistent) subjective right to be favored by the result of the particular public procurement process. ● In the same way, the measure is not necessary, as the petitioner company has stated its full subjection and acceptance of the conditions of the procurement specifications (pliego de la contratación). ● Finally, the exercise of the fundamental right to defense and to an adversarial proceeding (contradictorio) must occur within the bidding procedure itself, through the appeals regime. Certainly, all these weaknesses render the request filed by the company ineffective. In addition to this, what the company's request demonstrates is that it seeks to have its own interest prevail over the public interest, with which it intends to leave the citizenry deprived of new technologies in a secure manner, the efficient and optimal exploitation of the radio spectrum, and the development of telecommunications networks based on 5G and superior technologies, based merely on its expectation of being awarded the contract, which without intending to prejudge, could incur in two uncertain alternatives as of today: to be awarded the contract or not to be favored with the award at all. Since the injury it claims to its fundamental rights has not yet materialized, it would be harmful to proceed with an interim measure of suspension (medida cautelar de suspensión) to the detriment of the special procedure for services in competition of the Operator. This is because the direct impact is on the users, who would not have access to more and better alternatives in the provision of services, full satisfaction regarding the enjoyment of the services that current technology offers, the implementation of innovative networks for the satisfaction of the public interest immersed in the concession titles granted by the Executive Branch, it would also affect the sphere of legitimate interests of the other bidders under equal conditions, the fulfillment of the conditions and obligations set forth in the concession title for the respondent Operator, and a potential disadvantage in the development of its activity in telecommunications matters against other competitors not subject to public procurement processes, and it also harms even the petitioner company's own offer by suspending its own evaluation, due to circumstances that it itself did not clarify from an initial moment, in the administrative venue. 6.- Under such circumstances, the writ of amparo ceases to be a procedural remedy to reinstate the violated right or prevent its violation from materializing, to become a jurisdiction for repairing damages and losses. This latter function is accessory and must yield to the primary purpose of the amparo, which is the effective protection of fundamental rights. II.- The elements to decree an interim measure 1.- In the present case, we are in the presence of an exceptional case, because if the execution of the future act harmful to our fundamental rights, which is almost in the execution phase, is not suspended, the harm to my represented party would be irreparable and irreversible, as it could not participate in the cited public competitive process for the acquisition of 5G/IMT Mobile telecommunications technology. 2.- Therefore, it is clear that in this case the three elements that administrative procedural doctrine considers necessary for the granting of an interim measure (medida cautelar) are present, namely: a) appearance of good law (apariencia de buen derecho), b) danger in delay (peligro en la demora), c) bilaterality of the periculum in mora. 3.- The appearance of good law (apariencia de buen derecho) is amply demonstrated in the file with the evident violations of the fundamental rights to free competition and equality of participation in public competitive processes to the detriment of my represented party. 4.- The danger in delay (peligro en la demora) consists of the objectively founded and reasonable fear that the substantial legal situation alleged may result seriously damaged or harmed in a grave and irreparable manner, during the time necessary to issue a judgment in the main process. 5.- This requirement requires the presence of two elements: grave damage or harm and the delay in the main process, without ignoring that within this requirement lies what doctrine calls the “bilaterality of the periculum in mora” or as it is commonly known, the weighing of the interests at stake. 6.- The requirement of danger in delay (peligro en la demora) refers to two aspects: first, to the damages that are alleged and that are susceptible to occur currently or potentially if the required measure is not adopted. Damages that must be established as grave, in addition to being considered as derived from the alleged situation. Response. It is not true that in this case all the necessary elements and requirements have been configured for the interim protection (tutela cautelar) requested by the petitioner company to proceed; on the contrary, the reality of the facts is that at the time of rendering this report, the company had the opportunity to participate in the special procedure for services in competition, to contract “GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND”, which was processed on the Integrated Public Procurement System (SICOP) platform and registered with electronic file number 2023XE-000023-0000400001. Even as has been demonstrated earlier, the company stated its total understanding and conformity with the requirements regulated in the conditions specifications (pliego de condiciones), without any reservation or protest whatsoever. Therefore, it is not observed what (sic) the damage is that it has constantly mentioned, even to request protection through interim suspension (suspensión cautelar), since its participation in a process of the broadest competition would allow two results, the award or the non-award, taking into account not only the rules fixed in advance for the procurement, but also the prerogatives of the Administration to assess whether in the specific case the procedure will end normally with the award, or abnormally, through another decision. That is why, given the possibilities that may arise from the selection procedure, participation constitutes a mere expectation and the result cannot be considered an irreparable damage as the company wishes to present it. On the contrary, it seems to sustain the position that its company must maintain a perpetual award, which not only enervates the purpose of the procedure, but also this circumstance of contracting ad perpetuam with the administration is not feasible in the Costa Rican legal system. 7.- Regarding the damages, it is clear that, if the effects of the conduct challenged in this writ of amparo are not suspended, my represented party could suffer damages and losses that are difficult or even impossible to repair, by being prevented from participating in the cited bidding procedure aimed at the acquisition of 5G Mobile telecommunications technology. 8.- For the Instituto Costarricense de Electricidad alone, the costs for the exclusion of [Name 002]., which is the current hardware and software supplier for that entity, would be $1.5 billion. The foregoing is a public and notorious fact that appears in the La República news of September 11, 2023 “Excluding Asian companies from 5G network competition would cost the country $1.5 billion in technology” available at https://www.larepublica.net/noticia/excluir-a-empresas-asiaticasdeconcurso-de-redes-5g-le-costaria-al-pais-15-billones-en-tecnologia Response. It is not true. Access to the indicated website does not correspond to the information; furthermore, as we have pointed out in this case, it is not accredited and lacks evidentiary elements that it was prevented from participating, which consequently does not warrant granting the petitioner company the interim protection (tutela cautelar) it has requested, for the following reasons: ● At the time of rendering this report, the petitioner company had the opportunity to participate in the special procedure for services in competition, to contract “GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND”, which was processed on the Integrated Public Procurement System (SICOP) platform and registered with electronic file number 2023XE-000023-0000400001. Even as has been demonstrated earlier, the company stated its total understanding and conformity with the requirements regulated in the conditions specifications (pliego de condiciones), without any reservation or protest whatsoever. ● The non-existence of the damage that it has constantly mentioned, even to request protection through interim suspension (suspensión cautelar), since its participation in a process of the broadest competition would allow two results, the award or the non-award, taking into account not only the rules fixed in advance for the procurement. ● The prerogatives of the contracting Operator through a special procedure for services in competition to assess whether in the specific case the procedure will end normally with the award, or abnormally, through another decision. ● Participation constitutes a mere expectation and the result cannot be considered an irreparable damage as the petitioner company wishes to present it. ● The position that its company must maintain a perpetual award, or that it must be favored prior to a competitive procedure, is inadmissible. ● This position enervates the purpose of the ongoing special procedure for services in competition, and the inadmissibility of seeking an ad perpetuam contract with the contracting Operator, which is legally improper. Regarding the supposed quantification of exclusion costs in the amount of $1.5 billion to the detriment of the operator, let the Constitutional Chamber take note that it is a premise without support, since the company's assessment is based on a communication whose technical support has not been provided to the specific case, and therefore lacks an objective technical basis and fails to provide the pertinent evidentiary element for these purposes. 9.- Secondly, this requirement refers to the situation generated by jurisdictional processes that require, for their development and subsequent completion, the realization of a series of acts through which not only (sic) due process is guaranteed, but also the issuance of a ruling that, if it cannot be carried out promptly, is at least fair. 10.- Putting an end to a process, whose judgment will depend on a prior resolution of an unconstitutionality action against norms that necessarily must be applied in it, demands time and it is precisely where interim protection (tutela cautelar) acquires special relevance, because while that decision of the process arrives, the production of grave damages is avoided, which, in the event of occurring, would render the right claimed ineffective. 11.- This writ of amparo cannot be resolved before this same Chamber votes on the merits of the unconstitutionality action that will be filed based on it, which could take at least two years. 12.- The bilaterality of the periculum in mora refers to the weighing of the interests at stake, linked to the public interest that may be in need of protection, against the interest of third parties and, of course, the interest of the person who comes forward through an interim measure (medida cautelar), and these must be comparatively assessed, with the derogation of the measure imposed when the harm suffered or susceptible to being produced to the community or third parties is greater than that which the Applicant of the measure could experience. Response. It is not true. We have previously accredited how the requirements and necessary elements in this case are not met to grant the petitioner company the interim protection (tutela cautelar) it has requested. This Constitutional Chamber must assess the potential damages in the event of granting said interim measure (medida cautelar) on the commercial activity of the Operator under a competitive regime, access to new technologies and full and secure enjoyment of services by end users, and the objectives of the ongoing public procurement process in accordance with Article 182 of our Political Constitution. 13.- The public interest would also be affected because the impact on operators with the exclusion of Huawei in 5G would have very harmful effects. The implementation of the decree could translate into the need for an investment increase of approximately USD196.69 million over a period of 5 years. But beyond the direct monetary impact, this situation could generate a delay in the implementation of 5G technology, extending the duration of its deployment up to an additional 4 years. These delays, in addition to the additional financial costs, can have repercussions on the country's competitiveness and on the adaptability of local industries to global technological trends. 14.- From the point of view of the internal impact, significant damages would also be caused. For example, ICE would have to increase its external debt due to the additional investments it would have to make to make the new system compatible. 15.- GDP would decrease due to the reduction of economic activities driven by advanced technologies that require 5G for their development, such as autonomous driving, autonomous manufacturing, artificial intelligence, etc. 16.- The costs of acquiring equipment by network operators and telecommunications service providers will increase as they have to acquire them at a higher price from US and European companies (a public and notorious fact that appears in news from press media Semanario Universidad, September 6, 2023 “President Chaves’ Decree leaves out five of the leading companies in 5G” available at https://semanariouniversidad.com/pais/decreto-de-presidentechaves-deja-fuera-a-cincode-las-empresas-lideres-en-5g/ and Diario Extra, September 6, 2023 “Government decision would increase the price of Internet” https://www.diarioextra.com/Noticia/detalle/504206/decisi-n-de-gobiernosubir-a-preciodel-internet-).

17.- The higher costs in acquiring equipment by network operators and telecommunications service providers would be passed on to the consumers and end users of such services (A public and notorious fact that appears in news from press media Semanario Universidad, September 6, 2023 “President Chaves’ Decree leaves out five of the leading companies in 5G” available at https://semanariouniversidad.com/pais/decretode. presidente-chaves-deja-fuera-a-cincode-las-empresas-lideres-en-5g/ and Diario Extra, September 6, 2023 “Government decision would increase the price of internet” https://www.diarioextra.com/Noticia/detalle/504206/decisi-n-de-gobiernosubir-a-preciodel-internet-).

18.- There would also be a loss of fair opportunities for system users to gain access to advanced 5G technologies due to the inevitable increase in telephone rates. Indeed, the additional cost of less advanced technologies and the market with insufficient competition will ultimately be transferred to users. The price of rates would increase by about 40%.

19.- If the 5G deployment is carried out without restrictions, its investment would contribute USD 748.4 million to Costa Rica's Gross Domestic Product (GDP) over a 5-year period. This represents a significant 3.19% of GDP. However, under the limitations of the decree, this contribution plummets to just USD 419.1 million. We are talking about a reduction of USD 329.3 million in just five years, a figure that is not insignificant for any economy and highly significant for Costa Rica.

20.- In any case, the economic study carried out by CINPE of the Universidad Nacional, in which 5 prestigious researchers from that educational center participated, reaches the following conclusions: Chapter IV: Conclusions and Recommendations. Throughout this research, we have proposed to calculate the financial and economic impact that the decision to implement Executive Decree No. 44196MSP-MICITT has for Costa Rica. We have made clear in chapter 1 of the research the importance and effects that the transition from 4 and 4.5 G internet to usage platforms based on 5G will have. This transformation process of the digital economy has important effects on the competitiveness of companies, on employment and technological development of key industries for the country, and on the generation of innovation opportunities. For all the above, we must attach the greatest importance and transcendence to the process ahead for the country with the deployment of 5G networks. In chapters 2 and 3 of this study, based on the results obtained from applying the methodology for financial impact and economic impact analysis, as well as the distribution of said amounts in rates, we can conclude that the restrictions on Asian suppliers and particularly on the company Huawei from participating in the bidding for equipment and maintenance of 5G networks in Costa (sic), has significant financial effects for cellular telephone operators and a very high economic and social impact for the country. It is concluded that: 1. The implementation of the decree could translate into the need for an investment increase of approximately USD196.69 million over a period of 5 years. But beyond the direct monetary impact, this situation could generate a delay in the implementation of 5G technology, extending the duration of its deployment up to an additional 4 years. These delays, in addition to the additional financial costs, can have repercussions on the country's competitiveness and on the adaptability of local industries to global technological trends. 2. Regarding the impact on the economy of said effects of the deployment of 5G technology, it can be forcefully seen when comparing the scenarios with and without the implementation of this decree. According to our research and the data presented in table 2.3, if the 5G deployment is carried out without restrictions, its investment would contribute USD 748.4 million to Costa Rica's Gross Domestic Product (GDP) over a 5-year period. This represents a significant 3.19% of GDP. However, under the limitations of the decree, this contribution plummets to just USD 419.1 million. We are talking about a reduction of USD 329.3 million in just five years, a figure that is not insignificant for any economy and highly significant for Costa Rica. 3. The most affected industries are the manufacturing industry, the ICT sector, the commercial sector, and public administration. The manufacturing industry is a sector closely linked to the dynamism of free zones and has historically been a pillar of Costa Rica's economic growth, and this will be the one that would absorb about a third of that economic cost (USD 117.0 million), which is alarming. This industry is not only vital for its contribution to GDP, but also because it is a crucial source of employment for Costa Ricans. Additionally, the information and communication sector is not far behind, projecting a negative impact of USD 39.18 million during the same period, as a direct consequence of the decree. In third place is the economic cost for the commercial sector, totaling USD 29.9 million. In some way, the estimated impact for this industry would be the best possible scenario, that is, there could be a greater cost resulting from the depth that 5G technology has and would have in access to new products for consumers, as is the case with digital platforms. In fourth place is the impact on public administration for a total of USD 24.6 million, which would limit the government in general and local governments in particular, in their ability to accelerate the process of smart cities. This is complemented by technological improvements to enhance citizen security and the coverage of public service rates, as is the case with water and electricity. 4. By integrating the effects of additional investment costs into an average industry rate model, we find that rates could rise by up to an additional 40 percent with the implementation of the decree. The effect for users tends towards digital exclusion in a very significant way; however, it will depend on the pricing strategy developed by 5G service providers and/or the intervention of the Costa Rican State to cushion this impact on Costa Ricans' income resulting from the increase in costs and prices of telecommunications services. 5. The exclusion of clients in rural areas and in segments of lower relative income is of great concern. The currently existing gap could widen significantly with nefarious implications for the excluded persons. Additionally, the non-implementation in time will have effects of loss of investment and employment opportunities. 6. As a whole, we see that the financial, economic, and social impact of the decree accounts for a significant loss for the country by implementing this measure. It is clear that there are opposing positions on the subject, but the magnitude of the effects requires a deep, critical, and coherent analysis with the country's reality. To exemplify the size of the economic impact, we can compare it with three large investment items: a. Eurobond Issuance: The loss of USD 329.3 million is approximately equivalent to 33% of what the Government of Costa Rica would obtain through the issuance of a eurobond. These bonds are crucial tools that the government uses to finance its operations and infrastructure projects. b. Sports Infrastructure: The amount in question could finance the construction of almost four National Stadiums. These venues serve not only for sporting events, but also for cultural and social activities that benefit the population. c. National Security: The figure also represents double the annual budget allocated to the Judicial Investigation Agency (Organismo de Investigación Judicial, OIJ), a vital entity for maintaining security and order in the country. Response. It is not true. First of all, it must be emphasized that this is evidence that was contracted by the petitioner company in exchange for an economic consideration of forty thousand US dollars in favor of the Centro Internacional de Política Económica para el Desarrollo Sostenible (hereinafter CINPE), as reported by the professionals themselves when attending the summons to the hearing set by the Permanent Special Commission on International Relations and Foreign Trade on December 13, 2023. In this same vein, this Constitutional Chamber must assess that, according to the report "Evaluation of the Economic Impact of the Exclusion of Suppliers in 5G Network Investments in Costa Rica" prepared by the Centro Internacional de Política Económica para el Desarrollo Sostenible (hereinafter CINPE), it states on page 8 the following: "The research was requested by the company [Name 002]., in view of the imminent exclusion of that company from providing the 5G service in Costa Rica; however, it is essential to emphasize that the researchers worked with total independence and without pressure of any kind." Said evidentiary element is therefore not pertinent given the absence of impartiality in the information used and its analysis. Therefore, without prejudice to the technical deficiencies it presents, it would not be appropriate to consider this document to validate the economic impact alleged by the petitioner. Even note, Constitutional Chamber, how the sources of said study are omitted, given that the source of information for the data used in the preparation of the tables mentioned below does not appear in said report: - TABLE 1. MAIN CHARACTERISTICS OF CELLULAR TELEPHONY GENERATIONS. - TABLE 2. RELATIVE PRICE OF DISTRIBUTORS VERSUS HUAWEI. COMPETITOR/ HUAWEI PRICE. - TABLE 3. ACCUMULATED 5G INVESTMENT PLAN IN OPERATORS. USD MILLIONS. - TABLE 4. 5G NETWORK COVERAGE MODEL ACCORDING TO HUAWEI AND COMPETITORS. - TABLE 5. CONTRIBUTION OF 5G INVESTMENT TO GDP IN 5 YEARS. USD MILLIONS. - TABLE 10. AVERAGE INDUSTRY OPERATING AND CONSTRUCTION EXPENSES. - TABLE 11. ESTIMATION OF OPERATION AND MAINTENANCE EXPENSES, COST FUNCTION. - TABLE 12. INCOME STATEMENT: 5G RESULTS, YEAR 1, USD$ (SCENARIO). - TABLE 13. SCENARIOS OF IMPACT ON RATES. - TABLE 14. SENSITIVITY ANALYSIS OF THE RESIDUAL VALUE OF THE INVESTMENT, USD$. - TABLE 15.

DISTRIBUTION OF THE NUMBER OF USERS ON THE 5G NETWORK, BY TYPE OF SERVICE. -TABLE 16. IMPACT ON THE RATE ACCORDING TO OPERATOR AND INTERNET AND TV PACKAGES. The elaborated industry average data, which are specified in the prose of the document, are also missing. It is mentioned as a source in some of the presented tables; however, the direct source of information for said data is unknown. The study mentions that "(...) in the case of Huawei (...) in the urban area its coverage is 44% greater (...)", (page 21 of the report), however, the source of this data is not specified. Along the same lines, the study mentions that "(...) This foregoing justifies the conservative additional cost of 44% of the investments expected by the operators (...)", (page 22 of the report), being another data point whose source is unknown. The source of the data used for extracting Costa Rica's Domestic Product and the total investment used for the econometric modeling is also not recorded (as mentioned on page 23). The document indicates that "(...) for the case of Costa Rica, the scope of 5G in mobile connections will be 6%", however, the source of the information is not presented (page 36 of the report). In addition to the lack of information identified previously, other substantive inconsistencies are observed that imply the evidence is not suitable to support the damages mentioned. Specifically, the following is observed: • Regarding the review and analysis from an economic perspective of the recent contracting by Racsa for 5G equipment, it can be seen that, DATASYS GROUP VINET (Datasys-Nokia) was the offeror that submitted the bid with the lowest price for an amount of $2,455,798.27, which is 76% lower than the Consorcio ITS CR-ITS PA (ITS Huawei); thus, information is available, with real and recent data applicable to Costa Rica, indicating that there are even cheaper options to ITS Huawei, in contrast to what is stated in the CINPE study based on projections. • Furthermore, precisely in relation to the CINPE study, inconsistencies are found in the information presented; calculations containing errors are detected, there is confusion about the source of information for some of the data presented therein, and additionally, there are doubts about the theoretical and methodological framework supporting the technical and scientific rigor of the impact assessment the study claims to perform. The foregoing does not allow the affirmations and estimates made by CINPE throughout the study to be verified. • There are at least two versions of the CINPE study, the one recorded in case files No. 23-023887-0007-CO and No. 23-025158-0007-CO and the one available on the study Center's website, which according to CINPE's clarification, is the final and official document; in other words, it appears that the document recorded in the mentioned case files, and which is used as evidence in the Amparo Appeal and the Unconstitutionality Action filed by the company [Name 002], is a preliminary and unofficial CINPE document. Additionally, it is worth noting that the documents present differences between them. • Likewise, it should be highlighted that, although the CINPE study is based on macroeconomic and microeconomic analyses, the omission of considering the costs associated with the lack of cybersecurity stands out. Cybersecurity threats in 5G networks, from traditional attacks to more sophisticated risks, underscore the importance of preventive measures. The lack of security not only implies risks to privacy and data loss, but also direct financial costs, regulatory sanctions, and loss of customer trust, which urges that this type of analysis incorporate all those variables that may affect consumer and operator well-being, beyond market price and infrastructure cost. It is important to emphasize that, even though CINPE provided four sources of information and web links to address MICITT's request in official communication MICITTDVT-OF-850-2023, it turned out that it was not possible to verify the CINPE study data through these sources. This inconvenience arose due to the lack of specification of the methodological procedure used for the extraction of said data. • This omission highlights the importance of complete methodological transparency to ensure the reliability and verifiability of the presented results. All the deficiencies noted above imply that the evidentiary element lacks the necessary technical support to establish, with scientific rigor, the conclusions of the analysis carried out in said study, and consequently, it is not tenable for determining the economic impact that the appealing company intends to argue. All these inconsistencies can be observed in section -M- subsection b of technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023, where these aspects are further elaborated upon. 7. These examples illustrate the severity of the financial and economic consequences implied by the decree and emphasize the need to reconsider policies that may have such profound repercussions on the economy and well-being of the country. All of the foregoing makes us think about the need to discuss technological neutrality in 5G supplier policy and, above all, the need to disregard criteria based on unproven political prejudices, as they affect critical market factors, namely: • Promotion of Competition: A technological neutrality policy ensures a level playing field for all suppliers, promoting competition, which can result in lower prices and more innovative solutions. • Security and Resilience: Depending on a variety of suppliers can increase network security and resilience by reducing dependence on a single supplier or technology. • Inclusive Technological Development: A neutral policy avoids technological exclusion, ensuring that the country has access to the full range of SG (sic) advances and solutions available globally. In sum, it is imperative that Costa Rica and other countries adopt a technological neutrality policy when considering the implementation of SG technology. This neutrality will not only guarantee efficient and economical adoption but will also position the country optimally to capitalize on the opportunities of the next digital era and all those to come in the future. The effective and timely implementation of the SG (sic) can be one of the most critical decisions that leaders make to guarantee progress and prosperity in the modern era. 21.- With the purpose of correcting the substantial legal situation at hand and preventing further, serious, and irreparable harm while the constitutionality and validity of the content of the challenged conduct is being discussed, we request the suspension of the bidding procedure cited so many times. Response. The financial and economic consequences alleged by the appealing company here are not true, given that said allegation is based on an economic study sponsored by the company [Name 002] itself and does not gather the information with the necessary technical and scientific rigor to ensure adequate traceability between the sources and the findings cited in said report, specifically in section -M- subsection b of technical report No. MICITT-DM-OF-10992023 dated December 12, 2023, which delves into these aspects. Lacking sufficient information to accredit the conclusions indicated in the evaluation study prepared by CINPE, it is not feasible to assume the economic scenarios posed by said evidentiary element. Added to the foregoing, the company's arguments regarding the need to strengthen technological neutrality policy considering the economic results obtained in CINPE's evaluation also lack technical grounding, given the deficiencies of the study itself, and what we have pointed out regarding the subjection of technological neutrality or flexibility in technological options to the legitimate interests of public policy and guaranteed standards in favor of the full enjoyment of the service by end users. In any case, it has already been developed in preceding paragraphs of this report that the issuance of Executive Decree 44196-MSP-MICITT "Regulation on Cybersecurity measures applicable to telecommunications services based on Fifth-generation mobile technology (5G) and higher": ● Does not prohibit or mandate the use of any specific technology, such as fifth-generation mobile technologies, but rather establishes minimum security requirements that all telecommunications mobile network Operators deciding to implement telecommunications networks under this or higher technology must comply with. ● These requirements consider Law No. 9452 "European Convention on Cybercrime," and a series of standards relating to information security, so that the Regulation seeks to ensure that Operators guarantee the secure operation of their networks and users can trust in the integrity, availability, and confidentiality of their networks and services, and fully enjoy the benefits of 5G technology without risks to their privacy, security, or informational self-determination. ● Does not limit competition or innovation in the telecommunications market under fifth-generation (5G) technology, but rather promotes an environment of effective competition and equal conditions for all Operators regardless of their origin or size, by requiring that Operators be subject to a legal framework that respects the principles of the Budapest Convention, as well as the other standards highlighted in the Regulation. ● This equality of conditions and obligations for Operators seeks to prevent unfair competitive advantages or market distortions by those Operators who might eventually operate under more lax regulations or ones incompatible with those required by the referenced Decree. ● The Regulation also fosters diversity and interoperability of technologies and platforms for the deployment of IMT-2020 systems, including 5G and higher, by allowing Operators to choose among a variety of reliable equipment suppliers that meet the established security requirements. ● Does not violate the supra-legal principle of flexibility in technological options nor the sectorial principle of technological neutrality, but rather attends to its guiding content in accordance with the Costa Rican State's public policy defined in the PNDT 2022-2027. ● The Regulation makes no distinction between the different technologies or platforms for the deployment of IMT-2020 systems, including 5G and higher, but applies equally to all of them. ● The Regulation also does not impose any restriction on the access to or use of these innovative networks or mobile services by users, but rather guarantees that they can exercise their freedom of expression, information, and communication through secure communication networks and media. All these inconsistencies can be observed in section -M- subsection b of technical report No. MICITT-DM-OF-1099-2023 dated December 12, 2023, where these aspects are further elaborated upon. 22.- This measure maintains total proportionality with the public interest, given that the eventual precautionary measure would provide us with comprehensive protection as we would have the possibility to participate in the public tender for the acquisition of 5G telecommunications technology that ICE will promote in the coming days and in which, beforehand, we are prevented from participating. 23.- Therefore, the harm that the bidding act will produce is greater and more real than what the public interest would presumably suffer. In this way, the imperative need that exists to adopt this precautionary measure is demonstrated, which constitutes the only remedy to prevent and avoid further harm to our right to conduct a business activity highly beneficial for the country. 24.- The foregoing confirms the suitability of the measure being requested, which is also proportionate to the aim sought in this amparo appeal, that is, the evident and manifest unconstitutionality of any public tender promoted by ICE for the acquisition of 5G Mobile telecommunications technology for violating the fundamental rights of free competition and equality of participation in public tenders. Response. It is not true. As has been well mentioned, the request of the appealing company has a series of deficiencies that show the inadmissibility of the intended precautionary protection, thus we have highlighted that: • That the Costa Rican company [Name 002] has effectively participated in the bidding process to contract "GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND", the same that was processed on the Integrated Public Procurement System (SICOP) platform and recorded under electronic file number 2023XE-000023-0000400001. • Declared under oath its adaptation to the requirements of the terms and conditions of said competitive process. In that sense, the consideration of impossible compliance it comes to affirm is not appreciated. • The instrumentality of the measure is also not fulfilled as it aims to suspend an initiated competitive procedure, in which it participates under equal conditions with other bidders, whereby its suspension at this time would imply an impact on the legitimate interests of all bidders involved in the process. • The measure would not prevent any unjustified privilege or an objectively unfounded distinction, given the condition of equality of the appellant in the contracting process upon complying, according to its statements, with the conditions of the tender document, without any type of indication to the contrary or in line with what is argued here. • The company declared under oath its adaptation to the requirements of the terms and conditions of said competitive process. • It would not be proportionate to suspend the Operator's tender, causing it a situation of disadvantage compared to its competitors, which is contrary to the sectorial principle of effective competition, and above all an impact on the Operator's users regarding the enjoyment and exercise of human and fundamental rights that the full enjoyment of telecommunications services entails, against the sectorial principle of user benefit. • There is no subjective right to be favored by the result of the contracting process; this is inadmissible. • A measure that sought to suspend ex ante an ongoing contracting procedure is inadmissible, whereby the measure is no longer necessary, the appealing company having also expressed full subjection and acceptance to the conditions of the contract terms and conditions. • The exercise of the fundamental right to defense and adversarial proceedings must occur within the same bidding procedure, through the appeals regime, as part of the due administrative procedure. All these aspects make the intended precautionary protection inadmissible, coupled with this, what the company seeks also aims for its own interest to prevail over the public interest, by leaving the Operator's users devoid of new technologies in a secure manner; matters related to the efficient and optimal exploitation of the radio spectrum and the development of telecommunications networks based on 5G technology and higher, against its mere expectation of being awarded, which without prejudice to prejudging, could incur in two alternatives uncertain as of today: to be awarded or not to be favored at all with the award. As the injury it attributes to its fundamental rights has not yet materialized, proceeding with a precautionary suspension measure to the detriment of the special service procedure in competition of the Operator would be harmful. This because the direct impact is for the users who would not have access to more and better alternatives in the provision of services, full satisfaction regarding the enjoyment of the services that current technology provides, the implementation of innovative networks for the satisfaction of the public interest embedded in the concession titles granted by the Executive Branch, it would also affect the sphere of legitimate interests of the other bidders under equal conditions, the fulfillment of the conditions and obligations set forth in the concession title for the appealed Operator, and a potential disadvantage in the development of its telecommunications activity compared to other competitors not subject to public procurement processes. It even harms the appealing company's own offer by suspending its own evaluation, due to circumstances that it itself did not clarify from an initial moment, in the administrative venue. PETITION 1.- Therefore, we request that in application of article 41 of the Law of Constitutional Jurisdiction, the publication of any tender terms and conditions be suspended, or in the event it is already published, the suspension of any bidding process by ICE in which the "Regulation on Cyber Measures applicable to Telecommunications Services Based on Fifth Generation Mobile Technology (5G) and Higher" (sic) must be applied, until this Constitutional Chamber has ruled on the merits of this amparo appeal and, in case it were converted into an unconstitutionality action, until it has ruled on the merits of the latter (sic). Response. It is inadmissible. I reiterate for these purposes the arguments stated in the previous point and will limit myself to pointing out that the adoption of this precautionary measure entails a direct impact for the users of the appealed Operator who would not have access to more and better alternatives in the provision of services, an impact on the degree of satisfaction in the enjoyment of the services that current technology provides. Furthermore, the future implementation of innovative networks for the satisfaction of the public interest embedded in the concession titles granted by the Executive Branch for the use and exploitation of the radio spectrum for public networks is affected, and on the other hand, it has effects on the legal sphere of legitimate interests of the other bidders under equal conditions, the fulfillment of the conditions and obligations set forth in the concession title for the appealed Operator, and a potential disadvantage in the development of its telecommunications activity compared to other competitors not subject to public procurement processes, but subject to this regulatory norm on cybersecurity matters. IV. Regarding the facts and allegations raised in the AMPARO APPEAL in the brief received at the Secretariat of the Chamber on November 9, 2023. "1.- ICE published today, November 9, 2023, the TERMS AND CONDITIONS FOR THE ACQUISITION OF: GTACQUISITION (sic) OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND". Response. It is true that the Instituto Costarricense de Electricidad published, on November 9, 2023, the invitation to participate in the special service procedure in competition, with the purpose of contracting "GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND", processed on the Integrated Public Procurement System (SICOP) platform, recorded under electronic file number 2023XE-000023-0000400001. From the query made to said file, it is observed that, in the context of said special service procedure in competition, the opening of bids was carried out on December 19, 2023, where the bid of the company [Name 002] is recorded for items 1, 2, 3, 4, and 5 of said contracting process. 2.- The tender document contains requirements that are impossible for my represented party to fulfill because its parent company is located in the People's Republic of China. Response. It is not true. We have pointed out that at the time this report is rendered, the appealing company had the opportunity to participate in the special service procedure in competition, to contract "GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND", the same that was processed on the Integrated Public Procurement System (SICOP) platform and recorded under electronic file number 2023XE-000023-0000400001, in which the company: ● Stated its total understanding and conformity to the requirements regulated in the terms and conditions, without any reservation or protest whatsoever. ● The non-existence of the damage it has mentioned on constant occasions to request even protection through precautionary suspension, since its participation in a process of the broadest concurrence would allow two results, the award or non-award, taking into account not only the rules set in advance for the contracting. ● The prerogatives of the contracting Operator through a special procedure for services in competition to assess whether in the specific case the procedure will end in a normal manner with the award, or in an abnormal manner, through another decision. ● Participation constitutes a mere expectation, and the result cannot be deemed as irreparable damage as the appealing company tries to portray it. ● The position that its company must maintain a perpetual award or must be favored prior to a competitive procedure is inadmissible. ● This position weakens the purpose of the ongoing special service procedure in competition, and the inadmissibility of seeking an ad perpetuam contracting with the contracting Operator, which is legally not admissible. Another aspect already extensively developed in this report is that, even though the appealing company maintains that its company presumably resides in another country and that this constitutes an impediment to participate, it makes no reference to the specific provisions of Executive Decree No. 44196-MSP-MICITT applicable to said circumstance, to assert that in the specific case a lesion to its sphere of fundamental rights could materialize, and this is so because said regulatory norm does not establish any discrimination in relation to the origin or nationality of any company. The lack of substantiation prevailing in the amparo appeal in question has also been reiterated, because the company maintains that its company is of Chinese origin or has its parent company in China from the wording of this particular point, when none of these circumstances was alerted in the different evidentiary elements attached to the amparo appeal file, and conversely, from the company's statements, its Costa Rican origin is evident, as well as the understanding and acceptance of the terms of the tender recorded under electronic file number 2023XE-000023-0000400001. Along these lines, consider what is documented in the company's own bid, where no protest, reservation, or observation has been made regarding the origin and/or parent company it raises here and how this condition could entail any injury to its sphere of fundamental rights. No less important, how said affectation derives precisely from the Regulation; when from public and notorious facts, what has been documented is that it is a company formed under the protection of the national legal system, registered as a sociedad anónima in the Legal Entities Section of the National Registry. Specifically, Section 3, 5G Mobile RAN-CORE Cybersecurity, which, in what is relevant, indicates: "3. 5G MOBILE RAN-CORE CYBERSECURITY SECTION. 3.1. The bidder must comply with all aspects alluding to risk management and mitigation contained in the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT, when planning, designing, and implementing its technical offer, for which it must provide, together with the bid, the risk management and mitigation plan in accordance with the aforementioned regulations. 3.2. The bidder must submit a sworn statement indicating that it complies with the adoption of the following cybersecurity standards:

Response. The truth is that the Instituto Costarricense de Electricidad published, on November 9, 2023, the invitation to participate in the special service procedure in competition, with the purpose of contracting "GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND", processed on the Integrated Public Procurement System (SICOP) platform, recorded under electronic file number 2023XE-000023-0000400001. From the query made to said file, it is observed that, in the context of said special service procedure in competition, the opening of bids was carried out on December 19, 2023, where the bid of the company [Name 002] is recorded for items 1, 2, 3, 4, and 5 of said contracting process. Specifically, the following statements of conformity, set forth by the company itself, are read from the bid document (EVIDENCE No. 3), where it literally indicated: "Response: The sworn statement is attached in Annex #2 indicating the adoption of the mentioned standards as detailed below. ISO/IEC 27001:2022: We understand, accept, and comply. We have the certification. ISO/IEC 27002:2022: We understand, accept, and comply. Huawei fully complies with the adoption of this reference guide for the implementation of ISO27001 controls. ISO/IEC 27003:2017: We understand, accept, and comply. Huawei fully complies with the adoption of this reference guide for the implementation of ISO27001 requirements. ISO/IEC 27011:2016: We understand and accept. This standard is an extension of ISO 27001 based on the controls of ISO 27002 adding controls that are aimed at Telecommunications Service Providers. SCS 9001: Huawei fully complies with and adopts the technical requirements of this standard following the industry's best practices, which is demonstrated through certifications (ISO9001, ISO27001, ISO28000, and NESAS). Certifications are attached in Annex #10. GSMA NESAS: We understand, accept, and comply. The certificates are attached in Annex #10 and additionally the link for verification https://www.gsma.com/security/nesas-results/ ISO/IEC 27400: We understand, accept, and comply. Huawei fully complies with the technical requirements of this standard following the industry's best practices. Product datasheets are attached showing the functionalities to improve network security. 3GPP 33.501: We understand, accept, and comply. Huawei fully complies with the technical requirements of this standard following the industry's best practices. NIST 1800-33B: We understand, accept, and comply. Huawei's 5G solution fully complies with the technical requirements of this guide, following the industry's best practices." (Emphasis is ours) In turn, the Sworn Statement (EVIDENCE No. 4) that was provided as part of the bid documents is recorded, in which the legal representative of the company [Name 002] declared under oath that: "That my represented party complies with and adopts the technical requirements of the cybersecurity standards, guides, and recommendations (ISO/IEC 27001:2022, ISO/IEC 27002:2022, ISO/IEC 27003:2017, ISO/IEC 27011:2016, SCS 9001, GSMA NESAS, ISO/IEC 27400, 3GPP 33.501, NIST 1800-33B), following the industry's best practices." (Emphasis is ours) From the specific allegation and the responses documented in the tender file itself, no non-conformity is observed on the part of the appealing company in this aspect. 3.3. In accordance with article 10 of the Costa Rica Cybersecurity Regulation No. 44196MSP-MICITT, where it is indicated that there cannot be a single supplier for hardware and software in critical network elements, ICE may not award to the same bidder the Mobile CORE (items 3 and 4) and the mobile access network (items 1 and 2). In the event that the bid participates for the Mobile CORE (items 3 and 4) and the mobile access network (items I and 2) and complies with all technical, financial, and legal aspects and ranks first in price for all the mentioned items, ICE will award only items I and 2 (mobile access network) to this bidder, and items 3 and 4 (Mobile Core) will be awarded to the second place in price, in order not to have a single supplier for hardware and software in critical network elements, in compliance with article 10 of the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT. Response.

The truth is that on November 9, 2023, the Instituto Costarricense de Electricidad published the invitation to participate in the special competitive services procedure, with the purpose of contracting "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," processed on the Sistema Integrado de Compras Públicas (SICOP) platform and registered under electronic file number 2023XE-000023-0000400001. In that special competitive services procedure, the opening of bids took place on December 19, 2023, where the bid of the company [Name 002] for items 1, 2, 3, 4, and 5 of said contracting process is recorded. As for the award model, it is an aspect whose definition is the exclusive province of the contracting Operator, on which it is not for me to opine. What I can emphasize to this Constitutional Chamber, as has been specified above, is the need to diversify the supply chain to reduce the risks of impairing network functionality by depending on vulnerabilities that a single manufacturer may present in its hardware or software. A greater number of suppliers means a greater number of solutions for the final telecommunications service without the need to interrupt service continuity for the benefit of the end user. Diversifying the supply chain not only constitutes a sound practice (sic) in the technology sector and specifically in telecommunications, but by ensuring that the network will not depend on a single supplier, it also reduces the criticality gaps of incidents resulting from interconnection complexity. 3.4. The bidder must submit a sworn statement indicating that its headquarters is in a country that has expressed its consent to be bound by compliance with the Convention on Cybercrime (Budapest Convention). For this purpose, supporting documentation must be attached. ICE reserves the right to verify the validity (sic) of the information provided. Response. The truth, at the time of rendering this report, is that on November 9, 2023, the Instituto Costarricense de Electricidad published the invitation to participate in the special competitive services procedure, with the purpose of contracting "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," processed on the Sistema Integrado de Compras Públicas (SICOP) platform and registered under electronic file number 2023XE000023-0000400001. From the review of said file, it is observed that, in the context of said special competitive services procedure, the opening of bids took place on December 19, 2023, where the bid of the company [Name 002] for items 1, 2, 3, 4, and 5 of said contracting process is recorded. Specifically, the following statements of conformity set forth by the company itself are read from the bid document (PRUEBA N°3), which literally stated: "The bidder must submit a sworn statement indicating that its headquarters is in a country that has expressed its consent to be bound by compliance with the Convention on Cybercrime (Budapest Convention). For this purpose, supporting documentation must be attached. ICE reserves the right to verify the validity (sic) of the information provided. Response: We understand. Huawei fully complies with cybersecurity standards and industry best practices (sic) for the safeguarding and integrity of information. The Budapest Convention does not refer to a cybersecurity standard for 5G mobile networks or similar." Substantial compliance with this requirement is a matter within the exclusive province of the contracting Operator. However, let the Chamber observe, as has been pointed out on repeated occasions, that the appellant company here consented in writing to the requirement and its subjection to all the conditions of the tender documents. From the specific argument and the responses documented in the competition file itself, no disagreement on this point is apparent from the appellant company. 3.5. The bidder must submit a sworn statement indicating whether or not the factory headquarters is susceptible to pressure from a foreign government by normative provision or official public policy of said foreign government, in relation to the location or execution of its operations. Response. The truth is that on November 9, 2023, the Instituto Costarricense de Electricidad published the invitation to participate in the special competitive services procedure, with the purpose of contracting "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," processed on the Sistema Integrado de Compras Públicas (SICOP) platform and registered under electronic file number 2023XE-000023-0000400001. From the review of said file, it is observed that, in the context of said special competitive services procedure, the opening of bids took place on December 19, 2023, where the bid of the company [Name 002] for items 1, 2, 3, 4, and 5 of said contracting process is recorded. Specifically, the following statements of conformity set forth by the company itself are read from the bid document (PRUEBA N°3), which literally stated: The bidder must submit a sworn statement indicating whether or not the factory headquarters is susceptible to pressure from a foreign government by normative provision or official public policy of said foreign government, in relation to the location or execution of its operations. Response: We understand, we accept, and we comply. A file named "Sworn Statement" is attached in Anexo #2, which is located in the "Legal Documents" folder. (Highlighting is ours) In turn, the Sworn Statement (PRUEBA N°4) provided as part of the bid documents is recorded, in which the legal representative of the company [Name 002] declared under oath that: "That the factory headquarters of my represented party is not susceptible to pressure from a foreign government by normative provision or official public policy of said foreign government, in relation to the location or execution of its operations." From the specific argument and the responses documented in the competition file itself, no disagreement on this point is apparent from the appellant company. 3.6. The bidder must submit a sworn statement indicating whether it is based in a country, or is in any way subject to the direction of a foreign government with established laws or practices that may require them to share end-user information of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests." As can be seen from the preceding quote, the discriminatory elements contained in the Reglamento Ciberseguridad Costa Rica Nº 44196-MSPMICITT are involved in the present contracting, which are mandatory conditions for the qualification of the bidder to participate in the tender process, which excludes my represented party from access to the tender and loses the opportunity to compete, by reason of the origin of its parent company. All of the foregoing, as was duly reasoned, supported, and proven in the principal Amparo Action under file 23-023887-0007-CO. Response. The truth is that on November 9, 2023, the Instituto Costarricense de Electricidad published the invitation to participate in the special competitive services procedure, with the purpose of contracting "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," processed on the Sistema Integrado de Compras Públicas (SICOP) platform and registered under electronic file number 2023XE-000023-0000400001. From the review of said file, it is observed that, in the context of said special competitive services procedure, the opening of bids took place on December 19, 2023, where the bid of the company [Name 002] for items 1, 2, 3, 4, and 5 of said contracting process is recorded. Specifically, the following statements of conformity set forth by the company itself are read from the bid document (PRUEBA N° 3), which literally stated: "The bidder must submit a sworn statement indicating whether it is based in a country, or is in any way subject to the direction of a foreign government with established laws or practices that may require them to share end-user information of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests. Response: We understand, we accept, and we comply. A file named "Sworn Statement" is attached in Anexo #2, which is located in the "Legal Documents" folder. (Highlighting is ours) In turn, the Sworn Statement (PRUEBA N°4) provided as part of the bid documents is recorded, in which the legal representative of the company [Name 002] declared under oath that: "That the factory headquarters of my represented party is not susceptible to pressure from a foreign government by normative provision or official public policy of said foreign government, in relation to the location or execution of its operations. 13. That my represented party is in no way subject to the direction of a foreign government with established laws or practices that may require it to share end-user information of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests." From the specific argument and the responses documented in the competition file itself, no disagreement on this point is apparent from the appellant company. 3.- In this manner, the violation of our fundamental rights was imminently materialized, as we had indicated in the filing brief of this amparo action. (...) LAW I.- The violations of my represented party's fundamental rights The ICE public tender documents cited violate at least the following fundamental rights to the detriment of my represented party: a) the right of free competition and equality of participation in public tenders, and b) the right not to be discriminated against by reason of the company's origin. A.- The violation of the fundamental rights of free competition and equality of participation in public tenders 1.- The jurisprudence of this Chamber has established that "if Article 182 of the Political Constitution establishes this principle - that of the tender - then all the principles inherent to Administrative Contracting are immersed in the concept. By virtue of the foregoing, it must be understood that all the constitutional principles and parameters governing the State's contractual activity derive from Article 182 of the Political Constitution. Some of these principles that guide and regulate the tender are: 1.- free concurrence, which aims to strengthen the possibility of opposition and competition among bidders within the prerogatives of freedom of enterprise regulated in Article 46 of the Political Constitution, intended to promote and stimulate the competitive market, so that the greatest number of bidders participate, allowing the Administration to have a broad and varied range of offers, so that it can select the one that offers it the best conditions; 2.- equal treatment among all potential bidders, a principle complementary to the former and which within the tender has a dual purpose: that of being a guarantee for the administered in the protection of their interests and rights as contractors, bidders, and as individuals, which translates into the prohibition for the State to impose restrictive conditions for access to the competition, whether through the promulgation of legal or regulatory provisions with that purpose, or in its specific actions; and that of constituting a guarantee for the administration, insofar as it increases the possibility of a better selection of the contractor; all within the constitutional framework provided by Article 33 of the Fundamental Charter" (Voto 998-1998). Response. It is not true. I reiterate what was stated regarding the bid of the company [Name 002], with the purpose of contracting "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," processed on the Sistema Integrado de Compras Públicas (SICOP) platform and registered under electronic file number 2023XE-0000230000400001, in which the appellant participated and expressed its compliance with the conditions of the tender documents for said competitive process, in which it is also reiterated that its bid also states that it is a company incorporated in Costa Rica. Therefore, the company [Name 002], according to its own statements before the Operator, has confirmed its compliance with the applicable conditions and regulations for the competition, including under oath. Consequently, the company has effectively exercised each and every one of the rights it argues were violated, which reveals an incongruity between what is stated herein and the verifiable real facts as processed on the Sistema Integrado de Compras Públicas (SICOP) platform registered under electronic file number 2023XE-000023-0000400001. On the other hand, the Decreto Ejecutivo Nº44196-MSP-MICITT "Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores" contains objective parameters for the deployment of networks under fifth-generation or higher technologies by Operators enabled to exploit the radio spectrum, and also to strengthen prevention against cybercrime, which, as has been well explained, has caused significant damage to public systems, public finances, and to the users of these essential services in the country. 2.- The tender documents published by ICE for the acquisition of "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA" imply a clear violation, to the detriment of my represented party, of its fundamental rights to free concurrence in public contracting and equal treatment of bidders, given that articles 10) subsections c), d), e), and f) and numeral 1 1 of the "Reglamento Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) are directly applied in that public tender, norms that establish discriminatory regulations contrary to the cited fundamental rights of free competition and equal treatment in public tenders. Response. It is not true. Inasmuch as the company [Name 002], with the purpose of contracting "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," processed on the Sistema Integrado de Compras Públicas (SICOP) platform and registered under electronic file number 2023XE-000023-0000400001, participated and stated under oath its compliance with the conditions of the tender documents for said competitive process, and confirms that it is a commercial company incorporated in Costa Rica and therefore under the precepts of the national Legal System. Furthermore, even though this Costa Rican company maintains that the origin or nationality of a company constitutes an impediment to participation, it makes no connection to the specific provisions of the Decreto Ejecutivo Nº44196-MSP-MICITT applicable to that circumstance, to assert that in the specific case, an injury to its sphere of fundamental rights could materialize, and this is so because said regulatory norm does not establish any discrimination in relation to the origin or nationality of any company. Despite having repeatedly stated that the provisions of the Reglamento will prevent its participation in public contracting processes, completely contrary circumstances are observed that grossly distort the arguments put forth, given that within the competition recently promoted by ICE, what it set forth in writing was total subjection and compliance with the rules of the competition, including the conditions derived from the Decreto Ejecutivo Nº44196-MSPMICITT. 3.- Indeed, those norms establish requirements for the specific case, so that companies of different origins, especially Chinese, cannot participate in any public tender for the acquisition of 5G Mobile and higher telecommunications technology. Response. It is not true. Inasmuch as the company [Name 002] has effectively participated in the tender process to contract "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," which was processed on the Sistema Integrado de Compras Públicas (SICOP) platform and registered under electronic file number 2023XE-000023-0000400001; in which it also declared under oath its compliance with the conditions of the tender documents for said competitive process, and confirms that it is a commercial company incorporated in Costa Rica, without any ideology being specified for said corporate trader for its participation, and on which discriminatory acts by the Operator are identified. Nor does the appellant company in its statements make any connection to the specific provisions of the Decreto Ejecutivo Nº44196-MSP-MICITT applicable to that circumstance, to assert that in the specific case an injury to its sphere of fundamental rights could materialize, and this is so because said regulatory norm does not establish any discrimination in relation to the origin or nationality of companies, proof of which is that the appellant has fully exercised its rights to bid freely in the cited competitive procedure. Which automatically causes its arguments to be distorted, given that it has freely subjected itself to the provisions of the tender documents on an equal footing with other participants.4.- In that manner, the fundamental rights to freedom of competition and equal treatment held by all potential interested parties in participating in public tenders for the acquisition of goods and services in our country are grossly and evidently violated. Response. It is not true. Inasmuch as the company [Name 002] has effectively participated in the tender process to contract "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," which was processed on the Sistema Integrado de Compras Públicas (SICOP) platform and registered under electronic file number 2023XE-000023-0000400001; in which it also declared under oath its compliance with the conditions of the tender documents for said competitive process, and confirms that it is a commercial company incorporated in Costa Rica, without any ideology being specified for said corporate trader for its participation, and on which discriminatory acts by the Operator are identified. Nor does the appellant company in its statements make any connection to the specific provisions of the Decreto Ejecutivo Nº44196-MSP-MICITT applicable to that circumstance, to assert that in the specific case an injury to its sphere of fundamental rights could materialize, and this is so because said regulatory norm does not establish any discrimination in relation to the origin or nationality of companies, proof of which is that the appellant has fully exercised its rights to bid freely in the cited competitive procedure. The foregoing distorts its arguments, given that it has freely subjected itself to the provisions of the tender documents on an equal footing with other participants.5.- In the case of my represented party, the tender documents prevent our participation in that public contracting by applying the stipulations in subsections c), d), e), and f) of article 10 and numeral 1 1 of the cited Reglamento, which is the purpose pursued by that regulation according to statements, at the time, of the Executive President of ICE, the Minister of MICITT, and the President of the Republic. To a party's confession, relief from proof. B.- The violation of the constitutional principle against discrimination for any reason 1.- Article 33 of the Constitution enshrines the cardinal principle in Western Law that no person, physical or legal, may be discriminated against for any reason (sex, religious beliefs, ideology, nationality, etc.). 2.- In the present case, my represented party is openly discriminated against both for its alleged ideology and for its nationality, which implies a gross violation of Article 33 of the Political Constitution. 3.- Let us recall that discrimination, from a legal point of view, means granting different treatment based on unjust or arbitrary inequalities that are contrary to the principle of equality before the law. 4.- The prohibition against discriminating encompasses the interdiction of doing so for any personal or social circumstance; that is, any differentiation lacking objective and reasonable justification can be classified as discriminatory. 5.- In this manner, inequalities of treatment based exclusively on reasons of sex, race, social condition, ideological motives, origin, nationality, etc., are contrary to the principle of non-discrimination. Response. It is not true. Inasmuch as the company [Name 002] has effectively participated in the tender process to contract "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," which was processed on the Sistema Integrado de Compras Públicas (SICOP) platform and registered under electronic file number 2023XE-000023-0000400001; in which it also declared under oath its compliance with the conditions of the tender documents for said competitive process, and confirms that it is a commercial company incorporated in Costa Rica, without any ideology being specified for said corporate trader for its participation, and on which discriminatory acts by the Operator are identified.Nor does the appellant company in its statements make any connection to the specific provisions of the Decreto Ejecutivo Nº44196-MSP-MICITT applicable to that circumstance, to assert that in the specific case an injury to its sphere of fundamental rights could materialize, and this is so because said regulatory norm does not establish any discrimination in relation to the origin or nationality of companies, proof of which is that the appellant has fully exercised its rights to bid freely in the cited competitive procedure. Ergo, its statements on these points are unfounded. 6.- The regulation that ICE intends to apply contains discriminatory elements as mandatory requirements in the cited public tender, implying a clear violation of the principle of non-discrimination to the detriment of my represented party, given that it is excluded from a public tender from the outset for allegedly ideological and nationality reasons. Response. It is not true. Inasmuch as the company [Name 002] has effectively participated in the tender process to contract "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," which was processed on the Sistema Integrado de Compras Públicas (SICOP) platform and registered under electronic file number 2023XE-000023-0000400001; in which it also declared under oath its compliance with the conditions of the tender documents for said competitive process, and confirms that it is a commercial company incorporated in Costa Rica, without any ideology being specified for said corporate trader for its participation, and on which discriminatory acts by the Operator are identified, and its statements omit any connection between the specific provisions of the Decreto Ejecutivo Nº44196-MSPMICITT applicable to that circumstance, to assert that in the specific case an injury to its sphere of fundamental rights could materialize, without prejudice to the evidentiary deficiency in this regard, given the facts presented that contradict what was stated by the appellant. PRECAUTIONARY MEASURE 1.- Given that we are facing an exceptional case, since if the execution of the future act harmful to our fundamental rights is not suspended and it is in the execution phase, the harm to my represented party would be irreparable and irreversible as it prevents its participation in the cited public tender for the acquisition of 5G/IMT Mobile telecommunications technology. 2.- Therefore, we request that in application of Article 41 of the Ley de la Jurisdicción Constitucional, the processing of the tender process indicated in the challenged announcement be suspended, given that the "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) is being applied in it, until such time as this Constitutional Chamber has ruled on the merits of this amparo action and on the unconstitutionality action timely filed against that decree. Response. It is unfounded. I reiterate for these purposes the arguments stated in previous points and will limit myself to pointing out that the adoption of this precautionary measure entails a direct impact on the users of the respondent Operator, who would not have access to more and better alternatives in the provision of services, affecting the degree of satisfaction in the enjoyment of the services that current technology provides. Furthermore, it affects the future implementation of innovative networks for the satisfaction of the public interest inherent in the concession titles granted by the Executive Branch for the use and exploitation of the radio spectrum for public networks, and on the other hand, it has effects on the legal sphere of legitimate interests of the other bidders under equal conditions. The foregoing, without prejudice to the potential to affect the fulfillment of the conditions and obligations set forth in the concession title for the respondent Operator, and a possible competitive disadvantage in the development of its activity in the field of telecommunications compared to other competitors not subject to public contracting processes, but subject to this regulatory norm on cybersecurity matters. PETITION Based on the facts invoked, evidence offered, and legal considerations stated, I request that the judgment declare: 1.- That my represented party cannot be prevented from participating in the cited public tender by introducing clauses impossible for it to fulfill, because this violates the fundamental rights of free competition, equal treatment, and the prohibition of discrimination exclusively for ideological and nationality reasons. 2.- I reiterate the request to order ICE to pay the damages and costs of this action." Response. It is not true. According to (sic) what was stated above, the bid of the company [Name 002] is observed, with the purpose of contracting "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," processed on the Sistema Integrado de Compras Públicas (SICOP) platform and registered under electronic file number 2023XE-0000230000400001, in which the appellant participated and expressed its compliance with the conditions of the tender documents without noting any element impossible to fulfill within said competitive process, in which it is reiterated that its bid also states that it is a company incorporated in Costa Rica. As has been extensively specified, the publicly available documents and the company's own statements made within the framework of the competitive procedure reveal the Costa Rican origin of the company, which is why the limitations to participation it alleges are not understood. It is reiterated furthermore that, in this case, the company has also not demonstrated that the provisions of the Reglamento in question discriminate in any way on the basis of ideologies and/or nationality, since the definition of measures included therein was not based on these subjective considerations.

In any case, this report has developed the point that, in matters of public procurement procedures, it is entirely feasible to incorporate legitimate restrictions provided they conform to the principles of conventionality, reasonableness, proportionality, the legality block (bloque de legalidad), and the rules of science, technique, and legal logic—parameters that, as has been demonstrated, were observed when issuing Executive Decree No. 44196-MSP-MICITT, "Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth-Generation Mobile Technology (5G) and Higher" (Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”), and which, consequently, must be observed by any Operator of telecommunications services under 5G technology or higher.

V.Regarding the facts and allegations raised in the AMPARO PETITION in the brief received at the Secretariat of the Chamber on November 14, 2023. "1. With the attached technical document, the losses that both my represented party and the country would suffer if we were prevented from participating in the ICE tender." Response. The technical document referred to is irrelevant for these purposes, since it has already been dimensioned in this brief that the company's claims concern its participation in a specific procurement procedure, in which the company [Name 002], for the purpose of contracting "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," processed on the Integrated Public Procurement System (Sistema Integrado de Compras Públicas, SICOP) platform and registered under electronic file number 2023XE-000023-0000400001, in which the petitioner participated and stated its adaptation to the conditions of the tender specifications of said competitive process, reiterating that in its offer it also makes clear that it is a company incorporated in Costa Rica. In the case at hand, respecting the principles of due process, transparency, impartiality, and equality of conditions for all participants that have bid in said competition, the prudent course is to await the criterion of the contracting Operator so that those who deem any grievance may activate the applicable recourse regime. Of course, given the nature of the public procurement process, in order to guarantee the broadest participation, the contracting Administration is the one that, under its discretionary powers, awards the contract, meaning that not everyone will benefit from that result. Therefore, as has been specified for previous points, what the potential bidder holds is merely an expectation and not a pre-existing subjective right (derecho subjetivo). In that sense, the Administrative Dispute Tribunal has stated: "“Bidders in any competitive process carried out by the Administration (...) do not have a subjective right to be awarded the contract (since the award must be made to the offer that meets all legal requirements and is the most convenient for satisfying the general interest and fulfilling the purposes and tasks of the Administration (...) or, alternatively, the tender may be declared void) but only a legitimate interest (interés legítimo). It must be recalled that, in public law, a legitimate interest is an expectation of obtaining or preserving a substantial benefit, through the exercise of the powers of the Public Administration, so the legal system does not guarantee the interested party the suitable conduct for the satisfaction of their interest, but makes that satisfaction dependent on the acts of exercising administrative powers. In other words, when one has a legitimate interest, one cannot demand from the Administration conduct that satisfies this interest, as the holder of a subjective right could. (...) Only the holder of a subjective right can request the annulment of an administrative act, the restoration of the individualized legal situation, and compensation for damages (Articles 10.3, 23, and 62 of the Law Regulating the Administrative Dispute Jurisdiction). (...) the fact that this Tribunal may uphold the argument that the CCSS administration erroneously evaluated the offer of the awarded company M.R. Pintores, S.A., does not allow the conclusion that a correct evaluation of its proposal would have inevitably led to the tender being granted to the plaintiff's offer. Indeed, a different weighting of the factors could well have led, for example, to declaring the tender void. Thus, the plaintiff here did not have then – nor does it have now – a subjective right to be awarded the execution of the works subject to the tender; it was merely the holder of a legal expectation, a legitimate interest. From this perspective, the granting of the claimed damages is not appropriate: since its legitimate interest never materialized into a subjective right, it was never in a position to experience compensable harm either." (see resolution of the Administrative Dispute Tribunal, Section VII, No. 56 - 2009 of May 27, 2009). From the preceding excerpt and the premises already constructed in this report, the company cannot claim any right over the procurement carried out by ICE, as no award has been granted in its favor and, consequently, any profit is of an eventual nature, which is also not a certain and definitive fact for the company, as it must await the evaluations that the contracting Operator finally generates as part of the course of the selection procedure. Therefore, it is improper to assert that said special procedure could result in harm to the company's economic situation, since the company's returns are not linked by way of subjective right to the operator at this moment. Otherwise, there would be no need whatsoever to subject the contractual object to competition, thus rendering nugatory the principles that inform the matter of public procurement, by admitting a thesis that not only prejudges in favor of [Name 002], but also seeks to maintain a contract perpetually, thereby invalidating the rights of other bidders to be evaluated on the same level of equality.

VI.Regarding the facts and allegations raised in the AMPARO PETITION in the brief received at the Secretariat of the Chamber on November 24, 2023. "I hereby expand the amparo petition filed and processed under file 230238870007-CO, based on the following FACTS 1.- That by a brief sent to this Constitutional Chamber on November 9, 2023, the amparo petition filed was expanded for the first time, because ICE published on November 9, 2023, the TENDER SPECIFICATIONS FOR THE ACQUISITION OF: GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA." Response. It is true that the Costa Rican Institute of Electricity (Instituto Costarricense de Electricidad, ICE) published on November 9, 2023, the invitation to participate in the special procedure for services in competition, for the purpose of contracting "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," processed on the Integrated Public Procurement System (Sistema Integrado de Compras Públicas, SICOP) platform and registered under electronic file number 2023XE-000023-0000400001. From the consultation made to said file, it is observed that, in the context of said special procedure for services in competition, the opening of bids took place on December 19, 2023, where the offer from the company [Name 002] for items 1, 2, 3, 4, and 5 of said procurement process is recorded. 2.- The tender document contains requirements that are impossible for my represented party to fulfill because its parent company (casa matriz) is located in the People's Republic of China. Specifically, Section 3, 5G Mobile RAN-CORE Cybersecurity, which can be reviewed in the brief of November 9, 2023. Response. That is not true. We have indicated that at the time this report is rendered, the recurring company had the opportunity to participate in the special procedure for services in competition, to contract "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," which was processed on the Integrated Public Procurement System (Sistema Integrado de Compras Públicas, SICOP) platform and registered under electronic file number 2023XE-000023-0000400001, in which the company: ● Expressed its full understanding and conformity with the requirements regulated in the tender specifications, without any reservation or protest. ● The non-existence of the harm it has constantly mentioned to request even protection through precautionary suspension (suspensión cautelar), since its participation in a process of the broadest participation could yield two results, the award or the non-award, taking into account not only the rules fixed in advance for the procurement. ● The prerogatives of the contracting Operator through the special procedure for services in competition to assess whether, in the specific case, the procedure will end normally with an award, or abnormally, through another decision. ● Participation constitutes a mere expectation and the result cannot be deemed irreparable harm as the recurring company wishes to portray. ● It is improper to take the position that its company must maintain a perpetual award, or that it must be favored prior to the competitive procedure. ● This position enervates the purpose of the ongoing special procedure for services in competition, and the impropriety of seeking a contract ad perpetuam with the contracting Operator, which is legally not proper.

Another aspect already extensively developed in this report is that, even though the recurring company maintains that because its company is allegedly based in another country, this constitutes an impediment to participation, it makes no reference to the specific provisions of Executive Decree No. 44196-MSP-MICITT applicable to that circumstance, to assert that in the specific case a violation of its sphere of fundamental rights could materialize, and this is so because said regulatory rule does not establish any discrimination regarding the origin or nationality of any company. Furthermore, the lack of foundation prevailing in the amparo petition in question has been reiterated, since the company maintains that its company is of Chinese origin or has its parent company in China in the wording of this particular point, when none of these circumstances was alerted in the various evidentiary elements attached to the amparo petition file. In this line, consider what is documented in the company's own offer, where no protest, reservation, or observation has been made regarding the origin and/or parent company it raises here and how this condition could entail any violation of its sphere of fundamental rights. No less important is how this affectation derives precisely from the Regulation; when it is a public and notorious fact that what has been documented is that it is a corporation formed under the protection of the national legal system, registered as a corporation (sociedad anónima) in the Legal Persons Section of the National Registry.

3.- That against said tender specifications, for being discriminatory and preventing the participation of [Name 002], an objection to the specifications (recurso de objeción al pliego) was filed in a timely manner. Response. Any subjective consideration against the cited tender specifications is rejected, since the definition of the conditions regulated therein is the exclusive purview of the contracting Operator. According to the actions recorded in the electronic procurement file "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," processed on the Integrated Public Procurement System (Sistema Integrado de Compras Públicas, SICOP) platform under number 2023XE-000023-0000400001, it is observed that on 11/14/2023 20:20, the company indeed filed the objection mechanism. However, notwithstanding the foregoing, the petitioner participated in said special procedure and stated its adaptation to the conditions of the tender specifications of said competitive process.

4.- That by official letter 5201-250-202 of November 21, 2023, ICE proceeded to partially admit the objection, however, it proceeded to absolutely reject all objections related to Section 3, 5G Mobile RAN-CORE Cybersecurity, which precisely excludes Huawei from the tender. Response. According to the actions recorded in the electronic procurement file "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," processed on the Integrated Public Procurement System (Sistema Integrado de Compras Públicas, SICOP) platform under number 2023XE-0000230000400001, it is observed that on 11/14/2023 20:20, the company indeed filed the objection mechanism. Whatever the contracting Operator resolved regarding the points raised in said challenge is a matter of its sole competence, on which I do not consider it appropriate to comment. However, notwithstanding the foregoing, the petitioner participated in said special procedure and stated its adaptation to the conditions of the tender specifications of said competitive process. Therefore, this Ministry finds it strange, and thus brings it to the attention of the Constitutional Chamber, that, if it had any reservation or objection to the conditions, it should have so stated in its offer, clearly subject to the corresponding evaluation by the Operator. To the contrary, what is observed in the offer are statements conforming to the specifications, so no injury to its rights is deemed. No harm could be analyzed when the company itself did not express its disagreement with the competition rules.

5.- In this manner, my represented party demonstrates the timely use of all available legal mechanisms to seek to guarantee its constitutional rights, and yet, the violation of our fundamental rights materialized as we had indicated in the brief filing this amparo petition. Thus, the discrimination against my represented party and the current conditions of Costa Rica against Chinese companies, discriminating against them due to their nationality, is now configured — no longer a possible violation but a consummated violation —. EVIDENCE 1.- Copy of the filed objection and ICE's response. IN LAW I.- The violations of the fundamental rights of my represented party. The tender specifications of the cited ICE public tender are consolidated, and given the rejection of the objection, there are no more legal remedies that my represented party can use to seek the protection of its legitimate (sic) constitutional rights. It is based on this that we can assure that, with the exhaustion of that administrative avenue, the specifications violate, to the detriment of my represented party, at least the following fundamental rights: a) the right to free competition and equality of participation in public tenders and b) the right not to be discriminated against based on the company's origin, all of the above, as was duly explained and founded in the brief of November 9, 2023. Response. It is not true that in this case any injury or discrimination has been consummated; the recurring company had the opportunity to participate in the special procedure for services in competition, to contract "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," which was processed on the Integrated Public Procurement System (Sistema Integrado de Compras Públicas, SICOP) platform and registered under electronic file number 2023XE-000023-0000400001. Even as has been demonstrated above, the company expressed its full understanding and conformity with the requirements regulated in the tender specifications, without any reservation or protest. Nor is it truthful to state that it timely used all available legal mechanisms to warn of any disagreement with the cited tender specifications, since it has been extensively argued in this report that the company, of Costa Rican origin and incorporated in accordance with national laws, maintained a compliant posture from the first approach that the Operator apparently made to it through a supposed "questionnaire." In its offer, it is also observed that it consented to all the conditions that the amparo petition seeks to portray as impossible to fulfill or discriminatory, a criterion it has not maintained throughout the different stages of the competition registered under electronic file number 2023XE-000023-0000400001, also lacking pertinent evidentiary elements, without prejudice to the inconsistency that exists between its statements and the facts presented.

PRECAUTIONARY MEASURE 1.- We reiterate in this act that we are facing an exceptional case requiring extremely urgent precautionary protection (protección cautelar), given the fact that currently, and having exhausted the procedural remedies, it is impossible to stop the tender. Once the tender receives offers and my represented party is unable to present its own, for not complying with Section 3, 5G Mobile RAN-CORE Cybersecurity, the serious, manifest, imminent, and irreparable harm will be configured, by being completely excluded from the tender and without standing to claim. Likewise, it has been amply demonstrated in this amparo process that there is an appearance of good law (apariencia de buen derecho) in the claim, supported by constitutional norms, constitutional principles, comparative law, and also by documentation and technical analysis, which demonstrate that our claim has due foundation. Finally, in weighing the interests at stake, the suspension does not generate direct harm to the Administration, as it would be a provisional precautionary measure (medida cautelar provisional). 2.- Therefore, we request that, in application of Article 41 of the Law of Constitutional Jurisdiction, the processing of the tender procedure indicated in the challenged tender document be suspended, given that the "Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth-Generation Mobile Technology (5G) and Higher" (Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores) (sic) must be applied therein, until this Constitutional Chamber has ruled on the merits of this amparo petition and on the unconstitutionality action filed against that decree in a timely manner. Response. That is not true. It has been clearly evidenced that the extremely urgent situation on which the sought-after precautionary measure is based has not prevented it from participating in the procedure for services in competition processed by the respondent Operator, which causes the granting of what is requested to be improper, further expanded upon for the following reasons: • At the time this report is rendered, the recurring company, registered and incorporated under national laws, had the opportunity to participate in the special procedure for services in competition, to contract "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," which was processed on the Integrated Public Procurement System (Sistema Integrado de Compras Públicas, SICOP) platform and registered under electronic file number 2023XE-0000230000400001. Even as has been demonstrated above, the company expressed its full understanding and conformity with the requirements regulated in the tender specifications, without any reservation or protest. • The non-existence of the harm it has constantly mentioned to request even protection through precautionary suspension, since its participation in a process of the broadest participation would allow two results, the award or the non-award, taking into account not only the rules fixed in advance for the procurement. • The prerogatives of the contracting Operator through the special procedure for services in competition to assess whether, in the specific case, the procedure will end normally with an award, or abnormally, through another decision. • Participation constitutes a mere expectation and the result cannot be deemed irreparable harm as the recurring company wishes to portray. • It is improper to take the position of seeking a perpetual award based on pre-existing legal relationships prior to the special procedure in competition or that it must be favored and compensated prior to the final result of the competitive procedure. • This position is contrary to the purposes of the ongoing special procedure for services in competition, and the impropriety of seeking a contract ad perpetuam with the contracting Operator, which, according to the Legal System on public procurement matters, would also be unlawful.

PETITION Based on the facts invoked, evidence offered, and legal considerations indicated, I request that in the judgment it be declared: 1.- That my represented party cannot be prevented from participating in the cited public tender by introducing clauses impossible for it to fulfill, because this violates the fundamental rights to free competition, equal treatment, and the prohibition of discrimination exclusively for ideological and nationality reasons. 3.- I reiterate the request to order ICE to pay damages and costs of this action". Response. It is not true that in this instance it was prevented from participating, which consequently does not merit granting the recurring company the precautionary measure it has requested, for the following reasons: • At the time this report is rendered, the recurring company had the opportunity to participate in the special procedure for services in competition, to contract "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," which was processed on the Integrated Public Procurement System (Sistema Integrado de Compras Públicas, SICOP) platform and registered under electronic file number 2023XE-000023-0000400001. Even as has been demonstrated above, the company expressed its full understanding and conformity with the requirements regulated in the tender specifications, without any reservation or protest. • The non-existence of the harm it has constantly mentioned to request even protection through precautionary suspension, since its participation in a process of the broadest participation would allow two results, the award or the non-award, taking into account not only the rules fixed in advance for the procurement. • The prerogatives of the contracting Operator through the special procedure for services in competition to assess whether, in the specific case, the procedure will end normally with an award, or abnormally, through another decision. • Participation constitutes a mere expectation and the result cannot be deemed irreparable harm that must be compensated or redressed as the recurring company wishes to portray. • It is improper to take the position that its company must maintain a perpetual award, or that it must be favored prior to the competitive procedure. • This position enervates the purpose of the ongoing special procedure for services in competition, and the impropriety of seeking a contract ad perpetuam with the contracting Operator, which is legally not proper.

PETITION Based on the facts and grounds set forth, we request of this Honorable Constitutional Chamber of the Supreme Court of Justice: 1. To accept, in all its parts, this report responding to the hearing granted by Resolution at 14:39 on December 15, 2023, within electronic file No. 23-023887-0007-CO, in which the amparo petition filed by [Name 002] against the Costa Rican Institute of Electricity is known. 2. To declare without merit, in all its parts, the amparo petition filed by the company [Name 002] against the Costa Rican Institute of Electricity (ICE), within electronic file No. 23-023887-0007-CO. 3. To declare without merit, in all its parts, the precautionary measure requested by the company [Name 002] against the Costa Rican Institute of Electricity (ICE) for the purpose of suspending the special procedure for services in competition, to contract "GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA," processed on the Integrated Public Procurement System (Sistema Integrado de Compras Públicas, SICOP) platform and registered under electronic file number 2023XE-000023-0000400001. 4. To declare inadmissible, in all its parts, the unconstitutionality action filed by the company [Name 002] against Executive Decree 44196-MSP-MICITT "Regulation on Cybersecurity Measures Applicable to Telecommunications Services in Fifth-Generation Mobile Technology (5G) and Higher" (Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores) published in La Gaceta on August 31, 2023, under file 23-025158-0007-CO, given the objective truth, technical, logical, and scientific rigor of said regulation, and by virtue of the impropriety of the precautionary measure requested to which said claim is subject." 25.- By a brief added to the digital file on January 10, 2024, Silvia Patricia Castro Montero appears, in her capacity as president of the Costa Rican North American Chamber of Commerce (Amcham) (Cámara Costarricense Norteamericana de Comercio, Amcham). She indicates that she is formulating a passive joinder (coadyuvancia pasiva) in this proceeding, based on the following grounds: "INDIRECT INTEREST IN THE OBJECT OF THE PROCEEDING AMCHAM is a Private Chamber of the Commerce Sector. In that capacity, my represented party maintains an indirect interest in relation to the security of the users of the future fifth-generation telecommunications services, as well as the consequences that would arise from the eventual granting of the petition. Consequently, my represented party appears on this occasion as an intervener (coadyuvante) in defense of the interests of the respondent, which has the right to execute public procurement processes to provide fifth-generation telecommunications services to its users. Regarding the substantive issue, on September 18, 2023, AMCHAM issued a press release, attached as a reference, in which it highlighted our belief that "the implementation of 5G must occur under three main principles: speed, respect for legal provisions, and security." In that context, our focus on security considers the following: • It is necessary to include rigorous security considerations in the regulation of 5G networks. Costa Rica has greatly benefited from its attractiveness for foreign direct investment. AMCHAM represents both multinational companies responsible for the creation of tens of thousands of Costa Rican jobs, as well as some of Costa Rica's most successful national companies. The proper handling of personal and business data is essential to preserve the dynamic business environment and our country's attractiveness for foreign direct investment (FDI). • Costa Rica's success in attracting high-tech industries has made the protection of business data more essential than ever. AMCHAM works closely with MICITT, COMEX, and other government entities to promote Costa Rica as a destination for industries such as semiconductors, medical devices, and cybersecurity. All these sectors depend on the protection of intellectual property commercial information and research and development efforts. The extraordinary capabilities of 5G networks will facilitate growth in all these sectors, but will also bring risks that must be properly managed through security guidelines. • 5G networks will also transform how Costa Rican citizens interact with educational, medical, and government institutions. The networks that enable these essential services and manage citizens' sensitive personal data must be reliable. • The focus on security considerations for 5G networks is consistent with the decisions made by Costa Rica's main economic partners. Countries such as the United States, the United Kingdom, Japan, and several member states of the European Union have taken steps to ensure the current and future security of their 5G networks. In each case, the details of the approach are adapted to national legal considerations but share the common goal of ensuring that the equipment and software supporting essential services do not present risks. • We also note that the country has firsthand experience with this challenge. The ransomware attacks against government institutions in 2022 were very damaging for businesses, cost taxpayers millions of dollars, and underscored the importance of ensuring that the country's information and communications technology is reliable and secure. In this context, the press release dated September 18, 2023, titled "Medidas de ciberseguridad deben ser indispensables para el despliegue de 5G en el país" ("Cybersecurity Measures Must Be Indispensable for the Deployment of 5G in the Country"), visible on the website https://www.amcham.cr/medidas-de-ciberseguridad-deben-ser-indispensables-para-el-despliegue-de-5g-en-el-pais/ is transcribed. • They will generate confidence to retain and attract Foreign Direct Investment (FDI) San José, September 18, 2023.

The Costa Rican-American Chamber of Commerce (AmCham) endorses the guiding principles recently issued by the Government of Costa Rica regarding cybersecurity for the development of works and services related to 5G technology in the country. AmCham considers that the implementation of 5G must occur under three major principles: speed, respect for legal provisions, and security. This technology must comply and be deployed with reliable and rigorous measures, governed by the provisions of international agreements and guaranteeing adequate processing of personal and corporate data. "From a business perspective, high security standards, competitive prices, and network reliability are fundamental to guarantee success and protect the sensitive information of our clients and collaborators. Costa Rica must recover lost ground compared to other developed nations and those in the region that have already begun to tender and deploy this technology," detailed Silvia Castro, president of AmCham. AmCham considers that the deployment of this technology must be carried out as soon as possible to improve the investment climate. The Chamber will continue collaborating with authorities and local and international companies to promote a secure and prosperous business environment in Costa Rica." Based on the foregoing, my client considers that the actions executed by the Instituto Costarricense de Electricidad in the context of public procurement procedures to acquire equipment comply with the legal framework and the security measures of the current legal system, so the claim raised by the appellant, at best, should be reviewed in the contentious-administrative jurisdiction, not the constitutional one. PRAYER: Based on the legal reasons indicated above, I request that the judgment declare the amparo appeal without merit or, failing that, that the effects of the judgment be dimensioned so that they do not revert upon the bidding procedures executed by the respondent entity." 26.- By written submission incorporated into the file on January 11, 2024, Rubén Hernández Valle appears, special judicial attorney-in-fact for the plaintiff. He expounds the following: "I refer below to the appearance by request of the court of MICITT, as well as to the response presented by reason of the hearing granted by this Chamber so that it could refer to the arguments presented by my client in the amparo appeal in question and the related unconstitutionality action. I.- Generalities 1.- The first writing is a vain attempt by MICITT to demonstrate the supposed technical foundations of the Reglamento sobre Medidas de Ciberseguridad aplicables a los Servicios de Telecomunicaciones basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores, approved by Decreto Ejecutivo número 44196-MSP-MICITT. In the second writing, it presents arguments against the legal and technical basis of the actions filed by my client that lack technical and legal sense and are contrary to the most elementary logic. 2.- In any case, MICITT's intention is clear: to divert attention from the object of this amparo, which is the flagrant and gross violation of the fundamental rights to freedom of competition and equality of participation in public tenders to the detriment of my client, and on the other hand, to try to channel the discussion onto merely technical matters that are not relevant for the resolution of this proceeding, as well as aspects that do not correspond to the real truth. 3.- In any case and as stated in the file of the appeal that occupies us, both SUTEL and INFOCOM, two independent entities with technical suitability, in their respective communications, highlighted how both the aforementioned Reglamento and the ICE tender promoted based on it violate elementary technical principles, especially the requirement that offerors belong to countries that have signed the Convenio de Budapest, as well as the obligation to use the technical standard SCS 9001. II.- The Convenio de Budapest 1.- MICITT tries vainly to demonstrate that the Convenio de Budapest is a fundamental instrument for the country's cybersecurity. 2.- MICITT admits that the Convenio de Budapest provides a legal framework for international cooperation on cybercrime and digital evidence. 3.- Within this order of ideas, MICITT indicates that '(1) The Convention provides a legal framework for international cooperation on cybercrime and digital evidence. (2) States Parties may be members of the Committee of the Convention on Cybercrime, which is currently the most relevant intergovernmental body dealing with cybercrime. (3) States Parties share information and experiences, evaluate the implementation of the Convention, or interpret it through Guidance Notes. (4) The Committee of the Convention on Cybercrime may also prepare additional Protocols to this treaty. Therefore, even if a State did not participate in the negotiation of the original treaty, a new State Party may participate in the negotiation of future instruments and the future evolution of the Budapest Convention. (5) States Parties to the Convention commit to each other for reliable and efficient cooperation. MICITT-DM-OF-1099-2023 DESPACHO MINISTERIAL 185. (6) States Parties that apply for accession or that have acceded may become priority countries for capacity-building programs. Such technical assistance is to facilitate the full implementation of the Convention and improve the capacity for international cooperation. This is how the Regulation under study introduces elements.' 4.- If these arguments are read carefully, none refutes our assertion that the Convenio de Budapest HAS NOTHING TO DO AS A CYBERSECURITY STANDARD. Both SUTEL and INFOCOM reached the same conclusion. 5.- In that same sense, as previously indicated, SUTEL and INFOCOM themselves confirmed with total objectivity and technical suitability that the Convenio de Budapest has no connection that justifies its imposition as a requirement for operators and providers of telecommunications in Costa Rica regarding cybersecurity, much less in the development and implementation of 5G technology in the national territory. This can be easily verified in the reports presented by INFOCOM on 12-5-2023, page 8 of the submitted report (PDF file) and presented by SUTEL on 12-7-2023, especially pages 1 to 5, 11-12, 18 to 20, and 32). 6.- Therefore, everything that MICITT says in this regard is simple subjective conjecture. III.- The technical standard SCS 9001 1.- In this case, MICITT's argument is more extensive and supposedly tends to demonstrate, which of course it does not achieve, that it is a mature technical standard, as specialists in the field say. 2.- However, they do not succeed, as demonstrated in the technical expert opinion we offer as evidence for a better resolution (Technical Analysis of the SCS9001 Standard prepared by Ing. Francisco Vargas Navarro, MSc, MED, vicepresidente of the Junta Directiva of the Colegio de Profesionales en Informática y Computación). 3.- SCS9001 has a basis of geopolitical discrimination. Nothing they allege in MICITT's argument can hide the existence of chapter 4.2.SC.2, dedicated to the evaluation of geopolitical factors of the manufacturer's countries of origin, as a parameter for measuring a supplier's level of trust. The standard requires compliance with criteria that are not technical and fully escape the scope of action of a private company since they are geopolitical factors, which are worth noting, are unilaterally promoted by the government of the United States. 4.- The technical expert opinion called 'Análisis técnico del Estándard SCS900,' prepared by the expert Ing. Francisco Vargas Navarro, MSc., MEd, Vicepresidente of the Colegio de Profesionales en Informática y Computación, which we offer as evidence for a better resolution, coincides with our argument. The cited technical report concludes conclusively that 'Based on the previous analysis, we reach the following specific conclusions: a) The SCS9001 standard uses the criterion of geographical origin incorrectly, erroneously, without applying any valid technical criterion; b) It is a mistake to change the current scheme for the novel SCS9001; c) The SCS9001 standard is totally immature, it lacks experience in the world market; d) The SCS9001 standard has not been used in our mobile digital ecosystem; e) The replacement of the current scheme by the SCS9001 standard does not obey technical criteria; f) The SCS9001 standard does not have enough training providers; g) The different specialized technical organizations in the country do not recommend the change; h) The SCS9001 standard is barely in its testing and correction phase; i) Given the short time it has been active, we do not have reliable statistics and/or metrics on the performance of the SCS9001 standard' (Pages 8 and 9). 5.- The Costa Rican government is the first in Latin America to obligate providers to comply with the SCS9001 standard, as mentioned by TIA itself on its website (https;//tiaonline.org/press-release/costa-rica-takes-bold-and-decisive-stance-on-cybersecurity), and its application in the rest of the world is uncertain, due to the lack of information and understanding surrounding it. IV.- On Huawei's participation in the special tender promoted by the ICE for 'GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA', processed on the Sistema Integrado de Compras Públicas platform 1.- On this particular topic, it is necessary to clarify that Huawei did present its offer in the special contracting procedure number 2023XE000023-0000400001 as concrete evidence of the 'Current and Tangible Interest' it holds as a telecommunications infrastructure provider for the implementation of 5G technology, which is the object of the contract. As established in the excerpt that the Ministry itself cited from resolution No.00336-2020 of June 25, 2020, which indicates that an offeror 'holds a legitimate interest in being awarded the contract (...)' 2.- Notwithstanding the foregoing, we wish to emphasize the fact that HUAWEI's participation in said tender by no means omits and/or remedies the violation of the principles of free participation under equal conditions and free competition (of constitutional order in matters of public procurement). This is because these principles are being tangibly and flagrantly breached during the procurement procedure as a result of the application of Decreto Ejecutivo número 44196-MSPMICITT. 3.- The foregoing, because the ICE pre-set discriminatory requirements against my client and other companies whose manufacturers are of Chinese origin, based on the application of Decreto Ejecutivo número 44196-MSP-MICITT, which is also subject to constitutional control in the unconstitutionality action filed by this representation and processed under file 23-025158-007-CO. As can be verified in the same written objection to the tender specifications presented by MICITT, the cartel conditions based on the norms of the repeatedly cited Decreto that harm the fundamental rights of my client and are unconstitutional were expressly challenged. Therefore, it cannot be interpreted, as the Ministry seeks to suggest, that my client has not taken the necessary legal actions for the protection of its rights and the constitutionality of the legal system. 4.- What MICITT really intends with its report is to delegitimize my client with crude arguments and without any elementary logic. The Ministry attempts to confuse this honorable Court with the supposed argument that Decreto Ejecutivo número 44196-MSP-MICITT does not apply directly to Huawei because it is allegedly not a network operator authorized by SUTEL. When it is notorious that the Decreto itself aims to obligate operators to apply arbitrary criteria to exclude telecommunications infrastructure providers of Chinese origin like HUAWEI, or from any other country that has not signed or intends to sign the Convenio de Budapest. This is provided in subsection e) of Article 10 of the repeatedly cited Decreto and object of the referenced unconstitutionality action. 5.- What MICITT really intends with its report is to delegitimize my client with crude arguments and without any elementary logic. The Ministry attempts to confuse this honorable Court with the supposed argument that Decreto Ejecutivo número 44196-MSP-MICITT does not apply directly to Huawei because it is allegedly not a network operator authorized by SUTEL. When it is notorious that the Decreto itself aims to obligate operators to apply arbitrary criteria to exclude telecommunications infrastructure providers of Chinese origin like HUAWEI, or from any other country that has not signed or intends to sign the Convenio de Budapest. This is provided in subsection e) of Article 10 of the repeatedly cited Decreto and object of the referenced unconstitutionality action. 6.- Likewise, it is necessary to clarify the false argument noted by the Ministry regarding Huawei presenting its offer to the aforementioned competitive bidding process promoted by the ICE, supposedly stating that it fully complies with all the criteria imposed by the cybersecurity Decreto in question. When the truth is that my client presented its offer based on its legitimate, current, and tangible interest in the object of the contract. But precisely for this reason, even before the submission of the tenders for the competition, it sought the protection of its fundamental rights before this Constitutional Chamber and requested the precautionary measure pending resolution. This is to prevent the application of the conditions in the specifications of said procedure that violate the fundamental rights of equality of participation and free competition. It is unthinkable that if the requested precautionary measure is not granted, or the amparo appeal in question fails, the ICE in the offer evaluation process will proceed to apply to my client's offer the arbitrary criteria imposed by Decreto Ejecutivo número 44196-MSPMICITT, since based on the tender documents, it will require compliance with the Adhesion to the Convenio de Budapest and the SCS9001 standard certification already mentioned. 7.- As evidenced in the same partial transcription of the response to the tender specifications in my client's offer for the repeatedly cited procurement procedure, it is not true that Huawei declared under oath to comply with the requirements challenged in the actions that occupy us. 8.- Regarding the sworn statement required in point 3.4 of the tender specifications, the response was as follows: '3.4. The offeror must submit a sworn declaration indicating its headquarters is in a country that has expressed its consent to be bound by the Convention on Cybercrime (Convenio de Budapest). For which it must attach supporting documentation. ICE reserves the right to verify the validity of the information provided. Response: Understood. Huawei fully complies with cybersecurity standards and industry best practices for the safeguarding and integrity of information. The Convenio de Budapest does not refer to a cybersecurity standard for 5G mobile networks or similar.' (Highlighting is ours) 9.- As evidenced and can be verified by viewing our offer in the electronic file on SICOP, the response was precisely what has been argued both by my client and by SUTEL and INFOCOM, that the Convenio de Budapest does not refer to a cybersecurity standard. But this clarifying statement in our offer does not in any way constitute the sworn declaration required in that clause of the tender specifications. The same happens with the requirement for SCS 9001 certification, in which it is expressly indicated as follows: '(…) SCS 9001: Huawei fully complies with and adopts the technical requirements of this standard following industry best practices, which is demonstrated through the certifications (ISO9001, ISO27001, ISO28000 and NESAS). Certifications are attached in Annex #10.' 10.- That is, our offer stated that my client complies with the technical requirements, but through the ISO9001, ISO27001, ISO28000 and NESAS certifications, which are the globally recognized certifications in the industry, as has been demonstrated both by the evidence presented by Huawei and by what was indicated by SUTEL and INFOCOM. 11.- As is abundantly clear, it is false that my client declared under oath, or in any other way, that it fully accepts the conditions of the tender specifications that harm its fundamental rights and are contrary to the constitutional principles regulating public procurement. 12.- All this has been done by MICITT with the sole aim of diverting attention from the object of the proceeding, being unable to objectively, suitably, and technically justify the reasons underlying the imposition of arbitrary requirements for telecommunications providers, such as the Budapest Convention and the SCS9001 certification, which ultimately were set by the Government with the sole purpose of excluding Asian companies, like HUAWEI, from participating and competing under equal conditions with the rest of the providers in the telecommunications market for the implementation of 5G technology in the country. 13.- In a laughable way, and seemingly with sarcastic humor, the Ministry indicates that the Decreto's restrictions do not apply to my client because it is a Costa Rican company. But what it does not say is that the same Decreto, in subsection e of Article 10, expressly indicates that the restrictions established by the Decreto apply to 'hardware and software suppliers that have their headquarters in a country that has not expressed its consent to be bound by the Convention on Cybercrime (Convenio de Budapest).' 14.- As is publicly and notoriously known worldwide, as has been pointed out and verified with the documentation presented in the amparo and unconstitutionality action that occupies us, as well as in the offer for the tender promoted by the ICE, my client's parent company and equipment manufacturer, [Name 002], has its main headquarters in the People's Republic of China, which has not expressed its consent to be bound by the Convenio de Budapest. V.- Conclusions 1.- From what has been said, it is concluded, without any doubt whatsoever, that both Decreto Ejecutivo 44196-MSP-MICITT and the specifications of the public tender promoted by the ICE for the acquisition of 5G technology violate Huawei's fundamental rights to free competition and equality of participation in public tenders, given that they impose satisfaction of two requirements that are not necessary to choose the best technical offer. 2.- Indeed, the requirement that the country of origin of the offeror be adhered to the Convenio de Budapest is absurd and contrary to the most elementary logic, since that Convention, as has been demonstrated ad nauseam, HAS NO RELATIONSHIP WHATSOEVER WITH A CYBERSECURITY STANDARD. 3.- Regarding the requirement that offerors comply with the technical standard SCS 9001, it is not acceptable because, firstly, it was not designed to be applied to the particular scenario of 5G networks; secondly, it is irresponsible to change a mature security protocol for one that is in an experimental phase, as well as other arguments set forth above in this writing. 4.- The arguments presented by the Ministry in response to the hearing granted by this honorable Court, as has been reliably demonstrated, lack all legal, technical, and logical basis and are contrary to the real truth. 5.- Let us remember the wise words of the Costa Rican master of Administrative Law, the late Eduardo Ortiz Ortiz, who used to say 'in the face of technique, there is no discretion,' as well as 'the Administration is prohibited from doing empirically what it must do technically.' Consequently, we request that the petitions indicated in the various writings by MICITT be dismissed in their entirety for lack of standing and logical, technical, and legal basis. Likewise, that this amparo be declared with merit in all its extremes." 27.- By written submission incorporated into the digital file on January 15, 2024, Rubén Hernández Valle appears, in his capacity as special judicial attorney-in-fact for the plaintiff. He indicates that the notarial certification of the Technical Analysis of the SC 9001 Standard mistakenly recorded it as issued by the vicepresidencia of the Colegio de Profesionales en Informática y Computación; however, he clarifies that this document was issued by Francisco Vargas Navarro, in his personal capacity as an expert from the company FVNcr.org. He notes that the notary public made the corresponding correction.

28.- By written submission incorporated into the digital file on January 16, 2024, Paula Bogantes Zamora, ministra of Ciencia, Innovación, Tecnología y Telecomunicaciones, appears. She requests: "An oral hearing be granted to this Ministry under the terms of Article 10 of the Ley de la Jurisdicción Constitucional, so that the undersigned may formulate before the magistrates a series of aspects related to the issuance of Decreto Ejecutivo Nº44196-MSP-MICITT 'Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores', published in Scope Nº 166 to La Gaceta Nº159 of August 31, 2023. The foregoing, in the context of the challenge brought by the company [Name 002]., aspects that deserve to be elucidated prior to the issuance of the final resolution of the specific case." She states: "For the purposes of what is requested, I respectfully inform the Magistrates that I will be out of the country attending to commitments inherent to my position from Saturday, January 20, 2024, to Thursday, January 25, 2024. Due to the foregoing, I indicate my availability to attend the oral hearing on the days from January 16 to 18, 2024, and from January 26, 2024, onwards, on the date your Authority determines." 29.- By written submission incorporated into the digital file on January 16, 2024, Paula Bogantes Zamora, ministra of Ciencia, Innovación, Tecnología y Telecomunicaciones, appears. She requests: "That the certification of email, dated January 15, 2024, signed by Mr. Gezer Molina Colomer, with identity card number 1-1239-0030, Director de Ciberseguridad of MICITT, attached to this writing, be received and held as evidence within the Amparo Appeal being processed under file No. 23-023887-0007-CO of this Honorable Chamber, and by which the authenticity is certified of the email sent at 10:08 a.m. on January 14, 2023, among others to the official MICITT email of Mr. Molina Colomer: [email protected], sent by Mr. Francisco Vargas Navarro, with identity card number 9-0099-0713, and through which Mr. Vargas Navarro clarified that he signed the document called 'ANÁLISIS TÉCNICO DEL ESTÁNDARD SCS9001' dated December 11, 2023, in his personal capacity, and not as Vicepresidente of the Junta Directiva of the Colegio de Profesionales en Informática y Computación (CPIC), as was indicated in the cited document, which was certified by Notary Public Roberto José Esquivel Cerdas, registration number 6910, according to the certification of copies made on January 11, 2024, carried out at the request of the company [Name 002]., with legal entity identification number [Value 001], presented before this Court as evidence within the Amparo Appeal. The foregoing so that it is not considered that said document was issued as the official position of said professional on behalf of the Colegio de Profesionales de Informática y Computación." 30.- By written submission incorporated into the digital file on January 17, 2024, Natalia Díaz Quintana, ministra de la Presidencia, appears. She mentions the following: "In response to official letter MICITT-DM-OF-026-2024, dated January 15th of the current month, this Office is informed about the amparo appeal, processed under File 23-023887-0007-CO, against Decreto Ejecutivo 44196-MSP-MICITT 'Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores' and submits for my consideration the need for the Dirección de Inteligencia y Seguridad Nacional (DIS) to appear under the terms of Article 10 of the Ley de Jurisdicción Constitucional, Ley No. 7135, in order to formulate aspects related to the area of national security. In that sense, taking into account what is indicated in the Technical Report sent to them on December 13, 2023, via document number MICITT-DM-OF-1099-2023, and signed by the Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, Paula Bogantes Zamora, which states, in relevant part: '(…) The implementation of 5G networks has generated concerns about national security, as there is a possibility that confidential and sensitive information could be intercepted and used by foreign agents in an unauthorized manner, or that these networks could be compromised to affect public security. For this reason, safeguarding national security must be a priority in the implementation of 5G networks, and the Government must work in close collaboration with operators and providers to guarantee the security and integrity of the information transmitted through these networks. (…)' It must be considered, regarding the concerns expressed by MICITT, that the DIS is the '(…)informative body of the President of the Republic, regarding national security (…)' and grants it powers to: '(…) a) Detect, investigate, analyze, and communicate to the President of the Republic or the Ministro de la Presidencia, the necessary information to prevent events that imply a risk to the independence or territorial integrity or endanger the stability of the country and its institutions. (Articles 13 and 14 of Ley 7410, Ley de Policía) It is for this reason that, due to these competencies, the DIS is the informative instance of the President of the Republic in matters of National Security; however, in accordance with Article 1 of the Reglamento de organización y funcionamiento de la Dirección de inteligencia y Seguridad Nacional, Decreto Ejecutivo Nº 32522, it is administratively and budgetarily subordinate to the Ministerio de la Presidencia. That due to the foregoing and in view of the request sent by the Ministerio de Ciencia y Tecnología y Telecomunicaciones, with all respect I request the honorable Magistrates of the Constitutional Chamber to consider granting an oral and private hearing to its Director, Mr. Jorge Torres Carrillo, so that he may present aspects of importance related to the present proceeding and that are closely related to events that may affect national security, territorial integrity, and/or the stability of the country and its institutions." 31.- By written submission incorporated into the digital file on January 17, 2024, Rubén Hernández Valle appears, special judicial attorney-in-fact for the plaintiff. He states: "I refer to the writings of MICITT and the Ministro de la Presidencia. I.- The writings of MICITT 1.- In the first one, it is requested that a public appearance be ordered pursuant to the provisions of Article 10 of the LJC. 2.- In amparo appeals, granting the hearing is optional and only proceeds in very qualified cases. 3.- In the present case, the hearing is requested to refer to the Decreto Ejecutivo C44196-MSP-MICITT, which, however, is not the object of this proceeding. What is challenged here is the ICE's act that opened the bidding process. 4.- The validity of the cited Decreto is challenged in the unconstitutionality action, which is the process in which the hearing could potentially be appropriate. However, in this case, granting the hearing would also not proceed for the simple reason that it has not even been processed. 5.- Therefore, the request for a hearing is legally impertinent. 6.- On the other hand, the impertinence of the lady Minister who demands that the Chamber adjust to her schedule is striking. It has never been seen that a court has to accommodate its schedule to that of other public officials who have cases pending before it. In essence, such a request is a lack of respect for the members of this Chamber. 7.- Regarding the certification provided in the second writing, my client has already clarified the error contained in the original certification, so this document is also impertinent.

II.- The brief of the Minister of the Presidency 1.- With limitless shamelessness, he requests A PRIVATE HEARING for the Director of the DIS. In no Costa Rican court are such hearings possible, since the counterparty must always be present. Otherwise, one could speculate that improper propositions will be made therein. 2.- As we stated in the previous section, this amparo action is not discussing the issue of cybersecurity, but solely and exclusively the violation of the rights of free competition and equality of participation in a public tender promoted by ICE. 3.- The issue of cybersecurity is discussed in the unconstitutionality action and not in this amparo appeal. Consequently, such a private hearing is legally improper. III.- Conclusion 1.- The request for public and private hearings, without any legal basis, has only one very clear purpose: to prevent the Chamber from ruling on the merits and, in this way, to allow the legal and regulatory deadlines to continue running so that ICE can carry out the legal admissibility of the offers and leave Huawei out of the tender because at this moment it does not meet two unconstitutional requirements contained in the tender specifications that flagrantly violate my represented party's fundamental rights to free competition and equal participation in the ICE tender that is the subject of this amparo appeal.” 32.- By brief incorporated into the digital case file on January 17, 2024, Mario Zamora Cordero, Minister of Public Security, appears. He requests: “That an oral hearing be granted to this Ministry under the terms of Article 10 of the Law of Constitutional Jurisdiction (Ley de la Jurisdicción Constitucional), so that the undersigned may present to the magistrates a series of aspects related to the issuance of Executive Decree No. 44196-MSP-MICITT ‘Regulation on Cybersecurity measures applicable to telecommunications services based on Fifth-generation mobile technology (5G) and higher’ (Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores), published in Scope No. 166 to La Gaceta No. 159 of August 31, 2023. The foregoing, in the context of the challenge filed by the company [Name 002]., aspects that deserve to be elucidated prior to the issuance of the final resolution of the specific case. For the purposes of what is requested, I await the summons that Your Authority may order.” 33.- By brief incorporated into the digital case file on January 18, 2024, Rubén Hernández Valle, special judicial representative of the plaintiff, appears. He states the following: “I refer again to the briefs of MICITT and the Minister of the Presidency and to the request of the Ministry of Public Security. 1.- The latest request for an oral hearing is improper because the Ministry of Security wishes to refer to the issue of cybersecurity, which is not the subject of this process. Therefore, it completely lacks legal sense to grant a hearing to refer to a topic that is not the subject of discussion in this amparo appeal. 2.- That hearing could make sense in the unconstitutionality action because the issue of cybersecurity is indeed discussed therein. 3.- In reality, none of their requests can be taken into consideration because, in addition to the previous legal reasons, neither MICITT, nor the Ministry of the Presidency, nor the Ministry of Security are parties to this process. 4.- These are third parties who appeared in the proceedings without being holders of a legitimate interest under the terms of Article 35 of the LJC, given that the judgment rendered in these proceedings will have no effect either for or against those Ministries. 5.- Indeed, none of them is a party in the bidding process and, therefore, in this amparo process.” 34.- By brief incorporated into the digital case file on January 18, 2024, Paula Bogantes Zamora, Minister of Science, Innovation, Technology and Telecommunications, appears. She requests that technical report MICITT-DGDCFD-DRII-INF-0058-2024, dated January 16, 2024, be incorporated into this case file for the analysis related to the expert report “Análisis Técnico del Estándar SCS 9001” signed by Engineer Francisco Vargas Navarro.

35.- By brief incorporated into the digital case file on January 22, 2024, Rubén Hernández Valle, special judicial representative of the plaintiff, appears. He states the following: “1.- I file a request for prompt dispatch, given that on Friday the 26th the deadline to submit clarifications in the ICE tender that is the subject of this amparo appeal will expire, which is the phase prior to issuing the award act. 2.- If within said deadline the clarifications governed by the tender conditions based on Decree No. 44196-MSP-MICITT, the subject of the respective unconstitutionality action, are not submitted, their automatic application will represent the materialization of the violation of my represented party's fundamental rights that are the subject of this amparo appeal.” 36.- By brief incorporated into the digital case file on January 23, 2024, Marco Vinicio Acuña Mora, executive president of ICE, appears. He states: “I hereby provide, on an ex officio basis, the requests for technical criteria that this Institute has requested through official letters No. 0060-0021-2024, 0060-0022-2024 and 0060-0023-2024 to the National Public Security Council (Consejo Nacional de Seguridad Pública), the Ministry of Science, Innovation, Technology and Telecommunications (MICITT) and the Data Protection Agency of the Inhabitants (Agencia de Protección de Datos de los Habitantes, PRODHAB), which are explained below: I. CONTEXT A. REQUEST FOR TECHNICAL CRITERION TO THE NATIONAL PUBLIC SECURITY COUNCIL Through official letter No. 0060-0023-2024 of January 23, 2024, the National Public Security Council was requested to rule on the actions being taken in public policy in favor of national security, which have substantiated the issuance of the ‘Regulation on Cybersecurity measures applicable to telecommunications services based on Fifth-generation mobile technology (5G) and higher’ (Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores), published on August 31, 2023 in the Official Gazette La Gaceta, Executive Decree No. 44196-MSP-MICITT. B. REQUEST FOR TECHNICAL CRITERION TO MICITT AS THE GOVERNING BODY Through official letter No. 0060-0022-2024 of January 23, 2024, the Ministry of Science, Innovation, Technology and Telecommunications (MICITT), in its capacity as Governing Body, was requested to rule on the potential economic implications for the Telecommunications Sector and the country, should the operation of networks and the provision of services based on fifth-generation mobile technology (5G) and higher be suspended or made impossible in the country. C. REQUEST FOR TECHNICAL-LEGAL CRITERION TO PRODHAB Through official letter No. 0060-0021-2024 of January 23, 2024, a technical and legal criterion was requested from the Data Protection Agency of the Inhabitants (PRODHAB), so that, based on the provisions of the Law for the Protection of the Person against the processing of their personal data (Ley de Protección de la Persona frente al tratamiento de sus datos personales), Law No. 8968, and within the scope of its administrative functions, it may refer to the importance of Executive Decree No. 44196-MSP-MICITT and its provisions for the protection of personal data regarding the operation of networks and the provision of services based on fifth-generation mobile technology (5G) and higher by network operators, and in favor of the legal regime protecting the rights and legitimate interests of end users. Given that the provisions of the aforementioned Decree derive from a legal hierarchy based on the provisions of Article 42 of the General Telecommunications Law (Ley General de Telecomunicaciones), Law No. 8642, which regulates technical and administrative measures for the protection of the personal data of subscribers and end users, it is deemed pertinent for the respective procedural purposes to grant a hearing to PRODHAB in accordance with the powers conferred on it in this matter by Law No. 8968, so that, from this technical and legal perspective, it may refer to the provisions of the Executive Decree in question, and any other aspect linked to the subject of this process, within the framework of its legal competencies. Therefore, this Honorable Constitutional Court is respectfully requested that, once said technical criteria are issued by the National Public Security Council, MICITT and PRODHAB, they may be considered as evidence for a better resolution within this judicial case file, and that they be granted a hearing so that, within the scope of their legal attributions, they may refer directly before Your Authority; both requests in accordance with Article 47 of the Law of Constitutional Jurisdiction (Ley de Jurisdicción Constitucional). II. PRAYER Based on the foregoing, and based on the mentioned principle of procedural collaboration, the request is reiterated that the Amparo Appeal and the precautionary measure be declared without merit in all its aspects and without special condemnation in costs relating to the Institute, and I further respectfully request this Honorable Constitutional Court: 1. That the technical criteria requested from the Public Security Council, MICITT and PRODHAB, once issued, be accepted as evidence for a better resolution. 2. That a hearing be granted to the National Public Security Council so that they may rule on the actions being taken through public policy in matters of national security that substantiate the issuance of the ‘Regulation on Cybersecurity measures applicable to telecommunications services based on Fifth-generation mobile technology (5G) and higher’ (Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores), published on August 31, 2023 in the Official Gazette La Gaceta, Executive Decree No. 44196-MSP-MICITT. 3. That a hearing be granted to the Ministry of Science, Innovation, Technology and Telecommunications (MICITT), regarding the potential economic implications for the Telecommunications Sector and the country, should the operation of networks and the provision of services based on fifth-generation mobile technology (5G) and higher be suspended or made impossible in the country. 4. That a hearing be granted to the Data Protection Agency of the Inhabitants (PRODHAB) in accordance with the powers conferred on it in this matter by the provisions of the Law for the Protection of the Person against the processing of their personal data (Ley de Protección de la Persona frente al tratamiento de sus datos personales), Law No. 8968, regarding the protection of the personal data of subscribers and end users of fifth-generation mobile services (5G) and higher.” 37.- By brief incorporated into the digital case file on January 24, 2024, Rubén Hernández Valle, special judicial representative of the plaintiff, appears. He states the following: “1.- In the present case, we are in the presence of one of the typical amparo appeals against self-executing norms (normas autoaplicativas) referred to in Article 30 of the LJC. 2.- Indeed, self-executing norms (normas autoaplicativas) are only challengeable in amparo proceedings when they are challenged jointly with the individual application acts. Therefore, the jurisprudence of this Chamber has stated that the judgment, in these cases, has as its purpose ‘the restitution of the aggrieved party to the full enjoyment of their fundamental right, trying as far as possible to restore things to the state they were in before the violation, in some cases, or to perform the act whose omission gave rise to the filing in others, but never the declaration of absolute nullity with a declaratory character of a normative provision’ (Voto 506-I-1996). 3.- Therefore, Executive Decree No. 44196-MSP-MCITT, published in La Gaceta of August 31, 2023, which grounds the act challenged in this amparo, cannot be annulled with erga omnes and retroactive effects. However, being a self-executing norm (norma autoaplicativa), it can be declared violatory of the fundamental rights of the amparo petitioner and, therefore, inapplicable in the case that gave rise to the amparo process. 4.- In this vein, Argentine doctrine points out, among the possible hypotheses of self-executing norms (normas autoaplicativas), ‘when it comprises persons determined by concrete circumstances’ (BIDART CAMPOS). 5.- Likewise, Mexican jurisprudence and doctrine have indicated that self-executing norms (normas autoaplicativas) are ‘laws (norms in general) that take a general form, designate persons or comprise unnamed individuals, but well defined by the conditions, circumstances, and position in which they find themselves, and the designation of the norm, have the character of aggrieved parties by it and standing to bring the amparo trial against it;… the norms, on some occasions, comprise determined persons, by concrete circumstances that determine them clearly’ (IGNACIO BURGOA). 6.- This is exactly what occurs with Executive Decree No. 44196-MSP-MCITT, which is a self-executing norm (norma autoaplicativa) because it contains provisions that directly harm the rights of freedom of competition and equality of participation in public tenders of certain legal entities, as they establish conditions that are known in advance that those specific companies cannot meet. 7.- The self-executing norm (norma autoaplicativa) of the executive decree is designed so that [Name 002]. cannot participate in public bids for the acquisition of 5G and higher telecommunications technology, by demanding two requirements that it is known in advance we cannot meet: a) that the country where our parent company is located is a party to the Budapest Convention and b) that we comply with the technical standard SC 9001, which is not technically demonstrated as robust. 8.- The regulation in question was issued to exclude my represented party from public tenders for the acquisition of 5G and higher telecommunications technology, thereby clearly and grossly violating our fundamental rights to freedom of competition and equality of participation in public tenders. 9.- Therefore, in the present case, Article 30 subsection a) of the LJC must be applied and it must be expressly declared that the cited executive regulation violates the two fundamental rights cited to the detriment of my represented party, and therefore the clauses of public tender number 2023XE-000023-0000400001 promoted by ICE based on that cited Regulation are void. 10.- Given that the Chamber is in a legal position to resolve the amparo without ruling on the unconstitutionality action for the reasons previously indicated, we submitted the Prompt Dispatch filing. It is important that this process be decided no later than Friday, the date on which the deadline granted by ICE to my represented party to submit clarifications to our offer expires.” 38.- In the proceedings followed, the legal prescriptions have been observed.

Drafted by Magistrate Castillo Víquez; and,

Considering:

I.- Regarding the joinders filed. In accordance with Article 34 of the Law of Constitutional Jurisdiction (Ley de la Jurisdicción Constitucional), third parties to the process may file a request for joinder (coadyuvancia), which is a form of adhesive intervention that occurs when a person acts in a proceeding, adhering to the claims of some of the main parties. Consequently, anyone who holds a direct interest in the outcome of the appeal is legitimized to act as a joined party (coadyuvante); however, not being a principal party, the joined party (coadyuvante) will not be directly affected by the judgment, that is, the effectiveness of the judgment cannot directly and immediately affect them, nor does the res judicata condition of the ruling affect them (See, among others, Judgment number 3235 of 9:20 hours on October 30, 1992, and Judgment 2010-000254 of 11:28 hours on January 8, 2010). In this case, the passive joinder (coadyuvancia pasiva) of Silvia Patricia Castro Montero, president of the Costa Rican-American Chamber of Commerce (Cámara Costarricense Norteamericana de Comercio), is admitted, given that, by its nature, it could indeed have a direct interest in the outcome of this process.

II.- Regarding the hearing requests filed. The Minister of Science, Innovation, Technology and Telecommunications, the Minister of the Presidency (on behalf of the Intelligence and Security Directorate, Dirección de Inteligencia y Seguridad) and the Ministry of Security requested an oral hearing in this process. Likewise, the executive president of ICE requested that a hearing be granted to the National Public Security Council regarding “the actions being taken through public policy in matters of national security” that substantiate the issuance of the regulation; to MICITT regarding the “potential economic implications for the Telecommunications Sector and the country, should the operation of networks and the provision of services based on fifth-generation mobile technology (5G) and higher be suspended or made impossible in the country”; and to PRODHAB regarding the “protection of the personal data of subscribers and end users of fifth-generation mobile services (5G) and higher.” However, the Chamber has sufficient elements to resolve the sub iudice in a substantiated manner without the need to resort to any other proceeding, and therefore rejects such requests.

III.- Object of the appeal. The plaintiff indicates that [Name 002]. is prepared to participate in the public tender that ICE will open to implement and operate 5G IMT technology in its networks, given that it is one of the main suppliers of that technology in this country. It points out that, on August 31, 2023, the Executive Branch enacted and published in La Gaceta the “Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth-Generation Mobile Technology (5G) and Higher” (Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores), which contains provisions that expressly prevent the participation of its represented party in that public tender. It notes that the President of the Republic, the Minister of Science, Innovation, Technology and Telecommunications, and the executive president of ICE, have publicly stated that the enactment of the cited regulation was done with the specific motive of preventing the participation of companies of various nationalities, especially those of Chinese origin, in the bidding procedures aimed at obtaining and operating 5G IMT and higher telecommunications technology for the networks of the Institute being appealed. It adds that, at 16:20 hours on September 5, 2023, its represented party received an email from Huberth Valverde Batista, contract administrator of ICE, with a questionnaire regarding compliance with Cybersecurity Regulation No. 44196-MSP-MICITT. It adds that in said communication they were granted a period of four business days to provide the information. It asserts that the questionnaire is an exact copy of the requirements of the aforementioned regulation, which is direct proof of the imminent publication of the tender and the affectation of its represented party, as it will be prevented from participating. It refers that the foregoing corresponds to the market study required by the Public Contracting Law (Ley de Contratación Pública), prior to the publication of the tender specifications (pliego de condiciones). It mentions that the president of ICE stated that at the end of September he will issue a public tender for the acquisition of 5G Mobile telecommunications technology and that they will apply the requirements demanded in the ‘Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth-Generation Mobile Technology (5G) and Higher’ (Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores). It affirms that the President of the Republic has declared that the enactment of the regulation aimed to prevent the participation of companies of diverse origin in the upcoming public tenders that ICE and SUTEL will open for the acquisition of 5G Mobile telecommunications technology. It adds that the foregoing was ratified by the minister of MICITT. It maintains that the direct and manifest risk faced by its represented party is more than notorious. It asserts that there is a certain, real, effective, and imminent threat, almost in the execution phase, which harms the rights of its represented party. It mentions that the tender that ICE will open will prevent [Name 002]. from participating because of its Chinese origin. It asserts that the company cannot be blamed for the fact that the Government of the People's Republic of China, within its sovereign powers, has not signed the Budapest Convention. It adds that such instrument was published 18 years before 5G technology was launched on the market, so it is impossible that any of its recitals were related to it. It refers that the evaluation factor is outdated and is not directly related to cybersecurity; furthermore, it violates the “principle of technological impartiality” contained in Chapter XIII of CAFTA. It deems it discriminatory that its represented party is prevented from participating due to a decision of the Chinese government. It maintains that the only way to avoid the transgression of the constitutional rights of free competition, equality of participation, and non-discrimination, is by suspending the tender, since if it were to materialize, it would cause its represented party an irreversible harm of impossible reparation, as well as reputational damages and losses. It refers that the threat from ICE to issue a public tender in which it will apply Article 10 subsections c), d), e) and f) and numeral 11 of the alluded regulation implies a clear violation of the fundamental rights to free competition in public procurement and equal treatment of bidders, since the tender specifications will prevent the participation of its represented party in the public procurement. It argues that, according to Article 33 of the Constitution, no individual or legal entity can be discriminated against for any reason (sex, religious beliefs, ideology, nationality, etc.); however, its represented party is discriminated against both for its ideology and its nationality. It argues that it is discriminatory to admit only companies from countries that have signed the Budapest Convention, since this does not refer strictly to cybersecurity issues but focuses on the criminalization of computer crimes including: fraud, infringements of intellectual property, distribution and possession of child pornography, computer forgery, among others, to apply a common criminal policy among states. It adds that another characteristic of that instrument is international cooperation, an aspect that facilitates the investigation of cybercrimes and which is relevant due to the characteristics of computer crimes and the possibility that they are committed outside a country's borders, but with impact on a specific territory. It explains that discrimination means granting different treatment based on unjust or arbitrary inequalities that are contrary to the principle of equality before the law. It notes that the prohibition of discriminating covers the interdiction of doing so for any personal or social circumstance; that is, any differentiation that lacks objective and reasonable justification can be classified as discriminatory. It formulates the following prayer: “1.- That my represented party cannot be prevented from participating in the cited public tender by introducing clauses impossible for it to meet, because this violates the fundamental rights to free competition, equal treatment, and the prohibition of discrimination exclusively for ideological and nationality reasons. 2.- That once ICE is notified of the impossibility of continuing with the oft-cited public tender, this amparo be converted into an unconstitutionality action so that several norms of the challenged Regulation can be eliminated from the legal system and, therefore, cannot be applied in any present or future tender.” In subsequent briefs, the representative of the plaintiff points out that on November 9, 2023, the ‘TENDER SPECIFICATIONS FOR THE ACQUISITION OF: GT-ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND’ (PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT-ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA) was published, which contains requirements impossible for its represented party to meet because its parent company is located in the People's Republic of China. Furthermore, compliance is imposed with the aspects alluding to the management and mitigation of risks contained in the ‘Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth-Generation Mobile Technology (5G) and Higher’ (Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores), as well as the standards contemplated therein. It asserts that the foregoing violates its represented party's rights to free competition and equality of participation in public tenders and not to be discriminated against based on the company's origin. It adds that its represented party cannot comply with section 3 “CiberSeguridad RAN-CORE Móvil 5G”, which excludes Huawei from the tender by demanding: ““3. CYBERSECURITY SECTION RAN-CORE MOBILE 5G. 3.1. The bidder must comply with all aspects alluding to the management and mitigation of risks contained in Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT, when planning, designing, and implementing its technical offer, for which it must provide, along with the offer, the risk management and mitigation plan in accordance with the aforementioned regulation. 3.2. The bidder must submit a sworn statement indicating that it complies with the adoption of the following cybersecurity standards:

3.3. In accordance with Article 10 of Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT, which indicates that there cannot be a single supplier for hardware and software in critical network elements, ICE may not award the Mobile CORE (items 3 and 4) and the mobile access network (items 1 and 2) to the same bidder. If the offer participates for the Mobile CORE (items 3 and 4) and the mobile access network (items I and 2) and meets all the technical, financial, legal aspects and ranks first in price for all the mentioned items, ICE will award only items I and 2 (mobile access network) to this bidder and items 3 and 4 (Mobile Core) will be awarded to the second place in price, in order to not have a single supplier for hardware and software in critical network elements, the foregoing in compliance with Article 10 of Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT. 3.4. The bidder must submit a sworn statement indicating that its headquarters is in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention). For which it must attach supporting documentation. ICE reserves the right to verify the validity (sic) of the information provided. 3.5. The bidder must submit a sworn statement indicating whether or not the factory headquarters is susceptible to pressure from a foreign government by normative provision or official public policy of said foreign government, in relation to the location or execution of its operations. 3.6. The bidder must submit a sworn statement indicating whether it is based in a country, or, in any way, is subject to the direction of a foreign government with established laws or practices that may require them to share the information of end users of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests.” It refers that they filed an objection appeal; however, the allegations related to the mentioned section were rejected. It maintains that, based on the foregoing, discrimination against the plaintiff based on its nationality was configured.

IV. Proven facts.- Of importance for the decision of this matter, the following facts are deemed duly demonstrated

The company [Name 002]. with legal identification number [Value 001] is registered in the National Registry of Costa Rica. (Certification provided by the plaintiff and consultation on the National Registry website).

In Scope No. 166 to La Gaceta No. 159 of August 31, 2023, Executive Decree No. 44196-MSP-MICITT was published, by which the ‘Regulation on Cybersecurity Measures Applicable to Telecommunications Services Based on Fifth-Generation Mobile Technology (5G) and Higher’ (Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores) was issued.

(Consultation on the National Printing Office website and evidence provided by ICE). On September 5, 2023, the Telecommunications Management of ICE, through the Contract Administration Area, sent an electronic communication to Huawei, Nokia, Ericsson, GBM Costa Rica, and Rakuten, with the following inquiries:

“Good afternoon:

In view of the regulations issued regarding the issue of cybersecurity for 5G technology in Costa Rica, you are requested to indicate compliance with the following points by your represented company, for the purpose of conducting a market study:

1. The supplier will be able to comply with all aspects related to risk management and mitigation contained in this regulation, when planning, designing, and implementing its technical offer.

2. Indicate compliance with the following cybersecurity standards:

3. That the offered solution does not rely on a single supplier for hardware and software. Hardware and software suppliers are understood as: Entities that provide services or active equipment to the subjects covered in Article 2 of this regulation. This category includes: i) telecommunications equipment manufacturers; and ii) other external suppliers, such as cloud infrastructure providers, system integrators, security and maintenance contractors, and transmission equipment manufacturers, when these are responsible for configuring and integrating the active equipment and software of the solution.

4. Indicate if your headquarters is in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention).

5. Whether the supplier is or is not susceptible to pressure from a foreign government by regulatory provision or official public policy of said foreign government, in relation to the location or execution of its operations.

6. Indicate if it is based in a country, or is in any way subject to the direction of a foreign government with established laws or practices that may require them to share end-user information of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests. The requested information must be answered by the coming September 8, 2023.” (Evidence provided by ICE).

On September 11, 2023, from the address <[email protected]>, the following was sent to the email <[email protected]>:

“Dear Huberth, I hope you are very well.

Through this medium, I am providing a response to the inquiries sent on the past September 5.

1. The supplier will be able to comply with all aspects related to risk management and mitigation contained in this regulation, when planning, designing, and implementing its technical offer.

Huawei has the capacity to comply with all the technical and security requirements defined, standardized, adopted, and tested by the industry, regarding the Design, Implementation, and Operation of mobile networks (3G, 4G, and 5G).

2. Indicate compliance with the following cybersecurity standards:

More information can be found at the following links. https://www-file.huawei.com/-/media/corp2020/pdf/trust-center/huawei-5g-security-white-paper-2021-en.pdf?la=en https://www.huawei.com/en/trust-center/transparency/standard-certification https://www.gsma.com/security/nesas-results/ Table No.1

3. That the offered solution does not rely on a single supplier for hardware and software.

Hardware and software suppliers are understood as: Entities that provide services or active equipment to the subjects covered in Article 2 of this regulation. This category includes: i) telecommunications equipment manufacturers; and ii) other external suppliers, such as cloud infrastructure providers, system integrators, security and maintenance contractors, and transmission equipment manufacturers, when these are responsible for configuring and integrating the active equipment and software of the solution.

Given that the wording of the article referred to in this question lends itself to interpretations, we recommend clarifying with the relevant authorities which of the following types of diversity they are considering:

• a)Horizontal, which indicates two manufacturers in the same network layer (Access, Core, etc.). For example, assigning the mobile access (RAN) of one region to one manufacturer and in another region to another manufacturer.
• b)Hybrid, which indicates having manufacturers for the Hardware and others for the software in each layer of the network.

4. Indicate if your headquarters is in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention).

[Nombre 002] is a company incorporated under the laws of the Republic of Costa Rica; our global manufacturing headquarters is in China.

5. Whether the supplier is or is not susceptible to pressure from a foreign government by regulatory provision or official public policy of said foreign government, in relation to the location or execution of its operations.

Huawei is an independent private company. The operation, decision-making, and management of Huawei are not controlled by any government or third party.

6. Indicate if it is based in a country, or is in any way subject to the direction of a foreign government with established laws or practices that may require them to share end-user information of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests.

Huawei is an independent private company. The operation, decision-making, and management of Huawei are not controlled by any government or third party. Additionally, our line of business is the supply of Telecommunications equipment and its installation. The telecommunications service provider is the one who manages User data.

I remain at your disposal for any comment or additional inquiry.” (Evidence provided by ICE).

The director of the General 5G Program of the Infrastructure and Spectrum Planning Directorate of the Telecommunications Management of ICE, in internal technical report 9191-1520-2023 of October 6, 2023, stated:

“1. Executive Decree No. 44196-MSP-MICITT called “Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher”, issued by the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications, as previously mentioned, came into effect on August 31, 2023. (See Annex No. 1)” 2. This Regulation, as indicated in Article 1, "aims to establish cybersecurity measures to guarantee the safe use and exploitation, with the safeguarding of people's privacy, of networks and telecommunications services based on fifth-generation mobile technology (5G) and higher." Likewise, Article 2 establishes the following: (See Annex No. 1) "Article 2—Scope of Application. The active operation of networks and services based on fifth-generation mobile technology (5G) and higher, by natural or legal persons, public or private, national or foreign, who operate networks or provide telecommunications services based on fifth-generation mobile technology (5G) and higher that originate, terminate, or transit through the national territory, is subject to this regulation, excepting the operation of private telecommunications networks.

In the case of public procurement processes aimed at enabling networks and services based on fifth-generation mobile technology (5G) and higher, as well as the active technological equipment necessary for their deployment, for the use and exploitation of the radio spectrum, the Administration or contracting entity must adopt the suitable mechanisms to verify that potential bidders have considered all aspects related to the risk management and mitigation contained in this regulation, when planning, designing, and implementing their technical offer. If awarded the contract, the provisions of this regulation shall be mandatory during the operation of the networks and provision of services based on fifth-generation mobile technology (5G) or higher." (The highlighting, with the exception of the article title, is provided).

3. Given the entry into force of said Regulation, mandatory for operators and providers of telecommunications services, on September 5, 2023, the Telecommunications Management of ICE, through the Contract Administration Area, and for the purposes of a market study, sent an electronic communication to potential interested parties (Huawei, Nokia, Ericsson, GBM Costa Rica, and Rakuten) with the following wording and inquiries: (See Annex No. 2) “Good afternoon:

In view of the regulations issued regarding the issue of cybersecurity for 5G technology in Costa Rica, you are requested to indicate compliance with the following points by your represented company, for the purpose of conducting a market study:

1. The supplier will be able to comply with all aspects related to risk management and mitigation contained in this regulation, when planning, designing, and implementing its technical offer.

2. Indicate compliance with the following cybersecurity standards:

3. That the offered solution does not rely on a single supplier for hardware and software.

Hardware and software suppliers are understood as: Entities that provide services or active equipment to the subjects covered in Article 2 of this regulation. This category includes: i) telecommunications equipment manufacturers; and ii) other external suppliers, such as cloud infrastructure providers, system integrators, security and maintenance contractors, and transmission equipment manufacturers, when these are responsible for configuring and integrating the active equipment and software of the solution.

4. Indicate if your headquarters is in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention).

5. Whether the supplier is or is not susceptible to pressure from a foreign government by regulatory provision or official public policy of said foreign government, in relation to the location or execution of its operations.

6. Indicate if it is based in a country, or is in any way subject to the direction of a foreign government with established laws or practices that may require them to share end-user information of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests. The requested information must be answered by the coming September 8, 2023” 4. On September 8, 2023, at 12:24 p.m., via email, Mr. Juan Carlos Blanco Infante of the company NOKIA responded to the inquiries made, as shown in Annex No. 3 of the Technical Report, for which confidentiality is requested given that said data are protected by agreements safeguarding this type of information.

5. On September 8, 2023, at 3:46 p.m., via email, Mr. Mustafa Syed of the company Rakuten responded to the inquiries made, as shown in Annex No. 4 of the Technical Report, for which confidentiality is requested given that said data are protected by agreements safeguarding this type of information.

6. On September 8, 2023, at 6:29 p.m., via email, Mr. Neil Baute of the company Ericsson responded to the inquiries made, as shown in Annex No. 5 of the Technical Report, for which confidentiality is requested given that said data are protected by agreements safeguarding this type of information.

7. On September 8, 2023, via official communication UL-2023-0460, Mr. Eduardo Blanco González of the company GBM of Costa Rica responded to the inquiries made, as shown in Annex No. 6 of the Technical Report, for which confidentiality is requested given that said data are protected by agreements safeguarding this type of information.

8. On September 11, 2023, Mr. Marcel Aguilar Sandoval of the company Huawei Technologies Costa Rica responded to the inquiries made, as shown in Annex No. 7 of the Technical Report, for which confidentiality is requested given that said data are protected by agreements safeguarding this type of information.

9. Regarding the responses from Huawei Technologies Costa Rica, as the Honorable Constitutional Court may verify, there is no evidence that said company had any type of disagreement with what was consulted. (See Annex No. 7 of the Technical Report).

10. To date, what ICE has carried out is a market study, in accordance with Article 85 of the Regulation to the General Public Procurement Law, with the potential suppliers of 5G telecommunications network technology, to verify market conditions and check their compliance in cybersecurity matters, in accordance with the provisions of the aforementioned Decree; that is, there is currently no publication of a statement of conditions for a specific tender, as stipulated in the General Public Procurement Law.

(…)

• The inquiries made by ICE, in the market study phase, are consistent with the provisions established in Executive Decree No. 44196-MSP-MICITT called “Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher” issued on August 25, 2023, by the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications, published in Supplement No. 166 of the Official Gazette La Gaceta of August 31, 2023, effective as of that date.

• Said regulation issued by the Executive Branch is mandatory for ICE, as explained previously.

• If ICE fails to comply with the provisions of the Regulation, it will be subject to the administrative sanctioning regime of the General Telecommunications Law No. 8642 (LGT).

• In accordance with the response to fact five, there is no evidence that Huawei Technologies Costa Rica had any type of disagreement at the time of responding to ICE's inquiries concerning the Regulation in question within the framework of the market study carried out.

(…) to date, what ICE has carried out is a market study, in accordance with Article 85 of the Regulation to the General Public Procurement Law, with the potential suppliers of 5G telecommunications network technology, to verify market conditions and check their compliance in cybersecurity matters, in accordance with the provisions of the aforementioned Decree; that is, there is currently no publication of a statement of conditions for a specific tender, as stipulated in the General Public Procurement Law.

(…)”. (Evidence provided by ICE).

On November 9, 2023, ICE published on SICOP the “STATEMENT OF CONDITIONS FOR THE ACQUISITION OF: GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND”, which states accordingly:

“3. 5G MOBILE RAN-CORE CYBERSECURITY SECTION.

3.1. The bidder must comply with all aspects related to risk management and mitigation contained in the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT, when planning, designing, and implementing its technical offer, for which it must provide, along with the offer, the risk management and mitigation plan in accordance with the aforementioned regulation.

3.2. The bidder must submit a sworn statement indicating that it complies with the adoption of the following cybersecurity standards:

Mandatory Compliance Standards

3.3. In accordance with Article 10 of the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT, which states that there cannot be a single supplier for hardware and software in critical network elements, ICE may not award the Mobile CORE (items 3 and 4) and the mobile access network (items 1 and 2) to the same bidder.

In the event that the bid participates for the Mobile CORE (items 3 and 4) and the mobile access network (items 1 and 2) and meets all the technical, financial, and legal aspects and ranks first in price for all the mentioned items, ICE will award only items 1 and 2 (mobile access network) to this bidder, and items 3 and 4 (Mobile Core) will be awarded to the second place in price, in order to not have a single supplier for hardware and software in critical network elements, in compliance with Article 10 of the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT.

3.4. The bidder must submit a sworn statement indicating that its headquarters is located in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention). For which it must attach supporting documentation. ICE reserves the right to verify the validity of the information provided.

3.5. The bidder must submit a sworn statement indicating whether or not the factory headquarters is susceptible to pressure from a foreign government by regulatory provision or official public policy of said foreign government, in relation to the location or execution of its operations.

3.6. The bidder must submit a sworn statement indicating whether it is based in a country, or is in any way subject to the direction of a foreign government with established laws or practices that may require them to share end-user information of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests.

3.7. For the 5G requirements that specifically apply to the CORE, the following must be complied with:

3.7.1 The contractor must execute, within the contractual execution period, the backups of all systems involved in the CORE; these backups must be performed on the institutional systems provided for this purpose.

3.7.2 There must be execution of periodic penetration tests, which must be negotiated between the manufacturer and the contractor with ICE; these tests will be performed by ICE's cybersecurity areas designated for these matters.

3.7.3 There must be integration with a cyber-risk-based vulnerability management system, which must allow integration with the solutions provided at the institutional level.

3.7.4 There must be patch management and updates involving the manufacturer and the contractor, for which a defined update schedule is required that allows closing cybersecurity gaps within a period negotiable with ICE.

3.7.5 Replication of logs in CEF or Syslog format to the institutional event correlation or SIEM solution, which allows for the detection and analysis of possible suspicious activities or attacks and response to cybersecurity incidents.

3.7.6 For the 5G CORE element, the bidder must present solutions aimed at protecting an IP-based service architecture, preventing common botnet attacks or vulnerabilities over the internet, so that critical services are not degraded and remain available to legitimate users.

3.7.7 For the 5G CORE element, the bidder must present solutions aimed at protecting the main network functions, namely:

• a)Access and Mobility Management Function (AMF).
• b)Authentication Server Function (AUSF).
• c)Unified Data Management Function (UDM).

These solutions must protect stored authentication and subscription data against similar threats like botnets and DDoS attacks.

3.7.8 For the 5G CORE element, the bidder must present solutions aimed at allowing the use of encryption for the secure internet protocol (IPSec) for non-3GPP access types, preventing common botnet attacks or vulnerabilities over the internet or DDoS attacks. Considering the 5G requirements specifically those that apply to the Radio Access Network (RAN).

3.8 For the 5G requirements that specifically apply to the RAN, the following must be complied with:

3.8.1 The contractor must execute, within the contractual execution period, the backups of all systems involved in the RAN; these backups must be performed on the institutional systems provided for this purpose.

3.8.2 There must be execution of periodic penetration tests, which must be negotiated between the manufacturer and the contractor with ICE; these tests will be performed by ICE's cybersecurity areas designated for these matters.

3.8.3 There must be integration with a cyber-risk-based vulnerability management system, which must allow integration with the solutions provided at the institutional level.

3.8.4 There must be patch management and updates involving the manufacturer and the contractor, for which a defined update schedule is required that allows closing cybersecurity gaps within a period negotiable with ICE.

3.8.5 Replication of logs in CEF or Syslog format to the institutional event correlation or SIEM solution, which allows for the detection and analysis of possible suspicious activities or attacks and response to cybersecurity incidents.

3.8.6 For the 5G RAN element, the bidder must present solutions aimed at protecting 5G systems and networks that use antennas for Multiple-Input Multiple-Output (MIMO), ensuring the spectrum of bands assigned to this function.

3.8.7 For the 5G RAN element, the bidder must present solutions aimed at protecting transmission and reception data and signaling through encryption that protects their integrity.

3.8.8 For the 5G RAN element, the bidder must present solutions aimed at protecting against possible threats of malicious base stations (RBS), which could generate man-in-the-middle (MiTM) attacks between the user equipment (UE) and the mobile network, preventing common DDoS attacks or vulnerabilities.

3.9 For the 5G requirements that specifically apply to the UE, the following must be complied with:

3.9.1 For the 5G UE element, the bidder must present solutions aimed at protecting against possible threats such as mobile botnet networks, DDoS attacks, device infection attacks (viruses, worms, etc.), and malicious content download from the internet. (…)”. (Evidence provided by the plaintiff and consultation in the Integrated Public Procurement System).

On December 18, 2023, the company [Nombre 002] submitted a bid for five of the six items of electronic file 2023XE000023-0000400001 with the description “GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ACCORDING TO DEMAND”. (Consultation on the page https://www.sicop.go.cr/ and response from the Micitt to the granted hearing).

V. Regarding the specific case: In the sub lite, the plaintiff indicates that [Nombre 002]

is prepared to participate in the public bidding process that ICE will open to implement and operate 5G IMT technology in its networks, given that it is one of the main suppliers of that technology in this country. It points out that, on August 31, 2023, the Executive Branch enacted and published in La Gaceta the “Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher” (Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores), which contains provisions that expressly prevent its represented party from participating in that public bidding process. It notes that the President of the Republic, the Minister of Science, Innovation, Technology and Telecommunications, and the Executive President of ICE have publicly stated that the enactment of the cited regulation was done with the specific purpose of preventing the participation of companies of various nationalities, especially those of Chinese origin, in the bidding procedures aimed at the acquisition and operation of 5G IMT and higher telecommunications technology for the networks of the respondent institute. It adds that, at 4:20 p.m. on September 5, 2023, its represented party received an email from Huberth Valverde Batista, contract administrator of ICE, with a questionnaire regarding compliance with the Cybersecurity Regulation No. 44196-MSP-MICITT. It adds that in that communication they were granted a period of four business days to provide the information. It asserts that the questionnaire is an exact copy of the requirements of the aforementioned regulation, which is direct proof of the imminent publication of the bidding process and the impact on its represented party, since it will be rendered unable to participate. It states that the foregoing corresponds to the market study required by the Public Procurement Law (Ley de Contratación Pública), prior to the publication of the tender specifications. It mentions that the President of ICE stated that at the end of September he will put the acquisition of 5G Mobile telecommunications technology out to public bidding and that they will apply the requirements demanded in the ‘Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher’ (Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores). It affirms that the President of the Republic has declared that the enactment of the regulation had the objective of preventing the participation of companies of diverse origin in the upcoming public bidding processes that ICE and SUTEL will open for the acquisition of 5G Mobile telecommunications technology. It adds that the foregoing was ratified by the Minister of MICITT. It maintains that the direct and manifest risk faced by its represented party is more than notorious. It asserts that there is a certain, real, effective, and imminent threat, almost at the execution stage, which injures the rights of its represented party. It mentions that the bidding process that ICE will open will prevent [Name 002] from participating because it is of Chinese origin. It asserts that the company cannot be blamed for the fact that the Government of the People's Republic of China, within its sovereign powers, has not signed the Budapest Convention. It adds that such instrument was published 18 years before 5G technology was launched on the market, so it is impossible that any of its recitals were related to it. It states that the evaluation factor is outdated and is not directly related to cybersecurity; furthermore, it violates the “principle of technological impartiality” (principio de imparcialidad tecnológica) contained in Chapter XIII of CAFTA. It considers it discriminatory to prevent its represented party from participating because of a decision by the Chinese government. It maintains that the only way to avoid the transgression of the constitutional rights of free competition, equality of participation, and non-discrimination is by suspending the bidding process, since if it were to materialize it would cause its represented party irreversible harm that is impossible to repair, as well as reputational damages and losses. It states that ICE's threat to issue a public bidding process in which it will apply subparagraphs c), d), e), and f) of Article 10 and clause 11 of the aforementioned regulation implies a clear violation of the fundamental rights to free competition in public procurement and equal treatment of bidders, since the tender specifications will prevent the participation of its represented party in the public procurement. It argues that, pursuant to Article 33 of the Constitution, no individual or legal entity may be discriminated against for any reason (sex, religious beliefs, ideology, nationality, etc.); however, its represented party is discriminated against based on both its ideology and its nationality. It alleges that it is discriminatory to admit only companies from countries that have signed the Budapest Convention, since it does not strictly refer to cybersecurity issues but rather focuses on the punishment of cybercrimes that include: fraud, intellectual property infringements, distribution and possession of child pornography, computer forgery, among others, in order to apply a common criminal policy among states. It adds that another characteristic of that instrument is international cooperation, an aspect that facilitates the investigation of cyber infractions and is relevant due to the characteristics of cybercrimes and the possibility of them being committed outside the borders of a country, but with an impact on a specific territory. It explains that discrimination means granting different treatment based on unjust or arbitrary inequalities that are contrary to the principle of equality before the law. It points out that the prohibition of discrimination covers the interdiction of doing so for any personal or social circumstance; that is, any differentiation that lacks objective and reasonable justification can be classified as discriminatory. It formulates the following request: “1. That my represented party cannot be prevented from participating in the cited public bidding process by introducing clauses impossible for it to comply with, because this violates the fundamental rights to free competition, equal treatment, and the prohibition of discrimination exclusively for ideological and nationality reasons. 2. That once ICE is notified of the impossibility of continuing forward with the repeatedly cited public bidding process, this amparo action be converted into an unconstitutionality action so that several provisions of the challenged Regulation can be eliminated from the legal system and, therefore, cannot be applied in any present or future bidding process.” In subsequent submissions, the legal representative of the plaintiff states that on November 9, 2023, the ‘TENDER SPECIFICATIONS FOR THE ACQUISITION OF: GT-ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK DELIVERY ON DEMAND’ (PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT-ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA) was published, which contains requirements impossible for its represented party to comply with because its parent company is located in the People's Republic of China. In addition, compliance with the aspects alluding to risk management and mitigation contained in the ‘Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher’ (Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores), as well as the standards contemplated therein, is imposed. It asserts that the foregoing violates its represented party's rights to free competition and equal participation in public bidding processes and to not be discriminated against based on the origin of the company. It adds that its represented party cannot comply with subsection 3 “Ciberseguridad RAN-CORE Móvil 5G,” which excludes Huawei from the bidding process by requiring: ““3. CIBERSECURITY SUBSECTION 5G MOBILE RAN-CORE. 3.1. The bidder must comply with all aspects alluding to risk management and mitigation contained in the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT, when planning, designing, and implementing its technical offer, for which it must provide, along with the bid, the risk management and mitigation plan in accordance with the aforementioned regulations. 3.2. The bidder must submit a sworn declaration stating that it complies with the adoption of the following cybersecurity standards:

3.3. In accordance with Article 10 of the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT, which indicates that there cannot be a single supplier for hardware and software in critical network elements, ICE may not award the Mobile CORE (items 3 and 4) and the mobile access network (items 1 and 2) to the same bidder. In the event that the bid participates for the Mobile CORE (items 3 and 4) and the mobile access network (items I and 2) and meets all technical, financial, and legal aspects and ranks first in price for all the mentioned items, ICE will award only items I and 2 (mobile access network) to this bidder and items 3 and 4 (Mobile Core) will be awarded to the second place in price, in order not to have a single supplier for hardware and software in critical network elements, in compliance with Article 10 of the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT. 3.4. The bidder must submit a sworn declaration stating that its headquarters is in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention). For which it must attach supporting documentation. ICE reserves the right to verify the validity (sic) of the information provided. 3.5. The bidder must submit a sworn declaration stating whether or not the factory headquarters is susceptible to pressure from a foreign government by normative provision or official public policy of said foreign government, in relation to the location or execution of its operations. 3.6. The bidder must submit a sworn declaration stating whether it has its base in a country, or is in any way subject to the direction of a foreign government with established laws or practices that may require it to share the information of end users of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests.” It states that they filed an objection appeal; however, the arguments related to the mentioned subsection were rejected. It maintains that, based on the foregoing, discrimination against the plaintiff based on its nationality was configured.

From the study of the case record, it has been proven that the company [Name 002], with legal identification number [Value 001], is registered in the National Registry of Costa Rica. In Scope No. 166 to La Gaceta No. 159 of August 31, 2023, Executive Decree No. 44196-MSP-MICITT was published, whereby the ‘Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher’ (Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores) was issued. On September 5, 2023, the Telecommunications Management of ICE, through the Contract Administration Area, sent to Huawei, Nokia, Ericsson, GBM Costa Rica, and Rakuten, an electronic communication with the following inquiries: “Good afternoon: In view of the regulations issued regarding the topic of cybersecurity for 5G technology in Costa Rica, please indicate compliance with the following points on behalf of your represented party, for the purpose of conducting a market study: 1. The supplier will be able to comply with all aspects alluding to risk management and mitigation contained in this regulation, when planning, designing, and implementing its technical offer. 2. Indicate compliance with the following cybersecurity standards:

3. That the offered solution is not from a single supplier regarding hardware and software. Hardware and software suppliers are understood as: Entities that provide active services or equipment to the subjects included in Article 2 of this regulation. This category includes: i) manufacturers of telecommunications equipment; and ii) other external suppliers, such as cloud infrastructure providers, system integrators, security and maintenance contractors, and transmission equipment manufacturers, when these are responsible for configuring and integrating the active equipment and software of the solution. 4. Indicate if your headquarters is in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention). 5. Whether or not the supplier is susceptible to pressure from a foreign government by normative provision or official public policy of said foreign government, in relation to the location or execution of its operations. 6. Indicate if it has its base in a country, or is in any way subject to the direction of a foreign government with established laws or practices that may require it to share the information of end users of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests.” The required information must be responded to by next September 8, 2023.” On September 11, 2023, from the address <[email protected]>, the following was sent to the email <[email protected]>: “Dear Huberth, I hope you are very well. By this means, I take the liberty of providing a response to the inquiries sent on last September 5. 1. The supplier will be able to comply with all aspects alluding to risk management and mitigation contained in this regulation, when planning, designing, and implementing its technical offer. Huawei has the capacity to comply with all technical and security requirements defined, standardized, adopted, and tested by the industry, regarding the Design, Implementation, and Operation of mobile networks (3G, 4G, and 5G). 2. Indicate compliance with the following cybersecurity standards:

| SCS 9001 | Supply Chain Security and Cybersecurity Standard | Huawei exceeds the principles and security requirements in the supply chain, incorporated in international standards such as those listed in Table No. 1. In the following links you can find more information about it. https://www-file.huawei.com/-/media/corp2020/pdf/trust-center/huawei-5g-security-white-paper-2021-en.pdf?la=en https://www.huawei.com/en/trust-center/transparency/standard-certification https://www.gsma.com/security/nesas-results/ Table No.1

3. That the offered solution is not from a single supplier regarding hardware and software. Hardware and software suppliers are understood as: Entities that provide active services or equipment to the subjects included in Article 2 of this regulation. This category includes: i) manufacturers of telecommunications equipment; and ii) other external suppliers, such as cloud infrastructure providers, system integrators, security and maintenance contractors, and transmission equipment manufacturers, when these are responsible for configuring and integrating the active equipment and software of the solution. Given that the wording of the article, to which this question refers, lends itself to interpretations, we recommend clarifying with the pertinent instances which of the following types of diversity they are considering: a) Horizontal, which indicates two manufacturers in the same network layer (Access, Core, etc). For example, assigning the mobile access (RAN) of one region to one manufacturer and in another region to another manufacturer. b) Hybrid (sic), which indicates having manufacturers for the Hardware and others for the software in each network layer. 4. Indicate if your headquarters is in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention). [Name 002] is a company incorporated under the laws of the Republic of Costa Rica, our global manufacturing headquarters is in China. 5. Whether (sic) the supplier is or is not susceptible to pressure from a foreign government by normative provision or official public policy of said foreign government, in relation to the location or execution of its operations. Huawei is an independent private company. The operation, decision-making, and management of Huawei are not controlled by any government or third party. 6. Indicate if it has its base in a country, or is in any way subject to the direction of a foreign government with established laws or practices that may require it to share the information of end users of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests. Huawei is an independent private company. The operation, decision-making, and management of Huawei are not controlled by any government or third party. Additionally, our line of business is the supply of Telecommunications equipment and its installation. The telecommunications service provider is the one who manages the User data. I remain at your service for any additional comment or inquiry.” The director of the General 5G Program of the Infrastructure and Spectrum Planning Directorate of the Telecommunications Management of ICE, in internal technical report 9191-1520-2023 of October 6, 2023, stated: “1. Executive Decree No. 44196-MSP-MICITT entitled “Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher” (Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores) issued by the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications, as previously mentioned, entered into force on August 31, 2023. (See Annex No. 1)” 2. This Regulation, as indicated in Article 1, “has the purpose of establishing cybersecurity measures to guarantee the use and safe operation, with protection of people's privacy, of networks and telecommunications services based on fifth-generation mobile technology (5G) and higher.” Likewise, Article 2 establishes the following: (See Annex No. 1) “Article 2—Scope of application. The active operation of networks and services based on fifth-generation mobile technology (5G) and higher is subject to this regulation, by individuals or legal entities, public or private, national or foreign, that operate networks or provide telecommunications services based on fifth-generation mobile technology (5G) and higher that originate, terminate, or transit through the national territory, except for the operation of private telecommunications networks. In the case of public procurement processes aimed at enabling networks and services based on fifth-generation mobile technology (5G) and higher, as well as the active technological equipment necessary for their deployment, for the use and exploitation of the radioelectric spectrum, the Administration or contracting entity must adopt the appropriate mechanisms to verify that potential bidders have considered all aspects alluding to risk management and mitigation contained in this regulation, when planning, designing, and implementing their technical offer. If awarded, the provisions of this regulation will be mandatory to observe during the operation of networks and the provision of services based on fifth-generation mobile technology (5G) or higher.” (The highlighting, with the exception of the article title, is provided). 3. Given the entry into force of said Regulation, mandatory for operators and providers of telecommunications services, on September 5, 2023, the Telecommunications Management of ICE, through the Contract Administration Area, and for the purposes of a market study, sent to potential interested parties (Huawei, Nokia, Ericsson, GBM Costa Rica, and Rakuten) an electronic communication with the following wording and inquiries: (See Annex No. 2) “Good afternoon: In view of the regulations issued regarding the topic of cybersecurity for 5G technology in Costa Rica, please indicate compliance with the following points on behalf of your represented party, for the purpose of conducting a market study: 1. The supplier will be able to comply with all aspects alluding to risk management and mitigation contained in this regulation, when planning, designing, and implementing its technical offer. 2. Indicate compliance with the following cybersecurity standards:

3. That the offered solution is not from a single supplier regarding hardware and software. Hardware and software suppliers are understood as: Entities that provide active services or equipment to the subjects included in Article 2 of this regulation. This category includes: i) manufacturers of telecommunications equipment; and ii) other external suppliers, such as cloud infrastructure providers, system integrators, security and maintenance contractors, and transmission equipment manufacturers, when these are responsible for configuring and integrating the active equipment and software of the solution. 4. Indicate if your headquarters is in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention). 5. Whether or not the supplier is susceptible to pressure from a foreign government by normative provision or official public policy of said foreign government, in relation to the location or execution of its operations. 6. Indicate if it has its base in a country, or is in any way subject to the direction of a foreign government with established laws or practices that may require it to share the information of end users of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests” The required information must be responded to by next September 8, 2023” 4. On September 8, 2023, at 12:24 p.m., via email, Mr. Juan Carlos Blanco Infante from the company NOKIA responded to the inquiries made, as demonstrated in Annex No. 3 of the Technical Report, for which confidentiality is requested as said data is protected under agreements that safeguard this type of information. 5. On September 8, 2023, at 3:46 p.m., via email, Mr. Mustafa Syed from the company Rakuten responded to the inquiries made, as demonstrated in Annex No. 4 of the Technical Report, for which confidentiality is requested as said data is protected under agreements that safeguard this type of information. 6. On September 8, 2023, at 6:29 p.m., via email, Mr. Neil Baute from the company Ericsson responded to the inquiries made, as demonstrated in Annex No. 5 of the Technical Report, for which confidentiality is requested as said data is protected under agreements that safeguard this type of information. 7. On September 8, 2023, by official letter UL-2023-0460, Mr. Eduardo Blanco González from the company GBM de Costa Rica responded to the inquiries made, as demonstrated in Annex No. 6 of the Technical Report, for which confidentiality is requested as said data is protected under agreements that safeguard this type of information. 8. On September 11, 2023, Mr. Marcel Aguilar Sandoval from the company Huawei Tecnologies (sic) Costa Rica responded to the inquiries made, as demonstrated in Annex No. 7 of the Technical Report, for which confidentiality is requested as said data is protected under agreements that safeguard this type of information. 9. Regarding the responses from Huawei Tecnologies (sic) Costa Rica, as the Honorable Constitutional Chamber will be able to verify, there is no evidence that said company had any type of disagreement with what was consulted. (See Annex No. 7 of the Technical Report). 10.

Up to now, what ICE has done is a market study, in accordance with Article 85 of the Regulation to the General Public Procurement Law (Reglamento a la Ley General de Contratación Pública), with potential suppliers of 5G telecommunications network technology, to verify market conditions and check their compliance regarding cybersecurity, pursuant to the provisions of the aforementioned Decree; that is, to date there is no publication of a set of tender documents (pliego de condiciones) for a specific procurement, as provided by the General Public Procurement Law (Ley General de Contratación Pública). (…) • The consultations carried out by ICE, in the market study phase, are consistent with the provisions of Executive Decree No. 44196-MSP-MICITT, entitled “Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher” (Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores), issued on August 25, 2023, by the Presidency of the Republic, the Minister of Public Security, and the Minister of Science, Innovation, Technology and Telecommunications, published in Alcance No. 166 of the Official Gazette La Gaceta on August 31, 2023, and effective as of that date. • Said regulation issued by the Executive Branch is mandatory for ICE, as explained above. • If ICE fails to comply with the provisions of the Regulation, it will be subject to the administrative sanctioning regime of the General Telecommunications Law No. 8642 (Ley General de Telecomunicaciones, LGT). • As indicated in the response to fact five, there is no evidence that Huawei Technologies Costa Rica [sic] had any kind of disagreement at the time of responding to ICE’s consultations regarding the Regulation in question within the framework of the market study conducted. (…) up to now, what ICE has done is a market study, in accordance with Article 85 of the Regulation to the General Public Procurement Law, with potential suppliers of 5G telecommunications network technology, to verify market conditions and check their compliance regarding cybersecurity, pursuant to the provisions of the aforementioned Decree; that is, to date there is no publication of a set of tender documents for a specific procurement, as provided by the General Public Procurement Law. (…)”. On November 9, 2023, ICE published on SICOP the “SET OF TENDER DOCUMENTS FOR THE ACQUISITION OF: GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK ON-DEMAND DELIVERY” (PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA), which, in relevant part, states: “3. CYBERSECURITY SECTION 5G MOBILE RAN-CORE. 3.1. The bidder must comply with all aspects related to the management and mitigation of risks contained in the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT (Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT), when planning, designing, and implementing its technical offer, for which it must provide, along with the offer, the risk management and mitigation plan in accordance with the aforementioned regulation. 3.2. The bidder must submit a sworn statement indicating that it complies with the adoption of the following cybersecurity standards:

3.3. In accordance with Article 10 of the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT, which indicates that a single hardware and software supplier cannot be used for critical network elements, ICE may not award the Mobile CORE (items 3 and 4) and the mobile access network (items 1 and 2) to the same bidder. In the event that a bid participates for the Mobile CORE (items 3 and 4) and the mobile access network (items 1 and 2) and meets all technical, financial, and legal aspects and ranks first in price for all the mentioned items, ICE will award only items 1 and 2 (mobile access network) to this bidder, and items 3 and 4 (Mobile Core) will be awarded to the second place in price, in order not to have a single hardware and software supplier for critical network elements, in compliance with Article 10 of the Costa Rica Cybersecurity Regulation No. 44196-MSP-MICITT. 3.4. The bidder must submit a sworn statement indicating that its headquarters are [sic] in a country that has expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention). Supporting documentation must be attached. ICE reserves the right to verify the validity [sic] of the information provided. 3.5. The bidder must submit a sworn statement indicating whether or not the factory headquarters is susceptible to pressure from a foreign government by regulatory provision or official public policy of said foreign government, in relation to the location or execution of its operations. 3.6. The bidder must submit a sworn statement indicating whether it is based in a country, or, in any way, is subject to the direction of a foreign government with established laws or practices that may require it to share end-user information of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests. 3.7. For the 5G requirements specifically applicable to the CORE, the following must be complied with: 3.7.1 The contractor must execute, within the contractual execution period, backups for all systems involved in CORE; these backups must be made on the institutional systems arranged for this purpose. 3.7.2 There must be periodic penetration testing, which must be negotiated between the factory [sic] and contractor with ICE; these tests will be performed by the ICE cybersecurity areas designated for these matters. 3.7.3 There must be integration with a cyber-risk-based vulnerability management system, which must be able to integrate with the solutions available at the institutional level. 3.7.4 There must be patch management and updates involving the manufacturer and the contractor, for which a defined update schedule is required that allows closing cybersecurity gaps within a period negotiable with ICE. 3.7.5 Replication of logs in CEF or Syslog format to the institutional event correlation solution or SIEM, which enables detecting and analyzing possible suspicious activities or attacks and cybersecurity incident response. 3.7.6 In the 5G CORE element, the bidder must present solutions aimed at protecting an IP-based service architecture, preventing common botnet attacks or vulnerabilities via the internet, so that critical services are not degraded and remain available to legitimate users. 3.7.7 For the 5G CORE element, the bidder must present solutions aimed at protecting the main network functions, namely: a) Access and Mobility Management Function (AMF). b) Authentication Server Function (AUSF). c) Unified Data Management (UDM). These solutions shall protect stored authentication and subscription data against threats similar to botnets and DDoS attacks. 3.7.8 For the 5G CORE element, the bidder must present solutions that allow the use of encryption for Internet Protocol Security (IPSec) for non-3GPP access types, preventing common botnet attacks or vulnerabilities via the internet or DDoS attacks. Considering the 5G requirements specifically those that apply to the Radio Access Network (RAN). 3.8 For the 5G requirements specifically applicable to the RAN, the following must be complied with: 3.8.1 The contractor must execute, within the contractual execution period, backups for all systems involved in RAN; these backups must be made on the institutional systems arranged for this purpose. 3.8.2 There must be periodic penetration testing, which must be negotiated between the factory [sic] and contractor with ICE; these tests will be performed by the ICE cybersecurity areas designated for these matters. 3.8.3 There must be integration with a cyber-risk-based vulnerability management system, which must be able to integrate with the solutions available at the institutional level. 3.8.4 There must be patch management and updates involving the manufacturer and the contractor, for which a defined update schedule is required that allows closing cybersecurity gaps within a period negotiable with ICE. 3.8.5 Replication of logs in CEF or Syslog format to the institutional event correlation solution or SIEM, which enables detecting and analyzing possible suspicious activities or attacks and cybersecurity incident response. 3.8.6 In the 5G RAN element, the bidder must present solutions aimed at protecting 5G systems and networks using Multiple Input Multiple Output (MIMO) antennas, ensuring the spectrum bands assigned to this function. 3.8.7 In the 5G RAN element, the bidder must present solutions aimed at protecting transmission and reception data and signaling through encryption that protects their integrity. 3.8.8 In the 5G RAN element, the bidder must present solutions aimed at protecting against possible threats from malicious base stations (RBS), which could generate man-in-the-middle (MiTM) attacks between the user equipment (UE) and the mobile network, preventing common DDoS attacks or vulnerabilities. 3.9 For the 5G requirements specifically applicable to UE, the following must be complied with: 3.9.1 For the 5G UE element, the bidder must present solutions aimed at protecting against possible threats such as mobile botnets, DDoS attacks, attacks by device infection (viruses, worms, etc.), and downloading malicious content from the internet. (…)”. On December 18, 2023, the company [Name 002] submitted an offer in five of the six items of electronic file 2023XE000023-0000400001 with description “GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK ON-DEMAND DELIVERY”.

Given this scenario, the Chamber dismisses any situation that, at this time, merits its intervention.

First, on the date this writ was filed, ICE had not published any tender documents (cartel) for procurements related to 5G telecommunications network technology, but had only conducted a study with potential suppliers to verify market conditions and cybersecurity-related aspects. Notwithstanding the foregoing, although the publication of the set of tender documents did not occur until November 9, 2023 (during the processing of this proceeding) and not in the periods alluded to in the filing brief, it is no less true that, in essence, what the claimant questions is the implementation of requirements related to risk management and mitigation, as well as the standards contemplated in the ‘Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher’ (Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores); specifically, it claims the alleged impossibility for [Name 002] to meet the requirements established therein.

Now, the aforementioned regulation, in relation to the arguments of the appellant, states:

“Article 2 – Scope of application. The active operation of networks and services based on fifth-generation mobile technology (5G) and higher is subject to this regulation by natural or legal persons, public or private, national or foreign, that operate networks or provide telecommunications services based on fifth-generation mobile technology (5G) and higher that originate, terminate, or transit through the national territory, excluding the operation of private telecommunications networks.

In the case of public procurement processes aimed at enabling networks and services based on fifth-generation mobile technology (5G) and higher, as well as the active technological equipment necessary for their deployment, for the use and exploitation of the radio spectrum, the Administration or contracting entity must adopt the appropriate mechanisms to verify that potential bidders have considered all aspects related to the management and mitigation of risks contained in this regulation when planning, designing, and implementing their technical offer. If awarded the contract, the provisions of this regulation shall be mandatory during the operation of the networks and provision of services based on fifth-generation mobile technology (5G) or higher.

(…)

Article 6 – Adoption of standards. The subjects included in the scope of application of Article 2 of this Executive Decree must adopt, implement, and maintain cybersecurity standards and/or reference frameworks, including the following:

(…)

Article 10 – High-risk parameters. The subjects included in the scope of application of Article 2 of this Regulation must consider the following high-risk parameters for the operation of 5G or higher telecommunications networks and the provision of their services:

(…)

• c)When the subjects included in the scope of application of Article 2 of this Regulation or their hardware and software suppliers are susceptible to pressure from a foreign government by regulatory provision or official public policy of said foreign government, in relation to the location or execution of their operations.
• d)When the subjects included in the scope of application of Article 2 of this Regulation or their hardware and software suppliers are based in a country, or, in any way, are subject to the direction of a foreign government with established laws or practices that may require them to share end-user information of telecommunications services in the absence of a transparent legal process that adequately protects their rights and interests.
• e)When the subjects included in the scope of application of Article 2 of this Regulation use hardware and software suppliers that are headquartered in a country that has not expressed its consent to be bound by the Convention on Cybercrime (Budapest Convention).
• f)When the subjects included in the scope of application of Article 2 of this regulation use hardware and software suppliers that do not comply with the cybersecurity standards set forth in Article 6 of this Regulation.

Article 11. Measures applicable upon identification of high risk. When any of the subjects included in the scope of application of Article 2 of this Regulation identifies the presence of one or more of the high-risk parameters set forth in the previous article, it must inform the Telecommunications Superintendency (Sutel) in accordance with the provisions of Article 42 of the General Telecommunications Law, No. 8642, within 3 (three) calendar days following its identification, and adopt the appropriate technical and administrative measures to ensure the security of its networks and services.

When the presence of one or more of the high-risk parameters is identified by the subjects included in the scope of application of Article 2 of this Regulation, it shall be subject to the immediate adoption of the following technical cybersecurity measures:

• 1)Telecommunication equipment, transmission systems, switching or routing equipment, and other resources that allow signal transport shall not be used in critical network elements, as they represent a high cybersecurity risk for 5G and higher networks and national security. For this purpose, the following are declared critical elements of the 5G and higher network: i. Those related to the functions of the network core.

ii. Control and management systems and support services.

iii. The access network in those geographical areas and locations that provide coverage to centers linked to national security and the provision of essential public services.

• 2)Carry out the replacement of equipment, products, and services of the 5G and higher network when necessary, for which it must consider the market situation of hardware and software suppliers, viable alternative equipment and substitute product supply options, the implementation of such equipment and products in the 5G and higher network, especially in critical network elements, the intrinsic difficulty of carrying out equipment replacement, equipment upgrade cycles, as well as its economic impact. Under no circumstances may the equipment replacement period exceed five years, counted from the classification as high risk.

Compliance with these regulatory provisions must be considered for the operation of 5G and higher networks and their services, in accordance with the provisions of Article 49, paragraphs 1 and 3, of Law No. 8642, General Telecommunications Law”.

In this regard, ICE acknowledged that the consultations carried out were based on the regulation in question and, indeed, the published set of tender documents expressly refers to aspects related to the management and mitigation of cybersecurity risks contained in said regulatory body; however, considering the terms set forth by the claimant, no manifest and express provision is observed that prevents, in an arbitrary, absolute, and unjustified manner, the participation of companies solely based on their origin. Precisely, without analyzing the merits of each of the regulatory provisions, it can be observed that, according to said regulatory body, companies with high-risk parameters may adopt “appropriate technical and administrative measures to ensure the security of their networks and services”; indeed, the set of tender documents for the procurement in question expressly stated that “when planning, designing, and implementing its technical offer, for which it must provide, along with the offer, the risk management and mitigation plan in accordance with the aforementioned regulation”. Now, it is not for this constitutional jurisdiction to analyze whether ICE contemplated or not the totality of the provisions contained in the regulation, nor whether it indirectly limited the participation of companies with requirements unjustified from a technical standpoint. Ergo, if there were any disagreement with the conditions and other technical specifications, this must be ventilated through ordinary channels. Likewise, the appropriate technical and administrative measures to guarantee the security of networks and services in companies with high-risk parameters are matters appropriate for ordinary channels.

In relation to the foregoing, it is important to note that matters related to telecommunications network technology, as well as cybersecurity requirements and standards in Costa Rica (for example, ISO/IEC, SCS standards, among others), are technical aspects, in principle, characteristic of public State policies, which, unless they entail some impact on the essential core of fundamental rights or manifestly transgress the constitutional bloc, constitute government matters. Hence, prima facie, their origin, suitability, or timeliness is not for this Court to assess, by virtue of the principle of self-restraint of the constitutional judge. In this sense, the claimant’s arguments do not demonstrate any arbitrariness contrary to the Law of the Constitution, so, at this time, it is not for the Chamber to analyze the general technical content of such standards, nor to assess whether the European Convention on Cybercrime (an instrument ratified in our country through Law No. 9452) is indispensable for the implementation of fifth-generation mobile technology. Ergo, if [Name 002] wishes to question the technical requirements established by ICE in section 3 “5G Mobile RAN-CORE Cybersecurity” of the “SET OF TENDER DOCUMENTS FOR THE ACQUISITION OF: GT- ACQUISITION OF GOODS AND SERVICES FOR THE IMPLEMENTATION OF THE 5G NETWORK ON-DEMAND DELIVERY”, or if it considers that it meets or exceeds the parameters put out to bid without exposing the country to cybersecurity risks, it may raise its arguments in the administrative venue, or in the ordinary jurisdictional venue, in order to subject its position to adversarial proceedings and broadly present the evidence it deems pertinent.

Similarly, even though discrimination is alleged, as indicated supra, no manifest situation in that sense is verified, and, furthermore, no comparable elements are provided that would allow, at this time and through this amparo writ, analyzing any transgression of the principle of equality with respect to other natural or legal persons.

In addition, although the violation of the “principle of technological neutrality” (principio de imparcialidad tecnológica) contained in Chapter XIII of the Free Trade Agreement between the Dominican Republic, Central America, and the United States is claimed, the Chamber prima facie does not consider that the alleged principle constitutes a constitutional parameter for the specific case, given the generality and abstraction with which the argument was raised and the commercial nature that frames such an agreement. Note that the claimant does not explain how the alleged impact on [Name 002] (a company incorporated in Costa Rica and registered in the National Registry of this country) would contravene the stipulations adopted between the Dominican Republic, Central America, and the United States, in such a way that it would be transcendent for the Law of the Constitution. It is worth pointing out that the Minister of Science, Innovation, Technology and Telecommunications noted that: “the principle of flexibility in technological options (technological neutrality) arises within the framework of the commercial opening process of the telecommunications sector, as part of the “IV. Regulatory Principles approved in Annex 13 of the “Specific Commitments of Costa Rica on Telecommunications Services” of the Dominican Republic-Central America-United States Free Trade Agreement (CAFTA-DR) Law No. 8622, which in relevant part provides: “10. Flexibility in Technological Options Costa Rica shall not prevent suppliers of public telecommunications services from having the flexibility to choose the technologies they use to supply their services, subject to the requirements necessary to satisfy legitimate public policy interests.” (Emphasis added). From this regulatory principle, it follows that, in telecommunications matters, operators and providers of publicly available services effectively enjoy the flexibility to choose the technologies they prefer to operate public networks and supply their services, for example, to provide International Mobile Telecommunications services known as IMT (in any of its technically available generations), provided that legitimate public policy interests are satisfied. In this area, it is important to note that public policy on telecommunications is defined through the National Telecommunications Development Plan (Plan Nacional de Desarrollo de las Telecomunicaciones, PNDT) 2022-2027 “Costa Rica: Towards inclusive digital disruption” (Costa Rica: Hacia la disrupción digital inclusiva), which was approved by the Executive Branch through Executive Decree No. 43843-MICITT published in the Official Gazette La Gaceta No. 5 dated January 13, 2023, (…). Therefore, the public policy for the operation of networks and the provision of telecommunications services is embodied in the National Telecommunications Development Plan (PNDT) 2022-2027 “Costa Rica: Towards inclusive digital disruption”, with the objective of marking the sector’s development from the perspective of sectoral public policy, which will make it possible in the coming years to address the challenges and issues of telecommunications. It should be emphasized that in its section “3.3.3.3 National Cybersecurity Strategy Costa Rica” the PNDT 2022-2027 states that “The cybersecurity strategy dates from 2017 and seeks actions conducive to data assurance and online protection in different aspects, considering the person as a priority, respect for human rights and privacy, coordination with multiple interested parties, and international cooperation”. Consequently, under the terms presented, the alleged disagreement on this point is appropriate for elucidation through the channels provided for such purposes.

Likewise, the claimant seeks that the writ be granted in order to order that its represented party cannot be prevented from participating in a public procurement through clauses impossible for it to fulfill; however, as indicated supra, no transgression of the Law of the Constitution was verified, so determining whether or not it can fulfill the requirements, as well as the technical basis thereof, constitutes matters of legality that, in principle, exceed the summary nature of the amparo writ. In this sense, determining whether bidders can justify or give reasons for alleged restrictions are aspects appropriate for resolution within the procurement procedure, or in the ordinary jurisdictional venue, in order to subject their position to adversarial proceedings and present the technical evidence they deem pertinent.

Furthermore, in a subsequent brief during the course of this proceeding, the claimant alleges the unconstitutionality and unconventionality of the ‘Regulation on cybersecurity measures applicable to telecommunications services based on fifth-generation mobile technology (5G) and higher’ for the purposes of numeral 75 of the Constitutional Jurisdiction Law (Ley de la Jurisdicción Constitucional); however, this writ, for the considerations set forth above, does not constitute a reasonable means to protect the right or interest considered injured.

For the reasons set forth, not only is the requested precautionary protection prima facie improper, but it is appropriate to declare the writ without merit in all its aspects.

VI.- Dissenting vote of Judges Cruz Castro and Araya García.- Grant a deadline to file an unconstitutionality action against the Regulation in question:

We believe that this case should be given a different approach from that prevailing in the majority vote.

The issue has a dimension directly related to fundamental rights (consumer rights and internet access), so it is not a matter of this Court hearing, through amparo, technical questions related to cybersecurity; rather, it must examine whether the provisions of the regulation in question that order the exclusion (or classification as high risk, which amounts to the same thing) of certain companies from a public tender, based on their nationality, is consistent with Constitutional Law.

Thus, given the significance of the matter in question and its impact on the fundamental rights of internet access for the entire population, it is appropriate to grant the appellant the time limit established in the Ley de la Jurisdicción Constitucional to file the corresponding unconstitutionality action against the provisions it considers unconstitutional in the “Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (SG) y Superiores.” This is so that this amparo can serve as the base matter for the action, if such an action has not already been filed. This amparo is not actually about questioning ICE's technical criteria, but rather what the provisions of a regulation state and their impact on fundamental rights.

As observed, the amparo remedy also proceeds against threats (article 29 of the Ley de la Jurisdicción Constitucional). In this case, it is indicated that the public tender that ICE will issue to implement and operate 5G IMT technology in its networks will be based on the “Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (SG) y Superiores,” and it threatens the protected company's rights because said regulation contains provisions that expressly prevent its represented party's participation in that public procurement process. Provisions that, therefore, the appellant considers are contrary to the constitutional rights of free competition, equal participation, and non-discrimination.

In view of the foregoing, we consider that what is appropriate in this case is to grant the appellant a deadline to file the corresponding unconstitutionality action—so that this amparo can serve as the base matter for the action—against the provisions of the regulation in question that it considers unconstitutional. Note that an a priori exclusion of participants from a public tender directly impacts the services the consumer will receive, since the principle of free participation results in better protection of consumer rights. The more bidders that participate, the greater the transparency and evaluation in the selection of the public telecommunications service. A restrictive regulation on the number of bidders for this public service would have a direct impact on rates, the digital divide, and, in general, on the fundamental right of access to the internet.

In the unconstitutionality action, it will be possible to examine in greater detail whether the a priori exclusion of countries that have not adhered to the Budapest Convention (2001) is reasonable, or whether, on the contrary, it is discriminatory, violates the principle of free participation in public tenders, and threatens consumer rights.

As this Chamber has indicated (see vote No. 2010-10627, and among others 2010-12790, 2011-8408, 2017-11212), there exists a true fundamental right to communication derived from the right to freedom of expression, the right to information, and the right to internet access. Particularly in the aforementioned 2017 ruling, where this Chamber examined the fair use policy for internet access, it was stated that internet access is not only a fundamental right in itself, but also “(...) is a tool that incalculably enhances the exercise of other fundamental rights: it democratizes knowledge by placing an immeasurable amount of information within reach of any person; it facilitates citizen participation in state management, promoting transparency in public administration; it establishes means for people to exercise their freedom of expression; it constitutes a work tool for many professions, even those outside the field of information technology.” From this, the State's obligation was derived to “protect people against threats that seek to unjustifiably limit said right, but also entails the State's obligation to ensure its progressive growth and improvement, as well as the implementation of new technologies that enhance the right of access to the Internet.” Therefore, due to the direct impact the regulation would have on the public tender related to Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (SG) y Superiores, and its close relationship with the fundamental right of internet access, the appropriate course in this case is to examine the regulations in question in an unconstitutionality action proceeding.

VII.- Dissenting vote of Judge Rueda Leal. This amparo appeal should have been summarily dismissed, since it was filed on behalf of [Name 002]; however, the essential link between this legal entity and some natural person, in relation to the allegedly aggrieved fundamental rights, does not derive from the filing brief. Of importance for the sub examine, in the dissenting vote I recorded in judgment No. 2019-2355 of 9:30 a.m. on February 12, 2019, I held:

“in Advisory Opinion 22-16 of February 26, 2016, the Inter-American Court of Human Rights indicated that although some States recognize the right of petition for legal persons under special conditions, such as unions, political parties, or representatives of indigenous peoples, Afro-descendant communities, or specific groups, the truth is that ‘Article 1.2 of the American Convention only enshrines rights in favor of natural persons, so legal persons are not holders of the rights enshrined in said treaty.’ Furthermore, in the same advisory opinion, the Inter-American Court ruled that, in certain particular contexts, natural persons can exercise their rights through legal persons (for example, through a communication medium, as occurred in the case of Granier et al. v. Venezuela); however, in order for this to be protectable before the inter-American system, ‘the exercise of the right through a legal person must involve an essential and direct relationship between the natural person requiring protection from the inter-American system and the legal person through which the violation occurred, since a simple link between both persons is not sufficient to conclude that the rights of natural persons are effectively being protected and not those of the legal persons. Indeed, it must be proven beyond the mere participation of the natural person in the activities of the legal person, such that said participation is substantially related to the rights alleged as violated’ (emphasis added) (AO. 22/16).” In my opinion, the reading of the Ley de la Jurisdicción Constitucional compels the same interpretive rationale (ratio) of the aforementioned conventional hermeneutics regarding all fundamental rights. Thus, in a constitutionality proceeding formulated in the name of or on behalf of a legal entity, its admission for study requires an essential and direct relationship between the legal entity claiming to be affected by some violation of the constitutional order and the natural person who, by such injury, sees some fundamental right impaired, in a reflected but direct manner. For these purposes, the mere reference to a connection or link between the legal entity and the natural person is insufficient to conclude that, precisely, the constitutionality proceeding is seeking the protection of the fundamental rights of the latter, not merely those of the former. The aforementioned requirement thus becomes a sine qua non prerequisite for the admissibility of constitutionality review in this venue. Based on the foregoing, I consider that this must be the guideline with which the Ley de la Jurisdicción Constitucional must be interpreted, so that in the sub iudice, the application of jurisdictional constitutionality review is inappropriate, since the referred link has not been demonstrated in relation to the alleged aggrieved right. I have followed this thesis not only when companies in the Telecommunications sector have been considered as the protected party (for example, judgment No. 2019014375 of 2:20 p.m. on August 1, 2019), but also when, in general, appeals have been filed in the name or on behalf of legal persons without establishing the aforementioned essential relationship between the natural person and the legal person (for example, resolutions Nos. 2023014282 of 9:30 a.m. on June 16, 2023, 2022029898 of 9:21 a.m. on December 16, 2022, 2022005751 of 9:20 a.m. on March 11, 2022, 2020014695 of 9:15 a.m. on August 7, 2020, 2020012170 of 10:05 a.m. on June 30, 2020, 2020009074 of 9:15 a.m. on May 15, 2020, 2020006905 of 9:20 a.m. on April 3, 2020, among others).

VIII.- Documentation provided to the case file. The parties are warned that if they have provided any paper document, as well as objects or evidence contained in any additional electronic, computer, magnetic, optical, telematic device or one produced by new technologies, these must be withdrawn from the office within a maximum period of 30 business days counted from the notification of this judgment. Otherwise, any material not withdrawn within this period will be destroyed, in accordance with the provisions of the "Reglamento sobre Expediente Electrónico ante el Poder Judicial", approved by the Corte Plena in session No. 27-11 of August 22, 2011, article XXVI and published in Boletín Judicial number 19 of January 26, 2012, as well as in the agreement approved by the Consejo Superior del Poder Judicial, in session No. 43-12 held on May 3, 2012, article LXXXI.

Por tanto:

By majority vote, the appeal is declared without merit. Judge Garro Vargas records a note. Judges Cruz Castro and Araya García dissent and grant the appellant a deadline to file an unconstitutionality action against the ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores.’ Judge Araya García records a note. Judge Rueda Leal dissents and summarily dismisses the appeal.

Fernando Castillo V.

Fernando Cruz C. Paul Rueda L.

Luis Fdo. Salazar A. Jorge Araya G.

Anamari Garro V. Ingrid Hess H.

Sentencia 2024-002222 Note of Judge Garro Vargas Preliminary considerations I have concurred with the majority because I substantially agree with the judgment's arguments. Additionally, I have considered it appropriate to record this note to highlight that, in my opinion, this is a matter that should have been dismissed from the outset, because it is patently evident that its subject matter cannot be heard through a summary remedy such as amparo.

Examples of the jurisprudential line maintained by the undersigned On similar occasions, and even in others whose subject matter has been of much lesser magnitude, I have stated that it is not sufficient for fundamental rights to be allegedly involved for the matter to be placed in this venue and resolved through an amparo appeal.

Here are some examples:

• 1)Cases of the admission exams for the Instituto Tecnológico de Costa Rica In those cases, which by the way were very numerous, the appellants challenged the admission criteria of that higher education institution. The issue was very directly related to the right to education, the right to equality, and the principle of reasonableness. The Chamber, following an old and very reasonable jurisprudential line, summarily dismissed those numerous appeals, with statements such as the following:

“As can be inferred from the transcribed rulings, this Court has been consistent in pointing out that the admission requirements for state universities are a matter within their competence. In addition, the Chamber has reiterated that the controversy regarding the method and content of a university admission exam must be resolved in the ordinary jurisdiction, since it is a matter of great technical specificity, whose review requires a thorough examination of technical evidence, which is foreign to the summary nature of amparo” (rulings 2020-023153, 2020-023160, 2020-024016, 2021-04817, among others; highlighting not in the original).

In those very numerous similar rulings, Judge Hernández López and I recorded the following note:

“Note of Judges Hernández López and Garro Vargas, with drafting by the latter.

The amparo appeal is a summary proceeding by nature and, pursuant to Article 48 of the Constitución Política, is designed to protect constitutional rights (with the exception of personal liberty and integrity) and those of a fundamental nature established in international human rights instruments applicable to the Republic. Therefore, a matter is susceptible to being heard through an amparo appeal when the alleged violation of any of these rights is invoked. But this is not sufficient. It is necessary that the subject matter under discussion can be adequately heard in a summary proceeding: that is, in a simple procedure without the need for a complex evidentiary phase. Furthermore, the summary nature must be evident not only in the adjudication phase but also in its enforcement phase. Based on the foregoing, the undersigned judges believe that this matter should not be heard in the Constitutional Chamber through the amparo appeal, since, although fundamental rights could be involved, properly analyzing it requires producing technical evidence from various disciplines, in order to examine the various elements that come into play in its resolution.” (Ruling 2020-23160; highlighting not in the original).

• 2)Rainforest Alliance Case On another occasion, the Chamber heard an amparo appeal filed against Rainforest Alliance (file 21-023756-0007-CO), which was granted (ruling 2022-005556). I recorded my dissenting vote in which, among other arguments, I stated the following:

“3. On the procedure of the amparo appeal As announced in the preamble of this dissenting vote, for the alleged injury to a constitutional or fundamental right to be heard before this court, the nature of the claim must be compatible with the characteristics of the amparo appeal. Although this is not the case—as there is no constitutional or fundamental right involved—, it could be argued that many other grievances could be reconducted towards Constitutional Law, because ultimately this is the basis from which the rest of the legal system emanates.

However, not every infringement of a constitutional right must necessarily be assessed in the amparo appeal, since due to the nature of the claim, in many cases, the best way to examine it with detail and depth is to place it in the ordinary jurisdiction, which offers ample guarantees for the parties in order to resolve the conflict between them and which has the possibilities of resorting to robust precautionary measures. In this regard, this Court has reiterated a jurisprudential line to the effect that “the amparo proceeding is eminently summary in nature because its sole purpose is to provide timely protection against infringements or imminent threats to fundamental rights and freedoms, so its processing does not lend itself well to the execution of slow and complex evidentiary proceedings” (among many others, votes Nos. 2003-14336, 2006-014421 and 2020-019038 can be consulted). This jurisprudential line merely recalls the very nature of this proceeding. [Highlighting not in the original].

It is also necessary to point out that there are other parallel jurisdictional mechanisms, where, with ample guarantees, protection can be granted to claims related to infringements of constitutional or fundamental rights. An example of this is the Constitutional Chamber’s thesis that ordered, under a better balancing, that claims related to the delay of administrative proceedings be placed in the contentious-administrative jurisdiction, since at heart their analysis involves an examination of the legal deadlines that public administrations have to address the requests of individuals. Thus, since ruling No. 2008-002545 the Constitutional Chamber has been consistently holding the following:

“It is evident that determining whether the public administration complies or not with the deadlines set by the Ley General de la Administración Pública (articles 261 and 325) or sectoral laws for special administrative procedures, to resolve an administrative procedure—initiated ex officio or at the request of a party—by final act or to hear the applicable administrative appeals, is an evident matter of ordinary legality which, from now on, can be discussed and resolved before the contentious-administrative jurisdiction with the application of the principles that nourish constitutional jurisdiction, such as those of vicarious standing, the possibility of material defense—that is, appearing without legal counsel—and of gratuity for the appellant.” (The highlighting does not correspond to the original).

Similarly, since ruling No. 2017-017948, this Court has been deciding, in relation to the protection of labor rights, the following:

“Certainly, the protection of the Constitutional Chamber, in the area of labor law, derives from the application of Title V, Single Chapter, of the Constitución Política, called Social Rights and Guarantees. It is there where constitutional protection, through the amparo appeal, is afforded to the right to work, to a minimum wage, to the workday, to weekly rest, to paid annual vacations, to free unionization, to the right to strike, to the conclusion of collective labor agreements, among others; all of this, in connection with employment. However, under a new balancing, given the enactment of the Labor Procedure Reform, Law No. 9343 of January 25, 2016, in force since July 25, 2017, this Chamber considers that now all claims related to those labor rights, derived from a special protection status (fuero especial) (for reasons of age, ethnicity, sex, religion, race, sexual orientation, marital status, political opinion, national origin, social origin, affiliation, disability, union membership, economic status, as well as any other discriminatory cause contrary to human dignity), have an expeditious and swift procedural channel, through a very summary (sumarísimo) process and a plenary and universal jurisdiction, for their proper hearing and resolution, in pursuit of adequate protection of those rights and substantial legal situations, grounded in the infra-constitutional legal order, which has an indirect relationship with fundamental rights and Constitutional Law. The same reasons apply to State servants, regarding the procedure before the Tribunal de Servicio Civil guaranteed to them by the legal order, as well as to other Public Sector workers for the protection of due process or similar special statuses to which they are entitled according to the constitutional or legal order. In sum, the very summary process will be applicable, in both the public and private sectors, by virtue of a special protection status, with enjoyment of job stability or special procedures for their protection, due to dismissal or any other disciplinary or discriminatory measure, for violation of special protective statuses or procedures, authorizations and formalities to which they are entitled: women in a state of pregnancy or lactation period, adolescent workers, persons covered by Article 367 of the Código de Trabajo, persons reporting sexual harassment, workers indicated in Article 620, and finally, those who enjoy any similar protection status by law, special regulations, or collective labor instruments.” This shows that, even when constitutional or fundamental rights are involved, their reestablishment and protection need not necessarily be placed in the constitutional jurisdiction through the amparo appeal; rather, there may be parallel avenues that are more guaranteeing from a procedural point of view, intended to hear—with the depth the case requires—claims related to these rights. Precisely, due to the way the amparo appeal is designed, the grievances that should be heard in this venue are those in which the protection of the right is compatible with the characteristics and possibilities of this summary proceeding. Conversely, it is not appropriate to hear in the amparo appeal those matters that require a complex evidentiary analysis, adversarial phases, and immediate presentation of evidence, which completely distort the essence of the amparo appeal.” [Highlighting not in the original].

• 3)Parque Viva Case Subsequently, the Chamber heard the Parque Viva case (file 22-016697-0007-CO). In the operative part (ruling 2022-25167), regarding me, it states: “Judge Garro Vargas partially dissents in the following sense: she declares it partly with merit, for her own reasons, regarding freedom of expression; and declares it without merit regarding the annulment of the health order and the aforementioned official letter, since she considers that matters related to these cannot be heard in this jurisdiction.” From my dissenting vote, I wish to highlight the following, which is relevant to the present matter:

“The competence of the body is also determined by respect for the nature of the proceeding.

Not every act, omission, or de facto action (vía de hecho) originating from an authority, even if it is inherently challengeable, is susceptible to being heard in a summary and informal proceeding. The reasons may be diverse: the legal or technical complexity of the act, the need for a broad body of evidence to determine its validity and effectiveness, etc. There is consolidated case law on this point that the Chamber reiterates every week when dismissing a good part of the amparo appeals filed before it.

Likewise, the court must verify whether the protected object (the fundamental rights allegedly violated) can be effectively guaranteed through an amparo appeal, which is a summary and informal proceeding. In this regard, there is very reiterated case law on the matter, which the Chamber also regularly applies.

Precisely in this sense, I co-signed with Judge Hernández López a note that we reiterated on many occasions [already cited here] (…) (note to ruling 2020-23153).

This is so because, indeed, many matters involve fundamental rights but must be heard in their corresponding venue.” (Highlighting not in the original).

On that occasion, I added a few paragraphs with a somewhat didactic tone, but which simply reflected my approach to the issue.

“For example, if a person claims they were defrauded in the purchase and sale of a plot of land, there is no doubt—if that was indeed the case—that their right has been violated and that this is a fundamental right. It is the right recognized in Article 45 of the Constitución Política; but it is clear that the litigation regarding this matter should not be heard in the Constitutional Chamber, not even if the seller was a public law entity, because the corresponding jurisdiction exists to resolve this type of conflict. Furthermore, as examples could be abundant, if a passer-by shoots another, the aggressor is violating the fundamental right to life or, at least, the victim's integrity, but evidently the matter cannot be heard through an amparo appeal either, because that conduct is typified and, therefore, it will be the criminal judge who determines responsibility and its scope and consequences. Well, the Chamber has usually been very clear about this in its case law; for that reason, each week, it dismisses many amparo appeals indicating that they are matters pertaining to ordinary legality.

The foregoing means that, for a case to be examined and resolved in an amparo appeal, it is not enough to argue that the alleged violation of the fundamental right has its cause in conduct by the respondent party. And the Chamber strives to respect these criteria precisely so as not to invade the competences of the ordinary jurisdiction (established in Articles 49 and 153 of the Constitución Política) or those of the administrative authorities, as appropriate. But not only for that reason, but also because in that way, by placing the matter where it belongs, the parties will have all the procedural guarantees inherent to due process, which are reduced in a summary and informal remedy like amparo. Thus, for instance, the reports from authorities, being given under oath, are taken as true, so the possibilities of disproving them are much lesser than in plenary proceedings.

That is why the Chamber must verify whether, in view of the challenged object (the allegedly harmful acts), the protected object (the fundamental rights allegedly violated), and the type of injury (whether the affectation is direct or not), the matter is susceptible to being heard in a summary proceeding such as amparo.” (Highlighting not in the original).

• 4)Highly complex environmental matters This Chamber heard an environmental matter (file 22-003777-0007-CO) in which it was partially granted (ruling 2022-9857). Of relevance, it considered that aspects of great complexity should not be placed in this jurisdiction. On that occasion, Judges Castillo Víquez, Garita Navarro, and the undersigned recorded a note, which holds the following:

“X.- NOTE OF JUDGES CASTILLO VÍQUEZ AND GARITA NAVARRO AND OF JUDGE GARRO VARGAS, WITH DRAFTING BY THE LATTER.

We deem it necessary to record this note in which we warn that, under a better balancing, in environmental matters of such complexity—as the one challenged in the specific case—we assess that it is appropriate to dismiss the appeal in order to place the discussion in the ordinary jurisdiction where, with greater evidentiary and procedural possibilities, as well as for enforcement, the questioned conduct can be examined in detail.

Firstly, it is necessary to emphasize that we consider that this Chamber is competent to hear amparo appeals related to the violation of the fundamental right to a healthy and ecologically balanced environment under the terms of Article 50 of the Constitución Política. The foregoing, as this Court has done so successfully in the past. However, we warn that there are questions and complaints that, due to their complexity, exceed the summary nature of the amparo appeal and, in such circumstances, it is more guaranteeing for all parties, and even for the effective protection of the right to a healthy and ecologically balanced environment and the protection of natural resources, to place the conflict in an ordinary venue, with plenary proceedings, in which, with more procedural opportunities, the evidence can be examined and the grievances compared. In short, to judge in detail the regularity of the omissive and/or active conduct of the competent public administrations in attending to and resolving the reported environmental conflict.

Let it be remembered that historically this Chamber has maintained the jurisprudential line that “the amparo proceeding is eminently summary in nature because its sole purpose is to provide timely protection against infringements or imminent threats to fundamental rights and freedoms, so its processing does not lend itself well to the execution of slow and complex evidentiary proceedings” (among many others, votes Nos. 2003-14336, 2006-014421 and 2020-019038 can be consulted). This jurisprudential line merely recalls the very nature of this proceeding. Moreover, upon the entry into force of the Código Procesal Contencioso Administrativo, it was determined that said jurisdiction possesses broad competences to hear grievances like those questioned in the sub lite. To this effect, this Court has reiterated the following:

“[U]pon the enactment of the Código Procesal Contencioso-Administrativo (Law No.

8508 of April 24, 2006) and its entry into force as of January 1, 2008, has made it clear that those subject to the law now have access to a plenary and universal contentious-administrative jurisdiction, which is extremely expeditious and swift due to the various procedural mechanisms that this legislation incorporates into the legal system, such as the shortening of time limits for carrying out various procedural acts, broad standing, precautionary measures, the numerus apertus of admissible claims, orality—and its sub-principles of concentration, immediacy, and celerity—, the single instance with appeal only in expressly limited situations, intra-procedural conciliation, the unified process, the preferential processing procedure or "amparo de legalidad," pure legal proceedings, new enforcement measures (coercive fines, substitute or commissarial execution, seizure of assets in the fiscal domain and some in the public domain), the broad powers of the body of enforcement judges, the extension and adaptation of the effects of case law to third parties, and the flexibility of the cassation appeal. All these novel procedural institutes have the manifest purpose and objective of achieving procedural economy, celerity, promptness, and the effective or complete protection of the substantial legal situations of those administered, all while guaranteeing basic fundamental rights such as due process, the right to defense, and the adversarial principle." (See, for example, judgments numbers 2010-17909, 2020-011247, and 2022-003724).

In contrast, the absence of a full evidentiary phase that facilitates the immediacy and adversarial testing of evidence necessarily requires that, for the sake of adequate and prudent protection of the right, the ordinary channel be used to hear environmental conflicts that are inherently complex, such as the one raised in this specific case. (...).

From the enumeration of grievances and the analysis of the claim of the appealing party, it is possible to confirm that the conflict reported is extremely complex to resolve through the amparo process and, therefore, should be settled in an ordinary venue that, with greater tools, can thoroughly hear the substantive complaint, adopt precautionary measures, and issue broad and specific orders to address the issue raised.

This Chamber must hear environmental matters in all those cases where the claim is compatible with the summary nature of the amparo appeal. Everything that can be heard and settled before the constitutional jurisdiction because the claim is compatible with the qualities and possibilities that this process grants must remain in this venue. This does not apply to environmental complaints whose elucidation requires, for their hearing and adequate analysis, a full evidentiary phase such as the one provided for in the Contentious-Administrative Jurisdiction. That is the exception. We consider that the rule is, therefore, that it is appropriate to hear a matter in an amparo appeal when the verification of the problem is relatively simple and the Chamber has the appropriate tools for a timely and appropriate remedy, that is, when its enforcement is also characteristic of a summary proceeding.

In this regard, it is necessary to warn that there are grievances that are easily verifiable and would not be so difficult to hear, but they are part of a whole. Therefore, it is better for that whole to be settled in a venue that, by its characteristics, allows the matter to be heard comprehensively with the analysis of all the facets that cover the specific case. That is precisely what happens in the case at hand, where the failure to resolve a complaint to provide more personnel to guard the Osa Conservation Area (Área de Conservación de Osa) is claimed, and, concurrently, a series of issues are reported and enumerated that justify—in the opinion of the appellants—the need to appoint more technical personnel to safeguard the area.

Ultimately, we consider that, upon better deliberation, it is necessary to conclude that there are conflicts that, due to their magnitude, necessarily require a full evidentiary process for their attention and resolution. This is precisely one of those cases, and therefore, we consider it appropriate to dismiss the appeal and refer the entirety of the conflict raised—a complaint regarding personnel shortages to the detriment of biodiversity—to the contentious-administrative jurisdiction.

We make this note in order to guarantee due legal certainty in the jurisprudential lines of this Constitutional Jurisdiction and to specifically warn what the partial change of criteria of the undersigned judges consists of." (The emphasis is not from the original).

In similar terms, I have referred to other environmental matters (for example, judgments 2023-11233 and 2023-16088).

Conclusion

What has been said so far is sufficient to show that I have endeavored to be consistent in my line of voting. This can be summarized by saying that, for the Constitutional Chamber to correctly determine its own competence when hearing matters submitted to it through an amparo appeal, it must respect the necessary congruence that must exist between the protected object (fundamental rights), the challenged object (administrative conduct or conduct of a subject of law), and the procedural mechanism (summary proceeding). This means that it must admit for processing only those matters in which, in addition to the alleged violation of a fundamental right being involved, the challenged object is susceptible to being heard through a summary, simple proceeding, without evidentiary complexity. This must also be done for the sake of due process, respect for the nature of the proceedings, and the very purpose of this jurisdiction.

It is worth adding that to assert that only the Constitutional Chamber is called upon to protect fundamental rights would be tantamount to calling into question, from its very root, the principle of constitutional supremacy and the principle of the unity of the legal system. Furthermore, it would suppose—in this case—unjustly disparaging the contentious-administrative jurisdiction and its robust precautionary justice and its enforcement mechanisms.

Anamari Garro Vargas Judge Having seen the final wording of the judgment of this Chamber, number 2024-2222, of fourteen hours on January 26, 2024, by which the present amparo appeal is dismissed, the undersigned Judge renounces the note that during the discussion of said judgment he indicated he would record.

San José, July 31, 2024.

Jorge Araya G.

Judge 1 Telephones: 2549-1500 / 800-SALA-4TA (800-7252-482). Fax: 2295-3712 / 2549-1633. Electronic address: www.poder-judicial.go.cr/salaconstitucional. Address: (Sabana Sur, Calle Morenos, 100 mts south of the Perpetuo Socorro church). Reception of matters from vulnerable groups: Edificio Corte Suprema de Justicia, San José, Distrito Catedral, Barrio González Lahmann, calles 19 y 21, avenidas 8 y 6 [1] Voto 1998-001650 of 17:36 hours of March 10, 1998.

[2] Barth Jiménez. Jose Francisco. "Recurso de Amparo y regulación de telecomunicaciones". In Constitución y Justicia Constitucional Corte Suprema de Justicia, San José, Costa Rica, 2013. Page 499.

[3] [4] [5] [6] [7] Observations from the SALA CONSTITUCIONAL Voted by ballot Classification prepared by the SALA CONSTITUCIONAL of the Poder Judicial.

Prohibited its reproduction and/or distribution for profit.

It is a faithful copy of the original - Taken from Nexus.PJ on: 08-05-2026 13:17:27.

[ { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "000023" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "0000400001" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": ";" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "2023XE" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "000023" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "0000400001" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": ";" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "2023XE" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "000023" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "0000400001" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "," }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "2023XE" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "000023" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "0000400001" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "," }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "2023XE" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "000023" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "0000400001" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "," }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "2023XE" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "000023" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "0000400001" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "," }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "2023XE" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "000023" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "0000400001" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "." }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "2023XE" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "000023" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "0000400001" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "," }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "2023XE" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "000023" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "0000400001" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "." }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "2023XE" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "000023" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "0000400001" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "." }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "2023XE" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "000023" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "0000400001" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "2023XE" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "000023" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "-" }, { "url": "https://www.sicop.go.cr/moduloPcont/pcont/ctract/es/CE_CEJ_ESQ002.jsp", "label": "0000400001" }, { "url": "https://nexuspj.poder-judicial.go.cr/document/sen-1-0007-1012923", "label": "2020-023153" }, { "url": "https://nexuspj.poder-judicial.go.cr/document/sen-1-0007-1010289", "label": "2020-023160" }, { "url": "https://nexuspj.poder-judicial.go.cr/document/sen-1-0007-1012929", "label": "2020-024016" }, { "url": "https://nexuspj.poder-judicial.go.cr/document/sen-1-0007-1025754", "label": "2021-04817" }, { "url": "https://scij.hacienda.go.cr/SCIJ_MHDA/default.aspx ", "label": "SCIJ of Hacienda" }, { "url": "http://www.pgrweb.go.cr/scij/main.aspx", "label": "SCIJ of the Procuraduría General de la República" }, { "url": "/la9gj3qIS3w-I5PIpgNk7ebSDLOri7bTIje15vMx4Ew=.html", "label": "la9gj3qIS3w-I5PIpgNk7ebSDLOri7bTIje15vMx4Ew=.html" } ], "next_actions": [ "Full document text is in the 'content' field", "Check 'metadata' for resolution number, expediente, etc.", "Related documents may be linked from this page" ], "requested_url": "https://nexuspj.poder-judicial.go.cr/document/ext-1-0007-363525" }

Sala Constitucional Clase de asunto: Recurso de amparo Analizado por: SALA CONSTITUCIONAL Sentencia con Voto Salvado Sentencia con nota separada Indicadores de Relevancia Sentencia relevante Sentencia con datos protegidos, de conformidad con la normativa vigente Contenido de Interés:

Temas Estrategicos: Der Económicos sociales culturales y ambientales Tipo de contenido: Voto de mayoría Rama del Derecho: 4. ASUNTOS DE GARANTÍA Tema: CONTRATOS O LICITACIONES Subtemas:

LICITACION.

002222-24. CONTRATOS O LICITACIONES. SE ACUSA QUE, NIEGAN A EMPRESA, PARTICIPAR EN LICITACIÓN PÚBLICA QUE ABRIRÁ EL ICE, PARA IMPLEMENTAR Y OPERAR LA TECNOLOGÍA 5 IMT EN SUS REDES. POR MAYORÍA SE DECLARA SIN LUGAR EL RECURSO. VCG08/2024 “(…) V. Sobre el caso concreto: En el sub lite, la parte accionante indica que [Nombre 002]. está preparada para participar en la licitación pública que abrirá el ICE para implementar y operar la tecnología 5G IMT en sus redes, dado que es uno de los principales proveedores de esa tecnología en este país. Señala que, el 31 de agosto de 2023, el Poder Ejecutivo promulgó y publicó en La Gaceta el “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores”, el cual contiene disposiciones que expresamente impiden la participación de su representada en ese concurso público. Acota que el presidente de la República, la ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, y el presidente ejecutivo del ICE, han manifestado públicamente que la promulgación del citado reglamento se hizo con el motivo específico de impedir la participación de empresas de diversas nacionalidades, especialmente las de origen chino, en los procedimientos licitatorios tendentes a la obtención y operación de la tecnología en telecomunicaciones 5G IMT y superiores de las redes del instituto recurrido. Agrega que, a las 16:20 horas de 5 de setiembre de 2023, su representada recibió un correo electrónico de parte de Huberth Valverde Batista, administrador de contratos del ICE, con un cuestionario sobre el cumplimiento del Reglamento de Ciberseguridad nro. 44196-MSP-MICITT. Añade que en tal comunicación se les otorgó un plazo de cuatro días hábiles para suministrar la información. Asevera que el cuestionario es una copia exacta de los requerimientos del reglamento mencionado, lo cual es prueba directa de la publicación inminente de la licitación y la afectación de su representada, pues resultará imposibilitada de participar. Refiere que lo anterior corresponde al estudio de mercado que exige la Ley de Contratación Pública, previo a la publicación del pliego de condiciones. Menciona que el presidente del ICE manifestó que a finales de setiembre sacará a concurso público la adquisición de la tecnología en telecomunicaciones 5G Móvil y que aplicarán los requisitos exigidos en el ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’. Afirma que el Presidente de la República ha declarado que la promulgación del reglamento tenía como objetivo impedir la participación de empresas de diverso origen en los concursos públicos próximos que abrirán el ICE y la SUTEL para la adquisición de la tecnología en telecomunicaciones 5G Móvil. Añade que lo anterior fue ratificado por la ministra del MICITT. Sostiene que es más que notorio el riesgo directo y manifiesto que enfrenta su representada. Asevera que existe una amenaza cierta, real, efectiva e inminente, casi en etapa de ejecución, lo que lesiona los derechos de su representada. Menciona que el concurso que abrirá el ICE le impedirá participar a [Nombre 002]. por tener origen chino. Asevera que no se le puede imputar a la empresa que el Gobierno de la República Popular China, dentro de sus potestades soberanas, no hubiese firmado el Convenio de Budapest. Agrega que tal instrumento fue publicado 18 años antes de que la tecnología 5G fuera lanzada al mercado, por lo que es imposible que alguna de sus consideraciones estuviera relacionada con esta. Refiere que el factor de evaluación está desfasado y no se encuentra directamente relacionado con ciberseguridad; además, viola el “principio de imparcialidad tecnológica” recogido en el Capítulo XIII del CAFTA. Estima discriminatorio que se le impida participar a su representada por una decisión del gobierno chino. Sostiene que la única forma de evitar la transgresión a los derechos constitucionales de libre competencia, igualdad de participación y no discriminación, es con la suspensión del concurso, toda vez que si llegara a materializarse se le causaría a su representada un perjuicio irreversible de imposible reparación, así como daños y perjuicios reputacionales. Refiere que la amenaza del ICE de sacar un concurso público en el que aplicará el artículo 10) incisos c), d), e) y f) y el numeral 11 del reglamento aludido implica una clara violación de los derechos fundamentales a la libre concurrencia en las contrataciones públicas y de igualdad de trato de los oferentes, pues el pliego de condiciones impedirá la participación de su representada en la contratación pública. Arguye que, conforme el artículo 33 constitucional, ninguna persona física o jurídica puede ser discriminada por ninguna razón (sexo, creencias religiosas, ideología, nacionalidad, etc.); empero, a su representada se le discrimina tanto por su ideología como por su nacionalidad. Aduce que es discriminatorio admitir solo empresas de países que hubiesen suscrito el Convenio de Budapest, pues este no se refiere estrictamente a temas de ciberseguridad sino que se enfoca en la pena de crímenes informáticos que incluyen: fraudes, infracciones a la propiedad intelectual, distribución y posesión de pornografía infantil, falsificación informática, entre otros, para aplicar una política penal común entre los estados. Añade que otra característica de ese instrumento es la cooperación internacional, aspecto que facilita la investigación de infracciones cibernéticas y que es relevante por las características de los delitos informáticos y la posibilidad de que sean cometidos fuera de las fronteras de un país, pero con impacto en un territorio determinado. Explica que la discriminación significa otorgamiento de trato diferente basado en desigualdades injustas o arbitrarias que son contrarias al principio de igualdad ante la ley. Señala que la prohibición de discriminar cobija la interdicción de hacerlo por cualquier circunstancia personal o social; es decir, que toda diferenciación que carezca de justificación objetiva y razonable puede calificarse de discriminatoria. Formula la siguiente petitoria: “1.- Que mi representada no puede ser impedida de participar en el citado concurso público introduciendo cláusulas de imposible cumplimiento para ella, porque ello viola los derechos fundamentales a la libre competencia, la igualdad de trato y la prohibición de la discriminación exclusivamente por razones ideológicas y de nacionalidad. 2.- Que una vez notificada al ICE la imposibilidad de continuar adelante con el concurso público tantas veces citado, se convierta este amparo en una acción de inconstitucionalidad con el fin de que varias normas del Reglamento impugnado puedan ser eliminadas del ordenamiento jurídico y, por tanto, no puedan ser aplicados en ninguna licitación presente o futura”.

En escritos posteriores, el apoderado de la parte actora señala que el 9 de noviembre de 2023 se publicó el ‘PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT-ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA’, el cual contiene requisitos de imposible cumplimiento para su representada por estar ubicada su casa matriz en la República Popular de China. Además, se impone el cumplimiento de los aspectos alusivos a la gestión y mitigación de riesgos contenidos en ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’, así como de los estándares ahí contemplados. Asevera que lo anterior transgrede los derechos de su representada a la libre competencia e igualdad de participación en los concursos públicos y a no ser discriminados en razón del origen de la empresa. Añade que su representada no puede cumplir el apartado 3 “CiberSeguridad RAN-CORE Móvil 5G”, el cual excluye a Huawei del concurso al exigir: ““3. APARTADO DE CIBERSEGURIDAD RAN-CORE MOVIL 5G. 3.1. El oferente deberá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, a la hora de planificar, diseñar e implementar su oferta técnica, para lo cual deberá aportar junto con la oferta, el plan de gestión y mitigación de riesgos en concordancia con la normativa precitada. 3.2. El oferente deberá presentar una declaración jurada en donde indique que cumple con la adopción de los siguientes estándares de ciberseguridad:

Estándares de cumplimiento obligatorios Número Nombre ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad- Sistemas de Gestión de la Seguridad de la Información Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Controles de seguridad de la información ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro Ciberseguridad GSMA NESAS Esquema de aseguramiento de ciberseguridad definido por GSMA y 3GPP.

ISO/IEC 27400 Ciberseguridad — Seguridad y privacidad en IoT— Guías de implementación 3GPP 33.501 Arquitectura y procedimiento de seguridad para sistemas 5G.

NIST 1800-33B 5G Ciberseguridad 3.3. De conformidad con el artículo 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT en donde se indica que no se puede tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, el ICE no podrá adjudicar al mismo oferente el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2). En caso de que la oferta, participe para el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas I y 2) y cumpla con todos los aspectos técnicos, financieros, jurídicos y ocupe el primer lugar en precio para todas las partidas mencionadas, el ICE adjudicará solamente las partidas I y 2 (red de acceso móvil) a este oferente y las partidas 3 y 4 (Core Móvil) se adjudicará al segundo lugar en precio, con el fin de no tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, lo anterior en cumplimiento del 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT. 3.4. El oferente deberá presentar una declaración jurada en donde se indique su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Para lo cual deberá adjuntar la documentación de respaldo. El ICE se reserva el derecho de verificar la valides (sic) de la información aportada. 3.5. El oferente deberá presentar una declaración jurada en donde se indique que, si la sede de la fábrica es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. 3.6. El oferente deberá presentar una declaración jurada en donde se indique si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses”. Refiere que plantearon recurso de objeción; empero, se rechazaron los alegatos relacionados con el apartado mencionado. Sostiene que, con base en lo expuesto, se configuró la discriminación hacia la parte actora por su nacionalidad.

Del estudio de los autos se tiene por demostrado, que la sociedad [Nombre 002]. con cédula jurídica [Valor 001] se encuentra inscrita en el Registro Nacional de Costa Rica. En el Alcance nro. 166 a La Gaceta nro. 159 de 31 de agosto de 2023, se publicó el decreto ejecutivo nro. 44196-MSP-MICITT, mediante el cual se emitió el ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’. El 5 de setiembre de 2023, la Gerencia de Telecomunicaciones del ICE, a través del Área Administradora de Contratos, envió a Huawei, Nokia, Ericsson, GBM Costa Rica y Rakuten, una comunicación electrónica con las siguientes consultas: “Buenas tardes: En vista de la reglamentación emitida en relación al (sic) tema de ciberseguridad para la tecnología 5G en Costa Rica, se solicitar (sic) indicar el cumplimiento de los siguientes puntos por parte de su representada, esto con el fin de realizar estudio de mercado: 1. El proveedor podrá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el presente reglamento, a la hora de planificar, diseñar e implementar su oferta técnica. 2. Indicar el cumplimiento de los siguientes estándares de ciberseguridad:

Número Nombres ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad 3. Que la solución ofertada no es de un único suministrador en cuanto a hardware y software. Entiéndase por Suministradores de hardware y software a: Entidades que brindan servicios o equipo activo a los sujetos comprendidos en el artículo 2 del presente reglamento. Esta categoría incluye: i) fabricantes de equipos de telecomunicaciones; y ii) otros proveedores externos, como proveedores de infraestructura en la nube, integradores de sistemas, contratistas de seguridad y mantenimiento, y fabricantes de equipos de transmisión, cuando estos se encargan de configurar e integrar los equipos activos y software de la solución. 4. Indicar si su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). 5. Que proveedor es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. 6. Indicar si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de los servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses” La información requerida se debe dar respuesta para el próximo 08 de setiembre de 2023”. El 11 de setiembre de 2023, desde la dirección <[email protected]> se envió al correo <[email protected]>, lo siguiente: “Estimado Huberth, Espero que se encuentre muy bien. Por este medio me permito brindar respuesta a las consultas enviadas el pasado 5 de setiembre. 1. El proveedor podrá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el presente reglamento, a la hora de planificar, diseñar e implementar su oferta técnica. Huawei tiene la capacidad de cumplir con todos los requerimientos técnicos y de seguridad definidos, estandarizados, adoptados y probados por la industria, en lo que a Diseño, Implementación y Operación de redes móviles (3G, 4G y 5G) se refiere. 2. Indicar el cumplimiento de los siguientes estándares de ciberseguridad:

Número Nombre ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos Huawei se adhiere a las directrices y principios establecidos en esta Norma.

ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos Huawei se adhiere a las directrices y principios establecidos en esta Guía.

ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía Huawei se adhiere a las directrices y principios establecidos en esta Guía.

ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

Este estándar es una extensión de ISO27001, basado en los controles de ISO27002, pero agregando Controles adicionales que están dirigidos a los proveedores de Servicios de Telecomunicaciones (Operadores, tal como ICE).

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad Huawei excede los principios y requerimientos de seguridad en la cadena de suministro, incorporados en estándares internacionales como los listados en la Tabla No. 1.

En los siguientes enlaces pueden encontrar más información al respecto.

https://www-file.huawei.com/-/media/corp2020/pdf/trust-center/huawei-5g-security-white-paper-2021-en.pdf?la=en https://www.huawei.com/en/trust-center/transparency/standard-certification https://www.gsma.com/security/nesas-results/ Tabla No.1 Entity Code Name ISO 9001 Quality management 27001 Information Security 27017 Security techniques for Cloud Services 27018 Security techniques for Privacy Protection in Cloud Services 27034 Application Security 27701 Privacy Management 28000 Security in Supply Chain 22301 Business Continuity 19790 Security Cryptographic Modules 30111 Vulnerability Handling Processes 29147 Vulnerability Disclosure GSMA NESAS/SCAS GSMA Mobile Security PCI SSC Secure Software Secure Software Development NIST FIPS 140-2 Security Cryptographic Modules CSA STAR 711080 Cloud Security ISCC Information Security Qualification of Information Security 3. Que la solución ofertada no es de un único suministrador en cuanto a hardware y software. Entiéndase por Suministradores de hardware y software a: Entidades que brindan servicios o equipo activo a los sujetos comprendidos en el artículo 2 del presente reglamento. Esta categoría incluye: i) fabricantes de equipos de telecomunicaciones; y ii) otros proveedores externos, como proveedores de infraestructura en la nube, integradores de sistemas, contratistas de seguridad y mantenimiento, y fabricantes de equipos de transmisión, cuando estos se encargan de configurar e integrar los equipos activos y software de la solución. Dado que la redacción del artículo, al que se refiere esta pregunta, se presta a interpretaciones, recomendamos que se aclare con las instancias pertinentes cuál de los siguientes tipos de diversidad están considerando: a) Horizontal, que indica dos fabricantes en la misma capa de red (Acceso, Core, etc). Por ejemplo, asignar el acceso móvil (RAN) de una región a un fabricante y en otra región a otro fabricante. b) Hibrido (sic), que indica tener fabricantes para el Hardware y otros para el software en cada capa de la red. 4. Indicar si su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). [Nombre 002], es una empresa constituida bajo las leyes de la República de Costa Rica, nuestra sede global de manufactura está en China. 5. Que (sic) proveedor es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. Huawei es una empresa privada independiente. La operación, la toma de decisiones y la gestión de Huawei no están controladas por ningún gobierno o terceros. 6. Indicar si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses. Huawei es una empresa privada independiente. La operación, la toma de decisiones y la gestión de Huawei no están controladas por ningún gobierno o terceros. Adicionalmente, nuestra línea de negocios es el suministro de equipos de Telecomunicaciones y su instalación. El proveedor de servicios de telecomunicaciones es quien gestiona los datos de Usuario. Quedo a la orden para cualquier comentario o consulta adicional”. El director del Programa General 5G de la Dirección Planificación de Infraestructura y Espectro de la Gerencia de Telecomunicaciones del ICE, en el informe técnico interno 9191-1520-2023 de 6 de octubre de 2023, consignó: “1. El Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” emitido por la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, según se comentó anteriormente, entró a regir el 31 de agosto de 2023. (Ver Anexo N.º1)” 2. Este Reglamento, según se indica en el artículo 1, “tiene por objeto establecer medidas de ciberseguridad para garantizar el uso y la explotación segura y con resguardo de la privacidad de las personas, de las redes y los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores”. Asimismo, el artículo 2 establece lo siguiente: (Ver Anexo N.º 1) “Artículo 2º-Ámbito de aplicación. Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basadas en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones. En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores.” (El resaltado, con excepción del título del artículo, es proveído). 3. Ante la entrada en vigor de dicho Reglamento, obligatorio para los operadores y proveedores de servicios de telecomunicaciones, el 5 de setiembre de 2023 la Gerencia de Telecomunicaciones del ICE, a través del Área Administradora de Contratos, y para efectos de un estudio de mercado, envió a potenciales interesados (Huawei, Nokia, Ericsson, GBM Costa Rica y Rakuten) una comunicación electrónica con la siguiente redacción y consultas: (Ver Anexo N.º 2) “Buenas tardes: En vista de la reglamentación emitida en relación al (sic) tema de ciberseguridad para la tecnología 5G en Costa Rica, se solicitar (sic) indicar el cumplimiento de los siguientes puntos por parte de su representada, esto con el fin de realizar estudio de mercado: 1. El proveedor podrá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el presente reglamento, a la hora de planificar, diseñar e implementar su oferta técnica. 2. Indicar el cumplimiento de los siguientes estándares de ciberseguridad:

Número Nombres ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad 3. Que la solución ofertada no es de un único suministrador en cuanto a hardware y software. Entiéndase por Suministradores de hardware y software a: Entidades que brindan servicios o equipo activo a los sujetos comprendidos en el artículo 2 del presente reglamento. Esta categoría incluye: i) fabricantes de equipos de telecomunicaciones; y ii) otros proveedores externos, como proveedores de infraestructura en la nube, integradores de sistemas, contratistas de seguridad y mantenimiento, y fabricantes de equipos de transmisión, cuando estos se encargan de configurar e integrar los equipos activos y software de la solución. 4. Indicar si su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). 5. Que proveedor es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. 6. Indicar si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de los servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses” La información requerida se debe dar respuesta para el próximo 08 de setiembre de 2023” 4. El 08 de setiembre de 2023, a las 12:24 horas, por medio de correo electrónico, el señor Juan Carlos Blanco Infante de la empresa NOKIA responde a las consultas realizadas, según se demuestra en el Anexo N.º 3 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 5. El 08 de setiembre de 2023, a las 15:46 horas, por correo electrónico, el señor Mustafa Syed de la empresa Rakuten, responde a las consultas realizadas, según se demuestra en el Anexo N.º 4 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 6. El 08 de setiembre de 2023, a las 18:29 horas por correo electrónico, el señor Neil Baute de la empresa Ericsson, responde a las consultas realizadas según se demuestra en el Anexo N.º 5 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 7. El 08 de setiembre de 2023, mediante oficio UL-2023-0460, el señor Eduardo Blanco González de la empresa GBM de Costa Rica, responde a las consultas realizadas según se demuestra en el Anexo N.º 6 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 8. El 11 de setiembre de 2023, el señor Marcel Aguilar Sandoval de la empresa Huawei Tecnologies (sic) Costa Rica, responde a las consultas realizadas según se demuestra en el Anexo N.º 7 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 9. En lo que concierne a las respuestas de Huawei Tecnologies (sic) Costa Rica, según podrá constatar el Honorable Tribunal Constitucional, no se evidencia que dicha empresa haya tenido algún tipo de disconformidad con lo consultado. (Ver Anexo N.º 7 del Informe Técnico). 10. Hasta el momento, lo que el ICE ha realizado es un estudio de mercado, de conformidad con el artículo 85 del Reglamento a la Ley General de Contratación Pública, con los posibles proveedores de la tecnología de la red de telecomunicaciones 5G, para verificar las condiciones del mercado y comprobar el cumplimiento de los mismos en materia de ciberseguridad, conforme las disposiciones del Decreto precitado; es decir, no existe a la fecha una publicación de un pliego de condiciones para un concurso específico, conforme dispone la Ley General de Contratación Pública. (…)• Las consultas realizadas por el ICE, en fase de estudio de estudio de mercado, son acordes con lo establecido en el Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” emitido el 25 de agosto de 2023 por la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, publicado en el Alcance N.º 166 del Diario Oficial La Gaceta del 31 de agosto de 2023, vigente a partir de esa fecha. • Dicha normativa emitida por el Poder Ejecutivo es acatamiento obligatorio para el ICE, según se ha explicado anteriormente. • Si el ICE incumple con las disposiciones del Reglamento será sometido al régimen sancionatorio administrativo de la Ley General de Telecomunicaciones N.º 8642 (LGT). • Conforme a lo indicado en la respuesta al hecho quinto, no se evidencia que Huawei Tecnologies (sic) Costa Rica haya tenido algún tipo de disconformidad, al momento de responder las consultas del ICE relativas al Reglamento en cuestión en el marco del estudio de mercado realizado. (…) hasta el momento, lo que el ICE ha realizado es un estudio de mercado, de conformidad con el artículo 85 del Reglamento a la Ley General de Contratación Pública, con los posibles proveedores de la tecnología de la red de telecomunicaciones 5G, para verificar las condiciones del mercado y comprobar el cumplimiento de los mismos en materia de ciberseguridad, conforme las disposiciones del Decreto precitado; es decir, no existe a la fecha una publicación de un pliego de condiciones para un concurso específico, conforme dispone la Ley General de Contratación Pública. (…)”. El 9 de noviembre de 2023, el ICE publicó en el SICOP el “PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, que en lo conducente señala: “3. APARTADO DE CIBERSEGURIDAD RAN-CORE MOVIL 5G. 3.1. El oferente deberá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, a la hora de planificar, diseñar e implementar su oferta técnica, para lo cual deberá aportar junto con la oferta, el plan de gestión y mitigación de riesgos en concordancia con la normativa precitada. 3.2. El oferente deberá presentar una declaración jurada en donde indique que cumple con la adopción de los siguientes estándares de ciberseguridad:

Estándares de cumplimiento obligatorios Número Nombre ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Controles de seguridad de la información ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad GSMA NESAS Esquema de aseguramiento de ciberseguridad definido por GSMA y 3GPP.

ISO/IEC 27400 Ciberseguridad — Seguridad y privacidad en IoT — Guías de implementación 3GPP 33.501 Arquitectura y procedimiento de seguridad para sistemas 5G.

NIST 1800-33B 5G Ciberseguridad 3.3. De conformidad con el artículo 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT en donde se indica que no se puede tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, el ICE no podrá adjudicar al mismo oferente el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2). En caso de que la oferta, participe para el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2) y cumpla con todos los aspectos técnicos, financieros, jurídicos y ocupe el primer lugar en precio para todas las partidas mencionadas, el ICE adjudicará solamente las partidas 1 y 2 (red de acceso móvil) a este oferente y las partidas 3 y 4 (Core Móvil) se adjudicará al segundo lugar en precio, con el fin de no tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, lo anterior en cumplimiento del 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT. 3.4. El oferente deberá presentar una declaración jurada en donde se indique su sede estáen (sic) un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Para lo cual deberá adjuntar la documentación de respaldo. El ICE se reserva el derecho de verificar la valides (sic) de la información aportada. 3.5. El oferente deberá presentar una declaración jurada en donde se indique que, si la sede de la fábrica es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. 3.6. El oferente deberá presentar una declaración jurada en donde se indique si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses. 3.7. Para los requerimientos de 5G específicamente que aplican al CORE, se deberá cumplir con lo siguiente: 3.7.1 El contratista debe ejecutar dentro del plazo de ejecución contractual los respaldos de todos los sistemas involucrados en CORE, estos respaldos deben realizarse en los sistemas institucionales dispuestos para tal efecto. 3.7.2 Debe existir ejecución de pruebas de penetración periódicas, las mismas deben ser negociadas entre fabrica (sic) y contratista con el ICE, estas pruebas serán realizadas por las áreas de ciberseguridad del ICE dispuestas para estos temas. 3.7.3 Debe existir una integración con un sistema de gestión de vulnerabilidades basada en riesgo cibernético, el mismo deberá permitir integrarse a las soluciones dispuestas a nivel institucional. 3.7.4 Debe existir una gestión de parcheo y actualizaciones que involucre al fabricante y al contratista, para lo cual se requiere de un cronograma de actualizaciones definido y que permita cerrar brechas de ciberseguridad en un periodo negociable con el ICE. 3.7.5 Replicación de registros en formato CEF o Syslog a la solución de correlación de eventos o SIEM institucional, misma que permita detectar y analizar posibles actividades sospechosas o ataques y respuesta ante incidentes de ciberseguridad. 3.7.6 En el elemento de CORE 5G el oferente debe presentar soluciones orientadas a proteger una arquitectura de servicio basado en IP, que prevengan ataques o vulnerabilidades comunes de botnets a través de internet, esto con el fin que los servicios críticos no se degraden y que se mantengan disponibles a usuarios legítimos. 3.7.7 Para el elemento CORE 5G el oferente debe presentar soluciones orientadas a proteger las funciones principales de red a saber: a)Función de administración de acceso y movilidad (AMF por sus siglas en ingles). b) Función de servidor de autenticación (AUSF por sus siglas en ingles). c) Función de administración de datos unificados (UDM por sus siglas en ingles). Estas soluciones deberán proteger los datos almacenados de autenticación y suscripción contra amenazas similares botnets y ataques DDoS. 3.7.8 Para el elemento CORE 5G el oferente debe presentar soluciones orientadas que permitan el uso cifrado para el protocolo de internet seguro (IPSec por sus siglas en ingles) para tipos de acceso non-3GPP, que prevengan ataques o vulnerabilidades comunes de botnets a través de internet o ataques DDoS. Considerando los requerimientos de 5G específicamente aquellos que aplican al Red de acceso de radio (RAN por sus siglas en inglés).3.8 Para los requerimientos de 5G específicamente que aplican a la RAN, se deberá cumplir con lo siguiente: 3.8.1 El contratista debe ejecutar dentro del plazo de ejecución contractual los respaldos de todos los sistemas involucrados en RAN, estos respaldos deben realizarse en los sistemas institucionales dispuestos para tal efecto. 3.8.2 Debe existir ejecución de pruebas de penetración periódicas, las mismas deben ser negociadas entre fabrica (sic) y contratista con el ICE, estas pruebas serán realizadas por las áreas de ciberseguridad del ICE dispuestas para estos temas. 3.8.3 Debe existir una integración con un sistema de gestión de vulnerabilidades basada en riesgo cibernético, el mismo deberá permitir integrarse a las soluciones dispuestas a nivel institucional. 3.8.4 Debe existir una gestión de parcheo y actualizaciones que involucre al fabricante y al contratista, para lo cual se requiere de un cronograma de actualizaciones definido y que permita cerrar brechas de ciberseguridad en un periodo negociable con el ICE. 3.8.5 Replicación de registros en formato CEF o Syslog a la solución de correlación de eventos o SIEM institucional, misma que permita detectar y analizar posibles actividades sospechosas o ataques y respuesta ante incidentes de ciberseguridad. 3.8.6 En el elemento de RAN 5G el oferente debe presentar soluciones orientadas a proteger sistemas y redes 5G que utilicen antenas para Entradas Múltiples y Salidas Múltiples (MIMO por sus siglas en ingles), que aseguren el espectro de bandas asignadas a esta función. 3.8.7 En el elemento de RAN 5G el oferente debe presentar soluciones orientadas a proteger los datos y señalización de transmisión y recepción a través de cifrado que protejan la integridad de estos. 3.8.8 En el elemento de RAN 5G el oferente debe presentar soluciones orientadas a proteger contra posibles amenazas de estaciones base maliciosas (RBS por sus siglas en ingles), que puedan generar ataques de hombre-en-el-medio (MiTM por sus siglas en inglés) entre el equipo de usuario móvil (UE por sus siglas en ingles) y la red móvil, que prevengan ataques o vulnerabilidades comunes de DDoS. 3.9 Para los requerimientos de 5G específicamente que aplican para UE, se deberá cumplir con lo siguiente: 3.9.1 Para el elemento UE de 5G el oferente debe presentar soluciones orientadas a proteger posibles amenazas como redes Botnets móviles ataques DDoS, ataques por infección de dispositivos (virus, gusanos etc.) y descarga de contenido malicioso desde internet. (…)”. El 18 de diciembre de 2023, la empresa [Nombre 002]. formuló oferta en cinco de las seis partidas del expediente electrónico 2023XE000023-0000400001 con descripción “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”.

Desde este panorama, la Sala descarta alguna situación que, en este momento, amerite su intervención.

En primer lugar, a la fecha de interposición de este recurso, el ICE no había publicado cartel alguno para contrataciones relacionadas con la tecnología de la red de telecomunicaciones 5G, sino que únicamente había efectuado un estudio con los posibles proveedores para verificar condiciones del mercado y aspectos relacionados con ciberseguridad. Sin perjuicio de lo anterior, si bien la publicación del pliego no se dio sino hasta el 9 de noviembre de 2023 (durante la tramitación de este proceso) y no en los periodos aludidos en el escrito de interposición, no menos cierto es que, en el fondo, la parte accionante lo que cuestiona es la implementación de requisitos alusivos a la gestión y mitigación de riesgos, así como los estándares contemplados en el ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’; concretamente, reclama la presunta imposibilidad de [Nombre 002]. de cumplir los requisitos ahí establecidos.

Ahora, el aludido reglamento, en relación con los alegatos de la parte recurrente, señala:

“Artículo 2º-Ámbito de aplicación. Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones.

En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores.

(…)

Artículo 6º- Adopción de estándares. Los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Decreto Ejecutivo, deberán adoptar, implementar, y mantener estándares y/o marcos de referencia sobre ciberseguridad, incluyendo los siguientes:

Número Nombre ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Controles de seguridad de la información ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad (…)

Artículo 10º- Parámetros de riesgo alto. Los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento, deberán considerar los siguientes parámetros de riesgo alto para la operación de redes de telecomunicaciones 5G o superiores y la prestación de sus servicios:

(…)

• c)Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento o sus suministradores de hardware y software sean susceptibles de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones.
• d)Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento o sus suministradores de hardware y software tienen su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses.
• e)Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento utilizan suministradores de hardware y software que tengan su sede en un país que no ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest).
• f)Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este reglamento utilizan suministradores de hardware y software que no cumplen con los estándares de ciberseguridad dispuestos en el artículo 6 de este Reglamento.

Artículo 11º. Medidas aplicables ante la identificación de riesgo alto. Cuando alguno de los sujetos comprendidos en el ámbito de aplicación del artículo 2 del presente Reglamento identifique la presencia de alguno o varios de los parámetros de riesgo alto consignados en el artículo anterior, deberá informarlo a la Superintendencia de Telecomunicaciones (Sutel) de conformidad con las disposiciones del artículo 42 de la Ley General de Telecomunicaciones, Nº8642, dentro de los 3 (tres) días naturales siguientes a su identificación y adoptar las medidas técnicas y administrativas idóneas para garantizar la seguridad de sus redes y sus servicios.

Cuando se identifique la presencia de alguno o varios de los parámetros de riesgo alto por parte de los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento, quedará sujeto a la adopción inmediata de las siguientes medidas técnicas de ciberseguridad:

• 1)No podrán ser utilizados en elementos críticos de la red, equipos de telecomunicación, sistemas de transmisión, equipos de conmutación o encaminamiento y demás recursos, que permitan el transporte de señales por representar un alto riesgo de ciberseguridad para las redes 5G y superiores, y la seguridad nacional. Para tal efecto, se declaran elementos críticos de la red 5G y superiores los siguientes: i. Los relativos a las funciones d i. Los relativos a las funciones del núcleo de la red.

ii. Los sistemas de control y gestión y los servicios de apoyo.

iii. La red de acceso en aquellas zonas geográficas y ubicaciones que proporcionen cobertura a centros vinculados con la seguridad nacional y la provisión de servicios públicos esenciales.

• 2)Llevar a cabo la sustitución de los equipos, productos y servicios de la red 5G y superiores cuando ello fuera necesario, para lo cual, deberá tener en cuenta la situación del mercado de los suministradores de hardware y software, las alternativas de suministro de equipos y productos sustitutivos viables, la implantación de esos equipos y productos en la red 5G y superiores, especialmente en los elementos críticos de la red, la dificultad intrínseca para llevar a cabo la sustitución de equipos, los ciclos de actualización de equipos, así como su impacto económico. En ningún caso, el plazo de sustitución de los equipos podrá ser superior a cinco años, contados a partir de la clasificación como de alto riesgo.

El cumplimiento de las presentes disposiciones reglamentarias deberá ser consideradas para la operación de redes 5G y superiores y sus servicios, de conformidad con las disposiciones del artículo 49 numerales 1 y 3 de la Ley N°8642, Ley General de Telecomunicaciones”.

Al respecto, el ICE reconoció que las consultas efectuadas se basaron en el reglamento de marras y, en efecto, el pliego de condiciones publicado hace alusión expresa a aspectos relativos a la gestión y mitigación de los riesgos de ciberseguridad contenidos en tal cuerpo normativo; sin embargo, tomando en consideración los términos expuestos por la parte accionante, no se observa alguna disposición manifiesta y expresa que impida, de forma arbitraria, absoluta e injustificada, la participación de empresas únicamente en razón de su origen. Precisamente, sin entrar a analizar el fondo de cada una de las disposiciones reglamentarias, se puede observar que, según tal cuerpo normativo, las compañías con parámetros de riesgo alto pueden adoptar “medidas técnicas y administrativas idóneas para garantizar la seguridad de sus redes y sus servicios”; incluso, en el pliego de condiciones de la contratación de marras se consignó expresamente que “a la hora de planificar, diseñar e implementar su oferta técnica, para lo cual deberá aportar junto con la oferta, el plan de gestión y mitigación de riesgos en concordancia con la normativa precitada”. Ahora, no corresponde a esta jurisdicción constitucional analizar si el ICE contempló o no la totalidad de las disposiciones contenidas en el reglamento, ni tampoco si indirectamente limitó la participación de empresas con requisitos injustificados desde el punto de vista técnico. Ergo, si existiese alguna inconformidad con las condiciones y demás especificaciones técnicas, esta deberá ser ventilada en las vías comunes. Asimismo, las medidas técnicas y administrativas idóneas para garantizar la seguridad de redes y servicios en empresas con parámetros de riesgo altos, son propias de ser ventiladas en las vías comunes.

En relación con lo anterior, es importante mencionar que lo relativo a la tecnología para la red de telecomunicaciones, así como los requisitos y estándares de ciberseguridad en Costa Rica (verbigracia, las normas ISO/IEC, SCS, entre otras), son aspectos técnicos, en principio, propios de políticas públicas de Estado que, salvo que entrañen alguna afectación al núcleo esencial de derechos fundamentales o transgredan manifiestamente el bloque de constitucionalidad, constituyen materia de gobierno. De ahí que prima facie su procedencia, conveniencia u oportunidad no es propia de ser valorada por este Tribunal, en virtud del principio de autocontención del juez constitucional. En ese sentido, los argumentos de la parte accionante no evidencian alguna arbitrariedad contraria al Derecho de la Constitución, por lo que, en este momento, no corresponde a la Sala analizar el contenido técnico general de tales estándares, ni tampoco valorar si el Convenio de Europa sobre Ciberdelincuencia (instrumento ratificado en nuestro país a través de la ley nro. 9452) resulta imprescindible para la implementación de la tecnología de quinta generación móvil. Ergo, si [Nombre 002]. desea cuestionar los requisitos técnicos establecidos por el ICE el apartado 3 “CiberSeguridad RAN-CORE Móvil 5G” del “PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, o bien, si considera que satisface o excede los parámetros sacados a concurso sin exponer al país a riesgos en materia de ciberseguridad, podrá plantear sus alegatos en sede administrativa, o bien, en la vía jurisdiccional ordinaria, a los efectos de que someta a contradictorio su posición y evacúe de forma amplia la prueba que estime pertinente.

De igual forma, aun cuando se acusa discriminación, tal y como se indicó ut supra, no se verifica alguna situación manifiesta en ese sentido y, además, no se aportan elementos comparativos equiparables que permitan, en este momento y a través de este recurso de amparo, analizar alguna transgresión al principio de igualdad con respecto a otras personas físicas o jurídicas.

En adición, si bien se acusa la violación al “principio de imparcialidad tecnológica” recogido en el Capítulo XIII del Tratado de Libre Comercio entre República Dominicana, Centroamérica y Estados Unidos, la Sala prima facie no estima que el alegado principio constituya parámetro de constitucionalidad para el caso concreto, dada la generalidad y abstracción con que se planteó el argumento y la naturaleza comercial en que enmarca tal acuerdo. Nótese que la parte accionante no explica en qué términos la presunta afectación a [Nombre 002]. (empresa constituida en Costa Rica e inscrita en el Registro Nacional de este país) contravendría las estipulaciones adoptadas entre República Dominicana, Centroamérica y Estados Unidos, de forma tal que resultara trascendente para el Derecho de la Constitución. No está de más señalar que la ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, hizo notar que: “el principio de flexibilidad en las opciones tecnológicas (neutralidad tecnológica) surge en el marco del proceso de apertura comercial del sector telecomunicaciones, como parte de los “IV. Principios Regulatorios aprobados en el Anexo 13 de los “Compromisos Específicos de Costa Rica en Materia de Servicios de Telecomunicaciones” del Tratado de Libre Comercio República Dominicana- Centroamérica - Estados Unidos (TLC) Ley N° 8622, el cual en lo conducente dispone: “10. Flexibilidad en las Opciones Tecnológicas Costa Rica no impedirá que los proveedores de servicios públicos de telecomunicaciones tengan la flexibilidad de escoger las tecnologías que ellos usen para suministrar sus servicios, sujeto a los requerimientos necesarios para satisfacer los intereses legítimos de política pública.” (El resaltado es propio) A partir de este principio regulatorio se desprende que en materia de telecomunicaciones los operadores y proveedores de servicios disponibles al público, gozan efectivamente de la flexibilidad para escoger las tecnologías que prefieran para operar las redes públicas y suministrar sus servicios, por ejemplo para prestar servicios de Telecomunicaciones Móviles Internacionales conocidas como IMT por sus siglas en inglés (en cualquiera de sus generaciones técnicamente disponibles), siempre y cuando, se satisfagan los intereses legítimos de política pública. En este ámbito es importante señalar que la política pública en materia de telecomunicaciones se define a través del Plan Nacional de Desarrollo de las Telecomunicaciones (PNDT) 2022-2027 “Costa Rica: Hacia la disrupción digital inclusiva”, el cual fue aprobado por el Poder Ejecutivo mediante Decreto Ejecutivo N° 43843-MICITT publicado en el Diario Oficial La Gaceta N°5 de fecha 13 de enero de 2023, (…). Por lo cual, la política pública para la operación de redes y la prestación de servicios de telecomunicaciones está plasmada en Plan Nacional de Desarrollo de las Telecomunicaciones (PNDT) 2022-2027 “Costa Rica: Hacia la disrupción digital inclusiva”, con el objetivo de marcar el desarrollo del sector desde la perspectiva de la política pública sectorial, que permita durante los próximos años atender los retos y desafíos de las telecomunicaciones. Debe de subrayarse que en su sección “3.3.3.3 Estrategia Nacional de Ciberseguridad Costa Rica” el PNDT 2022-2027 señala que “La estrategia en materia de ciberseguridad data de 2017 y procura la búsqueda de acciones conducentes al aseguramiento de datos y la protección en línea en diferentes aspectos, considera a la persona como prioridad, el respeto a los derechos humanos y la privacidad, la coordinación con múltiples partes interesadas y la cooperación internacional”. En consecuencia, en los términos planteados, la alegada inconformidad en cuanto a este extremo es propia de ser dilucidada a través de las vías previstas para tales efectos.

Asimismo, la parte accionante pretende que se declare con lugar el recurso a los efectos de que se ordene que su representada no puede ser impedida de participar en un concurso público a través de cláusulas de imposible cumplimiento para ella; sin embargo, tal y como se indicó ut supra, no se verificó alguna transgresión al Derecho de la Constitución, por lo que determinar si está en posibilidad o no de cumplir los requisitos, así como el sustento técnico de estos, constituyen extremos de legalidad que, en principio, exceden la sumariedad del recurso de amparo. En ese sentido, determinar si los oferentes pueden justificar o motivar presuntas restricciones son aspectos propios de ser dilucidades en el procedimiento de contratación, o bien, en la vía jurisdiccional ordinaria a fin de que sometan a contradictorio su posición y evacúen la prueba técnica que estimen pertinente.

Por otra parte, en escrito posterior al curso de este proceso, la parte accionante alega inconstitucionalidad e inconvencionalidad del ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’ a los efectos del numeral 75 de la Ley de la Jurisdicción Constitucional; sin embargo, este recurso, por las consideraciones expuestas líneas arriba, no constituye medio razonable para amparar el derecho o interés que se considera lesionado.

Por las consideraciones expuestas, no solo resulta improcedente prima facie la tutela cautelar pretendida, sino que procede declarar sin lugar el recurso en todos sus extremos. (…)” ... Ver más Contenido de Interés:

Tipo de contenido: Voto de mayoría Rama del Derecho: 6. LEY DE LA JURISDICCIÓN CONSTITUCIONAL ANOTADA CON JURISPRUDENCIA Tema: 034- Legitimación pasiva. Litis consorcios Subtemas:

NO APLICA.

ARTÍCULO 34 DE LA LEY DE LA JURISDICCIÓN CONSTITUCIONAL “(…) I.- Sobre las coadyuvancias planteadas. De acuerdo con el artículo 34 de la Ley de la Jurisdicción Constitucional, terceros al proceso pueden interponer una solicitud de coadyuvancia, que es una forma de intervención adhesiva que se da, cuando una persona actúa en un proceso, adhiriéndose a las pretensiones de algunas de las partes principales. En consecuencia, se encuentra legitimado para actuar como coadyuvante quien ostente un interés directo en el resultado del recurso; sin embargo, al no ser actor principal, el coadyuvante no resultará directamente afectado por la sentencia, es decir, la eficacia de esta no podrá alcanzarle de manera directa e inmediata, ni le afecta la condición de cosa juzgada del pronunciamiento (Véanse, entre otras, las sentencias número 3235 de las 9:20 horas del 30 de octubre de 1992 y la sentencia 2010-000254 de las 11:28 horas el 08 de enero de 2010). En este caso, se admite la coadyuvancia pasiva de Silvia Patricia Castro Montero, presidenta de la Cámara Costarricense Norteamericana de Comercio, toda vez que, dada su naturaleza, en efecto podría tener un interés directo en el resultado de este proceso. (…)” VCG08/2024 ... Ver más Contenido de Interés:

Tipo de contenido: Voto salvado Rama del Derecho: 4. ASUNTOS DE GARANTÍA Tema: CONTRATOS O LICITACIONES Subtemas:

LICITACION.

VI.- Voto salvado de los magistrados Cruz Castro y Araya García.- Dar plazo para presentar la acción de inconstitucionalidad en contra del Reglamento en cuestión:

Consideramos que en este caso debe dársele un enfoque distinto al que impera en el voto de mayoría. La cuestión tiene una vertiente directamente relacionada con derechos fundamentales (derecho de consumidores y acceso a internet), así que no se trata de que esta Jurisdicción conozca en amparo de las cuestiones técnicas relacionadas con ciberseguridad, sino que corresponde examinar si la normativa del reglamento en cuestión que dispone excluir (o calificar como alto riesgo, que viene siendo lo mismo) de una licitación pública a ciertas empresas, en razón de su nacionalidad, es acorde al Derecho de la Constitución.

Así, por la trascendencia de la materia en cuestión y su impacto para los derechos fundamentales de acceso a internet de toda la población, resulta procedente otorgarle al recurrente el plazo establecido en la Ley de la Jurisdicción Constitucional para presentar la acción de inconstitucionalidad correspondiente en contra de las normas que considere inconstitucionales del “Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (SG) y Superiores”. Eso, a efectos de que este amparo sirva como asunto base de la acción, si es que no se ha presentado ya una acción al respecto. No se trata en este amparo, en realidad, de cuestionar criterios técnicos del ICE, sino lo que disponen las normas de un reglamento y su incidencia en derechos fundamentales.

Tal como se observa, el recurso de amparo procede también en contra de amenazas (artículo 29 Ley de la Jurisdicción Constitucional). En este caso, se indica que la licitación pública que sacará el ICE para implementar y operar la tecnología 5G IMT en sus redes estará basada en el “Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (SG) y Superiores”, amenaza los derechos de la empresa amparada por cuanto dicho reglamento contiene disposiciones que expresamente impiden la participación de su representada en ese concurso público. Disposiciones que por tanto, considera el recurrente, resultan contrarias a los derechos constitucionales de libre competencia, igualdad de participación y no discriminación.

Con vista en lo anterior, consideramos que lo procedente en este caso es darle plazo al recurrente para que plantee la acción de inconstitucionalidad correspondiente -a efectos de que este amparo sirva como asunto base de la acción-, en contra de las normas del reglamento en cuestión, que considera son inconstitucionales. Nótese que una exclusión a priori de participantes de una licitación pública tiene un impacto directo en los servicios que recibirá el consumidor, pues el principio de libre participación redunda en una mejor protección de los derechos de los consumidores. Entre más oferentes participen, mayor será la trasparencia y valoración en la escogencia del servicio público de telecomunicaciones. Una normativa restrictiva en la cantidad de oferentes para este servicio público, tendría una incidencia directa en las tarifas, la brecha digital, y en general, en el derecho fundamental de acceso a internet.

En la acción de inconstitucionalidad se podrá examinar con mayor detalle si la exclusión a priori de los países que no han estado adheridos al Convenio de Budapest (2001) resulta razonable, o si por el contrario, es discriminatorio, violatorio del principio de libre participación en las licitaciones públicas y amenaza los derechos de los consumidores.

Tal como lo ha indicado esta Sala (ver voto n°2010-10627, y entre otros 2010-12790, 2011-8408, 2017-11212) existe un verdadero derecho fundamental a la comunicación derivado del derecho a la libertad de expresión, del derecho de información y del derecho de acceso a internet. Particularmente en la mencionada sentencia del 2017, donde esta Sala examinó la política de uso justo de acceso a internet, se indicó que el acceso a internet no solo es un derecho fundamental por sí mismo sino que “(…) es una herramienta que potencia de manera incalculable el ejercicio de otros derechos fundamentales: democratiza el conocimiento al poner una cantidad inmensurable de información al alcance de cualquier persona; facilita la participación de los ciudadanos en la gestión estatal, fomentando la transparencia en la gestión pública; establece medios para que las personas puedan ejercer su libertad de expresión; constituye una herramienta de trabajo para muchas profesiones, incluso ajenas a la rama de las tecnologías de la información,”. De allí se derivó la obligación del Estado de “proteger a las personas frente a amenazas que busquen limitar injustificadamente dicho derecho, sino que conlleva también la obligación del Estado de velar por su progresivo crecimiento y mejoramiento, así como la implementación de nuevas tecnologías que potencien el derecho de acceso a Internet.” Por lo anterior, por la incidencia directa que el reglamento tendría en la licitación pública relacionada con los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (SG) y Superiores, y por su íntima relación con el derecho fundamental de acceso a internet, lo procedente en este caso es examinar la normativa en cuestión en un proceso de acción de inconstitucionalidad.

VCG08/2024 ... Ver más Contenido de Interés:

Tipo de contenido: Voto salvado Rama del Derecho: 6. LEY DE LA JURISDICCIÓN CONSTITUCIONAL ANOTADA CON JURISPRUDENCIA Tema: 033- Legitimación activa Subtemas:

NO APLICA.

VII.- Voto salvado del magistrado Rueda Leal. Este recurso de amparo debió rechazarse de plano, por cuanto se interpuso en representación de [Nombre 002].; sin embargo, del escrito de interposición no se deriva el vínculo esencial entre esta persona jurídica y alguna natural, en relación con los presuntos derechos fundamentales agraviados. De importancia para el sub examine, en el voto salvado que consigné en la sentencia nro. 2019-2355 de las 9:30 horas de 12 de febrero de 2019, sostuve:

“en la Opinión Consultiva 22-16 del 26 de febrero de 2016, la Corte Interamericana de Derechos Humanos indicó que si bien algunos Estados reconocen el derecho de petición a personas jurídicas con condiciones especiales, como lo son los sindicatos, partidos políticos o representantes de pueblos indígenas, comunidades afrodescendientes o grupos específicos, lo cierto es que “El artículo 1.2 de la Convención Americana sólo consagra derechos a favor de personas físicas, por lo que las personas jurídicas no son titulares de los derechos consagrados en dicho tratado”. Por otro lado, en la misma opinión consultiva, la Corte Interamericana dispuso que, en ciertos contextos particulares, las personas físicas pueden llegar a ejercer sus derechos a través de personas jurídicas (verbigracia, a través de un medio de comunicación, como acaeció en el caso Granier y otros contra Venezuela); empero, a efectos de que ello sea tutelable ante el sistema interamericano, “el ejercicio del derecho a través de una persona jurídica debe involucrar una relación esencial y directa entre la persona natural que requiere protección por parte del sistema interamericano y la persona jurídica a través de la cual se produjo la violación, por cuanto no es suficiente con un simple vínculo entre ambas personas para concluir que efectivamente se están protegiendo los derechos de personas físicas y no de las personas jurídicas. En efecto, se debe probar más allá de la simple participación de la persona natural en las actividades propias de la persona jurídica, de forma que dicha participación se relacione de manera sustancial con los derechos alegados como vulnerados.” (énfasis agregado) (OC. 22/16)”.

En mi criterio, la lectura de la Ley de la Jurisdicción Constitucional obliga a la misma ratio de la hermenéutica convencional supracitada respecto a todo derecho fundamental. Así, en un proceso de constitucionalidad formulado en nombre o a favor de una persona jurídica, su admisión para estudio exige una relación esencial y directa entre la persona jurídica que aduce verse afectada por alguna vulneración al orden constitucional y la persona natural que, por tal lesión, viene a ver menoscabado, de forma refleja pero directa, algún derecho fundamental. Para tales efectos es insuficiente la mera referencia a una conexión o vínculo entre la persona jurídica y la natural para poder colegir que, precisamente, por medio del proceso de constitucionalidad se esté procurando el resguardo de los derechos fundamentales de la última, no meramente los de la primera. El requerimiento antedicho deviene entonces un presupuesto sine qua non para la procedencia del control de constitucionalidad en esta vía. A partir de lo expuesto, considero que esta debe ser la pauta con que se tiene que interpretar la Ley de la Jurisdicción Constitucional, de manera que en el sub iudice deviene improcedente la aplicación del control jurisdiccional de constitucionalidad, puesto que no se ha demostrado el referido vínculo, en relación con el presunto derecho agraviado. Esta tesis la he seguido no solo cuando se ha tenido como parte tutelada a empresas del sector de Telecomunicaciones (verbigracia, la sentencia nro. 2019014375 de las 14:20 horas del 1º de agosto de 2019), sino también cuando, en general, se han planteado recursos en nombre o a favor de personas jurídicas sin establecer la aludida relación esencial entre la persona natural y la persona jurídica (por ejemplo, las resoluciones nros. 2023014282 de las 9:30 horas de 16 de junio de 2023, 2022029898 de las 9:21 horas de 16 de diciembre de 2022, 2022005751 de las 9:20 horas de 11 de marzo de 2022, 2020014695 de las 9:15 horas de 7 de agosto de 2020, 2020012170 de las 10:05 horas de 30 de junio de 2020, 2020009074 de las 9:15 horas de 15 de mayo de 2020, 2020006905 de las 9:20 horas de 3 de abril de 2020, entre otras).

VCG08/2024 ... Ver más Contenido de Interés:

Tipo de contenido: Nota separada Rama del Derecho: 4. ASUNTOS DE GARANTÍA Tema: CONTRATOS O LICITACIONES Subtemas:

LICITACION.

Sentencia 2024-002222 Nota de la magistrada Garro Vargas Consideraciones preliminares He concurrido con la mayoría porque coincido en lo sustancial con los argumentos de la sentencia. Además, he considerado oportuno consignar esta nota para poner de manifiesto que a mi juicio este es un asunto que desde el inicio debió ser rechazado, porque de manera palmaria se advierte que su objeto no corresponde ser conocido mediante un recurso sumario como lo es el amparo.

Ejemplos de la línea jurisprudencial sostenida por la suscrita En similares ocasiones, e incluso en otras cuyo objeto ha sido de menor mucho menor envergadura, he dicho que no basta que estén presuntamente involucrados derechos fundamentales para que proceda que el asunto sea residenciado en esta sede y que sea resuelto mediante un recurso de amparo.

He aquí algunos ejemplos:

• 1)Casos de los exámenes de admisión al Instituto Tecnológico de Costa Rica En esos casos, que por cierto fueron muy numerosos, los recurrentes impugnaban los criterios de admisión a esa institución de educación superior. El tema hacía directísima relación al derecho a la educación, al derecho a la igualdad y al principio de razonabilidad. La Sala, siguiendo una antigua y muy razonable línea jurisprudencial, rechazó de plano esos numerosos recursos, con afirmaciones como la siguiente:

“Como se desprende de las sentencias transcritas, este Tribunal ha sido consistente en señalar que los requisitos de ingreso a las universidades estatales es materia que le compete a estas. En adición, la Sala ha reiterado que la controversia acerca del método y contenido de una prueba de admisión universitaria corresponde dirimirse en la vía de la legalidad, toda vez que se trata de una cuestión de gran especificidad técnica, cuya revisión obliga a un profundo diligenciamiento de prueba técnica, lo que resulta ajeno a la naturaleza sumaria del amparo” (sentencias 2020-023153, 2020-023160, 2020-024016, 2021-04817, entre otras; el destacado no es del original).

En esas numerosísimas sentencias similares, la magistrada Hernández López y yo, consignamos la siguiente nota:

“Nota de las Magistradas Hernández López y Garro Vargas con redacción de la segunda.

El recurso de amparo es un proceso sumario por naturaleza y, a tenor del artículo 48 de la Constitución Política, está diseñado para proteger los derechos constitucionales (con excepción de la libertad e integridad personal) y los de carácter fundamental establecidos en instrumentos internacionales de derechos humanos aplicables a la República. Por ende, un asunto es susceptible de ser conocido mediante un recurso de amparo cuando se invoca la presunta de lesión de alguno de esos derechos. Pero eso no es suficiente. Es preciso que el objeto en discusión pueda ser conocido adecuadamente en un proceso sumario: es decir, en un trámite sencillo sin necesidad de una fase probatoria compleja. Además, el carácter sumario debe manifestarse no sólo en la fase de conocimiento sino también en su fase de ejecución. Sobre la base de lo anterior, las suscritas magistradas estimamos que el presente asunto no corresponde ser conocido en la Sala Constitucional mediante el recurso de amparo, pues, aunque podrían estar involucrados derechos fundamentales, para analizarlo debidamente se requiere producir prueba técnica proveniente de diversas disciplinas, con el fin de examinar los diversos elementos que entran en juego en su resolución”. (Sentencia 2020-23160; el destacado no es del original).

• 2)Caso Rainforest Alliance En otra ocasión, la Sala conoció de un recurso de amparo interpuesto contra Rainforest Alliance (expediente 21-023756-0007-CO), que declaró con lugar (sentencia 2022-005556). Consigné mi voto salvado en el que, entre otros argumentos, afirmé lo siguiente:

“3. Sobre el procedimiento del recurso de amparo Como se anunció en el preámbulo de este voto salvado, para que la aducida lesión a un derecho constitucional o fundamental pueda ser conocida ante esta jurisdicción, la naturaleza del reclamo debe ser compatible con las características del recurso de amparo. Si bien este no es el caso ?por no existir un derecho constitucional o fundamental de por medio?, cabría afirmar que muchos otros agravios podrían ser reconducidos hacia el Derecho de la Constitución, porque en definitiva esta es la base de la que dimana el resto del ordenamiento jurídico.

No obstante, no toda infracción a un derecho constitucional debe ser necesariamente valorada en el recurso de amparo, pues por la naturaleza del reclamo, en muchos casos, la mejor manera de examinarlo con detalle y profundidad es residenciarlo en la vía ordinaria, que ofrece amplias garantías para las partes a fin de resolver el conflicto que hay entre ellas y que cuenta con las posibilidades de acudir a una robusta justicia cautelar. Al respecto, este Tribunal ha reiterado una línea jurisprudencial en el sentido de que “el proceso de amparo es de carácter eminentemente sumario porque tiene como única finalidad brindar tutela oportuna contra infracciones o amenazas inminentes a los derechos y libertades fundamentales, por lo que su tramitación no se aviene bien con la práctica de diligencias probatorias lentas y complejas” (entre muchos otros se pueden consultar los votos números 2003-14336, 2006-014421 y 2020-019038). Esta línea jurisprudencial no hace sino recordar la naturaleza propia de este proceso. [El destacado no es del original].

También es preciso indicar que existen otros mecanismos jurisdiccionales paralelos, en donde con amplias garantías se puede conceder tutela a reclamos relacionados con infracciones a derechos de rango constitucional o fundamentales. Un ejemplo de ello es la tesis de la Sala Constitucional que ordenó, bajo una mejor ponderación, residenciar los reclamos relacionados con la dilación de los procedimientos administrativos en la jurisdicción contencioso-administrativa, pues en el fondo su análisis implica un examen de los plazos legales con los que cuentan las administraciones públicas para atender los reclamos de los administrados. Así, desde la sentencia n.°2008-002545 la Sala Constitucional viene sosteniendo de forma ininterrumpida lo siguiente:

“Es evidente que determinar si la administración pública cumple o no los plazos pautados por la Ley General de la Administración Pública (artículos 261 y 325) o las leyes sectoriales para los procedimientos administrativos especiales, para resolver por acto final un procedimiento administrativo –incoado de oficio o a instancia de parte- o conocer de los recursos administrativos procedentes, es una evidente cuestión de legalidad ordinaria que, en adelante, puede ser discutida y resuelta ante la jurisdicción contencioso-administrativa con la aplicación de los principios que nutren la jurisdicción constitucional, tales como los de la legitimación vicaria, la posibilidad de la defensa material –esto es de comparecer sin patrocinio letrado- y de gratuidad para el recurrente”. (Lo destacado no corresponde al original).

En forma similar, desde la sentencia n.°2017-017948, este Tribunal ha venido resolviendo, en relación con la tutela de derechos laborales, lo siguiente:

“Ciertamente, la tutela de la Sala Constitucional, en tratándose de la materia laboral, deriva de la aplicación del Título V, Capítulo Único, de la Constitución Política, denominado Derechos y Garantías Sociales. Es allí, donde encuentran protección constitucional, por medio del recurso de amparo, el derecho al trabajo, al salario mínimo, a la jornada laboral, al descanso semanal, a vacaciones anuales remuneradas, a la libre sindicalización, al derecho de huelga, a la celebración de convenciones colectivas de trabajo, entre otros; todo ello, con ocasión del trabajo. Sin embargo, bajo una nueva ponderación, dada la promulgación de la Reforma Procesal Laboral, Ley N° 9343 de 25 de enero de 2016, vigente desde el 25 de julio de 2017, esta Sala considera que ahora todos los reclamos relacionados con esos derechos laborales, derivados de un fuero especial (por razones de edad, etnia, sexo, religión, raza, orientación sexual, estado civil, opinión política, ascendencia nacional, origen social, filiación, discapacidad, afiliación sindical, situación económica, así como cualquier otra causal discriminatoria contraria a la dignidad humana), tienen un cauce procesal expedito y célere, por medio de un proceso sumarísimo y una jurisdicción plenaria y universal, para su correcto conocimiento y resolución, en procura de una adecuada protección de esos derechos y situaciones jurídicas sustanciales, con asidero en el ordenamiento jurídico infra constitucional, que tiene una relación indirecta con los derechos fundamentales y el Derecho de la Constitución. Iguales razones caben aplicar para las personas servidoras del Estado, respecto del procedimiento ante el Tribunal de Servicio Civil que les garantiza el ordenamiento jurídico, así como las demás personas trabajadoras del Sector Público para la tutela del debido proceso o fueros semejantes a que tengan derecho de acuerdo con el ordenamiento constitucional o legal. En fin, el proceso sumarísimo será de aplicación, tanto del sector público como del privado, en virtud de un fuero especial, con goce de estabilidad en el empleo o de procedimientos especiales para su tutela, con motivo del despido o de cualquier otra medida disciplinaria o discriminatoria, por violación de fueros especiales de protección o de procedimientos, autorizaciones y formalidades a que tienen derecho, las mujeres en estado de embarazo o periodo de lactancia, las personas trabajadoras adolescentes, las personas cubiertas por el artículo 367, del Código de Trabajo, las personas denunciantes de hostigamiento sexual, las personas trabajadoras indicadas en el artículo 620, y en fin, de quienes gocen de algún fuero semejante mediante ley, normas especiales o instrumentos colectivos de trabajo”.

Esto pone de manifiesto que, incluso, cuando hay de por medio derechos de orden constitucional o fundamental, no necesariamente su restablecimiento y protección debe residenciarse en la jurisdicción constitucional a través del recurso de amparo, sino que pueden existir vías paralelas más garantistas desde el punto de vista procesal, destinadas a conocer –con la profundidad que el caso lo requiere– reclamos relacionados con estos derechos. Justamente, por la forma en que está diseñado el recurso de amparo, es que los agravios que se deben conocer en esta sede son aquellos en los cuales la tutela del derecho sea compatible con las características y posibilidades de este proceso sumario. Por el contrario, no corresponde conocer en el recurso de amparo aquellos asuntos que necesiten un complejo análisis probatorio, fases de contradicción, e inmediación de la prueba, que desnaturalizan por completo la esencia del recurso de amparo” [El destacado no es del original].

• 3)Parque Viva Posteriormente, la Sala conoció del caso Parque Viva (expediente 22-016697-0007-CO). En la parte dispositiva (sentencia 2022-25167), en lo que a mí atañe dice: “La magistrada Garro Vargas salva parcialmente el voto en el siguiente sentido: lo declara con lugar, por sus propias razones, respecto de la libertad de expresión; y lo declara sin lugar respecto de la anulación de la orden sanitaria y del citado oficio, por cuanto estima que lo relativo a estos no procede ser conocido en esta jurisdicción”. De mi voto salvado deseo destacar lo siguiente, que es relevante para el presente asunto:

“La competencia del órgano también está determinada por el respeto de la naturaleza del proceso.

No todo acto u omisión o vía de hecho, que provengan de una autoridad, aunque sean de suyo impugnable, es susceptible de ser conocido en un proceso sumario e informal. Las razones pueden ser diversas: la complejidad jurídica o técnica del acto, la necesidad de contar con un amplio acervo probatorio para determinar su validez y eficacia, etc. Sobre esto hay jurisprudencia consolidada que la Sala reitera todas las semanas al rechazar buena parte de los recursos de amparo que le son presentados.

Igualmente, el tribunal debe constatar si el objeto protegido (los derechos fundamentales presuntamente conculcados) puede ser efectivamente garantizado mediante un recurso de amparo, que es un proceso sumario e informal. Al respecto hay una reiteradísima jurisprudencia sobre el particular, que la Sala también recoge de modo habitual.

Justamente en este sentido, suscribí con la magistrada Hernández López una nota que reiteramos en muchas ocasiones [ya citada acá] (…) (nota a la sentencia 2020-23153).

Esto es así porque ciertamente muchos asuntos involucran derechos fundamentales, pero deben ser conocidos en su sede correspondiente”. (El destacado no es del original).

En esa ocasión añadí unos párrafos con un tono un tanto didácticos, pero que reflejaban de manera simple mi aproximación al tema.

“Por ejemplo, si una persona aduce que la defraudaron en una compraventa de un lote, qué duda cabe –si en efecto fue así– que le han violado su derecho y que este es un derecho fundamental. Se trata del derecho reconocido en el artículo 45 de la Constitución Política; pero es claro que el litigio sobre el particular no corresponde ser conocido en la Sala Constitucional, ni siquiera si el vendedor fue un sujeto de derecho público, porque para resolver este tipo de conflictos está la jurisdicción correspondiente. Sin ir más lejos, pues los ejemplos podrían ser abundantísimos, si un transeúnte dispara a otro, el victimario está violando el derecho fundamental a la vida o, al menos, a la integridad de la víctima, pero evidentemente el asunto tampoco puede ser conocido mediante un recurso de amparo, porque esa conducta está tipificada y, por tanto, será el juez penal quien determine la responsabilidad y el alcance y las consecuencias de esta. Pues bien, esto la Sala habitualmente lo ha tenido muy claro en su jurisprudencia, por eso, cada semana, rechaza muchos recursos de amparo señalando que se trata de asuntos propios de la legalidad ordinaria.

Lo anterior significa que, para que un caso sea examinado y resuelto en un recurso de amparo, no basta aducir que la lesión del derecho fundamental alegada tiene su causa en una conducta de la parte recurrida. Y la Sala procura respetar esos criterios justamente para no invadir las competencias de la jurisdicción ordinaria (establecidas en los artículos 49 y 153 de la Constitución Política) o las de las autoridades administrativas, según corresponda. Pero no solo por ese motivo, sino porque de esa manera, residenciándose el asunto donde corresponde, las partes tendrán todas las garantías procesales propias del debido proceso, que en un recurso sumario e informal como el amparo se reducen. Así, por ejemplo, los informes de las autoridades, al ser dados bajo fe de juramento, se tienen por ciertos, por lo que las posibilidades de desvirtuarlos son mucho menores que en procesos plenarios.

Por eso la Sala debe constatar si en atención al objeto impugnado (los actos presuntamente lesivos), al objeto protegido (los derechos fundamentales presuntamente conculcados) y al tipo de lesión (si la afectación es directa o no) el asunto es susceptible de ser conocido en un proceso sumario como es el amparo”. (El destacado no es del original).

• 4)Asuntos ambientales de gran complejidad Esta Sala conoció de un asunto ambiental (expediente 22-003777-0007-CO) en el que se declaró parcialmente con lugar (sentencia 2022-9857). En lo que interesa, estimó que los aspectos de gran complejidad no debían ser residenciados en esta jurisdicción. En esa oportunidad los magistrados Castillo Víquez, Garita Navarro y la suscrita consignamos una nota, que sostiene lo siguiente:

“X.- NOTA DE LOS MAGISTRADOS CASTILLO VÍQUEZ Y GARITA NAVARRO Y DE LA MAGISTRADA GARRO VARGAS, CON REDACCIÓN DE LA ÚLTIMA.

Estimamos necesario consignar esta nota en la que advertimos que, bajo una mejor ponderación, en asuntos ambientales de tanta complejidad ?como el que se cuestiona en el caso concreto? valoramos que corresponde desestimar el recurso para residenciar la discusión en la vía ordinaria en donde con mayores posibilidades probatorias y procesales, así como de ejecución, se examine con detalle la conducta cuestionada.

En primer lugar, se hace necesario enfatizar que consideramos que esta Sala es competente para conocer recursos de amparo relacionados con la lesión al derecho fundamental a un medio ambiente sano y ecológicamente equilibrado en los términos del artículo 50 de la Constitución Política. Lo anterior, como lo ha hecho este Tribunal con tanto éxito en el pasado. Sin embargo, advertimos que hay cuestionamientos y denuncias que, por su complejidad, rebasan la naturaleza sumaria del recurso de amparo y, en tales circunstancias, resulta más garantista para todas las partes, e incluso para la tutela efectiva del derecho al ambiente sano y ecológicamente equilibrado y de la protección de los recursos naturales, residenciar el conflicto en una vía ordinaria, de conocimiento plenario, en la que con más oportunidades procesales se pueda examinar la prueba y contrastar los agravios. En definitiva, para juzgar con detalle la regularidad de la conducta omisiva y/o activa de las administraciones públicas competentes en la atención y resolución del conflicto ambiental denunciado.

Recuérdese que históricamente esta Sala ha sostenido la línea jurisprudencial de que “el proceso de amparo es de carácter eminentemente sumario porque tiene como única finalidad brindar tutela oportuna contra infracciones o amenazas inminentes a los derechos y libertades fundamentales, por lo que su tramitación no se aviene bien con la práctica de diligencias probatorias lentas y complejas” (entre muchos otros se pueden consultar los votos números 2003-14336, 2006-014421 y 2020-019038). Esta línea jurisprudencial no hace sino recordar la naturaleza propia de este proceso. Por otra parte, a partir de la entrada en vigencia del Código Procesal Contencioso Administrativo se determinó que dicha jurisdicción posee amplias competencias para conocer de agravios como los que se cuestionan en el sub lite. A tales efectos, este Tribunal ha reiterado lo siguiente:

“[A]nte la promulgación del Código Procesal Contencioso-Administrativo (Ley No. 8508 de 24 de abril de 2006) y su entrada en vigencia a partir del 1° de enero de 2008, ha quedado patente que ahora los justiciables cuentan con una jurisdicción contencioso-administrativa plenaria y universal, sumamente expedita y célere por los diversos mecanismos procesales que incorpora al ordenamiento jurídico esa legislación, tales como el acortamiento de los plazos para realizar los diversos actos procesales, la amplitud de la legitimación, las medidas cautelares, el numerus apertus de las pretensiones deducibles, la oralidad –y sus subprincipios concentración, inmediación y celeridad-, la única instancia con recurso de apelación en situaciones expresamente tasadas, la conciliación intra-procesal, el proceso unificado, el proceso de trámite preferente o “amparo de legalidad”, los procesos de puro derecho, las nuevas medidas de ejecución (multas coercitivas, ejecución sustitutiva o comisarial, embargo de bienes del dominio fiscal y algunos del dominio público), los amplios poderes del cuerpo de jueces de ejecución, la extensión y adaptación de los efectos de la jurisprudencia a terceros y la flexibilidad del recurso de casación. Todos esos institutos procesales novedosos tienen por fin y propósito manifiesto alcanzar la economía procesal, la celeridad, la prontitud y la protección efectiva o cumplida de las situaciones jurídicas sustanciales de los administrados, todo con garantía de derechos fundamentales básicos como el debido proceso, la defensa y el contradictorio”. (Ver, por ejemplo, las sentencias números 2010-17909, 2020-011247 y 2022-003724).

En contraposición, la ausencia de una fase probatoria plenaria que facilite la inmediación y el contradictorio de la prueba, imponen necesariamente que, en aras de una adecuada y prudente protección del derecho, se recurra a la vía ordinaria para conocer conflictos medio ambientales de suyo complejos como el que se plantea en el caso concreto. (…).

De la enumeración de agravios y el análisis de la pretensión de la parte recurrente es posible constatar que el conflicto denunciado es sumamente complejo de resolver mediante el proceso de amparo y, por lo tanto, correspondería ser residenciado en una sede ordinaria que, con mayores herramientas, pueda conocer con profundidad la denuncia de fondo, adoptar medidas cautelares y dictar amplias y específicas órdenes para atender la problemática apuntada.

La Sala debe conocer de los asuntos ambientales en todos aquellos casos cuya pretensión sea compatible con la naturaleza sumaria del recurso de amparo. Todo lo que pueda conocerse y residenciarse ante la jurisdicción constitucional porque la pretensión es compatible con las cualidades y posibilidades que este proceso otorga, debe mantenerse en esta sede. No así las denuncias ambientales cuya dilucidación requiera para su conocimiento y adecuado análisis un espacio probatorio plenario como el que se prevé en la Jurisdicción Contencioso Administrativa. Esa es la excepción. Estimamos que la regla es entonces que procede conocer en un recurso de amparo cuando sea relativamente sencilla la constatación de la problemática y la Sala tenga las herramientas apropiadas para una oportuna y apropiada reparación, es decir, que su ejecución sea también propia de un proceso sumario.

Al respecto, es preciso advertir que hay agravios que son fácilmente constatables y no sería tan difícil su conocimiento, pero son parte de un todo. Por lo tanto es mejor que ese todo sea residenciado en una sede que, por sus características, permita que el asunto sea conocido integralmente con el análisis de todas las aristas que revisten el caso concreto. Eso sucede precisamente en el sub lite en el que se acusa la falta de resolución de una denuncia para dotar de más personal para custodiar el Área de Conservación de Osa y, paralelamente, se denuncian y enumeran una serie de problemáticas que justifican ?a juicio de los recurrentes? la necesidad de nombrar más personal técnico para salvaguardar la zona.

En definitiva, consideramos que, bajo una mejor ponderación, se hace preciso concluir que hay conflictos que, por su magnitud, requieren necesariamente de un proceso probatorio plenario para su atención y resolución. Este es justamente uno de esos casos, por lo que estimamos que lo correspondiente es declarar sin lugar el recurso y remitir la totalidad del conflicto planteado ?denuncia por escasez de personal en detrimento de la biodiversidad? ante la jurisdicción contencioso-administrativa.

Esta nota la realizamos en aras de garantizar la debida seguridad jurídica en las líneas jurisprudenciales de esta Jurisdicción Constitucional y advertir concretamente en qué consiste el cambio de criterio parcial de los suscritos magistrados”. (El destacado no es del original).

En términos similares me he referido en otros asuntos ambientales (por ejemplo, sentencias 2023-11233 y 2023-16088).

Conclusión

Lo dicho hasta acá es suficiente para mostrar que he procurado ser consistente en mi línea de votación. Esta puede resumirse diciendo que, para que la Sala Constitucional determine con acierto su propia competencia al conocer de asuntos que se le someten mediante un recurso de amparo, ha de respetar la necesaria congruencia que debe haber entre el objeto protegido (derechos fundamentales), objeto impugnado (conducta administrativa o de sujeto de derecho) y mecanismo procesal (proceso sumario). Esto significa que debe admitir a su trámite solo asuntos en los que, además de estar involucrada la presunta lesión de un derecho fundamental, el objeto impugnado sea susceptible de ser conocido mediante un proceso sumario, sencillo, sin complejidad probatoria. Esto además corresponde hacerlo en aras del debido proceso, el respeto de la naturaleza de los procesos y de la finalidad misma de esta jurisdicción.

Conviene agregar que si se afirmara que sólo la Sala Constitucional está llamada a proteger derechos fundamentales sería tanto como poner en entredicho, desde su raíz misma, el principio de supremacía constitucional y el de unidad del ordenamiento. Además, supondría ?en este caso? menospreciar injustamente la jurisdicción contencioso-administrativa y su robusta justicia cautelar y sus mecanismos de ejecución.

Anamari Garro Vargas Magistrada VCG08/2024 ... Ver más Contenido de Interés:

Tipo de contenido: Nota separada Rama del Derecho: 4. ASUNTOS DE GARANTÍA Tema: CONTRATOS O LICITACIONES Subtemas:

LICITACION.

Vista la redacción final de la sentencia de esta Sala, número 2024-2222, de las catorce horas de 26 de enero de 2024, por la cual se declara sin lugar el presente recurso de amparo, el suscrito Magistrado renuncia a la nota que durante la discusión de dicha sentencia indicó que consignaría.

San José, 31 de julio de 2024.

Jorge Araya G. Magistrado VCG08/2024 ... Ver más Res. N° 2024-002222 SALA CONSTITUCIONAL DE LA CORTE SUPREMA DE JUSTICIA. San José, a las catorce horas del veintiséis de enero de dos mil veinticuatro.

Recurso de amparo que se tramita en el expediente nro. 23-023887-0007-CO, interpuesto por [Nombre 001], gerente general de [Nombre 002]., cédula jurídica [Valor 001], contra el INSTITUTO COSTARRICENSE DE ELECTRICIDAD (ICE).

Resultando:

1.- Por escrito recibido en la Secretaría de la Sala el 28 de setiembre de 2023, la parte accionante plantea recurso de amparo contra el ICE. Expone los siguientes hechos: “1.- Mi representada está preparada para participar en la licitación pública que abrirá el ICE para implementar y operar la tecnología 5G IMT en sus redes, dado que somos uno de los principales proveedores de esa tecnología en Costa Rica. 2.- El 31 de agosto pasado, el Poder Ejecutivo promulgó y publicó en La Gaceta el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic), el cual contiene disposiciones que expresamente impiden la participación de mi representada en ese concurso público. 3.- Tanto el Presidente de la República, la Ministra del MICITT así como el Presidente Ejecutivo del ICE han manifestado públicamente que la promulgación del citado Reglamento se hizo con el motivo específico de impedir la participación de empresas de diversas nacionalidades, especialmente las de origen chino, en los procesos licitatorios tendentes a la obtención y operación de la tecnología en telecomunicaciones 5G IMT y Superiores de las redes de aquella institución. 4.- El Presidente del ICE manifestó por medio del periódico El Mundo CR el pasado 16 de setiembre que el respectivo concurso público será publicado antes de finales de setiembre del año en curso. 5.- Adicionalmente, y como prueba fehaciente y absoluta del riesgo que existe para mi representada, el día 5 de setiembre de 2023 a las 4:20 p.m. se recibió de parte del señor Huberth Valverde Batista, Administrador del Contratos del ICE, un correo en el que envían un cuestionario consultando sobre el cumplimiento del Reglamento de Ciberseguridad No.44196-MSP-MICITT. El propio correo se indica la necesidad de obtener esa información en 4 días hábiles. 6.- Dicho cuestionario, como se puede apreciar de la certificación notarial que se aporta, es una copia exacta de los requerimientos del Reglamento. 7.- Lo anterior es prueba directa que, ante la publicación inminente de la licitación, mi representada se verá afectada e imposibilidad de participar en ella. 8.-Ante esta situación resulta más que claro, evidente y manifiesto el riesgo directo, indudable, actual, inminente y real al que se enfrenta la empresa que represento”. Describe amenazas en los siguientes términos: “1.- El Presidente Ejecutivo del ICE ha dicho claramente que a finales de setiembre esa institución sacará a concurso público la adquisición de la tecnología en telecomunicaciones 5G Móvil y que, en ese concurso público, aplicarán los requisitos exigidos en el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” (sic) . 2.- Como lo cita el medio noticiero digital "El Mundo.CR" el 15 de setiembre del año en curso, el presidente Ejecutivo del ICE expresamente señaló lo siguiente: "el decreto ya lo tienen los equipos y lo están revisando para ver de qué manera se incluye en el cartel. Además, tenemos algunas aclaraciones que tenemos que hacer. Sin embargo, la respuesta es que sí, vamos a tener que incluir lo que ahí se dispone, puesto que es política pública aplicable" (https: elmundo.cr/costa-rica/licitaciónpara-5g-saldra-a-finales-de-setiembre-vetando-empresas-chinas/). 3.- El presidente de la República, don Rodrigo Chaves Robles, había declarado ante la prensa cuando se encontraba en los Estados Unidos, luego de haber firmado poco antes de su partida el citado Reglamento, que su promulgación tenía como objetivo impedir la participación de empresas de diverso origen, en los próximos concursos públicos que abrirían el ICE y la SUTEL para la adquisición de la tecnología en telecomunicaciones 5G Móvil lo cual se puede verificar en el siguiente link https://dplnews.com/rodrigo-chaves-prohibeempresas-chinas-en-el-desarrollo-de-5g-en-costa-rica/ 4.- Este criterio fue ratificado por la ministra del MICITT en el programa radial de Amelia Rueda el lunes 4 de setiembre pasado conforme se puede verificar en el siguiente link https://ameliarueda.com/noticia/huawei-china-5g-micitt-subastacosta-rica-noticas 5.- En consonancia con todo lo anterior, mi representada recibió un cuestionario del ICE, solicitando confirmación del cumplimiento del Decreto, el cual se refiere específicamente a la tecnología 5G o superior, esto como una evidencia clara y directa de la intención del ICE de promover este concurso a la mayor brevedad. 6.-Es evidente que el cuestionario enviado por el ICE tiene directa relación con el Pliego de Condiciones que será utilizado para el proceso de licitación que tenga como objetivo la tecnología 5G. De conformidad con la Ley General de la Contratación Pública, la Administración, previo a publicar el Pliego de Condiciones de cualquier naturaleza, debe realizar un estudio de mercado para verificar cuáles son los posibles oferentes. En este caso es evidente que el ICE está cumpliendo con el estudio de mercado establecido en artículo 34 de la Ley de Contratación Pública, al hacer las preguntas sustentadas en el Reglamento, dejando así claro que van a incorporar dichas disposiciones al proceso licitatorio de 5G, en razón de que el Reglamento es una norma vigente el ICE no tiene potestad para desaplicarlo. 7.- Por tanto, estamos en presencia de una amenaza cierta, real, efectiva e inminente, casi en etapa de ejecución, de un acto lesivo de los derechos fundamentales de mi representada. 8.- En efecto, el concurso público que abrirá el ICE antes de finales de este mes, según lo han anunciado sus propios personeros, impedirá que mi representada pueda participar en él, por el simple hecho de ser una compañía de origen chino. 9.- Es importante indicar que no puede ser imputable a mi representada que el Gobierno de la República Popular China, dentro de sus potestades soberanas, no haya firmado al día de hoy el Convenio de Budapest. 10.- El Convenio de Budapest fue publicado 18 años antes que la tecnología 5G fuera lanzada al mercado, por lo que es imposible que alguna de sus consideraciones estuviera relacionada con esa tecnología. Se está usando un factor de evaluación que está desfasado y no relacionado directamente con la ciberseguridad, además de que se viola el principio de imparcialidad tecnológica recogido en el Capítulo XIII del CAFTA. 11- Es completamente discriminatorio que se le impida a mi representada participar en una licitación por una decisión que no está en sus manos, por ser una decisión completamente del Gobierno chino. 12- La única forma de evitar una flagrante violación a los derechos constitucionales de libre competencia e igualdad de participación que según la jurisprudencia de esa Sala tienen rango constitucional (Voto 998-1998) , así como el derecho a la no discriminación, es mediante la suspensión inmediata del concurso público en cuestión. 13- Si el citado acto llegare a materializarse el perjuicio para mi representada sería irreversible y de imposible reparación, tales como los daños y perjuicios reputacionales. Por ello, es que estamos procesalmente legitimados para incoar el presente recurso de amparo contra las amenazas inminentes del ICE, consistentes en sacar un concurso público para implementar y operar la tecnología 5G IMT en sus redes, del cual estamos de antemano excluidos”. Refiere las siguientes violaciones a los derechos fundamentales de su representada: “La amenaza recurrida viola en perjuicio de mi representada al menos los siguientes derechos fundamentales: a) derecho de libre competencia e igualdad de participación en los concursos públicos y b) derecho a no ser discriminado en razón del origen de la empresa. A.-La violación de los derechos fundamentales de libre competencia e igualdad de participación en los concursos públicos. 1.- La jurisprudencia de esa Sala ha establecido que “si el artículo 182 de la Constitución Política establece este principio -el de la licitación-, entonces se encuentran inmersos en el concepto todos los principios propios de la Contratación Administrativa. En virtud de lo anterior, debe entenderse que del artículo 182 de la Constitución Política se derivan todos los principios y parámetros constitucionales que rigen la actividad contractual del Estado. Algunos de estos principios que orientan y regulan la licitación son: 1.- de la libre concurrencia, que tiene por objeto afianzar la posibilidad de oposición y competencia entre los oferentes dentro de las prerrogativas de la libertad de empresa regulado en el artículo 46 de la Constitución Política, destinado a promover y estimular el mercado competitivo, con el fin de que participen el mayor número de oferentes, para que la Administración pueda contar con una amplia y variada gama de ofertas, de modo que pueda seleccionar la que mejores condiciones le ofrece; 2.- de igualdad de trato entre todos los posibles oferentes, principio complementario del anterior y que dentro de la licitación tiene una doble finalidad, la de ser garantía para los administrados en la protección de sus intereses y derechos como contratistas, oferentes y como particulares, que se traduce en la prohibición para el Estado de imponer condiciones restrictivas para el acceso del concurso, sea mediante la promulgación de disposiciones legales o reglamentarias con ese objeto, como en su actuación concreta; y la de constituir garantía para la administración, en tanto acrece la posibilidad de una mejor selección del contratista; todo lo anterior, dentro del marco constitucional dado por el artículo 33 de la Carta Fundamental" (Voto 998-1998). 2.- La amenaza del ICE de sacar un concurso público en el que aplicará el artículo 10) incisos c), d), e) y f) y el numeral 11 del Reglamento precitado implica una clara violación, en perjuicio de mi representada, de sus derechos fundamentales a la libre concurrencia en las contrataciones públicas y de igualdad de trato de los oferentes. 3.- En efecto, esas normas establecen requisitos para que compañías de diversas nacionalidades, así como las de origen chino, no puedan participar en ningún concurso público para la adquisición de tecnología de telecomunicaciones 5G Móvil y superiores. 4.- De esa forma se violan de manera grosera y evidente los derechos fundamentales a la libertad de competencia e igualdad de trato que tienen todos los eventuales interesados en participar en concursos públicos para la adquisición de bienes y servicios en nuestro país, entre ellos mi representada. 5.- En el caso de mi representada, el pliego de condiciones impedirá nuestra participación en esa contratación pública al aplicar lo estipulado en los incisos c), d), e) y f) del artículo 10 y numeral 11 del citado Reglamento, que es la finalidad que persigue esa normativa según declaraciones del Presidente Ejecutivo del ICE, de la Ministra del MICITT y del Presidente de la República. A confesión de parte, relevo de prueba. B.- La violación del principio constitucional a no ser discriminado por ninguna razón 1.- El artículo 33 de la Constitución consagra el principio cardinal en el Derecho Occidental, de que ninguna persona, física o jurídica, puede ser discriminada por ninguna razón (sexo, creencias religiosas, ideología, nacionalidad, etc.). 2.- En el presente caso a mi representada se le discrimina abiertamente tanto por su supuesta ideología como por su nacionalidad, lo que implica una grosera violación del artículo 33 de la Constitución Política. 3.- Por ejemplo, admitir que sólo (sic) empresas de países que hayan suscrito el Convenio de Budapest pueden participar en los concursos públicos para adquirir la tecnología 5G es evidentemente discriminatorio, pues tal Convenio no se refiere estrictamente a temas de ciberseguridad sino que más bien esa normativa se enfocan en la pena de crímenes informáticos que incluyen: fraudes, infracciones a la propiedad intelectual, distribución y posesión de pornografía infantil, falsificación informática, entre otros. Aplicando una política penal común entre los Estados inscritos. En este contexto, otra característica del Convenio de Budapest es la cooperación internacional, aspecto que facilita la investigación de infracciones cibernéticas y que es relevante por las características de los delitos informáticos y la posibilidad de que sean cometidos fuera de las fronteras de un país, pero con impacto en un territorio determinado. 4.- Recordemos que la discriminación, desde el punto de vista jurídico, significa otorgamiento de trato diferente basado en desigualdades injustas o arbitrarias que son contrarias al principio de igualdad ante la ley. 5.- La prohibición de discriminar cobija la interdicción de hacerlo por cualquier circunstancia personal o social; o sea, que toda diferenciación que carezca de justificación objetiva y razonable puede calificarse de discriminatoria. 6.- De esa forma, son contrarias al principio de no discriminación las desigualdades de trato que se funden exclusivamente en razones de sexo, raza, condición social, motivos ideológicos, origen, nacionalidad, etc. 7.- La normativa que el ICE pretende aplicar en el citado concurso público implica una clara violación al principio de no discriminación en perjuicio de mi representada, dado que se la excluye de un concurso público por razones supuestamente ideológicas y de nacionalidad”. Formula la siguiente solicitud de medida cautelar: “1.- Dado que estamos ante un caso de excepción, pues si no se suspende la ejecución del futuro acto lesivo de nuestros derechos fundamentales y que se encuentra casi en fase de ejecución, el perjuicio para mi representada sería irreparable e irreversible pues no podría participar en el citado concurso público para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil. Para entender esta irreparabilidad e irreversibilidad, se debe considerar que el ICE representa el 60% del negocio de Huawei en Costa Rica. Ante esto, si Huawei se ve impedido de participar en el concurso, se estarían afectando de forma directa a cerca de 80 empleados en Costa Rica, además de las pérdidas financieras para la empresa. 2.- Por tanto, solicitamos que en aplicación del artículo 41 de la Ley de la Jurisdicción Constitucional, se proceda a suspender la publicación de cualquier pliego de condiciones o en caso de que ya esté publicado, la suspensión de cualquier proceso licitatorio por parte del ICE en que deba aplicarse el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) hasta tanto esa Sala Constitucional se haya pronunciado sobre el fondo de este recurso de amparo y, en caso de que fuere convertido en una acción de inconstitucionalidad, hasta que se haya pronunciado sobre el fondo de ésta”. Plantea esta petitoria: “1.- Que mi representada no puede ser impedida de participar en el citado concurso público introduciendo cláusulas de imposible cumplimiento para ella, porque ello viola los derechos fundamentales a la libre competencia, la igualdad de trato y la prohibición de la discriminación exclusivamente por razones ideológicas y de nacionalidad. 2.- Que una vez notificada al ICE la imposibilidad de continuar adelante con el concurso público tantas veces citado, se convierta este amparo en una acción de inconstitucionalidad con el fin de que varias normas del Reglamento impugnado puedan ser eliminadas del ordenamiento jurídico y, por tanto, no puedan ser aplicados en ninguna licitación presente o futura”.

2.- Mediante resolución de las 18:41 horas de 29 de setiembre de 2023, la Presidencia de la Sala dio curso al proceso y solicitó informe tanto al presidente ejecutivo como al administrador de contratos, ambos del ICE, sobre los siguientes hechos: “que la compañía [Nombre 002], a la cual representa, está preparada para participar en la licitación pública que abrirá el Instituto Costarricense de Electricidad -ICE- para implementar y operar la tecnología 5G IMT en sus redes, dado que son uno de los principales proveedores de esa tecnología en Costa Rica. Indica que el 31 de agosto de 2023, el Poder Ejecutivo promulgó y publicó en La Gaceta el “Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” (sic) (sic), el cual contiene disposiciones que expresamente impiden la participación de su representada en ese concurso público. Señala que el presidente de la República, la ministra del Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones -MICITT- y el presidente ejecutivo del ICE, han manifestado públicamente que la promulgación del citado reglamento se hizo con el motivo específico de impedir la participación de empresas de diversas nacionalidades, especialmente las de origen chino, en los procesos licitatorios tendentes a la obtención y operación de la tecnología en telecomunicaciones SG IMT y superiores de las redes del instituto recurrido. Arguye que el 16 de setiembre de 2023, el presidente del ICE manifestó por medio del periódico El Mundo CR, que el respectivo concurso público sería publicado antes de finalizar el mes de setiembre del año en curso. Agrega que el día 5 de setiembre de 2023, a las 4:20 p.m., la compañía que representa recibió un correo electrónico de parte del señor Huberth Valverde Batista, en su condición de Administrador de Contratos del ICE, en el cual se le envió un cuestionario consultando sobre el cumplimiento del Reglamento de Ciberseguridad nro. 44l96- MSP-MICITT, además se indicó la necesidad de obtener esa información en 4 días hábiles. Alega que ese cuestionario, es una copia exacta de los requerimientos del citado reglamento, lo cual asegura que es una prueba directa que, ante la publicación inminente de la licitación, su representada se verá afectada e impedida de participar en ella. Afirma que ante esa situación resulta más que evidente el riesgo directo que se enfrenta la empresa a la cual representa. Estima lesionados los derechos fundamentales de libre competencia e igual participación en los concursos públicos y el derecho a no ser discriminado en razón del origen nacional de la empresa. Por los motivos expuestos, solicita que se declare con lugar el presente recurso”.

3.- Por escrito recibido en la Secretaría de la Sala el 6 de octubre de 2023, la parte recurrente se apersona. Expone: “Para los efectos del artículo 75 de la Ley de la Jurisdicción Constitucional alego de manera sucinta la inconstitucionalidad e inconvenciona1idad in toto y de algunas normas en específico de “El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5G) y superiores”, aprobado mediante decreto ejecutivo número 44196- MSP -MCITT, publicado en La Gaceta del 31 de agosto del 2023. A continuación, fundamento someramente los vicios constitucionales alegados. I.- Vicios de inconstitucionalidad “El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5 G) y superiores”, aprobado mediante decreto ejecutivo número 44196- MSP-MCITT, publicado en La Gaceta del 31 de agosto del 2023, contiene serios vicios tanto de inconstitucionalidad como de inconvencionalidad, los cuales enumeramos a continuación de manera sucinta. 1.- El Reglamento in toto viola el artículo 28 de la Constitución Política, por cuanto regula materia reservada por tales normas al dominio de la ley. Es decir, sólo (sic) por ley se pueden reglamentar y, sobre todo, restringir el ejercicio de los derechos fundamentales. 9.- Finalmente, los artículos 9 párrafo primero y 11 inciso f) violan el principio constitucional de razonabilidad técnica, el cual exige, como lo ha establecido la jurisprudencia de esa Sala, que toda norma y, en general, todo acto emanado de las instituciones públicas, debe estar fundamentado en criterios técnicos sobre la materia que regulan. 10.- Es la especie, los artículos impugnados carecen de fundamentación técnica y los requisitos establecidos en ellos no se ajustan a los estándares internacionales debidamente probados, aceptados y adoptados. Por ejemplo, el artículo 9 párrafo primero dispone que “Los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento, deberán solicitar a sus suministradores de hardware y software, que intervienen en el funcionamiento y operación de las redes 5G y superiores y sus servicios, la definición de los requisitos, controles y mediciones del sistema de gestión de ciberseguridad de la cadena de suministro para el diseño, desarrollo, producción, entrega, instalación y mantenimiento de hardware, software y servicios de conformidad con el estándar SCS 9001 “Estándar de Seguridad de la Cadena de Suministro” sin justificar porqué se exige específicamente este standard. El Estándar SCS 9001 (Supply Chain Security 9001) fue recientemente creado, en el 2022, por la TIA (Telecommunications Industry Association), que es una agrupación Estadounidense de proveedores TIC (Tecnologías de la Información y Comunicación). El Estándar SCS 9001 carece de datos suficientes que permitan la comprobación de su eficacia, puesto que aún se encuentran en la fase de planes piloto para llevar a cabo la correspondiente evaluación técnica. El ecosistema actual de normas de Ciberseguridad, que ha sido desarrollado por ISO, GSMA y 3GPP, siendo reconocido, aceptado, verificado e implementado por la industria de Servicios de Telefonía Móvil Celular a nivel mundial, desde hace ya varios años. 11.- Los artículos 8 inciso i) y 10 inciso a) violan el principio constitucional de proporcionalidad. 12.- Como lo ha establecido la jurisprudencia de esa Sala, un acto estatal que limite derechos fundamentales debe ser necesario, idóneo y proporcional. 13.- Los artículos antes citados del Reglamento no son necesarios, ni idóneos ni proporcionales. En efecto, no son necesarios pues la red de telefonía ha operado en el país desde sus inicios mediante el sistema de diversificación vertical, que es la metodología más eficiente y por ende la más ampliamente usada a nivel mundial, para garantizar un balance de proveedores que garantice la seguridad de la red en forma costo-efectiva. Si algo funciona bien no hay razón para cambiar. Por tanto, no existe una necesidad imperiosa de acoger el modelo indicado en los artículos 8 inciso i) y el 10 inciso a) del Reglamento impugnado. 14.-Finalmente, no existe una proporcionalidad entre el supuesto beneficio que obtendría el interés público según el modelo indicado en loé artículos 8 inciso i) y el 10 inciso a) del Reglamento impugnado”.

4.- Por escrito incorporado al expediente digital el 9 de octubre de 2023, rinden informe bajo juramento Marco Vinicio Acuña Mora y Huberth Valverde Batista, por su orden presidente ejecutivo y administrador de contratos, ambos del ICE. Señalan: “I. CONTEXTO En virtud del principio de colaboración con las Autoridades de Justicia, a nivel de preámbulo y para efectos de establecer en su justa dimensión lo alegado por el Sr. Recurrente, se realiza el siguiente contexto para facilitar una mejor comprensión de los hechos al Alto Tribunal Constitucional: 1. El Recurso de Amparo interpuesto, y por ende los hechos alegados, se basan en el Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” emitido el 25 de agosto de 2023 por la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, publicado en el Alcance N.º 166 del Diario Oficial La Gaceta del 31 de agosto de 2023, vigente a partir de esa fecha. 2. El Decreto N.º 44196-MSP-MICITT en el artículo 2, establece lo siguiente: “Artículo 2º-Ámbito de aplicación. Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basadas en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones. En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores.” (El resaltado, con excepción del título del artículo, es proveído). 3. El Reglamento de marras, en el artículo 13, relativo a sanciones e infracciones establece lo siguiente: “Artículo 13º— Sanciones e infracciones. El régimen sancionatorio administrativo aplicable por el incumplimiento de las disposiciones contenidas en este Decreto Ejecutivo se regirá por lo dispuesto en la Ley Nº 8642, Ley General de Telecomunicaciones.” (El resaltado, con excepción del título del artículo, es proveído). Los anteriores elementos fácticos, de conocimiento general, permiten evidenciar de manera palmaria los siguientes aspectos que serán centrales para resolver el caso: 1. El ICE no emitió el Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores, con lo cual existe una evidente falta de legitimación pasiva del Instituto para efectos del presente Recurso de Amparo. 2. El ICE, en su condición de operador y proveedor de servicios de telecomunicaciones, junto con los otros homólogos de naturaleza pública o privada, están sometidos al presente Reglamento emitido por el Poder Ejecutivo; ámbito de aplicación que, en el caso del Instituto, al emplear fondos públicos, también comprende los procesos de compra pública. 3. Si el ICE, en dicha condición de operador y proveedor de servicios de telecomunicaciones, incumple con las disposiciones del Reglamento será sometido al régimen sancionatorio administrativo de la Ley General de Telecomunicaciones N.º 8642 (LGT), el cual, dependiendo de la gravedad particular de la falta, podría implicar sanciones de uno por ciento (1%) y hasta un diez por ciento (10%) de las ventas anuales obtenidas por el infractor durante el ejercicio fiscal anterior, o entre un uno por ciento (1%) y hasta por un diez por ciento (10%) del valor de los activos del infractor, además del cierre definitivo del establecimiento, clausura de instalaciones, en aplicación de los artículos 68 y 69 de la LGT. 4. Hasta el momento, lo que el ICE ha realizado es un estudio de mercado, de conformidad con el artículo 85 del Reglamento a la Ley General de Contratación Pública, con los posibles proveedores de la tecnología de la red de telecomunicaciones 5G, para verificar las condiciones del mercado y comprobar el cumplimiento de los mismos en materia de ciberseguridad, conforme las disposiciones del Decreto precitado; es decir, no existe a la fecha una publicación de un pliego de condiciones para un concurso específico, conforme dispone la Ley General de Contratación Pública. A partir de estos criterios objetivos y legítimos, en el siguiente apartado haremos referencias a los hechos indicados por el Sr. Recurrente. II. SOBRE LOS HECHOS ALEGADOS POR EL SR. RECURRENTE Con base en el informe técnico N.º 9191-1520-2023 del 6 de octubre de 2023 emitido por el Programa 5G de la Gerencia de Telecomunicaciones del ICE, el cual se aporta como prueba, a continuación, hacemos referencia a los hechos que el Sr. Recurrente, haciendo la salvedad respectiva cuando versen sobre elementos fácticos que no corresponden directamente al ICE, o bien, cuando son hechos valorativos, y por ende no puros y simples. HECHO PRIMERO: El Sr. Recurrente manifiesta lo siguiente: (…) RESPUESTA DEL ICE: No le consta al ICE las afirmaciones que realiza el Sr. Recurrente en cuanto a la aptitud, estado y características de su representada. En lo que respecta a las manifestaciones que realiza en cuanto a que el ICE abrirá una licitación pública para implementar y operar la tecnología 5G IMT en sus redes, se debe contextualizar y dimensionar lo siguiente: Hasta el momento, lo que el ICE ha realizado es un estudio de mercado, de conformidad con el artículo 85 del Reglamento a la Ley General de Contratación Pública, con los posibles proveedores de la tecnología de la red de telecomunicaciones 5G, para verificar las condiciones del mercado y comprobar el cumplimiento de los mismos en materia de ciberseguridad, conforme las disposiciones del Decreto precitado; es decir, no existe a la fecha una publicación de un pliego de condiciones para un concurso específico, conforme dispone la Ley General de Contratación Pública. HECHO SEGUNDO: El Sr. Recurrente manifiesta lo siguiente: (…) RESPUESTA DEL ICE: Este hecho, además de ser en parte de carácter valorativo, no corresponde a conductas activas o pasivas del ICE. En virtud del principio de colaboración con el Honorable Tribunal Constitucional nos permitimos manifestar que lo indicado por el Sr. Recurrente es parcialmente cierto, según se explica a continuación: Es cierto en cuanto a que el Poder Ejecutivo, a través de la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones el 31 de agosto de 2023 promulgó y publicó el Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores”; para lo cual se debe precisar que la divulgación se realizó en el Alcance N.º 166 del Diario Oficial La Gaceta del 31 de agosto de 2023, estando vigente a partir de dicha fecha. En cuanto a las afirmaciones de que dicho Reglamento contiene disposiciones que expresamente impiden la participación de la representada del Sr. Recurrente en el concurso, esto son valoraciones propias del accionante, y no hechos, que en todo caso no le constan al ICE. HECHO TERCERO: El Sr. Recurrente manifiesta lo siguiente: (…) RESPUESTA DEL ICE: El Recurrente en este hecho, en parte, hace referencia a supuestas manifestaciones públicas que no le corresponden al ICE, sino al Sr. Presidente de la República y la Sra. Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, con lo cual no se harán referencia a las mismas al ser hechos ajenos a este Instituto. Por su parte, se rechaza que el Presidente Ejecutivo del ICE haya manifestado públicamente que la promulgación del reglamento se hizo con el motivo específico de impedir la participación de empresas de diversas nacionales, especialmente las de origen chino, en los procesos licitatorios tendientes a la obtención y operación de la tecnología en telecomunicaciones 5G IMT y Superiores de las redes de la Institución como erróneamente lo indica el Sr. Recurrente. A este respecto, si bien en la prueba documental aportada por el Sr. Recurrente consta parcialmente algunas manifestaciones que se transcriben entrecomilladas del Sr. Presidente Ejecutivo del ICE (en los medios AmeliaRueda.com y elmundo.cr), en ninguna de ellas se evidencia que haya manifestado lo que alega expresa y específicamente el accionante en el hecho tercero, sin que le puedan ser endilgadas al Sr. Presidente Ejecutivo del ICE las respetables opiniones, enfoques, perspectivas, matices o línea editorial que hayan tenido los periodistas y medios de comunicación sobre el reglamento, ni los titulares o encabezados de dichas noticias. Además, como se explicó anteriormente, el ICE no fue el emisor de dicho Reglamento, ni quien lo promulgó, sino que como operador y proveedor de servicios de telecomunicaciones debe acatar dicha normativa de carácter general. HECHO CUARTO: El Sr. Recurrente manifiesta lo siguiente: (…) RESPUESTA DEL ICE: Es cierto parcialmente según se explicará a continuación. Es cierto en cuanto a que el Sr. Presidente Ejecutivo del ICE hizo manifestaciones ante el medio de comunicación elmundo.cr, con las siguientes aclaraciones: • La noticia es de fecha 15 de setiembre de 2023 y no del 16 de setiembre de 2023 según se deduce de la prueba documental aportada por el Sr. Recurrente. • En la noticia se transcriben entrecomilladas algunas manifestaciones del Sr. Presidente Ejecutivo del ICE, sin que sea cierto, ni preciso concluir específica y unívocamente lo afirmado en el hecho cuarto en cuanto a que el concurso público será publicado antes de finales de setiembre del año en curso, sino que esa afirmación se deriva del propio titular de la noticia y de la redacción del primer párrafo de la misma, ambos realizados por el periodista o medio de comunicación, lo cual si bien es plenamente respetable no puede ser atribuible directamente al Sr. Presidente Ejecutivo. • A este respecto el titular de la noticia fue “Licitación para 5G saldrá a finales de septiembre vetando empresas chinas” y la redacción del primer párrafo de dicha nota periodística fue “San José, 15 sep (elmundo.cr)- El presidente ejecutivo del Instituto Costarricense de Electricidad (ICE), señaló que la licitación para adjudicar las frecuencias de 5G saldrá a finales de septiembre”. • Por el contrario, según se evidencia de la misma noticia, y así lo puede constatar el Honorable Tribunal, ante la pregunta del medio de comunicación relativo a cuánto va a durar este proceso para que Costa Rica empiece a trabajar el tema de 5G, lo manifestado por el Sr. Presidente Ejecutivo del ICE, según se entrecomilla fue lo siguiente: “nosotros creemos que ya en unos tres meses, o sea, este año, a ver, septiembre, octubre, diciembre. Este año debería quedar adjudicada la empresa, y ya después sí, para empezar a implementar el otro año, si Dios quiere”. (El resaltado es proveído). Por ende, no es correcto lo manifestado en este hecho cuarto en cuanto a que el Presidente Ejecutivo del ICE indicó que el concurso sería publicado a finales de setiembre del año en curso, dado que según lo transcrito en dicha noticia da un rango que oscila entre setiembre a diciembre de 2023, incluso nótese que a la fecha esta publicación no ha sucedido. HECHO QUINTO: El Sr. Recurrente manifiesta lo siguiente: (…) RESPUESTA DEL ICE: Lo manifestado por el Sr. Recurrente no constituye en su integralidad un hecho puro y simple, dado que las afirmaciones relativas a “prueba fehaciente y absoluta del riesgo que existe a mi representada” son manifestaciones de carácter valorativo y subjetivas. En cuanto a la comunicación recibida por la representada del Sr. Recurrente, es cierto, bajo la siguiente contextualización y precisiones: 1. El Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” emitido por la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, según se comentó anteriormente, entró a regir el 31 de agosto de 2023. (Ver Anexo N.º 1 del Informe Técnico) 2. Este Reglamento, según se indica en el artículo 1 “tiene por objeto establecer medidas de ciberseguridad para garantizar el uso y la explotación segura y con resguardo de la privacidad de las personas, de las redes y los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores”. Asimismo, el artículo 2 establece lo siguiente: (Ver Anexo N.º 1 del Informe Técnico) “Artículo 2º-Ámbito de aplicación. Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basadas en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones. En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores.” (El resaltado, con excepción del título del artículo, es proveído). 3. Ante la entrada en vigor de dicho Reglamento, obligatorio para los operadores y proveedores de servicios de telecomunicaciones, el 5 de setiembre de 2023 la Gerencia de Telecomunicaciones del ICE, a través del Área Administradora de Contratos, y para efectos de un estudio de mercado, envió a potenciales interesados (Huawei, Nokia, Ericsson, GBM Costa Rica y Rakuten) una comunicación electrónica con la siguiente redacción y consultas: (Ver Anexo N.º 2 del Informe Técnico) “Buenas tardes: En vista de la reglamentación emitida en relación al (sic) tema de ciberseguridad para la tecnología 5G en Costa Rica, se solicitar (sic) indicar el cumplimiento de los siguientes puntos por parte de su representada, esto con el fin de realizar estudio de mercado: 1. El proveedor podrá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el presente reglamento, a la hora de planificar, diseñar e implementar su oferta técnica. 2. Indicar el cumplimiento de los siguientes estándares de ciberseguridad:

Número Nombres ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad 3. Que la solución ofertada no es de un único suministrador en cuanto a hardware y software. Entiéndase por Suministradores de hardware y software a: Entidades que brindan servicios o equipo activo a los sujetos comprendidos en el artículo 2 del presente reglamento. Esta categoría incluye: i) fabricantes de equipos de telecomunicaciones; y ii) otros proveedores externos, como proveedores de infraestructura en la nube, integradores de sistemas, contratistas de seguridad y mantenimiento, y fabricantes de equipos de transmisión, cuando estos se encargan de configurar e integrar los equipos activos y software de la solución. 4. Indicar si su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). 5. Que proveedor es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. 6. Indicar si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de los servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses” La información requerida se debe dar respuesta para el próximo 08 de setiembre de 2023”. 4. El 08 de setiembre de 2023, a las 12:24 horas, por medio de correo electrónico, el señor Juan Carlos Blanco Infante de la empresa NOKIA responde a las consultas realizadas, según se demuestra en el Anexo N.º 3 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 5. El 08 de setiembre de 2023, a las 15:46 horas, por correo electrónico, el señor Mustafa Syed de la empresa Rakuten, responde a las consultas realizadas, según se demuestra en el Anexo N.º 4 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 6. El 08 de setiembre de 2023, a las 18:29 horas por correo electrónico, el señor Neil Baute de la empresa Ericsson, responde a las consultas realizadas, según se demuestra en el Anexo N.º 5 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 7. El 08 de setiembre de 2023, mediante oficio UL-2023-0460, el señor Eduardo Blanco González de la empresa GBM de Costa Rica, responde a las consultas realizadas según se demuestra en el Anexo N.º 6 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 8. El 11 de setiembre de 2023, el señor Marcel Aguilar Sandoval de la empresa Huawei Tecnologies (sic) Costa Rica, responde a las consultas realizadas, según se demuestra en el Anexo N.º 7 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 9. En lo que concierne a las respuestas de Huawei Tecnologies (sic) Costa Rica, según podrá constatar el Honorable Tribunal Constitucional, no se evidencia que dicha empresa haya tenido algún tipo de disconformidad con lo consultado. (Ver Anexo N.º 7 del Informe Técnico). 10. Hasta el momento, lo que el ICE ha realizado es un estudio de mercado, de conformidad con el artículo 85 del Reglamento a la Ley General de Contratación Pública, con los posibles proveedores de la tecnología de la red de telecomunicaciones 5G, para verificar las condiciones del mercado y comprobar el cumplimiento de los mismos en materia de ciberseguridad, conforme las disposiciones del Decreto precitado; es decir, no existe a la fecha una publicación de un pliego de condiciones para un concurso específico, conforme dispone la Ley General de Contratación Pública. HECHO SEXTO: El Sr. Recurrente manifiesta lo siguiente: (…) RESPUESTA DEL ICE: Es cierto con las siguientes precisiones: • Las consultas realizadas por el ICE, en fase de estudio de estudio de mercado, son acordes con lo establecido en el Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” emitido el 25 de agosto de 2023 por la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, publicado en el Alcance N.º 166 del Diario Oficial La Gaceta del 31 de agosto de 2023, vigente a partir de esa fecha. • Dicha normativa emitida por el Poder Ejecutivo es de acatamiento obligatorio para el ICE, según se ha explicado anteriormente. • Si el ICE incumple con las disposiciones del Reglamento será sometido al régimen sancionatorio administrativo de la Ley General de Telecomunicaciones N.º 8642 (LGT). • Conforme a lo indicado en la respuesta al hecho quinto, no se evidencia que Huawei Tecnologies (sic) Costa Rica haya tenido algún tipo de disconformidad, al momento de responder las consultas del ICE relativas al Reglamento en cuestión en el marco del estudio de mercado realizado. HECHO SÉTIMO: El Sr. Recurrente manifiesta lo siguiente: (…) RESPUESTA DEL ICE: Lo afirmado por el Sr. Recurrente no es un hecho puro y simple, sino que son afirmaciones de carácter valorativo, y por ende subjetivas. En virtud del principio de colaboración con el Honorable Tribunal Constitucional nos permitimos reiterar que hasta el momento, lo que el ICE ha realizado es un estudio de mercado, de conformidad con el artículo 85 del Reglamento a la Ley General de Contratación Pública, con los posibles proveedores de la tecnología de la red de telecomunicaciones 5G, para verificar las condiciones del mercado y comprobar el cumplimiento de los mismos en materia de ciberseguridad, conforme las disposiciones del Decreto precitado; es decir, no existe a la fecha una publicación de un pliego de condiciones para un concurso específico, conforme dispone la Ley General de Contratación Pública. Asimismo, conforme a lo indicado en la respuesta al hecho quinto, no se evidencia que Huawei Tecnologies (sic) Costa Rica haya tenido algún tipo de disconformidad, al momento de responder las consultas del ICE relativas al Reglamento en cuestión en el marco del estudio de mercado realizado. HECHO OCTAVO: El Sr. Recurrente manifiesta lo siguiente: (…) RESPUESTA DEL ICE: Lo afirmado por el Sr. Recurrente no es un hecho puro y simple, sino que son afirmaciones de carácter valorativo, y por ende subjetivas. En virtud del principio de colaboración con el Honorable Tribunal Constitucional nos permitimos reiterar que hasta el momento, lo que el ICE ha realizado es un estudio de mercado, de conformidad con el artículo 85 del Reglamento a la Ley General de Contratación Pública, con los posibles proveedores de la tecnología de la red de telecomunicaciones 5G, para verificar las condiciones del mercado y comprobar el cumplimiento de los mismos en materia de ciberseguridad, conforme las disposiciones del Decreto precitado; es decir, no existe a la fecha una publicación de un pliego de condiciones para un concurso específico, conforme dispone la Ley General de Contratación Pública. Asimismo, conforme a lo indicado en la respuesta al hecho quinto, no se evidencia que Huawei Tecnologies (sic) Costa Rica haya tenido algún tipo de disconformidad, al momento de responder las consultas del ICE relativas al Reglamento en cuestión en el marco del estudio de mercado realizado. III. SOBRE LOS FUNDAMENTOS DE DERECHO QUE ALEGA EL SR. RECURRENTE RELATIVOS A PRESUNTAS VIOLACIONES A DERECHOS FUNDAMENTALES DE LIBRE COMPETENCIA, NO DISCRIMINACIÓN E IGUALDAD DE CONDICIONES EN CONCURSOS PÚBLICOS En cuanto a las manifestaciones realizadas por el Sr. Recurrente, en el Apartado de Derecho del escrito de interposición del Recurso de Amparo, sobre presuntas violaciones a derechos fundamentales de libre competencia, no discriminación e igualdad de participación en los concursos públicos, en virtud del principio de colaboración, nos permitimos manifestar lo siguiente al Honorable Tribunal Constitucional: El Reglamento sobre Medidas de Ciberseguridad aplicables a los Servicios de Telecomunicaciones basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores emitido y publicado por Poder Ejecutivo, en el párrafo segundo del artículo 2 (Ámbito de aplicación) establece lo siguiente: “En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores.” (El resaltado y subrayado son proveídos). Este Reglamento, como se ha explicado supra, resulta de carácter mandatorio para el ICE como operador de telecomunicaciones, conforme dispone también el párrafo primero del artículo 2 de dicha normativa. Como ha quedado evidenciado en este informe, no es ICE quien emite dicha normativa, sino, que al momento de generar alguna contratación para la red 5G deberá en su momento oportuno, considerar obligatoriamente las condiciones establecidas en tal Decreto. Hasta el momento, lo que el ICE ha realizado es un estudio de mercado, de conformidad con el artículo 85 del Reglamento a la Ley General de Contratación Pública, con los posibles proveedores de la tecnología de la red de telecomunicaciones 5G, para verificar las condiciones del mercado y comprobar el cumplimiento de los mismos en materia de ciberseguridad, conforme las disposiciones del Decreto precitado; es decir, no existe a la fecha una publicación de un pliego de condiciones para un concurso específico, conforme dispone la Ley General de Contratación Pública. Por otra parte, el Sr. Recurrente menciona en el recurso, en el apartado de derecho, lo siguiente: “12- La única forma de evitar una flagrante violación a los derechos constitucionales de libre competencia e igualdad de participación que según la jurisprudencia de esa Sala tienen rango constitucional (Voto 998-1998), así como el derecho a la no discriminación, es mediante la suspensión inmediata del concurso público en cuestión.” Valga aclarar que esta indicación que hace el Sr. Recurrente, en su condición de representante de la empresa Huawei, carece de fundamento, toda vez que el ICE no ha publicado concurso alguno que tenga por objeto la contratación relativa a la tecnología 5G. El estado de situación actual de la Institución, atendiendo a su deber sustancial de proveer los servicios de telecomunicaciones e infocomunicaciones a la población, es el de analizar las condiciones que provee el mercado para atender el desarrollo de la red 5G que va a ocupar el ICE, en cumplimiento del artículo 34 de la Ley General de Contratación Pública N°9986 y el artículo 85 del Reglamento a dicha Ley. Este artículo 34 de la Ley N°9986, justamente dispone: “…El estudio de mercado tendrá también como fin establecer la existencia de bienes, obras o servicios, en la cantidad, calidad y oportunidad requeridas, así como verificar la existencia de proveedores, permitir la toma de decisiones informadas respecto del procedimiento de contratación y proporcionar información para la determinación de disponibilidad presupuestaria. Dicho estudio deberá considerar todo el ciclo de vida de la contratación y tomar en cuenta el principio de valor por el dinero, todo lo cual se deberá desarrollar en el reglamento de la presente ley…” (El subrayado es proveído). En ese sentido, las actuaciones del ICE se han apegado a derecho, en procura de tomar decisiones informadas y sustentadas, siendo contestes con el deber de los funcionarios públicos de respaldar sus actuaciones. Además, nótese por parte de la Sala Constitucional, que esa misma información ha sido solicitada por el ICE a los posibles oferentes, donde se consultó tanto a la representada del Sr. Recurrente como a las empresas Nokia, Ericsson, GBM Costa Rica y Rakuten, según se explicó en la respuesta al Hecho Quinto. Así las cosas, no es cierto que se esté violentando el principio de libre competencia e igualdad de participación indicado por el Sr. Recurrente, toda vez que no se ha cursado invitación a participar en un concurso del ICE, y las acciones de la Institución han estado apegadas a las etapas previas establecidas en materia de adquisiciones, conforme a la Ley General de Contratación Pública, de manera transparente e igualitaria. Debe considerarse que la empresa que representa el Sr. Recurrente en este momento no constituye un oferente o un contratista como para alegar que se le está violentando el principio de igualdad de trato, que es una garantía de los intereses de esos oferentes o contratistas propiamente en los procedimientos de contratación pública como tales, y no en etapas tempranas de sondeo o estudio de mercado, en las que aun así también se le consideró. En torno al tema en estudio es importante, traer a colación lo dispuesto por la Contraloría General de la República en su resolución R-DCA-0153-2019: “…Se presume que la función administrativa del Estado tiene un fin público y que por lo tanto sus actos (en este caso los carteles de una licitación) se presumen dictados apegados al ordenamiento jurídico y básicamente como instrumento de satisfacción de los intereses generales. De tal suerte que cada cartel lleva implícita la presunción de apego a los principios de la contratación administrativa y del resto del ordenamiento jurídico, siempre partiendo de la supremacía del interés general sobre cualquier otro (…)Y es que acá debe partirse de otro elemento fundamental que conviene reiterar, los procedimientos de contratación administrativa no son concursos que han de ser abiertos a todo el mercado de manera irrestricta y por encima de las necesidades concretas que tiene cada entidad licitante; ello llevaría no solo al caos comparativo de ofertas que son diametralmente diferentes y por lo tanto incomparables, sino principalmente a un fuerte riesgo de afectación a la satisfacción de las necesidades públicas. En otros términos, la libre concurrencia y la igualdad de trato no han de ser entendidas como portillos irrestrictos para todo aquel que desee concursar, sino como un punto de sano y razonable equilibrio entre las verdaderas necesidades que debe satisfacer la Administración Pública y un trato justo y equitativo a 10 todos aquellos potenciales oferentes que sí logran contribuir adecuadamente en esa delicada labor. En la práctica ese equilibrio, así como la justicia y equidad que ha de perseguir el ordenamiento jurídico se logra mediante la incorporación únicamente de cláusulas limitativas (o más bien delimitativas) que tengan el adecuado sustento técnico, legal y financiero pero concomitantemente mediante la posibilidad revisar esas cláusulas, en aras de la adecuada satisfacción del interés general e igualmente mediante argumentos objetivamente fundamentados, que permitan el estudio del cartel no solo desde la perspectiva de los intereses particulares, sino primordialmente desde la óptica de la función social o colectiva que persigue el Estado.”…” (El resaltado es proveído). Podemos concluir entonces, que las consideraciones que potencialmente tengan por objeto mitigar riesgos en materia de ciberseguridad identificados en el citado Decreto Ejecutivo, no lesionan el principio constitucional de igualdad y libre concurrencia en materia de contratación pública, en el entendido que están orientados a la prevención y mitigación del riesgo en esta materia como lineamientos de política pública definidos por el Poder Ejecutivo como rector en materia de telecomunicaciones en el país. Así las cosas, el ICE ha actuado en todo momento apegado al Principio de Legalidad, siguiendo las disposiciones de la Ley General de Contratación Pública en estas etapas tempranas de sondeo o estudio de mercado, como de lo dispuesto en el Decreto antes mencionado; además, en apego a los principios de integridad y transparencia, así como la buena fe en cuanto las gestiones de contratación pública y como principio moral básico de la Administración, conforme a las normas éticas en donde prevalece el interés público sobre cualquier otro. Importante, considerar por el Tribunal Constitucional, que tratándose de la materia de contratación pública, todo procedimiento tiene inmersa la satisfacción de un interés público, incluso de alcance general, el cual celosamente debe resguardar la Administración en toda compra que se promueva, entendiendo que para ello goza de una amplia discrecionalidad en la definición de la cláusulas del pliego de condiciones que tiendan a la protección de ese interés, y que eventualmente puedan no ser cumplidas por algunos oferentes, sin que tal disposición tienda a lesionar el principio constitucional de igualdad de trato y libre participación. Ahora bien, en el momento en que el ICE tenga certeza del objeto a contratar, su alcance y condiciones, y proceda a publicar un pliego de condiciones relativo a la tecnología 5G, cualquier empresa interesada podrá participar, siempre que cumpla con los requerimientos definidos por la Administración en dicho pliego, de manera que no se está limitando la participación a ningún posible proveedor. Por ende, no existe ningún tipo de transgresión a derechos fundamentales establecidas en la Constitución Política, ni a los alegados por el Sr. Recurrente. IV. SOBRE LA IMPROCEDENCIA DE LA MEDIDA CAUTELAR Se solicita se rechace la medida cautelar solicitada por el Sr. Recurrente en cuanto a suspender la publicación de cualquier pliego de condiciones dado que no se cumple con los presupuestos establecidos para dicha tutela excepcional. En este sentido, según se ha explicado en el presente informe, hasta el momento, lo que el ICE ha realizado es un estudio de mercado, de conformidad con el artículo 85 del Reglamento a la Ley General de Contratación Pública, con los posibles proveedores de la tecnología de la red de telecomunicaciones 5G, para verificar las condiciones del mercado y comprobar el cumplimiento de los mismos en materia de ciberseguridad, conforme las disposiciones del Decreto precitado; es decir, no existe a la fecha una publicación de un pliego de condiciones para un concurso específico, conforme dispone la Ley General de Contratación Pública. La empresa que representa el Sr. Recurrente en este momento no constituye un oferente o un contratista como para alegar que se le está violentando los principios de igualdad, libre competencia o discriminación, que es una garantía de los intereses de esos oferentes o contratistas propiamente en los procedimientos de contratación pública como tales, y no en etapas tempranas de sondeo o estudio de mercado, en las que aun así también se le consideró, sin que haya tenido algún tipo de disconformidad, al momento de responder las consultas del ICE relativas al Reglamento en cuestión según se explicó en la respuesta al Hecho Quinto. Las acciones del ICE han estado apegadas a las etapas previas establecidas en materia de adquisiciones, conforme a la Ley General de Contratación Pública y al Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” emitido por el Poder Ejecutivo, disposición que como operador y proveedor de servicios de telecomunicaciones debe acatar de manera obligatorio dado que su incumplimiento implica que será sometido al régimen sancionatorio administrativo de la Ley General de Telecomunicaciones N.º 8642 (LGT). El suspender la publicación de cualquier pliego de condiciones, en los términos solicitado por el Sr. Recurrente, no solo implicaría un daño grave, irreparable e irreversible a esta Institución Pública, impidiéndole cumplir con sus competencias establecidas por ley, sino que ante todo afectaría a los usuarios finales de telecomunicaciones a quienes se les impediría tener acceso a nuevas tecnologías y servicios, afectando su derecho fundamental de acceso a las telecomunicaciones, reconocido jurisprudencialmente por este Tribunal Constitucional y positivizado recientemente por el Constituyente Derivado por reforma a la Carta Magna. (…) VI. PETITORIA A partir de lo expuesto, se solicita que el Recurso de Amparo sea declarado sin lugar en todos sus extremos y sin especial condenatoria en costas relativas al Instituto, toda vez que el ICE no ha lesionado derecho fundamental alguno y tampoco ostenta la legitimación pasiva, al no haber emitido el Decreto Ejecutivo aludido por el recurrente”.

5.- Por escrito recibido en la Secretaría de la Sala el 10 de octubre de 2023, se apersona la parte accionante. Indica: “Con fundamento en el artículo 41 de la Ley de la Jurisdicción Constitucional reitero mi solicitud que se suspenda la ejecución de la licitación que promoverá el ICE en pocos días para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil, con base en las siguientes razones fácticas y jurídicas. 1.- Las finalidades del recurso de amparo 1.- Como es sabido, la institución del amparo fue tomada por nuestros Constituyentes de 1949 de la efímera Constitución cubana de 1940. Este modelo, a diferencia de lo que ocurre en el resto de las legislaciones, establece el recurso de amparo exclusivamente contra conductas administrativas (actos, omisiones, amenazas). 2.- Este sistema tiene la ventaja de que cumple con el principal objetivo del recurso de amparo que consiste en evitar la violación de derechos fundamentales cuando se plantea contra amenazas, o bien en restituir el derecho fundamental conculcado antes de que el daño se convierta en irreversible. Para lograr este objetivo es que se utiliza precisamente el instituto de las medidas cautelares y, en el caso costarricense, de suspender los efectos de la ejecución de la conducta impugnada, de conformidad con la letra y espíritu del artículo 41 de la Ley de la Jurisdicción Constitucional. 3.- Cuando el amparo se consagra sólo (sic) contra resoluciones judiciales, como ocurre en la mayoría de las legislaciones, sólo (sic) tiene un efecto indemnizatorio, pues ya la violación o amenaza de violación se ha materializado de manera irreversible, por lo que resulta jurídicamente imposible restituir al amparado en el ejercicio efectivo de su derecho fundamental conculcado o bien la amenaza de violación se tradujo en una conculcación irreversible de su derecho. 4.- Por ello, cuando en nuestro sistema no se suspende la ejecución del acto o de la amenaza impugnada por la gravedad de sus implicaciones, el citado remedio procesal termina teniendo sólo (sic) efectos indemnizatorios pues se habría renunciado a cumplir con su vocación primaria de restituir el derecho fundamental vulnerado o de impedir que se viole alguno. 5.- Por tanto, esa Sala debe valorar, caso por caso, cuando es imprescindible suspender la ejecución presente (cuando se trata de actos) o futura (cuando estemos en presencia de amenazas), dado que si, en determinados casos no lo hace, la no suspensión podría producir violaciones irreversibles a los derechos fundamentales y sus titulares tendrían que resignarse con el cobro de los daños y perjuicios sufridos en la vía contencioso- administrativa. 6.- En tales circunstancias, el recurso de amparo deja de ser un remedio procesal para reintegrar el derecho violado o impedir que se concrete su violación, para convertirse en una jurisdicción reparadora de daños y perjuicios. Esta última función es accesoria y debe ceder ante la finalidad primaria del amparo que es la tutela efectiva de los derechos fundamentales. II.- Los elementos para decretar una medida cautelar 1.- En el presente caso estamos en presencia de un caso de excepción, pues si no se suspende la ejecución del futuro acto lesivo de nuestros derechos fundamentales y que se encuentra casi en fase de ejecución, el perjuicio para mi representada sería irreparable e irreversible pues no podría participar en el citado concurso público para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil. 2.- Por ello es claro que en la especie se presentan los tres elementos que la doctrina procesal administrativa considera que son necesarios para el otorgamiento de una medida cautelar, a saber: a) apariencia de buen derecho, b) peligro en la demora, c) bilateralidad del periculum in mora. 3.- La apariencia de buen derecho está ampliamente demostrada en el expediente con las evidentes violaciones de los derechos fundamentales a la libre concurrencia e igualdad de participación en los concursos públicos en perjuicio de mi representada. 4.- El peligro en la demora consiste en el temor objetivamente fundado y razonable de que la situación jurídica sustancial aducida resulte seriamente dañada o perjudicada en forma grave e irreparable, durante el transcurso del tiempo necesario para dictar sentencia en el proceso principal. 5.- Este presupuesto requiere la presencia de dos elementos: el daño o perjuicio grave y la demora en el proceso principal, sin soslayar que dentro de este presupuesto se encuentra lo que la doctrina denomina la “bilateralidad del periculum in mora” o como comúnmente se le conoce, la ponderación de los intereses en juego. 6.- El presupuesto del peligro en la demora alude a dos aspectos: primero, a los daños que se reprochen que son susceptibles de producirse actual o potencialmente de no adoptarse la medida que se requiere. Daños que deben establecerse como graves, además de tenerse como derivados de la situación aducida. 7.- En cuanto a los daños es claro que, de no suspenderse los efectos de la conducta impugnada en el presente recurso de amparo, se le podrían ocasionar daños y perjuicios de difícil o inclusive imposible reparación a mi representada, al impedírsele participar en el citado procedimiento licitatorio tendente a la adquisición de la tecnología en telecomunicaciones 5 G Móvil. 8.- Solo para el Instituto Costarricense de Electricidad los costos por la exclusión de [Nombre 002]. que es el actual suplidor de hardware y software para esa entidad, sería de $1.5 billones. Lo anterior es un hecho público y notorio que consta en la noticia de La República de 11 de septiembre de 2023 “Excluir a empresas asiáticas de concurso de redes 5G le costaría al país $1,5 billones en tecnología” disponible en https://www.larepublica.net/noticia/excluir-a-empresas-asiaticas-de-concurso-de-redes-5g-le-costaria-al-pais-15-billones-en-tecnologia 9.- En segundo lugar, este presupuesto se refiere a la situación que se genera con ocasión de los procesos jurisdiccionales que requieren para su desarrollo y posteriormente fenecimiento, la realización de una serie de actos a través de los cuales se garantiza no sólo (sic) el debido proceso, sino la emisión de un fallo que si no se puede llevar a cabo con prontitud al menos que sea justo. 10.- El ponerle fin a un proceso, cuya sentencia dependerá de que previamente se resuelva una acción de inconstitucionalidad contra normas que necesariamente tienen que aplicarse en él, demanda tiempo y es precisamente donde la tutela cautelar adquiere especial relevancia, por cuanto mientras llega esa decisión del proceso se evita la producción de graves daños, que en el evento de producirse haría nugatorio el derecho que se reclama. 11.- El presente recurso de amparo no podrá resolverse antes que esa misma Sala vote por el fondo la acción de inconstitucionalidad que se presentará con base en él, lo cual podría tardar al menos dos años. 12.- La bilateralidad del periculum in mora se refiere a la ponderación de los intereses en juego, vinculado ello con el interés público que sea susceptible de encontrarse en necesidad de ser protegido, frente al interés de terceros y por supuesto del interés de quien acude por medio de una medida cautelar, debiendo valorarse comparativamente los mismos, imponiéndose la derogatoria de la medida cuando el perjuicio sufrido o susceptible de ser producido a la colectividad o terceros, sea superior al que podría experimentar el Solicitante de la medida. 13.-El interés público también se vería afectado porque el impacto en los operadores con exclusión de Huawei en 5G tendría efectos muy perjudiciales. La implementación del decreto podría traducirse en la necesidad de un incremento de inversión de aproximadamente USD196,69 millones en un periodo de 5 años. Pero más allá del impacto monetario directo, esta situación podría generar un atraso en la implementación de la tecnología 5G, extendiendo la duración de su despliegue hasta 4 años adicionales. Estos retrasos, además de los costos adicionales financieros, pueden tener repercusiones en la competitividad del país y en la adaptabilidad de las industrias locales a las tendencias tecnológicas globales. 14.-Desde el punto de vista del impacto interno también se acarrearían importantes perjuicios. Por ejemplo, el ICE tendría que incrementar su deuda externa debido a las inversiones adicionales que tendría que realizar para compatibilizar el nuevo sistema. 15.- El PIB bajaría debido a la disminución de las actividades económicas impulsadas por las tecnologías avanzadas y que requieren de la 5G para su desarrollo, tales como la auto conducción, la auto fabricación, la inteligencia artificial, etc. 16.- Los costos de adquisición de equipos por parte de los operadores de redes y prestadores de servicios de telecomunicaciones se incrementarán al tener que adquirirlos a un precio mayor de empresas estadounidenses y europeas (hecho público y notorio que consta en noticias de medios de prensa Semanario Universidad, 6 de septiembre de 2023 “Decreto de Presidente Chaves deja fuera a cinco de las empresas líderes en 5G” disponible en https://semanariouniversidad.com/pais/decreto-de-presidente-chaves-deja-fuera-a-cinco-de-las-empresas-lideres-en-5g/ y Diario Extra, 6 de septiembre de 2023 “Decisión de Gobierno subiría precio del Internet” https://www.diaríoextra.com/Noticia/detalle/504206/decisi-n-de-gobierno-subir-a-precio-del-internet-). 17.- Los costos más elevados en la adquisición de los equipos por los operadores de redes y prestadores de servicios de telecomunicaciones serían trasladados a los consumidores y usuarios finales de tales servicios (Hecho público y notorio que consta en noticias de medios de prensa Semanario Universidad, 6 de septiembre de 2023 “Decreto de Presidente Chaves deja fuera a cinco de las empresas .líderes en SG” disponible en https://semanariouniversidad.com/pais/decreto-de.presidente-chaves-deja-fuera-a-cinco-de-las-empresas-lideres-en-5g/ y Diario Extra, 6 de septiembre de 2023 “Decisión de Gobierno subiría precio del internet” https://www.diarioextra.com/Noticia/detalle/504206/decisi-n-de-gobierno-subir-a-precio-del-internet-). 18.- También habría una pérdida de oportunidades justas para que los usuarios del sistema obtengan acceso a tecnologías avanzadas de 5G debido al inevitable aumento de las tarifas telefónicas. En efecto, el costo adicional de las tecnologías menos avanzadas y el mercado con competencia insuficiente se trasferirá finalmente a los usuarios. El precio de las tarifas aumentaría entre un 40%. 19.- Si se lleva a cabo el despliegue 5G sin restricciones, su inversión contribuiría con USD 748,4 millones al Producto Interno Bruto (PIB) de Costa Rica en un lapso de 5 años. Esto representa un significativo 3,19% del PIB. Sin embargo, bajo las limitaciones del decreto, esta contribución se desploma a apenas USD 419,1 millones. Estamos hablando de una reducción de USD329,3 millones en tan solo cinco años, una cifra nada despreciable para cualquier economía y altamente significativa para Costa Rica. 20.- En todo caso, el estudio económico realizado por el CINPE de la Universidad Nacional en la que participaron 5 prestigiosos investigadores de ese centro educativo llega a las siguientes conclusiones: Capítulo IV: Conclusiones y Recomendaciones. A lo largo de la presente investigación nos hemos propuesto calcular el impacto financiero y económico que tiene para Costa Rica la decisión de implementación del decreto ejecutivo No 44196-MSP-MICITT. Hemos dejado claro en el capítulo 1 de la investigación la importancia y efectos que tendrá el paso de la internet 4 y 4.5 G a las plataformas de uso basadas en 5G. Este proceso de transformación de la economía digital tiene importantes efectos en la competitividad de las empresas, en el empleo y el desarrollo tecnológico de industrias claves para el país y en la generación de oportunidades de innovación. Por todo lo anterior, hemos de tomarle la mayor importancia y trascendencia al proceso que viene para el país con el despliegue de las redes 5G. En el capítulo 2 y 3 de este estudio, a partir de los resultados obtenidos de la aplicación de la metodología de análisis de impacto financiero y de impacto económico, así como la distribución de dichos montos en las tarifas, podemos concluir qué, las restricciones a los proveedores asiáticos y en particular a la empresa Huawei de participar en la licitación de los equipos y el mantenimiento de las redes 5G en Costa (sic), tiene significativos efectos financieros para los operadores de telefonía celular y un muy alto impacto económico y social para el país. Se concluye que: 1. La implementación del decreto podría traducirse en la necesidad de un incremento de inversión de aproximadamente USD196,69 millones en un periodo de 5 años. Pero más allá del impacto monetario directo, esta situación podría generar un atraso en la implementación de la tecnología SG, extendiendo la duración de su despliegue hasta 4 años adicionales. Estos retrasos, además de los costos adicionales financieros, pueden tener repercusiones en la competitividad del país y en la adaptabilidad de las industrias locales a las tendencias tecnológicas globales. 2. Respecto al impacto en la economía de dichos efectos del despliegue de la tecnología 5G puede apreciarse de manera contundente al comparar los escenarios con y sin la implementación de este decreto. De acuerdo con nuestra investigación y los datos presentados en la tabla 2.3, si se lleva a cabo el despliegue 5G sin restricciones, su inversión contribuiría con USD 748,4 millones al Producto Interno Bruto (PIB) de Costa Rica en un lapso de 5 años. Esto representa un significativo 3,19% del PIB. Sin embargo, bajo las limitaciones del decreto, esta contribución se desploma a apenas USD 419,1 millones. Estamos hablando de una reducción de USD 329,3 millones en tan solo cinco años, una cifra nada despreciable para cualquier economía y altamente significativa para Costa Rica. 3. Las industrias más afectadas son, la industria manufacturera, el sector TIC, el sector comercial y la administración pública. La industria de manufactura es un sector estrechamente ligado al dinamismo de las zonas francas y que ha sido históricamente un pilar del crecimiento económico de Costa Rica y esta será la que absorbería cerca de un tercio de ese costo económico (USD 117,0 millones), lo que es alarmante. Esta industria no solo es vital por su aporte al PIB, sino también porque es una fuente crucial de empleo para los costarricenses. Adicionalmente, el sector de información y comunicación no se queda atrás, proyectando un impacto negativo de USD 39,18 millones durante el mismo periodo, como consecuencia directa del decreto. En un tercer lugar, se ubica el costo económico para el sector comercial que totaliza USD 29,9 millones. De alguna forma, el impacto estimado para esta industria sería el mejor escenario posible, es decir, podría existir un costo mayor producto de la profundidad que tiene y que tendría la tecnología 5G en la en el acceso a nuevos productos para los consumidores, como es el caso de las plataformas digitales. En un cuarto lugar, se sitúa el impacto en la administración pública por un total de USD24,6 millones, lo cual limitaría al gobierno en general y a los gobiernos locales en particular, en poder acelerar el proceso de ciudades inteligentes. A esto se le complementa mejoras tecnológicas para mejorar la seguridad ciudadana y la cobertura de las tarifas de servicios públicos como es el caso del agua y la luz. 4. A1 integrar los efectos de costos adicionales de inversión en un modelo tarifario medio de la industria, encontramos que las tarifas podrían elevarse hasta en un 40 por ciento adicional, con la implementación del decreto. El efecto para las y los usuarios tiende a la exclusión digital de manera muy importante, sin embargo, dependerá de la estrategia de precios que desarrollen los prestadores del servicio 5G y/o de la intervención del Estado costarricense para amortiguar este impacto en los ingresos de los costarricenses producto del incremento de costos y de precios de los servicios de las telecomunicaciones. 5. Preocupa de sobremanera la exclusión de clientes en áreas rurales y en segmentos de menor ingreso relativo. La brecha existente en la actualidad podría ampliarse significativamente con nefastas implicaciones para las personas excluidas. Adicionalmente, la no implementación a tiempo tendrá efectos de pérdida de oportunidades de inversión y empleo. 6. En su conjunto, vemos que el impacto financiero, económico y social del decreto da cuentas de una significativa pérdida para el país por implementar esta medida. Es claro que existen posiciones encontradas sobre el tema, pero la magnitud de los efectos requiere de un análisis profundo, crítico y coherente con la realidad país. Para ejemplificar el tamaño del impacto económico, podemos compararlo con tres grandes rubros de inversión: a. Emisión de Eurobonoz La pérdida de USD 329,3 millones equivale aproximadamente al 33% de lo que el Gobierno de Costa Rica obtendría a través de la emisión de un eurobono. Estos bonos son herramientas cruciales que el gobierno utiliza para financiar sus operaciones y proyectos de infraestructura. b. Infraestructura Deportiva: E1 monto en cuestión podría financiar la construcción de casi cuatro Estadios Nacionales. Estos recintos no solo sirven para eventos deportivos, sino también para actividades culturales y sociales que benefician a la población. c. Seguridad Nacional: La cifra también representa el doble del presupuesto anual destinado al Organismo de Investigación Judicial (OIJ), una entidad vital para el mantenimiento de la seguridad y el orden en el país. 7. Estos ejemplos ilustran la gravedad de las consecuencias financieras y económicas que implica el decreto y enfatizan la necesidad de reconsiderar políticas que puedan tener repercusiones tan profundas en la economía y bienestar del país. Todo lo anterior nos hace pensar en la necesidad de discutir la neutralidad tecnológica en política de proveedores 5G y sobre todo, la necesidad de obviar criterios basados en prejuicios políticos no comprobados, en tanto afectan factores críticos del mercado a saber: • Promoción de la Competencia: Una política de neutralidad tecnológica asegura un campo de juego equitativo para todos los proveedores, promoviendo la competencia, lo que puede resultar en precios más bajos y soluciones más innovadoras.• Seguridad y Resiliencia: Depender de una variedad de proveedores puede aumentar la seguridad y resiliencia de la red al reducir la dependencia de un único proveedor o tecnología. • Desarrollo Tecnológico Inclusivo: Una política neutral evita la exclusión tecnológica, garantizando que el país tenga acceso a la gama completa de avances y soluciones SG disponibles globalmente. En suma, es imperativo que Costa Rica y otros países adopten una política de neutralidad tecnológica al considerar la implementación de la tecnología SG. Esta neutralidad no solo garantizará una adopción eficiente y económica, sino que también posicionará al país de manera óptima para capitalizar las oportunidades de la próxima era digital y de todas las que vendrán a futuro. La implementación efectiva y oportuna de la SG puede ser una de las decisiones más críticas que los líderes tomen para garantizar el progreso y la prosperidad en la era moderna. 21.- Con la finalidad de que la situación jurídica sustancial que nos ocupa se corrija y se eviten mayores afectaciones, serias e irreparables mientras se discute la constitucionalidad y validez del contenido de la conducta impugnada es que solicitamos la suspensión del procedimiento licitatorio tantas veces citado. 22.- Esa medida guarda total proporcionalidad con el interés público, dado que la eventual medida cautelar nos brindaría una protección integral en cuanto tendríamos la posibilidad de participar en la licitación pública para la adquisición de la tecnología de telecomunicaciones 5 G que en los próximos días promoverá el ICE y a la cual, de antemano, estamos imposibilitados de participar. 23.- Por lo tanto, las afectaciones que producirá el acto licitatorio son mayores y reales a las que presuntamente sufriría el interés público. De esa manera queda demostrada la necesidad imperiosa que existe para adoptar la presente medida cautelar, la cual constituye el único remedio para prevenir y evitar mayores afectaciones a nuestro derecho a ejercer una actividad empresarial altamente beneficiosa para el país. 24.- Lo anterior confirma la idoneidad de la medida que se está solicitando, que además resulta ser proporcionada con el fin que se busca en el presente recurso de amparo, es decir, la inconstitucionalidad evidente y manifiesta de cualquier concurso público que promueva el ICE para la adquisición de la tecnología en telecomunicaciones 5 G Móvil por violar los derechos fundamentales de libre competencia e igualdad de participación en los concursos públicos. PRUEBAS 1.- Informe técnico: Sobre las repercusiones económicas que tendría para el país la exclusión de proveedores asiáticos en las inversiones de la red 5G en Costa Rica, particularmente la no participación de Huawei en el citado concurso público promovido por el ICE para la adquisición de la tecnología en telecomunicaciones 5G en el país preparado por el CÂINPE de la UNA. 2.- Copia notarizada de la publicación del periódico digital La República del 11 septiembre del 2023 en que se indica que la exclusión a empresas asiáticas de concurso de redes 5G le constaría al .país $1,5 billones en tecnología. 3.- Copia notarizada de la noticia de medio de prensa Semanario Universidad del 6 de septiembre de 2023 "Decreto de Presidente Chaves deja fuera a cinco de las empresas líderes en 5G". 4.- Copia notarizada de la noticia de medio de prensa Diario Extra, 6 de septiembre de 2023 "Decisión de Gobierno subiría precio del internet" PETITORIA 1.- Por tanto, solicitamos que en aplicación del artículo 41 de la Ley de la Jurisdicción Constitucional, se proceda a suspender la publicación de cualquier pliego de condiciones o en caso de que ya esté publicado, la suspensión de cualquier proceso licitatorio por parte del ICE en que deba aplicarse el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) hasta tanto esa Sala Constitucional se haya pronunciado sobre el fondo de este recurso de amparo y, en caso de que fuere convertido en una acción de inconstitucionalidad, hasta que se haya pronunciado sobre el fondo de ésta (sic)”.

6.-El 16 de octubre de 2023, la magistrada Anamari Garro Vargas formula inhibitoria.

7.- Mediante resolución de las 8:27 horas de 17 de octubre de 2023, la Presidencia de la Sala rechazó la inhibitoria de la magistrada Garro Vargas y la habilitó para conocer el recurso de amparo.

8.- Mediante resolución de las 15:16 horas de 23 de octubre de 2023, el magistrado instructor dispuso: “Visto que el escrito incorporado al expediente digital el 6 de octubre de 2023 (recibido en la Secretaría de la Sala a las 17:11 horas de ese mismo día), de acuerdo con el orden de los argumentos y la numeración de la última página, se encuentra incompleto (no contiene la plana nro. 2), de previo a resolver lo que en derecho corresponda, se le previene a la parte accionante [Nombre 001], gerente general de [Nombre 002]., aportar, en el plazo de TRES DÍAS, contado a partir de la notificación de este proveído, la totalidad del referido escrito. Notifíquese”.

9.- Por escrito recibido en la Secretaría de la Sala el 25 de octubre de 2023, se apersona Rubén Hernández Valle, en su condición de apoderado especial judicial de la parte actora. Señala que, en cumplimiento de la prevención, aporta nuevamente el escrito entregado el 6 de octubre pasado. Este último contiene la siguiente argumentación: “Para los efectos del artículo 75 de la Ley de la Jurisdicción Constitucional alego de manera sucinta la inconstitucionalidad e inconvenciona1idad in toto y de algunas normas en específico de “El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5G) y superiores”, aprobado mediante decreto ejecutivo número 44196- MSP -MCITT, publicado en La Gaceta del 31 de agosto del 2023. A continuación, fundamento someramente los vicios constitucionales alegados. I.- Vicios de inconstitucionalidad “El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5 G) y superiores”, aprobado mediante decreto ejecutivo número 44196- MSP-MCITT, publicado en La Gaceta del 31 de agosto del 2023, contiene serios vicios tanto de inconstitucionalidad como de inconvencionalidad, los cuales enumeramos a continuación de manera sucinta. 1.- El Reglamento in toto viola el artículo 28 de la Constitución Política, por cuanto regula materia reservada por tales normas al dominio de la ley. Es decir, sólo (sic) por ley se pueden reglamentar y, sobre todo, restringir el ejercicio de los derechos fundamentales. 2.- En el Reglamento se regula el derecho fundamental a la autodeterminación informativa, los derechos de libre competencia e igualdad de participación en los concursos públicos, además de consagrar un régimen sancionatorio contra quienes violen disposiciones contenidas en el Reglamento. Todos estos aspectos están sustraídos al dominio del Reglamento pues deben ser necesariamente regulados por ley. 3.- Consecuencia de lo anterior, se viola también el principio de la división de poderes consagrado en el artículo 9 de la Constitución Política, según el cual ningún Poder puede inmiscuirse en las competencias garantizadas constitucionalmente a otro Poder. 4.- En la especie, el Poder Ejecutivo invadió competencias propias de la Asamblea Legislativa, pues según el artículo 121 inciso 1) de la Constitución corresponde al órgano legislativo aprobar, interpretar auténticamente y derogar las leyes. 5.- E1 artículo 13 viola el artículo 39 de la Constitución Política, norma que consagra los principios de legalidad y tipicidad en materia de sanciones administrativas y penales. 6.- Según el primer principio, los tipos sancionatorios deben establecerse por ley, en tanto que el de tipicidad exige que la conducta objeto de una eventual sanción debe estar precisada en la norma. 7.- E1 artículo 13 del Reglamento no especifica las infracciones ni las sanciones, sino que se limita a remitir a lo dispuesto en la materia en la Ley General de Telecomunicaciones. 8.- Los artículos 9 y 10 incisos c), d) , e) y f) violan los principios constitucionales de libertad de competencia e igualdad de participación en los procedimientos de contratación pública, al impedir la libre competencia entre todos los posibles oferentes que poseen tecnología 5G y así como limitar esa participación por razones ajenas a criterios estrictamente técnicos. 9.- Finalmente, los artículos 9 párrafo primero y 11 inciso f) violan el principio constitucional de razonabilidad técnica, el cual exige, como lo ha establecido la jurisprudencia de esa Sala, que toda norma y, en general, todo acto emanado de las instituciones públicas, debe estar fundamentado en criterios técnicos sobre la materia que regulan. 10.- Es la especie, los artículos impugnados carecen de fundamentación técnica y los requisitos establecidos en ellos no se ajustan a los estándares internacionales debidamente probados, aceptados y adoptados. Por ejemplo, el artículo 9 párrafo primero dispone que “Los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento, deberán solicitar a sus suministradores de hardware y software, que intervienen en el funcionamiento y operación de las redes 5G y superiores y sus servicios, la definición de los requisitos, controles y mediciones del sistema de gestión de ciberseguridad de la cadena de suministro para el diseño, desarrollo, producción, entrega, instalación y mantenimiento de hardware, software y servicios de conformidad con el estándar SCS 9001 “Estándar de Seguridad de la Cadena de Suministro” sin justificar porqué se exige específicamente este standard. El Estándar SCS 9001 (Supply Chain Security 9001) fue recientemente creado, en el 2022, por la TIA (Telecommunications Industry Association), que es una agrupación Estadounidense de proveedores TIC (Tecnologías de la Información y Comunicación). El Estándar SCS 9001 carece de datos suficientes que permitan la comprobación de su eficacia, puesto que aún se encuentran en la fase de planes piloto para llevar a cabo la correspondiente evaluación técnica. El ecosistema actual de normas de Ciberseguridad, que ha sido desarrollado por ISO, GSMA y 3GPP, siendo reconocido, aceptado, verificado e implementado por la industria de Servicios de Telefonía Móvil Celular a nivel mundial, desde hace ya varios años. 11.- Los artículos 8 inciso i) y 10 inciso a) violan el principio constitucional de proporcionalidad. 12.- Como lo ha establecido la jurisprudencia de esa Sala, un acto estatal que limite derechos fundamentales debe ser necesario, idóneo y proporcional. 13.- Los artículos antes citados del Reglamento no son necesarios, ni idóneos ni proporcionales. En efecto, no son necesarios pues la red de telefonía ha operado en el país desde sus inicios mediante el sistema de diversificación vertical, que es la metodología más eficiente y por ende la más ampliamente usada a nivel mundial, para garantizar un balance de proveedores que garantice la seguridad de la red en forma costo-efectiva. Si algo funciona bien no hay razón para cambiar. Por tanto, no existe una necesidad imperiosa de acoger el modelo indicado en los artículos 8 inciso i) y el 10 inciso a) del Reglamento impugnado. 14.-Finalmente, no existe una proporcionalidad entre el supuesto beneficio que obtendría el interés público según el modelo indicado en los artículos 8 inciso i) y el 10 inciso a) del Reglamento impugnado”.

10.- Por escrito recibido en la Secretaría de la Sala el 9 de noviembre de 2023, se apersona Rubén Hernández Valle, apoderado especial de la parte actora. Expone lo siguiente: “1.- El ICE publicó el día de hoy 9 de noviembre de 2023, el PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT-ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”. 2.- El cartel contiene requisitos que son imposibles de cumplir por mi representada por estar ubicada su casa matriz en la República Popular China. Específicamente el Apartado 3, Ciberseguridad RAN-CORE Móvil 5G que en lo que interesa indica: “3. APARTADO DE CIBERSEGURIDAD RAN-CORE MOVIL 5G. 3.1. El oferente deberá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, a la hora de planificar, diseñar e implementar su oferta técnica, para lo cual deberá aportar junto con la oferta, el plan de gestión y mitigación de riesgos en concordancia con la normativa precitada. 3.2. El oferente deberá presentar una declaración jurada en donde indique que cumple con la adopción de los siguientes estándares de ciberseguridad:

Estándares de cumplimiento obligatorios Número Nombre ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad- Sistemas de Gestión de la Seguridad de la Información Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Controles de seguridad de la información ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro Ciberseguridad GSMA NESAS Esquema de aseguramiento de ciberseguridad definido por GSMA y 3GPP.

ISO/IEC 27400 Ciberseguridad — Seguridad y privacidad en IoT— Guías de implementación 3GPP 33.501 Arquitectura y procedimiento de seguridad para sistemas 5G.

NIST 1800-33B 5G Ciberseguridad 3.3. De conformidad con el artículo 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT en donde se indica que no se puede tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, el ICE no podrá adjudicar al mismo oferente el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2). En caso de que la oferta, participe para el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2) y cumpla con todos los aspectos técnicos, financieros, jurídicos y ocupe el primer lugar en precio para todas las partidas mencionadas, el ICE adjudicará solamente las partidas 1 y 2 (red de acceso móvil) a este oferente y las partidas 3 y 4 (Core Móvil) se adjudicará al segundo lugar en precio, con el fin de no tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, lo anterior en cumplimiento del 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT. 3.4. El oferente deberá presentar una declaración jurada en donde se indique su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Para lo cual deberá adjuntar la documentación de respaldo. El ICE se reserva el derecho de verificar la valides (sic) de la información aportada. 3.5. El oferente deberá presentar una declaración jurada en donde se indique que, si la sede de la fábrica es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. 3.6. El oferente deberá presentar una declaración jurada en donde se indique si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses.” Como se puede observar de la cita anterior, se involucran en la presente contratación los elementos discriminatorios contenidos en el Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, que son condiciones de carácter obligatorio para la calificación del oferente para participar en el proceso de licitación, el cual excluye a mi representante del acceso a la licitación, y pierde la oportunidad de competir, en razón del origen de su casa matriz. Todo lo anterior, conforme fue debidamente fundamentado, sustentado y probado en el Recurso de Amparo principal del expediente 23-023887-0007-CO. 3.- De esa manera se concretó inminentemente la violación de nuestros derechos fundamentales conforme lo habíamos indicado en el escrito de interposición del presente recurso de amparo. (…) DERECHO I.- Las violaciones de los derechos fundamentales de mi representada El pliego de condiciones de la licitación pública del ICE citado viola en perjuicio de mi representada al menos los siguientes derechos fundamentales: a) derecho de libre competencia e igualdad de participación en los concursos públicos y b) derecho a no ser discriminado en razón del origen de la empresa. A.-La violación de los derechos fundamentales de libre competencia e igualdad de participación en los concursos públicos 1.- La jurisprudencia de esa Sala ha establecido que "si el artículo 182 de la Constitución Política establece este principio -el de la licitación entonces se encuentran inmersos en el concepto todos los principios propios de la Contratación Administrativa. En virtud de lo anterior, debe entenderse que del artículo 182 de la Constitución Política se derivan todos los principios y parámetros constitucionales que rigen la actividad contractual del Estado. Algunos de estos principios que orientan y regulan la licitación son: 1.-de la libre concurrencia, que tiene por objeto afianzar la posibilidad de oposición y competencia entre los oferentes dentro de las prerrogativas de la libertad de empresa regulado en el artículo 46 de la Constitución Política, destinado a promover y estimular el mercado competitivo, con el fin de que participen el mayor número de oferentes, para que la Administración pueda contar con una amplia y variada gama de ofertas, de modo que pueda seleccionar la que mejores condiciones le ofrece; 2.- de igualdad de trato entre todos los posibles oferentes, principio complementario del anterior y que dentro de la licitación tiene una doble finalidad, la de ser garantía para los administrados en la protección de sus intereses y derechos como contratistas, oferentes y como particulares, que se traduce en la prohibición para el Estado de imponer condiciones restrictivas para el acceso del concurso, sea mediante la promulgación de disposiciones legales o reglamentarias con ese objeto, como en su actuación concreta; y la de constituir garantía para la administración, en tanto acrece la posibilidad de una mejor selección del contratista; todo lo anterior, dentro del marco constitucional dado por el artículo 33 de la Carta Fundamental” (Voto 998-1998). 2.- El pliego de condiciones publicado por el ICE para la adquisición de “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, implica una clara violación, en perjuicio de mi representada, de sus derechos fundamentales a la libre concurrencia en las contrataciones públicas y de igualdad de trato de los oferentes, dado que se aplican en esa licitación pública directamente los artículos 10) incisos c), d), e) y f) y el numeral 11 del "Reglamento Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic), normas que establecen regulaciones discriminatorias y contrarias a los citados derechos fundamentales de la libre competencia e igualdad de trato en los concursos públicos. 3.- En efecto, esas normas establecen requisitos para el caso concreto, a fin de que compañías de diferentes orígenes, especialmente chino, no pueden participar en ningún concurso público para la adquisición de tecnología de telecomunicaciones 5 G Móvil y superiores. 4.- De esa forma se violan de manera grosera y evidente los derechos fundamentales a la libertad de competencia e igualdad de trato que tienen todos los eventuales interesados en participar en concursos públicos para la adquisición de bienes y servicios en nuestro país. 5.- En el caso de mi representada, el pliego de condiciones impide nuestra participación en esa contratación pública al aplicar lo estipulado en los incisos c), d), e) y f) del artículo 10 y numeral 11 del citado Reglamento, que es la finalidad que persigue esa normativa según declaraciones, en su momento, del Presidente Ejecutivo del ICE, de la Ministra del MICITT y del Presidente de la República. A confesión de parte, relevo de prueba. B.- La violación del principio constitucional a no ser discriminado por ninguna razón 1.- El artículo 33 de la Constitución consagra el principio cardinal en el Derecho Occidental, de que ninguna persona, física o jurídica, puede ser discriminada por ninguna razón (sexo, creencias religiosas, ideología, nacionalidad, etc). 2.- En el presente caso a mi representada se le discrimina abiertamente tanto por su supuesta ideología como por su nacionalidad, lo que implica una grosera violación del artículo 33 de la Constitución Política. 3.- Recordemos que la discriminación, desde el punto de vista jurídico, significa otorgamiento de trato diferente basado en desigualdades injustas o arbitrarias que son contrarias al principio de igualdad ante la ley. 4.- La prohibición de discriminar cobija la interdicción de hacerlo por cualquier circunstancia personal o social; o sea, que toda diferenciación que carezca de justificación objetiva y razonable puede calificarse de discriminatoria. 5.- De esa forma, son contrarias al principio de no discriminación las desigualdades de trato que se funden exclusivamente en razones de sexo, raza, condición social, motivos ideológicos, origen, nacionalidad, etc. 6.- La normativa que el ICE pretende aplicar contiene elementos discriminatorios como requisitos obligatorios en el citado concurso público implica una clara violación al principio de no discriminación en perjuicio de mi representada, dado que se la excluye desde el inicio de un concurso público por razones supuestamente ideológicas y de nacionalidad. MEDIDA CAUTELAR 1.- Dado que estamos ante un caso de excepción, pues si no se suspende la ejecución del futuro acto lesivo de nuestros derechos fundamentales y que se encuentra en fase de ejecución, el perjuicio para mi representada sería irreparable e irreversible pues le impide la participación en el citado concurso público para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil. 2.- Por tanto, solicitamos que en aplicación del artículo 41 de la Ley de la Jurisdicción Constitucional, se proceda a suspender la tramitación del proceso licitatorio indicado en el cartel impugnado dado que en él se está aplicando el “Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” (sic), hasta tanto esa Sala Constitucional no se haya pronunciado sobre el fondo de este recurso de amparo y sobre la acción de inconstitucionalidad planteada contra ese decreto oportunamente. PETITORIA Con fundamento en los hechos invocados, pruebas ofrecidas y consideraciones jurídicas señaladas, solicito que en sentencia se declare: 1.- Que mi representada no puede ser impedida de participar en el citado concurso público introduciendo cláusulas de imposible cumplimiento para ella, porque ello viola los derechos fundamentales a la libre competencia, la igualdad de trato y la prohibición de la discriminación exclusivamente por razones ideológicas y de nacionalidad. 2.- Reitero la solicitud de condenatoria al ICE al pago de los daños y perjuicios y costas de esta acción”.

11.-Por escrito recibido en la Secretaría de la Sala el 14 de noviembre de 2023, se apersona Rubén Hernández Valle, apoderado especial judicial de la parte actora. Indica: “1. Con el documento técnico adjunto las pérdidas que sufrirían tanto mi representada, así como el país si se nos impidiera participar en la licitación del ICE”.

12.- Por escrito recibido en la Secretaría de la Sala el 24 de noviembre de 2023, se apersona Rubén Hernández Valle, en su condición de apoderado especial judicial de la parte actora. Expone lo siguiente: “Amplío por este medio, el recurso de amparo presentado y seguido bajo el expediente 23-023887-0007-CO, con base en los siguientes HECHOS 1.- Que mediante escrito remitido a esta Sala Constitucional el día 09 de noviembre de 2023, se amplió en una primera ocasión el recurso de amparo presentado, debido a que el ICE publicó el día de 9 de noviembre de 2023, el PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED SG ENTREGA SEGÚN DEMANDA". 2.- El cartel contiene requisitos que son imposibles de cumplir por mi representada por estar ubicada su casa matriz en la República Popular China. Específicamente el Apartado 3, CiberSeguridad RAN-CORE Móvil 5G, mismo que puede ser revisado en el escrito del 09 de noviembre de 2023. 3.- Que contra dicho pliego de condiciones, por ser discriminatorio e impedir la participación de [Nombre 002]., se presentó en tiempo y forma un recurso de objeción al pliego. 4.- Que mediante oficio 5201-250-202 del 21 de noviembre de 2023, el ICE procedió a admitir parcialmente el recurso de objeción, sin embargo, procedió a rechazar de forma absoluta todas las objeciones relacionadas con el Apartado 3, CiberSeguridad RAN-CORE Móvil 5G, que precisamente excluye a Huawei del concurso. 5.- De esa manera, mi representada demuestra el uso oportuno de todos los mecanismos legales disponibles para procurar garantizar sus derechos constitucionales y sin embargo, se concretó la violación de nuestros derechos fundamentales conforme lo habíamos indicado en el escrito de interposición del presente recurso de amparo. Queda así configurada — ya no una posible violación si no una violación consumada — la discriminación hacia mi representada y las condiciones actuales de Costa Rica en contra de empresas Chinas, discriminándolas por su nacionalidad. PRUEBAS 1.- Copia del recurso interpuesto y de la respuesta del ICE. DERECHO I.- Las violaciones de los derechos fundamentales de mi representada El pliego de condiciones de la licitación pública del ICE citado, se encuentra consolidado y ante el rechazo del recurso de objeción no quedan más remedios legales que pueda utilizar mi representada para procurar la protección de sus derecho legítimos constitucionales. Es con base en esto, que podemos asegurar que, con el agotamiento de esa vía administrativa, el pliego viola en perjuicio de mi representada al menos los siguientes derechos fundamentales: a) derecho de libre competencia e igualdad de participación en los concursos públicos y b) derecho a no ser discriminado en razón del origen de la empresa, todo lo anterior, según fue debidamente explicado y fundamentado en el escrito del 09 de noviembre de 2023. MEDIDA CAUTELAR 1.- Reiteramos en este acto que estamos ante un caso de excepción y de urgentísima protección cautelar, ante el hecho de que actualmente y habiéndose agotado los remedios procesales, resulta imposible detener el concurso. Una vez que el concurso reciba ofertas y mi representada no sea capaz de presentar la suya, por no cumplir con el apartado 3, CiberSeguridad RAN-CORE Móvil 5G, se configurará el daño grave, manifiesto, inminente y de imposible reparación, al quedar completamente fuera del concurso y sin legitimación para reclamar. De igual forma, se ha demostrado de forma sobrada en este proceso de amparo, la apariencia de buen derecho del reclamo, sustentado en normativa constitucional, en los principios constitucionales, en derecho comparado y también en documentación y análisis técnicos, lo cual demuestran que nuestro reclamo tiene un fundamento debido. Finalmente, en la ponderación de intereses en juego, la suspensión no genera un daño directo a la Administración, pues se trataría de un (sic) medida cautelar provisional. 2.- Por tanto, solicitamos que en aplicación del artículo 41 de la Ley de la Jurisdicción Constitucional, se proceda a suspender la tramitación del proceso licitatorio indicado en el cartel impugnado dado que en él deberá aplicarse el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic), hasta tanto esa Sala Constitucional no se haya pronunciado sobre el fondo de este recurso de amparo y sobre la acción de inconstitucionalidad planteada contra ese decreto oportunamente. PETITORIA Con fundamento en los hechos invocados, pruebas ofrecidas y consideraciones jurídicas señaladas, solicito que en sentencia se declare: 1.- Que mi representada no puede ser impedida de participar en el citado concurso público introduciendo cláusulas de imposible cumplimiento para ella, porque ello viola los derechos fundamentales a la libre competencia, la igualdad de trato y la prohibición de la discriminación exclusivamente por razones ideológicas y de nacionalidad. 3.- Reitero la solicitud de condenatoria al ICE al pago de los daños y perjuicios y costas de esta acción”.

13.- Mediante resolución de las 13:18 horas de 24 de noviembre de 2023, la magistrada instructora, por disposición del Pleno, amplió los hechos de este recurso al ICE y solicitó informe a su presidente ejecutivo y administrador de contratos, sobre los siguientes hechos: “i) Por escrito recibido en la Secretaría de la Sala el 28 de setiembre de 2023, la parte accionante plantea recurso de amparo contra el ICE, en los siguientes términos: “1.- Mi representada está preparada para participar en la licitación pública que abrirá el ICE para implementar y operar la tecnología 5G IMT en sus redes, dado que somos uno de los principales proveedores de esa tecnología en Costa Rica. 2.- El 31 de agosto pasado, el Poder Ejecutivo promulgó y publicó en La Gaceta el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic), el cual contiene disposiciones que expresamente impiden la participación de mi representada en ese concurso público. 3.- Tanto el Presidente de la República, la Ministra del MICITT así como el Presidente Ejecutivo del ICE han manifestado públicamente que la promulgación del citado Reglamento se hizo con el motivo específico de impedir la participación de empresas de diversas nacionalidades, especialmente las de origen chino, en los procesos licitatorios tendentes a la obtención y operación de la tecnología en telecomunicaciones 5G IMT y Superiores de las redes de aquella institución. 4.- El Presidente del ICE manifestó por medio del periódico El Mundo CR el pasado 16 de setiembre que el respectivo concurso público será publicado antes de finales de setiembre del año en curso. 5.- Adicionalmente, y como prueba fehaciente y absoluta del riesgo que existe para mi representada, el día 5 de setiembre de 2023 a las 4:20 p.m. se recibió de parte del señor Huberth Valverde Batista, Administrador del Contratos del ICE, un correo en el que envían un cuestionario consultando sobre el cumplimiento del Reglamento de Ciberseguridad No.44196-MSP-MICITT. El propio correo se indica la necesidad de obtener esa información en 4 días hábiles. 6.- Dicho cuestionario, como se puede apreciar de la certificación notarial que se aporta, es una copia exacta de los requerimientos del Reglamento. 7.- Lo anterior es prueba directa que, ante la publicación inminente de la licitación, mi representada se verá afectada e imposibilidad de participar en ella. 8.-Ante esta situación resulta más que claro, evidente y manifiesto el riesgo directo, indudable, actual, inminente y real al que se enfrenta la empresa que represento”. Describe amenazas en los siguientes términos: “1.- El Presidente Ejecutivo del ICE ha dicho claramente que a finales de setiembre esa institución sacará a concurso público la adquisición de la tecnología en telecomunicaciones 5G Móvil y que, en ese concurso público, aplicarán los requisitos exigidos en el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” (sic). 2.- Como lo cita el medio noticiero digital "El Mundo.CR" el 15 de setiembre del año en curso, el presidente Ejecutivo del ICE expresamente señaló lo siguiente: "el decreto ya lo tienen los equipos y lo están revisando para ver de qué manera se incluye en el cartel. Además, tenemos algunas aclaraciones que tenemos que hacer. Sin embargo, la respuesta es que sí, vamos a tener que incluir lo que ahí se dispone, puesto que es política pública aplicable" (https: elmundo.cr/costa-rica/licitaciónpara-5g-saldra-a-finales-de-setiembre-vetando-empresas-chinas/). 3.- El presidente de la República, don Rodrigo Chaves Robles, había declarado ante la prensa cuando se encontraba en los Estados Unidos, luego de haber firmado poco antes de su partida el citado Reglamento, que su promulgación tenía como objetivo impedir la participación de empresas de diverso origen, en los próximos concursos públicos que abrirían el ICE y la SUTEL para la adquisición de la tecnología en telecomunicaciones 5G Móvil lo cual se puede verificar en el siguiente link https://dplnews.com/rodrigo-chaves-prohibeempresas-chinas-en-el-desarrollo-de-5g-en-costa-rica/ 4.- Este criterio fue ratificado por la ministra del MICITT en el programa radial de Amelia Rueda el lunes 4 de setiembre pasado conforme se puede verificar en el siguiente link https://ameliarueda.com/noticia/huawei-china-5g-micitt-subastacosta-rica-noticas 5.- En consonancia con todo lo anterior, mi representada recibió un cuestionario del ICE, solicitando confirmación del cumplimiento del Decreto, el cual se refiere específicamente a la tecnología 5G o superior, esto como una evidencia clara y directa de la intención del ICE de promover este concurso a la mayor brevedad. 6.-Es evidente que el cuestionario enviado por el ICE tiene directa relación con el Pliego de Condiciones que será utilizado para el proceso de licitación que tenga como objetivo la tecnología 5G. De conformidad con la Ley General de la Contratación Pública, la Administración, previo a publicar el Pliego de Condiciones de cualquier naturaleza, debe realizar un estudio de mercado para verificar cuáles son los posibles oferentes. En este caso es evidente que el ICE está cumpliendo con el estudio de mercado establecido en artículo 34 de la Ley de Contratación Pública, al hacer las preguntas sustentadas en el Reglamento, dejando así claro que van a incorporar dichas disposiciones al proceso licitatorio de 5G, en razón de que el Reglamento es una norma vigente el ICE no tiene potestad para desaplicarlo. 7.- Por tanto, estamos en presencia de una amenaza cierta, real, efectiva e inminente, casi en etapa de ejecución, de un acto lesivo de los derechos fundamentales de mi representada. 8.- En efecto, el concurso público que abrirá el ICE antes de finales de este mes, según lo han anunciado sus propios personeros, impedirá que mi representada pueda participar en él, por el simple hecho de ser una compañía de origen chino. 9.- Es importante indicar que no puede ser imputable a mi representada que el Gobierno de la República Popular China, dentro de sus potestades soberanas, no haya firmado al día de hoy el Convenio de Budapest. 10.- El Convenio de Budapest fue publicado 18 años antes que la tecnología 5G fuera lanzada al mercado, por lo que es imposible que alguna de sus consideraciones estuviera relacionada con esa tecnología. Se está usando un factor de evaluación que está desfasado y no relacionado directamente con la ciberseguridad, además de que se viola el principio de imparcialidad tecnológica recogido en el Capítulo XIII del CAFTA. 11- Es completamente discriminatorio que se le impida a mi representada participar en una licitación por una decisión que no está en sus manos, por ser una decisión completamente del Gobierno chino. 12- La única forma de evitar una flagrante violación a los derechos constitucionales de libre competencia e igualdad de participación que según la jurisprudencia de esa Sala tienen rango constitucional (Voto 998-1998) , así como el derecho a la no discriminación, es mediante la suspensión inmediata del concurso público en cuestión. 13- Si el citado acto llegare a materializarse el perjuicio para mi representada sería irreversible y de imposible reparación, tales como los daños y perjuicios reputacionales. Por ello, es que estamos procesalmente legitimados para incoar el presente recurso de amparo contra las amenazas inminentes del ICE, consistentes en sacar un concurso público para implementar y operar la tecnología 5G IMT en sus redes, del cual estamos de antemano excluidos”. Refiere las siguientes violaciones a los derechos fundamentales de su representada: “La amenaza recurrida viola en perjuicio de mi representada al menos los siguientes derechos fundamentales: a) derecho de libre competencia e igualdad de participación en los concursos públicos y b) derecho a no ser discriminado en razón del origen de la empresa. A.-La violación de los derechos fundamentales de libre competencia e igualdad de participación en los concursos públicos. 1.- La jurisprudencia de esa Sala ha establecido que “si el artículo 182 de la Constitución Política establece este principio -el de la licitación-, entonces se encuentran inmersos en el concepto todos los principios propios de la Contratación Administrativa. En virtud de lo anterior, debe entenderse que del artículo 182 de la Constitución Política se derivan todos los principios y parámetros constitucionales que rigen la actividad contractual del Estado. Algunos de estos principios que orientan y regulan la licitación son: 1.- de la libre concurrencia, que tiene por objeto afianzar la posibilidad de oposición y competencia entre los oferentes dentro de las prerrogativas de la libertad de empresa regulado en el artículo 46 de la Constitución Política, destinado a promover y estimular el mercado competitivo, con el fin de que participen el mayor número de oferentes, para que la Administración pueda contar con una amplia y variada gama de ofertas, de modo que pueda seleccionar la que mejores condiciones le ofrece; 2.- de igualdad de trato entre todos los posibles oferentes, principio complementario del anterior y que dentro de la licitación tiene una doble finalidad, la de ser garantía para los administrados en la protección de sus intereses y derechos como contratistas, oferentes y como particulares, que se traduce en la prohibición para el Estado de imponer condiciones restrictivas para el acceso del concurso, sea mediante la promulgación de disposiciones legales o reglamentarias con ese objeto, como en su actuación concreta; y la de constituir garantía para la administración, en tanto acrece la posibilidad de una mejor selección del contratista; todo lo anterior, dentro del marco constitucional dado por el artículo 33 de la Carta Fundamental" (Voto 998-1998). 2.- La amenaza del ICE de sacar un concurso público en el que aplicará el artículo 10) incisos c), d), e) y f) y el numeral 11 del Reglamento precitado implica una clara violación, en perjuicio de mi representada, de sus derechos fundamentales a la libre concurrencia en las contrataciones públicas y de igualdad de trato de los oferentes. 3.- En efecto, esas normas establecen requisitos para que compañías de diversas nacionalidades, así como las de origen chino, no puedan participar en ningún concurso público para la adquisición de tecnología de telecomunicaciones 5G Móvil y superiores. 4.- De esa forma se violan de manera grosera y evidente los derechos fundamentales a la libertad de competencia e igualdad de trato que tienen todos los eventuales interesados en participar en concursos públicos para la adquisición de bienes y servicios en nuestro país, entre ellos mi representada. 5.- En el caso de mi representada, el pliego de condiciones impedirá nuestra participación en esa contratación pública al aplicar lo estipulado en los incisos c), d), e) y f) del artículo 10 y numeral 11 del citado Reglamento, que es la finalidad que persigue esa normativa según declaraciones del Presidente Ejecutivo del ICE, de la Ministra del MICITT y del Presidente de la República. A confesión de parte, relevo de prueba. B.- La violación del principio constitucional a no ser discriminado por ninguna razón 1.- El artículo 33 de la Constitución consagra el principio cardinal en el Derecho Occidental, de que ninguna persona, física o jurídica, puede ser discriminada por ninguna razón (sexo, creencias religiosas, ideología, nacionalidad, etc.). 2.- En el presente caso a mi representada se le discrimina abiertamente tanto por su supuesta ideología como por su nacionalidad, lo que implica una grosera violación del artículo 33 de la Constitución Política. 3.- Por ejemplo, admitir que sólo (sic) empresas de países que hayan suscrito el Convenio de Budapest pueden participar en los concursos públicos para adquirir la tecnología 5G es evidentemente discriminatorio, pues tal Convenio no se refiere estrictamente a temas de ciberseguridad sino que más bien esa normativa se enfocan en la pena de crímenes informáticos que incluyen: fraudes, infracciones a la propiedad intelectual, distribución y posesión de pornografía infantil, falsificación informática, entre otros. Aplicando una política penal común entre los Estados inscritos. En este contexto, otra característica del Convenio de Budapest es la cooperación internacional, aspecto que facilita la investigación de infracciones cibernéticas y que es relevante por las características de los delitos informáticos y la posibilidad de que sean cometidos fuera de las fronteras de un país, pero con impacto en un territorio determinado. 4.- Recordemos que la discriminación, desde el punto de vista jurídico, significa otorgamiento de trato diferente basado en desigualdades injustas o arbitrarias que son contrarias al principio de igualdad ante la ley. 5.- La prohibición de discriminar cobija la interdicción de hacerlo por cualquier circunstancia personal o social; o sea, que toda diferenciación que carezca de justificación objetiva y razonable puede calificarse de discriminatoria. 6.- De esa forma, son contrarias al principio de no discriminación las desigualdades de trato que se funden exclusivamente en razones de sexo, raza, condición social, motivos ideológicos, origen, nacionalidad, etc. 7.- La normativa que el ICE pretende aplicar en el citado concurso público implica una clara violación al principio de no discriminación en perjuicio de mi representada, dado que se la excluye de un concurso público por razones supuestamente ideológicas y de nacionalidad”. Formula la siguiente solicitud de medida cautelar: “1.- Dado que estamos ante un caso de excepción, pues si no se suspende la ejecución del futuro acto lesivo de nuestros derechos fundamentales y que se encuentra casi en fase de ejecución, el perjuicio para mi representada sería irreparable e irreversible pues no podría participar en el citado concurso público para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil. Para entender esta irreparabilidad e irreversibilidad, se debe considerar que el ICE representa el 60% del negocio de Huawei en Costa Rica. Ante esto, si Huawei se ve impedido de participar en el concurso, se estarían afectando de forma directa a cerca de 80 empleados en Costa Rica, además de las pérdidas financieras para la empresa. 2.- Por tanto, solicitamos que en aplicación del artículo 41 de la Ley de la Jurisdicción Constitucional, se proceda a suspender la publicación de cualquier pliego de condiciones o en caso de que ya esté publicado, la suspensión de cualquier proceso licitatorio por parte del ICE en que deba aplicarse el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) hasta tanto esa Sala Constitucional se haya pronunciado sobre el fondo de este recurso de amparo y, en caso de que fuere convertido en una acción de inconstitucionalidad, hasta que se haya pronunciado sobre el fondo de ésta”. Plantea esta petitoria: “1.- Que mi representada no puede ser impedida de participar en el citado concurso público introduciendo cláusulas de imposible cumplimiento para ella, porque ello viola los derechos fundamentales a la libre competencia, la igualdad de trato y la prohibición de la discriminación exclusivamente por razones ideológicas y de nacionalidad. 2.- Que una vez notificada al ICE la imposibilidad de continuar adelante con el concurso público tantas veces citado, se convierta este amparo en una acción de inconstitucionalidad con el fin de que varias normas del Reglamento impugnado puedan ser eliminadas del ordenamiento jurídico y, por tanto, no puedan ser aplicados en ninguna licitación presente o futura”. ii) Por escrito recibido en la Secretaría de la Sala el 6 y 25 de octubre de 2023, la parte recurrente se apersona y expone: “Para los efectos del artículo 75 de la Ley de la Jurisdicción Constitucional alego de manera sucinta la inconstitucionalidad e inconvenciona1idad in toto y de algunas normas en específico de “El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5G) y superiores”, aprobado mediante decreto ejecutivo número 44196- MSP -MCITT, publicado en La Gaceta del 31 de agosto del 2023. A continuación, fundamento someramente los vicios constitucionales alegados. I.- Vicios de inconstitucionalidad “El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5 G) y superiores”, aprobado mediante decreto ejecutivo número 44196- MSP-MCITT, publicado en La Gaceta del 31 de agosto del 2023, contiene serios vicios tanto de inconstitucionalidad como de inconvencionalidad, los cuales enumeramos a continuación de manera sucinta. 1.- El Reglamento in toto viola el artículo 28 de la Constitución Política, por cuanto regula materia reservada por tales normas al dominio de la ley. Es decir, sólo (sic) por ley se pueden reglamentar y, sobre todo, restringir el ejercicio de los derechos fundamentales. 2.- En el Reglamento se regula el derecho fundamental a la autodeterminación informativa, los derechos de libre competencia e igualdad de participación en los concursos públicos, además de consagrar un régimen sancionatorio contra quienes violen disposiciones contenidas en el Reglamento. Todos estos aspectos están sustraídos al dominio del Reglamento pues deben ser necesariamente regulados por ley. 3.- Consecuencia de lo anterior, se viola también el principio de la división de poderes consagrado en el artículo 9 de la Constitución Política, según el cual ningún Poder puede inmiscuirse en las competencias garantizadas constitucionalmente a otro Poder. 4.- En la especie, el Poder Ejecutivo invadió competencias propias de la Asamblea Legislativa, pues según el artículo 121 inciso 1) de la Constitución corresponde al órgano legislativo aprobar, interpretar auténticamente y derogar las leyes. 5.- E1 artículo 13 viola el artículo 39 de la Constitución Política, norma que consagra los principios de legalidad y tipicidad en materia de sanciones administrativas y penales. 6.- Según el primer principio, los tipos sancionatorios deben establecerse por ley, en tanto que el de tipicidad exige que la conducta objeto de una eventual sanción debe estar precisada en la norma. 7.- E1 artículo 13 del Reglamento no especifica las infracciones ni las sanciones, sino que se limita a remitir a lo dispuesto en la materia en la Ley General de Telecomunicaciones. 8.- Los artículos 9 y 10 incisos c), d) , e) y f) violan los principios constitucionales de libertad de competencia e igualdad de participación en los procedimientos de contratación pública, al impedir la libre competencia entre todos los posibles oferentes que poseen tecnología 5G y así como limitar esa participación por razones ajenas a criterios estrictamente técnicos. 9.- Finalmente, los artículos 9 párrafo primero y 11 inciso f) violan el principio constitucional de razonabilidad técnica, el cual exige, como lo ha establecido la jurisprudencia de esa Sala, que toda norma y, en general, todo acto emanado de las instituciones públicas, debe estar fundamentado en criterios técnicos sobre la materia que regulan. 10.- Es la especie, los artículos impugnados carecen de fundamentación técnica y los requisitos establecidos en ellos no se ajustan a los estándares internacionales debidamente probados, aceptados y adoptados. Por ejemplo, el artículo 9 párrafo primero dispone que “Los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento, deberán solicitar a sus suministradores de hardware y software, que intervienen en el funcionamiento y operación de las redes 5G y superiores y sus servicios, la definición de los requisitos, controles y mediciones del sistema de gestión de ciberseguridad de la cadena de suministro para el diseño, desarrollo, producción, entrega, instalación y mantenimiento de hardware, software y servicios de conformidad con el estándar SCS 9001 “Estándar de Seguridad de la Cadena de Suministro” sin justificar porqué se exige específicamente este standard. El Estándar SCS 9001 (Supply Chain Security 9001) fue recientemente creado, en el 2022, por la TIA (Telecommunications Industry Association), que es una agrupación Estadounidense de proveedores TIC (Tecnologías de la Información y Comunicación). El Estándar SCS 9001 carece de datos suficientes que permitan la comprobación de su eficacia, puesto que aún se encuentran en la fase de planes piloto para llevar a cabo la correspondiente evaluación técnica. El ecosistema actual de normas de Ciberseguridad, que ha sido desarrollado por ISO, GSMA y 3GPP, siendo reconocido, aceptado, verificado e implementado por la industria de Servicios de Telefonía Móvil Celular a nivel mundial, desde hace ya varios años. 11.- Los artículos 8 inciso i) y 10 inciso a) violan el principio constitucional de proporcionalidad. 12.- Como lo ha establecido la jurisprudencia de esa Sala, un acto estatal que limite derechos fundamentales debe ser necesario, idóneo y proporcional. 13.- Los artículos antes citados del Reglamento no son necesarios, ni idóneos ni proporcionales. En efecto, no son necesarios pues la red de telefonía ha operado en el país desde sus inicios mediante el sistema de diversificación vertical, que es la metodología más eficiente y por ende la más ampliamente usada a nivel mundial, para garantizar un balance de proveedores que garantice la seguridad de la red en forma costo-efectiva. Si algo funciona bien no hay razón para cambiar. Por tanto, no existe una necesidad imperiosa de acoger el modelo indicado en los artículos 8 inciso i) y el 10 inciso a) del Reglamento impugnado. 14.-Finalmente, no existe una proporcionalidad entre el supuesto beneficio que obtendría el interés público según el modelo indicado en los artículos 8 inciso i) y el 10 inciso a) del Reglamento impugnado”. iii) Por escrito recibido en la Secretaría de la Sala el 10 de octubre de 2023, se apersona la parte accionante. Indica: “Con fundamento en el artículo 41 de la Ley de la Jurisdicción Constitucional reitero mi solicitud que se suspenda la ejecución de la licitación que promoverá el ICE en pocos días para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil, con base en las siguientes razones fácticas y jurídicas. 1.- Las finalidades del recurso de amparo 1.- Como es sabido, la institución del amparo fue tomada por nuestros Constituyentes de 1949 de la efímera Constitución cubana de 1940. Este modelo, a diferencia de lo que ocurre en el resto de las legislaciones, establece el recurso de amparo exclusivamente contra conductas administrativas (actos, omisiones, amenazas). 2.- Este sistema tiene la ventaja de que cumple con el principal objetivo del recurso de amparo que consiste en evitar la violación de derechos fundamentales cuando se plantea contra amenazas, o bien en restituir el derecho fundamental conculcado antes de que el daño se convierta en irreversible. Para lograr este objetivo es que se utiliza precisamente el instituto de las medidas cautelares y, en el caso costarricense, de suspender los efectos de la ejecución de la conducta impugnada, de conformidad con la letra y espíritu del artículo 41 de la Ley de la Jurisdicción Constitucional. 3.- Cuando el amparo se consagra sólo (sic) contra resoluciones judiciales, como ocurre en la mayoría de las legislaciones, sólo (sic) tiene un efecto indemnizatorio, pues ya la violación o amenaza de violación se ha materializado de manera irreversible, por lo que resulta jurídicamente imposible restituir al amparado en el ejercicio efectivo de su derecho fundamental conculcado o bien la amenaza de violación se tradujo en una conculcación irreversible de su derecho. 4.- Por ello, cuando en nuestro sistema no se suspende la ejecución del acto o de la amenaza impugnada por la gravedad de sus implicaciones, el citado remedio procesal termina teniendo sólo (sic) efectos indemnizatorios pues se habría renunciado a cumplir con su vocación primaria de restituir el derecho fundamental vulnerado o de impedir que se viole alguno. 5.- Por tanto, esa Sala debe valorar, caso por caso, cuando es imprescindible suspender la ejecución presente (cuando se trata de actos) o futura (cuando estemos en presencia de amenazas), dado que si, en determinados casos no lo hace, la no suspensión podría producir violaciones irreversibles a los derechos fundamentales y sus titulares tendrían que resignarse con el cobro de los daños y perjuicios sufridos en la vía contencioso- administrativa. 6.- En tales circunstancias, el recurso de amparo deja de ser un remedio procesal para reintegrar el derecho violado o impedir que se concrete su violación, para convertirse en una jurisdicción reparadora de daños y perjuicios. Esta última función es accesoria y debe ceder ante la finalidad primaria del amparo que es la tutela efectiva de los derechos fundamentales. II.- Los elementos para decretar una medida cautelar 1.- En el presente caso estamos en presencia de un caso de excepción, pues si no se suspende la ejecución del futuro acto lesivo de nuestros derechos fundamentales y que se encuentra casi en fase de ejecución, el perjuicio para mi representada sería irreparable e irreversible pues no podría participar en el citado concurso público para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil. 2.- Por ello es claro que en la especie se presentan los tres elementos que la doctrina procesal administrativa considera que son necesarios para el otorgamiento de una medida cautelar, a saber: a) apariencia de buen derecho, b) peligro en la demora, c) bilateralidad del periculum in mora. 3.- La apariencia de buen derecho está ampliamente demostrada en el expediente con las evidentes violaciones de los derechos fundamentales a la libre concurrencia e igualdad de participación en los concursos públicos en perjuicio de mi representada. 4.- El peligro en la demora consiste en el temor objetivamente fundado y razonable de que la situación jurídica sustancial aducida resulte seriamente dañada o perjudicada en forma grave e irreparable, durante el transcurso del tiempo necesario para dictar sentencia en el proceso principal. 5.- Este presupuesto requiere la presencia de dos elementos: el daño o perjuicio grave y la demora en el proceso principal, sin soslayar que dentro de este presupuesto se encuentra lo que la doctrina denomina la “bilateralidad del periculum in mora” o como comúnmente se le conoce, la ponderación de los intereses en juego. 6.- El presupuesto del peligro en la demora alude a dos aspectos: primero, a los daños que se reprochen que son susceptibles de producirse actual o potencialmente de no adoptarse la medida que se requiere. Daños que deben establecerse como graves, además de tenerse como derivados de la situación aducida. 7.- En cuanto a los daños es claro que, de no suspenderse los efectos de la conducta impugnada en el presente recurso de amparo, se le podrían ocasionar daños y perjuicios de difícil o inclusive imposible reparación a mi representada, al impedírsele participar en el citado procedimiento licitatorio tendente a la adquisición de la tecnología en telecomunicaciones 5 G Móvil. 8.- Solo para el Instituto Costarricense de Electricidad los costos por la exclusión de [Nombre 002]. que es el actual suplidor de hardware y software para esa entidad, sería de $1.5 billones. Lo anterior es un hecho público y notorio que consta en la noticia de La República de 11 de septiembre de 2023 “Excluir a empresas asiáticas de concurso de redes 5G le costaría al país $1,5 billones en tecnología” disponible en https://www.larepublica.net/noticia/excluir-a-empresas-asiaticas-de-concurso-de-redes-5g-le-costaria-al-pais-15-billones-en-tecnologia 9.- En segundo lugar, este presupuesto se refiere a la situación que se genera con ocasión de los procesos jurisdiccionales que requieren para su desarrollo y posteriormente fenecimiento, la realización de una serie de actos a través de los cuales se garantiza no sólo (sic) el debido proceso, sino la emisión de un fallo que si no se puede llevar a cabo con prontitud al menos que sea justo. 10.- El ponerle fin a un proceso, cuya sentencia dependerá de que previamente se resuelva una acción de inconstitucionalidad contra normas que necesariamente tienen que aplicarse en él, demanda tiempo y es precisamente donde la tutela cautelar adquiere especial relevancia, por cuanto mientras llega esa decisión del proceso se evita la producción de graves daños, que en el evento de producirse haría nugatorio el derecho que se reclama. 11.- El presente recurso de amparo no podrá resolverse antes que esa misma Sala vote por el fondo la acción de inconstitucionalidad que se presentará con base en él, lo cual podría tardar al menos dos años. 12.- La bilateralidad del periculum in mora se refiere a la ponderación de los intereses en juego, vinculado ello con el interés público que sea susceptible de encontrarse en necesidad de ser protegido, frente al interés de terceros y por supuesto del interés de quien acude por medio de una medida cautelar, debiendo valorarse comparativamente los mismos, imponiéndose la derogatoria de la medida cuando el perjuicio sufrido o susceptible de ser producido a la colectividad o terceros, sea superior al que podría experimentar el Solicitante de la medida. 13.-El interés público también se vería afectado porque el impacto en los operadores con exclusión de Huawei en 5G tendría efectos muy perjudiciales. La implementación del decreto podría traducirse en la necesidad de un incremento de inversión de aproximadamente USD196,69 millones en un periodo de 5 años. Pero más allá del impacto monetario directo, esta situación podría generar un atraso en la implementación de la tecnología 5G, extendiendo la duración de su despliegue hasta 4 años adicionales. Estos retrasos, además de los costos adicionales financieros, pueden tener repercusiones en la competitividad del país y en la adaptabilidad de las industrias locales a las tendencias tecnológicas globales. 14.-Desde el punto de vista del impacto interno también se acarrearían importantes perjuicios. Por ejemplo, el ICE tendría que incrementar su deuda externa debido a las inversiones adicionales que tendría que realizar para compatibilizar el nuevo sistema. 15.- El PIB bajaría debido a la disminución de las actividades económicas impulsadas por las tecnologías avanzadas y que requieren de la 5G para su desarrollo, tales como la auto conducción, la auto fabricación, la inteligencia artificial, etc. 16.- Los costos de adquisición de equipos por parte de los operadores de redes y prestadores de servicios de telecomunicaciones se incrementarán al tener que adquirirlos a un precio mayor de empresas estadounidenses y europeas (hecho público y notorio que consta en noticias de medios de prensa Semanario Universidad, 6 de septiembre de 2023 “Decreto de Presidente Chaves deja fuera a cinco de las empresas líderes en 5G” disponible en https://semanariouniversidad.com/pais/decreto-de-presidente-chaves-deja-fuera-a-cinco-de-las-empresas-lideres-en-5g/ y Diario Extra, 6 de septiembre de 2023 “Decisión de Gobierno subiría precio del Internet” https://www.diaríoextra.com/Noticia/detalle/504206/decisi-n-de-gobierno-subir-a-precio-del-internet-). 17.- Los costos más elevados en la adquisición de los equipos por los operadores de redes y prestadores de servicios de telecomunicaciones serían trasladados a los consumidores y usuarios finales de tales servicios (Hecho público y notorio que consta en noticias de medios de prensa Semanario Universidad, 6 de septiembre de 2023 “Decreto de Presidente Chaves deja fuera a cinco de las empresas .líderes en SG” disponible en https://semanariouniversidad.com/pais/decreto-de.presidente-chaves-deja-fuera-a-cinco-de-las-empresas-lideres-en-5g/ y Diario Extra, 6 de septiembre de 2023 “Decisión de Gobierno subiría precio del internet” https://www.diarioextra.com/Noticia/detalle/504206/decisi-n-de-gobierno-subir-a-precio-del-internet-). 18.- También habría una pérdida de oportunidades justas para que los usuarios del sistema obtengan acceso a tecnologías avanzadas de 5G debido al inevitable aumento de las tarifas telefónicas. En efecto, el costo adicional de las tecnologías menos avanzadas y el mercado con competencia insuficiente se trasferirá finalmente a los usuarios. El precio de las tarifas aumentaría entre un 40%. 19.- Si se lleva a cabo el despliegue 5G sin restricciones, su inversión contribuiría con USD 748,4 millones al Producto Interno Bruto (PIB) de Costa Rica en un lapso de 5 años. Esto representa un significativo 3,19% del PIB. Sin embargo, bajo las limitaciones del decreto, esta contribución se desploma a apenas USD 419,1 millones. Estamos hablando de una reducción de USD329,3 millones en tan solo cinco años, una cifra nada despreciable para cualquier economía y altamente significativa para Costa Rica. 20.- En todo caso, el estudio económico realizado por el CINPE de la Universidad Nacional en la que participaron 5 prestigiosos investigadores de ese centro educativo llega a las siguientes conclusiones: Capítulo IV: Conclusiones y Recomendaciones. A lo largo de la presente investigación nos hemos propuesto calcular el impacto financiero y económico que tiene para Costa Rica la decisión de implementación del decreto ejecutivo No 44196-MSP-MICITT. Hemos dejado claro en el capítulo 1 de la investigación la importancia y efectos que tendrá el paso de la internet 4 y 4.5 G a las plataformas de uso basadas en 5G. Este proceso de transformación de la economía digital tiene importantes efectos en la competitividad de las empresas, en el empleo y el desarrollo tecnológico de industrias claves para el país y en la generación de oportunidades de innovación. Por todo lo anterior, hemos de tomarle la mayor importancia y trascendencia al proceso que viene para el país con el despliegue de las redes 5G. En el capítulo 2 y 3 de este estudio, a partir de los resultados obtenidos de la aplicación de la metodología de análisis de impacto financiero y de impacto económico, así como la distribución de dichos montos en las tarifas, podemos concluir qué, las restricciones a los proveedores asiáticos y en particular a la empresa Huawei de participar en la licitación de los equipos y el mantenimiento de las redes 5G en Costa (sic), tiene significativos efectos financieros para los operadores de telefonía celular y un muy alto impacto económico y social para el país. Se concluye que: 1. La implementación del decreto podría traducirse en la necesidad de un incremento de inversión de aproximadamente USD196,69 millones en un periodo de 5 años. Pero más allá del impacto monetario directo, esta situación podría generar un atraso en la implementación de la tecnología SG, extendiendo la duración de su despliegue hasta 4 años adicionales. Estos retrasos, además de los costos adicionales financieros, pueden tener repercusiones en la competitividad del país y en la adaptabilidad de las industrias locales a las tendencias tecnológicas globales. 2. Respecto al impacto en la economía de dichos efectos del despliegue de la tecnología 5G puede apreciarse de manera contundente al comparar los escenarios con y sin la implementación de este decreto. De acuerdo con nuestra investigación y los datos presentados en la tabla 2.3, si se lleva a cabo el despliegue 5G sin restricciones, su inversión contribuiría con USD 748,4 millones al Producto Interno Bruto (PIB) de Costa Rica en un lapso de 5 años. Esto representa un significativo 3,19% del PIB. Sin embargo, bajo las limitaciones del decreto, esta contribución se desploma a apenas USD 419,1 millones. Estamos hablando de una reducción de USD 329,3 millones en tan solo cinco años, una cifra nada despreciable para cualquier economía y altamente significativa para Costa Rica. 3. Las industrias más afectadas son, la industria manufacturera, el sector TIC, el sector comercial y la administración pública. La industria de manufactura es un sector estrechamente ligado al dinamismo de las zonas francas y que ha sido históricamente un pilar del crecimiento económico de Costa Rica y esta será la que absorbería cerca de un tercio de ese costo económico (USD 117,0 millones), lo que es alarmante. Esta industria no solo es vital por su aporte al PIB, sino también porque es una fuente crucial de empleo para los costarricenses. Adicionalmente, el sector de información y comunicación no se queda atrás, proyectando un impacto negativo de USD 39,18 millones durante el mismo periodo, como consecuencia directa del decreto. En un tercer lugar, se ubica el costo económico para el sector comercial que totaliza USD 29,9 millones. De alguna forma, el impacto estimado para esta industria sería el mejor escenario posible, es decir, podría existir un costo mayor producto de la profundidad que tiene y que tendría la tecnología 5G en la en el acceso a nuevos productos para los consumidores, como es el caso de las plataformas digitales. En un cuarto lugar, se sitúa el impacto en la administración pública por un total de USD24,6 millones, lo cual limitaría al gobierno en general y a los gobiernos locales en particular, en poder acelerar el proceso de ciudades inteligentes. A esto se le complementa mejoras tecnológicas para mejorar la seguridad ciudadana y la cobertura de las tarifas de servicios públicos como es el caso del agua y la luz. 4. A1 integrar los efectos de costos adicionales de inversión en un modelo tarifario medio de la industria, encontramos que las tarifas podrían elevarse hasta en un 40 por ciento adicional, con la implementación del decreto. El efecto para las y los usuarios tiende a la exclusión digital de manera muy importante, sin embargo, dependerá de la estrategia de precios que desarrollen los prestadores del servicio 5G y/o de la intervención del Estado costarricense para amortiguar este impacto en los ingresos de los costarricenses producto del incremento de costos y de precios de los servicios de las telecomunicaciones. 5. Preocupa de sobremanera la exclusión de clientes en áreas rurales y en segmentos de menor ingreso relativo. La brecha existente en la actualidad podría ampliarse significativamente con nefastas implicaciones para las personas excluidas. Adicionalmente, la no implementación a tiempo tendrá efectos de pérdida de oportunidades de inversión y empleo. 6. En su conjunto, vemos que el impacto financiero, económico y social del decreto da cuentas de una significativa pérdida para el país por implementar esta medida. Es claro que existen posiciones encontradas sobre el tema, pero la magnitud de los efectos requiere de un análisis profundo, crítico y coherente con la realidad país. Para ejemplificar el tamaño del impacto económico, podemos compararlo con tres grandes rubros de inversión: a. Emisión de Eurobonoz La pérdida de USD 329,3 millones equivale aproximadamente al 33% de lo que el Gobierno de Costa Rica obtendría a través de la emisión de un eurobono. Estos bonos son herramientas cruciales que el gobierno utiliza para financiar sus operaciones y proyectos de infraestructura. b. Infraestructura Deportiva: E1 monto en cuestión podría financiar la construcción de casi cuatro Estadios Nacionales. Estos recintos no solo sirven para eventos deportivos, sino también para actividades culturales y sociales que benefician a la población. c. Seguridad Nacional: La cifra también representa el doble del presupuesto anual destinado al Organismo de Investigación Judicial (OIJ), una entidad vital para el mantenimiento de la seguridad y el orden en el país. 7. Estos ejemplos ilustran la gravedad de las consecuencias financieras y económicas que implica el decreto y enfatizan la necesidad de reconsiderar políticas que puedan tener repercusiones tan profundas en la economía y bienestar del país. Todo lo anterior nos hace pensar en la necesidad de discutir la neutralidad tecnológica en política de proveedores 5G y sobre todo, la necesidad de obviar criterios basados en prejuicios políticos no comprobados, en tanto afectan factores críticos del mercado a saber: • Promoción de la Competencia: Una política de neutralidad tecnológica asegura un campo de juego equitativo para todos los proveedores, promoviendo la competencia, lo que puede resultar en precios más bajos y soluciones más innovadoras.• Seguridad y Resiliencia: Depender de una variedad de proveedores puede aumentar la seguridad y resiliencia de la red al reducir la dependencia de un único proveedor o tecnología. • Desarrollo Tecnológico Inclusivo: Una política neutral evita la exclusión tecnológica, garantizando que el país tenga acceso a la gama completa de avances y soluciones SG disponibles globalmente. En suma, es imperativo que Costa Rica y otros países adopten una política de neutralidad tecnológica al considerar la implementación de la tecnología SG. Esta neutralidad no solo garantizará una adopción eficiente y económica, sino que también posicionará al país de manera óptima para capitalizar las oportunidades de la próxima era digital y de todas las que vendrán a futuro. La implementación efectiva y oportuna de la SG puede ser una de las decisiones más críticas que los líderes tomen para garantizar el progreso y la prosperidad en la era moderna. 21.- Con la finalidad de que la situación jurídica sustancial que nos ocupa se corrija y se eviten mayores afectaciones, serias e irreparables mientras se discute la constitucionalidad y validez del contenido de la conducta impugnada es que solicitamos la suspensión del procedimiento licitatorio tantas veces citado. 22.- Esa medida guarda total proporcionalidad con el interés público, dado que la eventual medida cautelar nos brindaría una protección integral en cuanto tendríamos la posibilidad de participar en la licitación pública para la adquisición de la tecnología de telecomunicaciones 5 G que en los próximos días promoverá el ICE y a la cual, de antemano, estamos imposibilitados de participar. 23.- Por lo tanto, las afectaciones que producirá el acto licitatorio son mayores y reales a las que presuntamente sufriría el interés público. De esa manera queda demostrada la necesidad imperiosa que existe para adoptar la presente medida cautelar, la cual constituye el único remedio para prevenir y evitar mayores afectaciones a nuestro derecho a ejercer una actividad empresarial altamente beneficiosa para el país. 24.- Lo anterior confirma la idoneidad de la medida que se está solicitando, que además resulta ser proporcionada con el fin que se busca en el presente recurso de amparo, es decir, la inconstitucionalidad evidente y manifiesta de cualquier concurso público que promueva el ICE para la adquisición de la tecnología en telecomunicaciones 5 G Móvil por violar los derechos fundamentales de libre competencia e igualdad de participación en los concursos públicos. PRUEBAS 1.- Informe técnico: Sobre las repercusiones económicas que tendría para el país la exclusión de proveedores asiáticos en las inversiones de la red 5G en Costa Rica, particularmente la no participación de Huawei en el citado concurso público promovido por el ICE para la adquisición de la tecnología en telecomunicaciones 5G en el país preparado por el CÂINPE de la UNA. 2.- Copia notarizada de la publicación del periódico digital La República del 11 septiembre del 2023 en que se indica que la exclusión a empresas asiáticas de concurso de redes 5G le constaría al .país $1,5 billones en tecnología. 3.- Copia notarizada de la noticia de medio de prensa Semanario Universidad del 6 de septiembre de 2023 "Decreto de Presidente Chaves deja fuera a cinco de las empresas líderes en 5G". 4.- Copia notarizada de la noticia de medio de prensa Diario Extra, 6 de septiembre de 2023 "Decisión de Gobierno subiría precio del internet" PETITORIA 1.- Por tanto, solicitamos que en aplicación del artículo 41 de la Ley de la Jurisdicción Constitucional, se proceda a suspender la publicación de cualquier pliego de condiciones o en caso de que ya esté publicado, la suspensión de cualquier proceso licitatorio por parte del ICE en que deba aplicarse el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) hasta tanto esa Sala Constitucional se haya pronunciado sobre el fondo de este recurso de amparo y, en caso de que fuere convertido en una acción de inconstitucionalidad, hasta que se haya pronunciado sobre el fondo de ésta (sic)”. iv) Por escrito recibido en la Secretaría de la Sala el 9 de noviembre de 2023, se apersona Rubén Hernández Valle, apoderado especial de la parte actora. Expone lo siguiente: “1.- El ICE publicó el día de hoy 9 de noviembre de 2023, el PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT-ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”. 2.- El cartel contiene requisitos que son imposibles de cumplir por mi representada por estar ubicada su casa matriz en la República Popular China. Específicamente el Apartado 3, Ciberseguridad RAN-CORE Móvil 5G que en lo que interesa indica: “3. APARTADO DE CIBERSEGURIDAD RAN-CORE MOVIL 5G. 3.1. El oferente deberá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, a la hora de planificar, diseñar e implementar su oferta técnica, para lo cual deberá aportar junto con la oferta, el plan de gestión y mitigación de riesgos en concordancia con la normativa precitada. 3.2. El oferente deberá presentar una declaración jurada en donde indique que cumple con la adopción de los siguientes estándares de ciberseguridad:

Estándares de cumplimiento obligatorios Número Nombre ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad- Sistemas de Gestión de la Seguridad de la Información Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Controles de seguridad de la información ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro Ciberseguridad GSMA NESAS Esquema de aseguramiento de ciberseguridad definido por GSMA y 3GPP.

ISO/IEC 27400 Ciberseguridad — Seguridad y privacidad en IoT— Guías de implementación 3GPP 33.501 Arquitectura y procedimiento de seguridad para sistemas 5G.

NIST 1800-33B 5G Ciberseguridad 3.3. De conformidad con el artículo 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT en donde se indica que no se puede tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, el ICE no podrá adjudicar al mismo oferente el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2). En caso de que la oferta, participe para el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2) y cumpla con todos los aspectos técnicos, financieros, jurídicos y ocupe el primer lugar en precio para todas las partidas mencionadas, el ICE adjudicará solamente las partidas 1 y 2 (red de acceso móvil) a este oferente y las partidas 3 y 4 (Core Móvil) se adjudicará al segundo lugar en precio, con el fin de no tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, lo anterior en cumplimiento del 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT. 3.4. El oferente deberá presentar una declaración jurada en donde se indique su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Para lo cual deberá adjuntar la documentación de respaldo. El ICE se reserva el derecho de verificar la valides (sic) de la información aportada. 3.5. El oferente deberá presentar una declaración jurada en donde se indique que, si la sede de la fábrica es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. 3.6. El oferente deberá presentar una declaración jurada en donde se indique si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses.” Como se puede observar de la cita anterior, se involucran en la presente contratación los elementos discriminatorios contenidos en el Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, que son condiciones de carácter obligatorio para la calificación del oferente para participar en el proceso de licitación, el cual excluye a mi representante del acceso a la licitación, y pierde la oportunidad de competir, en razón del origen de su casa matriz. Todo lo anterior, conforme fue debidamente fundamentado, sustentado y probado en el Recurso de Amparo principal del expediente 23-023887-0007-CO. 3.- De esa manera se concretó inminentemente la violación de nuestros derechos fundamentales conforme lo habíamos indicado en el escrito de interposición del presente recurso de amparo. (…) DERECHO I.- Las violaciones de los derechos fundamentales de mi representada El pliego de condiciones de la licitación pública del ICE citado viola en perjuicio de mi representada al menos los siguientes derechos fundamentales: a) derecho de libre competencia e igualdad de participación en los concursos públicos y b) derecho a no ser discriminado en razón del origen de la empresa. A.-La violación de los derechos fundamentales de libre competencia e igualdad de participación en los concursos públicos 1.- La jurisprudencia de esa Sala ha establecido que "si el artículo 182 de la Constitución Política establece este principio -el de la licitación entonces se encuentran inmersos en el concepto todos los principios propios de la Contratación Administrativa. En virtud de lo anterior, debe entenderse que del artículo 182 de la Constitución Política se derivan todos los principios y parámetros constitucionales que rigen la actividad contractual del Estado. Algunos de estos principios que orientan y regulan la licitación son: 1.-de la libre concurrencia, que tiene por objeto afianzar la posibilidad de oposición y competencia entre los oferentes dentro de las prerrogativas de la libertad de empresa regulado en el artículo 46 de la Constitución Política, destinado a promover y estimular el mercado competitivo, con el fin de que participen el mayor número de oferentes, para que la Administración pueda contar con una amplia y variada gama de ofertas, de modo que pueda seleccionar la que mejores condiciones le ofrece; 2.- de igualdad de trato entre todos los posibles oferentes, principio complementario del anterior y que dentro de la licitación tiene una doble finalidad, la de ser garantía para los administrados en la protección de sus intereses y derechos como contratistas, oferentes y como particulares, que se traduce en la prohibición para el Estado de imponer condiciones restrictivas para el acceso del concurso, sea mediante la promulgación de disposiciones legales o reglamentarias con ese objeto, como en su actuación concreta; y la de constituir garantía para la administración, en tanto acrece la posibilidad de una mejor selección del contratista; todo lo anterior, dentro del marco constitucional dado por el artículo 33 de la Carta Fundamental” (Voto 998-1998). 2.- El pliego de condiciones publicado por el ICE para la adquisición de “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, implica una clara violación, en perjuicio de mi representada, de sus derechos fundamentales a la libre concurrencia en las contrataciones públicas y de igualdad de trato de los oferentes, dado que se aplican en esa licitación pública directamente los artículos 10) incisos c), d), e) y f) y el numeral 11 del " Reglamento Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic), normas que establecen regulaciones discriminatorias y contrarias a los citados derechos fundamentales de la libre competencia e igualdad de trato en los concursos públicos. 3.- En efecto, esas normas establecen requisitos para el caso concreto, a fin de que compañías de diferentes orígenes, especialmente chino, no pueden participar en ningún concurso público para la adquisición de tecnología de telecomunicaciones 5 G Móvil y superiores. 4.- De esa forma se violan de manera grosera y evidente los derechos fundamentales a la libertad de competencia e igualdad de trato que tienen todos los eventuales interesados en participar en concursos públicos para la adquisición de bienes y servicios en nuestro país. 5.- En el caso de mi representada, el pliego de condiciones impide nuestra participación en esa contratación pública al aplicar lo estipulado en los incisos c), d), e) y f) del artículo 10 y numeral 11 del citado Reglamento, que es la finalidad que persigue esa normativa según declaraciones, en su momento, del Presidente Ejecutivo del ICE, de la Ministra del MICITT y del Presidente de la República. A confesión de parte, relevo de prueba. B.- La violación del principio constitucional a no ser discriminado por ninguna razón 1.- El artículo 33 de la Constitución consagra el principio cardinal en el Derecho Occidental, de que ninguna persona, física o jurídica, puede ser discriminada por ninguna razón (sexo, creencias religiosas, ideología, nacionalidad, etc). 2.- En el presente caso a mi representada se le discrimina abiertamente tanto por su supuesta ideología como por su nacionalidad, lo que implica una grosera violación del artículo 33 de la Constitución Política. 3.- Recordemos que la discriminación, desde el punto de vista jurídico, significa otorgamiento de trato diferente basado en desigualdades injustas o arbitrarias que son contrarias al principio de igualdad ante la ley. 4.- La prohibición de discriminar cobija la interdicción de hacerlo por cualquier circunstancia personal o social; o sea, que toda diferenciación que carezca de justificación objetiva y razonable puede calificarse de discriminatoria. 5.- De esa forma, son contrarias al principio de no discriminación las desigualdades de trato que se funden exclusivamente en razones de sexo, raza, condición social, motivos ideológicos, origen, nacionalidad, etc. 6.- La normativa que el ICE pretende aplicar contiene elementos discriminatorios como requisitos obligatorios en el citado concurso público implica una clara violación al principio de no discriminación en perjuicio de mi representada, dado que se la excluye desde el inicio de un concurso público por razones supuestamente ideológicas y de nacionalidad. MEDIDA CAUTELAR 1.- Dado que estamos ante un caso de excepción, pues si no se suspende la ejecución del futuro acto lesivo de nuestros derechos fundamentales y que se encuentra en fase de ejecución, el perjuicio para mi representada sería irreparable e irreversible pues le impide la participación en el citado concurso público para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil. 2.- Por tanto, solicitamos que en aplicación del artículo 41 de la Ley de la Jurisdicción Constitucional, se proceda a suspender la tramitación del proceso licitatorio indicado en el cartel impugnado dado que en él se está aplicando el “Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” (sic), hasta tanto esa Sala Constitucional no se haya pronunciado sobre el fondo de este recurso de amparo y sobre la acción de inconstitucionalidad planteada contra ese decreto oportunamente. PETITORIA Con fundamento en los hechos invocados, pruebas ofrecidas y consideraciones jurídicas señaladas, solicito que en sentencia se declare: 1.- Que mi representada no puede ser impedida de participar en el citado concurso público introduciendo cláusulas de imposible cumplimiento para ella, porque ello viola los derechos fundamentales a la libre competencia, la igualdad de trato y la prohibición de la discriminación exclusivamente por razones ideológicas y de nacionalidad. 2.- Reitero la solicitud de condenatoria al ICE al pago de los daños y perjuicios y costas de esta acción”. v) Por escrito recibido en la Secretaría de la Sala el 14 de noviembre de 2023, se apersona Rubén Hernández Valle, apoderado especial judicial de la parte actora. Indica: “1. Con el documento técnico adjunto las pérdidas que sufrirían tanto mi representada, así como el país si se nos impidiera participar en la licitación del ICE”. vi) Por escrito recibido en la Secretaría de la Sala el 24 de noviembre de 2023, se apersona Rubén Hernández Valle, en su condición de apoderado especial judicial de la parte actora. Expone lo siguiente: “Amplío por este medio, el recurso de amparo presentado y seguido bajo el expediente 23-023887-0007-CO, con base en los siguientes HECHOS 1.- Que mediante escrito remitido a esta Sala Constitucional el día 09 de noviembre de 2023, se amplió en una primera ocasión el recurso de amparo presentado, debido a que el ICE publicó el día de 9 de noviembre de 2023, el PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED SG ENTREGA SEGÚN DEMANDA". 2.- El cartel contiene requisitos que son imposibles de cumplir por mi representada por estar ubicada su casa matriz en la República Popular China. Específicamente el Apartado 3, CiberSeguridad RAN-CORE Móvil 5G, mismo que puede ser revisado en el escrito del 09 de noviembre de 2023. 3.- Que contra dicho pliego de condiciones, por ser discriminatorio e impedir la participación de [Nombre 002]., se presentó en tiempo y forma un recurso de objeción al pliego. 4.- Que mediante oficio 5201-250-202 del 21 de noviembre de 2023, el ICE procedió a admitir parcialmente el recurso de objeción, sin embargo, procedió a rechazar de forma absoluta todas las objeciones relacionadas con el Apartado 3, CiberSeguridad RAN-CORE Móvil 5G, que precisamente excluye a Huawei del concurso. 5.- De esa manera, mi representada demuestra el uso oportuno de todos los mecanismos legales disponibles para procurar garantizar sus derechos constitucionales y sin embargo, se concretó la violación de nuestros derechos fundamentales conforme lo habíamos indicado en el escrito de interposición del presente recurso de amparo. Queda así configurada — ya no una posible violación si no una violación consumada — la discriminación hacia mi representada y las condiciones actuales de Costa Rica en contra de empresas Chinas, discriminándolas por su nacionalidad. PRUEBAS 1.- Copia del recurso interpuesto y de la respuesta del ICE. DERECHO I.- Las violaciones de los derechos fundamentales de mi representada El pliego de condiciones de la licitación pública del ICE citado, se encuentra consolidado y ante el rechazo del recurso de objeción no quedan más remedios legales que pueda utilizar mi representada para procurar la protección de sus derecho legítimos constitucionales. Es con base en esto, que podemos asegurar que, con el agotamiento de esa vía administrativa, el pliego viola en perjuicio de mi representada al menos los siguientes derechos fundamentales: a) derecho de libre competencia e igualdad de participación en los concursos públicos y b) derecho a no ser discriminado en razón del origen de la empresa, todo lo anterior, según fue debidamente explicado y fundamentado en el escrito del 09 de noviembre de 2023. MEDIDA CAUTELAR 1.- Reiteramos en este acto que estamos ante un caso de excepción y de urgentísima protección cautelar, ante el hecho de que actualmente y habiéndose agotado los remedios procesales, resulta imposible detener el concurso. Una vez que el concurso reciba ofertas y mi representada no sea capaz de presentar la suya, por no cumplir con el apartado 3, CiberSeguridad RAN-CORE Móvil 5G, se configurará el daño grave, manifiesto, inminente y de imposible reparación, al quedar completamente fuera del concurso y sin legitimación para reclamar. De igual forma, se ha demostrado de forma sobrada en este proceso de amparo, la apariencia de buen derecho del reclamo, sustentado en normativa constitucional, en los principios constitucionales, en derecho comparado y también en documentación y análisis técnicos, lo cual demuestran que nuestro reclamo tiene un fundamento debido. Finalmente, en la ponderación de intereses en juego, la suspensión no genera un daño directo a la Administración, pues se trataría de un (sic) medida cautelar provisional. 2.- Por tanto, solicitamos que en aplicación del artículo 41 de la Ley de la Jurisdicción Constitucional, se proceda a suspender la tramitación del proceso licitatorio indicado en el cartel impugnado dado que en él deberá aplicarse el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic), hasta tanto esa Sala Constitucional no se haya pronunciado sobre el fondo de este recurso de amparo y sobre la acción de inconstitucionalidad planteada contra ese decreto oportunamente. PETITORIA Con fundamento en los hechos invocados, pruebas ofrecidas y consideraciones jurídicas señaladas, solicito que en sentencia se declare: 1.- Que mi representada no puede ser impedida de participar en el citado concurso público introduciendo cláusulas de imposible cumplimiento para ella, porque ello viola los derechos fundamentales a la libre competencia, la igualdad de trato y la prohibición de la discriminación exclusivamente por razones ideológicas y de nacionalidad. 3.- Reitero la solicitud de condenatoria al ICE al pago de los daños y perjuicios y costas de esta acción”.

14.- Mediante resolución de las 13:22 horas de 24 de noviembre de 2023, la magistrada instructora, por disposición del Pleno, confirió audiencia a la superintendente de Superintendencia General de Entidades Financieras, y a quienes ejerzan la representación tanto de la Cámara de Infocomunicación y Tecnología (Infocom) como de la Cámara de Tecnologías de Información y Comunicación (Camtic).

15.- Por escrito incorporado al expediente digital el 30 de noviembre de 2023, rinden informe Marco Vinicio Acuña Mora y Hubert Valverde Batista, por su orden presidente ejecutivo y administrador de contratos, ambos del ICE, en los siguientes términos: I. CONTEXTO En la resolución de marras, por disposición del Pleno, su Autoridad al ampliar el curso del proceso sumario de amparo solicita un informe al ICE, por medio de los suscritos, sobre seis (6) hechos alegados por la Parte Accionante en escritos presentados en el período del 28 de setiembre al 24 de noviembre, todos de 2023. De previo a hacer referencia a dichos elementos fácticos, en tutela del principio de colaboración con las Autoridades de Justicia, en concordancia con el informe originario presentado el 6 de octubre de 2023 mediante oficio N.º 0060-456-2023, se realiza el siguiente contexto para efectos de establecer en su justa dimensión lo alegado por la Parte Recurrente y contribuir así la mejor comprensión de los hechos por la Honorable Sala Constitucional: 1. El Recurso de Amparo interpuesto, y por ende los hechos alegados- entre ellos los ampliados-, se basan en el Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” emitido el 25 de agosto de 2023 por la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, publicado en el Alcance N.º 166 del Diario Oficial La Gaceta del 31 de agosto de 2023, vigente a partir de esa fecha. 2. El Decreto Ejecutivo N.º 44196-MSP-MICITT en el artículo 2, establece lo siguiente: “Artículo 2º-Ámbito de aplicación. Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basadas en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones. En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores.” (El resaltado, con excepción del título del artículo, es proveído). 3.- El Reglamento de marras, en el artículo 13, relativo a sanciones e infracciones establece lo siguiente: “Artículo 13º— Sanciones e infracciones. El régimen sancionatorio administrativo aplicable por el incumplimiento de las disposiciones contenidas en este Decreto Ejecutivo se regirá por lo dispuesto en la Ley Nº 8642, Ley General de Telecomunicaciones.” (El resaltado, con excepción del título del artículo, es proveído). Los anteriores elementos fácticos, de conocimiento general, permiten evidenciar de manera palmaria los siguientes aspectos que serán centrales para resolver el caso: 1.- El ICE no emitió el Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores, con lo cual existe una evidente falta de legitimación pasiva del Instituto para efectos del presente Recurso de Amparo. 2.- El ICE, en su condición de operador y proveedor de servicios de telecomunicaciones, junto con los otros homólogos de naturaleza pública o privada, están sometidos al presente Reglamento emitido por el Poder Ejecutivo; ámbito de aplicación que, en el caso del Instituto, al emplear fondos públicos, también comprende los procesos de compra pública. 3.- Si el ICE, en dicha condición de operador y proveedor de servicios de telecomunicaciones, incumple con las disposiciones del Reglamento será sometido al régimen sancionatorio administrativo de la Ley General de Telecomunicaciones N.º 8642 (LGT), el cual, dependiendo de la gravedad particular de la falta, podrían implicar sanciones de uno por ciento (1%) y hasta un diez por ciento (10%) de las ventas anuales obtenidas por el infractor durante el ejercicio fiscal anterior, o entre un uno por ciento (1%) y hasta por un diez por ciento (10%) del valor de los activos del infractor, además del cierre definitivo del establecimiento, clausura de instalaciones, en aplicación de los artículos 68 y 69 de la LGT. 4.- El ICE, el 9 de noviembre del 2023, publicó en el sistema SICOP, el procedimiento especial 2023XE-000023-0000400001 GT- Adquisición de Bienes y Servicios para la Implementación de la Red 5G, Entrega Según Demanda con el objetivo de brindar servicios 5G a los usuarios de telecomunicaciones, donde dentro del pliego de condiciones se incorporó los requisitos relativos al Decreto Ejecutivo N.º 44196-MSPMICITT, el cual se encuentra vigente, siendo una disposición de alcance general emitida por el Poder Ejecutivo, de acatamiento obligatorio para el Instituto. Actualmente dicho procedimiento de contratación pública está en etapa de recepción de ofertas. 5.- Por ende, el ICE lo que está haciendo es cumplir como en derecho corresponde, y conforme al principio de legalidad, con dicho Reglamento emitido por el Poder Ejecutivo, tanto en su condición de operador y proveedor de servicios de telecomunicaciones, como de institución pública en los procesos de compra pública, bajo la ley General de Contratación Pública, que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico (conforme se explicará puntualmente en el siguiente apartado) según el ámbito de aplicación establecido en el artículo 2 del mencionado Decreto Ejecutivo, cuyo incumplimiento implica sanciones e infracciones regulatorias y económicas según lo regulado en el numeral 13 de dicha norma de alcance general. II. SOBRE LOS SEIS HECHOS ALEGADOS POR LA PARTE ACCIONANTE Con base en el informe técnico N.º 9191-1860-2023 del 29 de noviembre de 2023 emitido por el Programa 5G de la Gerencia de Telecomunicaciones del ICE, el cual se aporta como prueba, a continuación, hacemos referencia a los seis hechos indicados por el Alto Tribunal Constitucional, numerados del i) al vi) en la resolución de traslado. Hecho i) Dado que el hecho se refiere al escrito recibido por la Secretaría de la Sala el 28 de setiembre de 2023, sobre el cual se dio curso original al Recurso de Amparo y por ende se dio traslado al ICE, nos permitimos manifestar respetuosamente a su Autoridad que los suscritos se refirieron a dicho elemento fáctico en el Informe de ley presentado el 6 de octubre de 2023 mediante el oficio N.º 0060-456-2023, en el cual, bajo el principio de colaboración procesal, se aportó la respectiva prueba documental. En este sentido, conforme al principio de eficiencia y a fin de no importunar al Alto Tribunal Constitucional con la transcripción extensa de dicho informe original, respetuosamente nos permitimos remitir a lo establecido en dicho memorial incorporado al expediente judicial. Hecho ii) Dicho hecho, originado en el escrito de la Parte Accionante del 6 de octubre de 2023, replicado en memorial del 25 del mismo mes y año (dado que le faltaba la página 2) se refiere a supuestos vicios de inconstitucionalidad “in toto y de algunas normas en específico” del Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores. En este sentido, lo alegado en el hecho ii) son aspectos ajenos al ICE, quien como se ha explicado, no es el emisor de dicho Reglamento, estando en la obligación de aplicarlo. Asimismo, tal y como es de conocimiento de su Autoridad, la Parte Recurrente, con posterioridad a la manifestación del escrito del 6 de octubre pasado, se apersonó ante la Sala Constitucional a interponer directamente una acción de inconstitucionalidad contra dicho Reglamento, gestionada bajo el expediente N.º 23025158-0007-CO, el cual a la fecha de suscripción de este informe de ley se reporta que está en estado de trámite, según la información pública disponible en el Sistema de Gestión en Línea del Poder Judicial, en la modalidad de consulta pública. Asimismo, la propia Parte Accionante, según se explicará en la respuesta al Hecho vi), ha informado al ICE sobre la interposición de dicha acción de inconstitucionalidad bajo el expediente N.º 23-025158-0007-CO. Por ende, dado que la acción de inconstitucionalidad sobre el Reglamento de marras, incluso por voluntad de la Parte Recurrente, se está tramitando bajo otro tipo de proceso y expediente judicial, se considera que este hecho ii), bajo la técnica jurídico procesal, es impertinente, además de carecer de interés actual, dado que la resolución de la acción, según corresponda, no se resolverá en el presente proceso sumario de amparo Hecho iii) En este hecho, basado en el escrito del 10 de octubre de 2023, la Parte Accionante reitera la solicitud de medida cautelar, realizada originalmente en el memorial de interposición del recurso de amparo, en cuanto a que “se suspenda la ejecución de la licitación que promoverá el ICE en pocos días para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil”, para lo cual aporta tres noticias emitidas por medios de prensa y un estudio académico de la Universidad Nacional (UNA) de octubre de 2023 denominado “Evaluación del impacto económico de la exclusión de proveedores en las inversiones de la red 5G en Costa Rica”. A este respecto, dado que la Parte Recurrente reitera lo ya solicitado y argumentado en el memorial del 28 de setiembre de 2023 donde presenta recurso de amparo, nos permitimos manifestar que aun cuando los hechos sobre los cuales se solicitó rendir el informe de ley original no contemplaba dicha solicitud de medida cautelar, los suscritos, en virtud del principio de colaboración con las Autoridades de Justicia, se refirieron a la improcedencia de dicha solicitud en el Informe de ley presentado el 6 de octubre de 2023 mediante el oficio N.º 0060-456-2023, específicamente en el Apartado IV, donde se explicó que no se cumple con ninguno de los presupuestos establecidos para la tutela cautelar, asimismo, se evidenció que: “El suspender la publicación de cualquier pliego de condiciones, en los términos solicitado (sic) por el Sr. Recurrente, no solo implicaría un daño grave, irreparable e irreversible a esta Institución Pública, impidiéndole cumplir con sus competencias establecidas por ley, sino que ante todo afectaría a los usuarios finales de telecomunicaciones a quienes se les impediría tener acceso a nuevas tecnologías y servicios, afectando su derecho fundamental de acceso a las telecomunicaciones, reconocido jurisprudencialmente por este Honorable Tribunal Constitucional y positivizado reciente por el Constituyente Derivado por reforma a la Carta Magna.” (El resaltado es proveído). Ahora bien, dado que el Honorable Tribunal Constitucional, en este hecho iii) pone en formal conocimiento de la solicitud de medida cautelar, nos permitimos no solo reiterar la improcedencia de dicho requerimiento, sino también desarrollar los daños graves, irreparables e irreversibles que se le causarían no solo al ICE, sino ante todo a los usuarios finales de telecomunicaciones, afectando el interés público. A este respecto, una eventual suspensión del procedimiento de contratación pública en curso para la implementación de la tecnología 5G (Procedimiento especial 2023XE-000023-0000400001 GT- Adquisición de Bienes y Servicios para la Implementación de la Red 5G, Entrega Según Demanda”) generaría un daño grave, irreparable e irreversible al ICE por las siguientes razones: 1. Impide al ICE cumplir con las competencias históricas y legales de brindar servicios de telecomunicaciones a la colectividad establecidas desde el Decreto Ley 449 de 1949, reafirmadas y complementadas en la Ley de Fortalecimiento y Modernización de las Entidades Públicas del Sector Telecomunicaciones N.º 8660 de 2008, implicando a la vez un incumplimiento de los compromisos realizados expresamente por el Estado Costarricense en el Anexo 13 del Tratado de Libre Comercio República Dominicana-Centroamérica-Estados Unidos (CAFTA-DR) de fortalecer y modernizar al ICE como un participante en un mercado competitivo de telecomunicaciones, donde coexisten operadores públicos y privados. Dichas competencias de la empresa estatal de telecomunicaciones establecidas en las leyes, y los compromisos de fortalecimiento en el CAFTA responden a un interés público que debe ser salvaguardado y que tiene que ver primordialmente con satisfacer de la mejor forma el derecho de obtener servicios de telecomunicaciones con calidad, en forma oportuna y a precios asequibles por parte de los usuarios. 2.- Impide al ICE cumplir con las obligaciones establecidas en el título habilitante (Acuerdos Ejecutivos de concesión y Resolución N.º RT-024-2009-MINAET del 18 de diciembre de 2009) de uso y explotación de espectro radioeléctrico para brindar servicios de telecomunicaciones a la colectividad. 3.- Impide al ICE, ad portas, lanzar comercialmente al mercado toda una gama de servicios innovadores de tecnología 5G, afectando no solo de manera grave, irreparable e irreversible su función sustantiva como operador estatal de telecomunicaciones, sino que ante todo impactando negativamente a los usuarios finales de telecomunicaciones a quienes se les impediría tener acceso en el menor plazo posible a nuevas tecnologías y servicios, afectando su derecho fundamental de acceso a las telecomunicaciones, reconocido jurisprudencialmente por este Honorable Tribunal Constitucional y positivizado reciente por reforma parcial a la Carta Magna, según se explica a continuación: a) El lanzamiento comercial tiene como objetivo la implementación de una red nacional 5G, la cual brindará al ICE un apoyo estratégico para soportar y mantener el negocio de las telecomunicaciones, así como ofrecer a los usuarios de telecomunicaciones en nuestro país la posibilidad de incursionar en una amplia gama de nuevos servicios que actualmente no están disponibles a través de la tecnología 4G, potenciando la mejora en servicios de salud, transporte, realidad virtual, realidad aumentada, seguridad y hogares inteligentes, entre otros. b) Además, permitirá mejorar la banda ancha móvil, la capacidad de admitir densidades extremadamente altas de dispositivos por celda, menor latencia, implementación y operaciones de red flexibles y mayor eficiencia energética, contribuyendo de esta forma a reducir la brecha digital a nivel país. c) Según lo planificado por el ICE, bajo el caso de negocio, se pretende construir la primera fase de la red 5G, que implicará una evolución tecnológica de las redes móviles y responde al objetivo de brindar una nueva gama de servicios y mejora en los actuales, con una tecnología que satisface las necesidades de los ecosistemas tecnológicos. d) Además, permite asegurar los ingresos actuales del sector de telecomunicaciones, consecuentemente evitar las pérdidas de ingresos asociadas al riesgo de perder los clientes. e)El lanzamiento comercial de los servicios 5G permitirá al ICE cumplir los objetivos de fidelización, retención y recuperación de clientes, así como la habilitación de los primeros tres servicios a través de la tecnología 5G, con base en el plan de implementación del Programa General 5G. f) El ICE como operador estatal de telecomunicaciones y referente en el país como impulsor del desarrollo de las telecomunicaciones, ha previsto en sus objetivos estratégicos la evolución gradual de la red móvil para brindar beneficios a empresas ya establecidas en el país, pymes y clientes que desean contar con servicios de alta calidad, que les permitan movilidad de forma segura para atender en cualquier parte del país aspectos laborales, educativos o de entretenimiento. Luego de los lanzamientos de los servicios a nivel mundial utilizando la tecnología 5G en el último trimestre del año 2019, su tendencia de uso y alcance sigue incrementándose considerablemente, mientras las tecnologías 4G, 3G y 2G empiezan a disminuir. g) La implementación de 5G colocará al Grupo ICE, una vez más, como motor de desarrollo a nivel nacional y pionero de la transformación digital, impulsando la evolución de los servicios móviles mediante la tecnología 5G y, ofreciendo a la población costarricense, la posibilidad de incursionar en una amplia gama de nuevos servicios que habilita esta tecnología, potenciando la mejora en servicios de salud, transporte con el uso de automóviles autónomos, realidad virtual, realidad aumentada, seguridad y hogar inteligente, entre otros, siendo el aliado tecnológico por excelencia en los mercados, personas, Pymes, grandes empresas y Gobierno. h) Las soluciones 5G (junto con el Internet de las Cosas (IoT), la inteligencia artificial, la robótica, blockchain, bioinformática, realidad aumentada y virtual, entre otras) constituyen una de las tecnologías disruptivas de la Cuarta Revolución Industrial, que, además, por sus características, suponen una revolución en el campo de las infocomunicaciones. i) Todas estas ventajas de la evolución tecnológica ayudarán a crear servicios que abrirán nuevas oportunidades para los actores del mercado (actuales y futuros) y contribuirán al cierre de la brecha digital. j) De esta manera, el despliegue de esta tecnología contribuirá con el desarrollo y progreso del país, al favorecer una mayor competitividad de las empresas y el incremento en la inversión extranjera directa, la mejora de los procesos productivos de las MIPYMES y de los servicios públicos asociados con su digitalización, la construcción de ciudades inteligentes, la conexión de las áreas rurales con los centros de las ciudades a través del Internet de alta velocidad, entre múltiples aplicaciones. Todo lo anterior, ayudará a avanzar hacia un mundo más conectado, mejorando significativamente la calidad de vida de las personas. k) Los recursos públicos que invertirá el ICE en la red 5G, y en su lanzamiento comercial, se maximizarán de la siguiente forma: •Se coloca al país como pionero en desarrollo tecnológico en la región. •Eleva los indicadores de desarrollo económico a nivel nacional al aumentar la competitividad • Permite ampliar el portafolio de soluciones de las empresas, ya que contarán con una red 5G con capacidades mejoradas para dar mayores y mejores servicios a los clientes que adquieren sus productos y servicios. • Se pone a disposición de la población servicios de banda ancha superior a la que cuentan actualmente. • Se podrán desarrollar nuevos servicios que mejorará los servicios de salud, transporte, sector energético y educación. • Se lograría avanzar en el cierre de la brecha digital. • Se contribuye con el desarrollo y progreso económico del país. • Brinda mayor competitividad a las empresas. • Se maximizará la inversión directa extranjera, esto ya que las empresas que deseen invertir en el país podrán realizar sus actividades comerciales de forma más eficiente al contar con una red con capacidades de ancho de banda más amplios, por ende, será más atractivo nuestro país para nuevas empresas, potenciando la creación de nuevas fuentes de empleo. • Se fortalece la posición competitiva del Grupo ICE, así como crear nuevos negocios, que vayan más allá de la conectividad. l) El desarrollo de la tecnología 5G, a través del lanzamiento comercial por parte del ICE le permite al país un crecimiento económico, basado en la atracción de nuevas inversiones, lo que da como resultado nuevas fuentes de empleo que mejoren la calidad de vida de los costarricenses, lo cual, además está alineado con establecido la visión del Plan Nacional de Desarrollo de las Telecomunicaciones 20222027 referente a: “Promover la disponibilidad de servicios de telecomunicaciones asequibles, de calidad e innovadores a nivel nacional, mediante el despliegue oportuno de redes de telecomunicaciones seguras, robustas, escalables, resilientes y sostenibles, y desarrollar competencias digitales reduciendo la brecha digital en todos sus componentes y dimensiones, maximizando los beneficios de la economía digital para el disfrute y bienestar de todas las personas.” El alegado interés empresarial de la Parte Accionante no debe prevalecer sobre el interés público de los usuarios de telecomunicaciones de contar en el menor plazo posible con la disposición de servicios de la tecnología 5G por medio del lanzamiento comercial del ICE, no siendo tutelable el interés particular sobre el interés general de la colectividad. Por el contrario, no se afecta en absoluto el interés público el que el ICE continue con el procedimiento de contratación pública tendiente a lanzar comercialmente al mercado servicios 5G, dado que permitiría que los usuarios de telecomunicaciones gocen de los beneficios de la tecnología 5G en el menor plazo posible, cumpliéndose con el fin último de la regulación, como es el beneficio al usuario final. No es la primera vez que, bajo intereses empresariales particulares, se intenta (sin éxito), como sucede ahora con 5G, que por vías judiciales se le impida al ICE poner a disposición de los usuarios finales servicios aprovisionados bajo una nueva tecnología A este respecto, existe un precedente judicial importante, en la jurisdicción contenciosa administrativa, donde en su momento el operador privado TELEFÓNICA, coadyuvado por la SUTEL, pretendía evitar, por medio de una solicitud de medida cautelar que el ICE lanzara comercialmente la tecnología 4G aprovisionada en la banda 2.6 GHz, ante lo cual el Tribunal Contencioso Administrativo, bajo el expediente N° 13-006841-1027-CA, al rechazar dicha medida en la Resolución N° 2343-2013 de las 09:50 horas del 30 de octubre de 2013, hizo un interesante razonamiento, también aplicable al caso de marras, en cuanto a que pretender evitar el lanzamiento de dicha innovación tecnológica implica, desde la perspectiva del usuario final, una afectación al interés público: “Finalmente, existe una tercera afectación al interés público, viéndolo desde la perspectiva propia de los usuarios del servicio público de las telecomunicaciones, que como bien sabemos es un mundo globalizado como el que vivimos inmersos hoy día, el acceso a las nuevas tecnologías es cada vez, no solamente más apetecido, sino también más necesario y complementario. Desde este tratamiento, es dable pensar, contrario a lo narrado por la firma actora y respaldado por la propia Superintendencia de Telecomunicaciones, en el sentido de que indicar que el usuario se verá afectado por no tener oportunidad de elegir operador, y eventualmente como lo dijera el órgano regulador, de tener que interrumpírsele su servicio contratado, que el usuario-administrado sí se verá perjudicado en el caso de que el Tribunal suspenda a tan solo unas horas, la operación en el mercado de nuevas tecnologías que eminentemente van en su provecho. Considérese tan solo el menoscabo de aquellas personas, sean físicas o jurídicas, que deseen implementar para su beneficio individual o comercial, tecnologías más rápidas y avanzadas para su crecimiento personal o colectivo, situación con la que no puede coadyuvar este Tribunal, y es por eso justamente que, ante la prevalencia de un interés público claramente prevaleciente en tres perspectivas distintas como se ha explicado, y el interés privado de la empresa actora, este último debe ceder, trayendo como consecuencia el rechazo de la medida cautelar solicitada en todos sus extremos.” (El resaltado y subrayado son proveídos). Este precedente judicial que se generó a partir del rechazo de una solicitud de medida cautelar en sede contenciosa administrativa que pretendía que se le impidiera al ICE lanzar comercialmente una nueva tecnología aprovisionada por la banda 2.6. GHZ, lo cual intenta ahora la Parte Accionante para la tecnología 5G, permite evidenciar como la puesta a disposición de los usuarios finales de una innovación tecnológica, como lo fue en su momento el 4G y ahora será el 5G que lanzará comercialmente el ICE, tutela indiscutiblemente el interés público. Por ende, es evidente que la opción que mejor satisface el interés público y el beneficio de los usuarios es que el ICE pueda implementar, en favor de la colectividad, los servicios 5G. Los argumentos y documentos presentados por la Parte Recurrente no permiten acreditar, con algún grado mínimo de certeza razonable, ninguno de los presupuestos constitutivos para la emisión de una medida cautelar, pretendiendo la Accionante un debate plenario y evacuación de prueba técnico-económica que es ajena a la naturaleza sumaria del Recurso de Amparo, y que es propia de legalidad ordinaria como lo ha establecido la Sala Constitucional en varios precedentes, entre ellos los Votos 1998-01318 de las 10:15 horas del 27 de febrero de 1998, 1998001650 de las 17:36 horas del 10 de marzo de 1998 y 2002-06123 de las 9:33 horas del 21 de junio de 1998. A este respecto, en uno de sus precedentes jurisprudenciales más orientadores el Alto Tribunal Constitucional indicó lo siguiente: “El dominio del amparo, está reservado al análisis de los hechos y actos y su comparación con el ordenamiento jurídico para concluir en una posible ilegitimidad de lo impugnado, sin que sea posible incursionar en campos de la ciencia o de la técnica para ello. La disputa de criterios técnicos o científicos, pues está reservado a otras sedes”[1]. Criterio que, la “Sala lo extendió al campo de los servicios públicos e, incluso, a muchos otros más, según indica el jurista nacional José Francisco Barth Jiménez[2], en su artículo especializado “Recurso de Amparo y regulación de las Telecomunicaciones”. Hecho iv) En este hecho, derivado del escrito del 9 de noviembre de 2023, la Parte Recurrente menciona que el ICE en esa fecha publicó el pliego de condiciones para la adquisición de GT- Adquisición de Bienes y Servicios para la Implementación de la Red 5G, Entrega Según Demanda, alegando que contiene requisitos imposibles de cumplir, reiterando la solicitud de medida cautelar de suspensión de la contratación hasta tanto la Sala no se haya pronunciado sobre el fondo del recurso y sobre la acción de inconstitucionalidad presentada contra el reglamento. A este respecto, es cierto que el ICE el 09 de noviembre de 2023, publicó en el sistema SICOP, el procedimiento especial 2023XE-000023-0000400001 GT- Adquisición de Bienes y Servicios para la Implementación de la Red 5G, Entrega Según Demanda”. (Ver Prueba 1, Anexo 1). Dentro del pliego de condiciones, se incorporó los requisitos derivados del Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” que, como mencionamos anteriormente, fue emitido el 25 de agosto de 2023 por la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, publicado en el Alcance N.º 166 del Diario Oficial La Gaceta del 31 de agosto de 2023, vigente a partir de esa fecha y es una disposición de alcance general emitida por el Poder Ejecutivo, el cual es de acatamiento obligatorio para el ICE. Dicho Decreto Ejecutivo en su artículo 2, relativo al ámbito de aplicación, establece lo siguiente: “Artículo 2º-Ámbito de aplicación. Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basadas en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones. En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores.” En el artículo 13 del Decreto también se incorporan ciertas sanciones e infracciones, para lo cual establece lo siguiente: “Artículo 13º— Sanciones e infracciones. El régimen sancionatorio administrativo aplicable por el incumplimiento de las disposiciones contenidas en este Decreto Ejecutivo se regirá por lo dispuesto en la Ley Nº 8642, Ley General de Telecomunicaciones.” Si el ICE, en dicha condición de operador y proveedor de servicios de telecomunicaciones, incumple con las disposiciones del Reglamento será sometido al régimen sancionatorio administrativo de la Ley General de Telecomunicaciones N.º 8642 (LGT), el cual, dependiendo de la gravedad particular de la falta, podrían implicar sanciones de uno por ciento (1%) y hasta un diez por ciento (10%) de las ventas anuales obtenidas por el infractor durante el ejercicio fiscal anterior, o entre un uno por ciento (1%) y hasta por un diez por ciento (10%) del valor de los activos del infractor, además del cierre definitivo del establecimiento, clausura de instalaciones, en aplicación de los artículos 68 y 69 de la LGT. El ICE, en su condición de operador y proveedor de servicios de telecomunicaciones, junto con los otros homólogos de naturaleza pública o privada, están sometidos al Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores emitido por el Poder Ejecutivo; ámbito de aplicación que, en el caso del Instituto, al emplear fondos públicos, también comprende los procedimientos de contratación pública, por lo cual en el pliego de condiciones antes citado se solicitó el cumplimiento de lo establecido en dicha disposición de alcance general vigente y de acatamiento obligatorio para el Instituto. Por su parte, en lo que concierne a la reiteración de la solicitud medida cautelar que realiza la Parte Accionante, nos permitimos confirmar los argumentos de improcedencia indicados tanto en el informe originario presentado el 6 de octubre de 2023 mediante el oficio N.º 0060-456-2023, como en la respuesta al Hecho i) y iii) del presente informe complementario. Hecho v) En este hecho, originado en escrito del 14 de noviembre de 2023, la Parte Accionante indica que aporta un “documento técnico” sobre las pérdidas que sufrirían dicha empresa, así como el país, si se les impidiera participar en la licitación del ICE. A este respecto, el documento presentado por la Parte Recurrente no permite acreditar, con algún grado mínimo de certeza razonable, ninguno de los presupuestos constitutivos para la emisión de una medida cautelar, pretendiendo la Accionante un debate plenario y evacuación de prueba técnico-económica que es ajena a la naturaleza sumaria del Recurso de Amparo, y que es propia de legalidad ordinaria como lo ha establecido la Sala Constitucional en varios precedentes, entre ellos los Votos 1998-01318 de las 10:15 horas del 27 de febrero de 1998, 1998001650 de las 17:36 horas del 10 de marzo de 1998 y 2002-06123 de las 9:33 horas del 21 de junio de 1998, según mencionamos en la respuesta al Hecho iii). Tal y como se mencionó en la respuesta a ese Hecho iii), el alegado interés empresarial de la Parte Accionante no debe prevalecer sobre el interés público de los usuarios de telecomunicaciones de contar en el menor plazo posible con la disposición de servicios de la tecnología 5G por medio del lanzamiento comercial del ICE, no siendo tutelable el interés particular sobre el interés general de la colectividad. Por el contrario, no se afecta en absoluto el interés público el que el ICE continue con el procedimiento de contratación pública tendiente a lanzar comercialmente al mercado servicios 5G, dado que permitiría que los usuarios de telecomunicaciones gocen de los beneficios de la tecnología 5G en el menor plazo posible, cumpliéndose con el fin último de la regulación, como es el beneficio al usuario final. Hecho vi) En este hecho, basado en el escrito del 24 de noviembre de 2023, la Parte Recurrente, en esencia indica que interpuso recurso de objeción al pliego de condiciones de la contratación pública del ICE para la adquisición de GT- Adquisición de Bienes y Servicios para la Implementación de la Red 5G, Entrega Según Demanda, que, a su criterio, se introducen cláusulas de imposible cumplimiento, que el ICE admitió parcialmente el recurso, rechazando las objeciones referentes a la aplicación del reglamento, reiterando la Parte Accionante la solicitud de medica cautelar de suspender la tramitación del proceso de contratación hasta tanto la Sala no se haya pronunciado sobre el fondo del recurso y sobre la acción de inconstitucionalidad presentada contra el reglamento. A este respecto, es cierto que el ICE, recibió un recurso de objeción al pliego de condiciones por parte de [Nombre 002], presentado el 14 de noviembre del 2023 (Ver Prueba 1, Anexo 2), donde la Parte Accionante mencionó que había interpuesto ante la Sala Constitucional una acción de inconstitucionalidad contra dicho Reglamento, gestionada bajo el expediente N.º 23-025158-0007-CO, el cual a la fecha de suscripción de este informe de ley se reporta que está en estado de trámite, según la información pública disponible en el Sistema de Gestión en Línea del Poder Judicial, en la modalidad de consulta pública. El recurso de objeción fue admitido parcialmente en cuanto a varios extremos del pliego de condiciones relativos a forma de adjudicación, especificaciones técnicas de los bienes y servicios, rechazando, por su parte, las objeciones de dicha empresa referente a la aplicación del Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores”, para lo cual, en la resolución, de manera motivada, y con sustento en dictámenes internos que sustentan dicho acto, se explicó con detalle las razones por las cuales el ICE debe aplicar dicho reglamento en el pliego de condiciones de la contratación. Para tal efecto, se adjunta el oficio 5201-250-2023 del 21 de noviembre del 2023 (Ver Prueba 1, Anexo 3), donde consta el detalle de la resolución que resolvió dicho recurso, la cual fue emitida por la Gerencia General del ICE (Anexo 4), la cual indicó: “Esta Gerencia General, en calidad de Órgano competente para resolver este Recurso de Objeción, con base en los criterios emitidos por la Dirección de Contratación Administrativa (DCA) mediante oficio 258-7212023 del 17 de noviembre del 2023 (Secuencia 0172023600000012) y correo electrónico del 21 de noviembre del 2023, así como el criterio técnico de la División Desarrollo y Construcción de la Red - Gerencia de Telecomunicaciones, mediante documento del 21 de noviembre del 2023 suscrito por el Administrador de Contrato (Secuencia 0152023830800006), y la recomendación emitida por la Dirección de Proveeduría mediante carta 5210-250-2023, secuencia 1348682 en la plataforma SICOP en fecha 21 de noviembre de 2023, determina acoger parcialmente el recurso de objeción interpuesto por la empresa [Nombre 002], en contra del pliego de condiciones del procedimiento especial No. 2023XE-0000230000400001, promovida por la citada División, para el procedimiento “GT- Adquisición De Bienes Y Servicios Para La Implementación De La Red 5G entrega según demanda”, en cuanto a los aspectos señalados en los criterios supra citados. Lo anterior de conformidad con los artículos N° 68 y 95 de la Ley General de Contratación Pública, N° 9986, artículos 253, 255 y 258 del Reglamento a la Ley General de Contratación Pública. Notifíquese a la empresa recurrente de esta resolución, conforme corresponde.” Tal y como se indicó en la respuesta al Hecho iv) dentro del pliego de condiciones, se incorporó los requisitos derivados del Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” que, como mencionamos anteriormente, fue emitido el 25 de agosto de 2023 por la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, publicado en el Alcance N.º 166 del Diario Oficial La Gaceta del 31 de agosto de 2023, vigente a partir de esa fecha y es una disposición de alcance general emitida por el Poder Ejecutivo, el cual es de acatamiento obligatorio para el ICE. Dicho Decreto Ejecutivo en su artículo 2, relativo al ámbito de aplicación, establece lo siguiente: “Artículo 2º-Ámbito de aplicación. Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basadas en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones. En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores.” En el artículo 13 del Decreto también se incorporan ciertas sanciones e infracciones, para lo cual establece lo siguiente: “Artículo 13º— Sanciones e infracciones. El régimen sancionatorio administrativo aplicable por el incumplimiento de las disposiciones contenidas en este Decreto Ejecutivo se regirá por lo dispuesto en la Ley Nº 8642, Ley General de Telecomunicaciones.” Si el ICE, en dicha condición de operador y proveedor de servicios de telecomunicaciones, incumple con las disposiciones del Reglamento será sometido al régimen sancionatorio administrativo de la Ley General de Telecomunicaciones N.º 8642 (LGT), el cual, dependiendo de la gravedad particular de la falta, podrían implicar sanciones de uno por ciento (1%) y hasta un diez por ciento (10%) de las ventas anuales obtenidas por el infractor durante el ejercicio fiscal anterior, o entre un uno por ciento (1%) y hasta por un diez por ciento (10%) del valor de los activos del infractor, además del cierre definitivo del establecimiento, clausura de instalaciones, en aplicación de los artículos 68 y 69 de la LGT. El ICE, en su condición de operador y proveedor de servicios de telecomunicaciones, junto con los otros homólogos de naturaleza pública o privada, están sometidos al Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores emitido por el Poder Ejecutivo; ámbito de aplicación que, en el caso del Instituto, al emplear fondos públicos, también comprende los procedimientos de contratación pública, por lo cual en el pliego de condiciones antes citado se solicitó el cumplimiento de lo establecido en dicha disposición de alcance general vigente y de acatamiento obligatorio para el Instituto. Por su parte, en lo que concierne a la reiteración de la solicitud medida cautelar que realiza la Parte Accionante, nos permitimos confirmar los argumentos de improcedencia indicados tanto en el informe originario presentado el 6 de octubre de 2023 mediante el oficio N.º 0060-456-2023, como en la respuesta al Hecho i) y iii) del presente informe complementario”.

16.- Mediante resolución de las 11:02 horas de 4 de diciembre de 2023, la magistrada instructora rectificó el error material contenido en la resolución de las 13:22 horas de 24 de noviembre de 2023 en cuanto otorgó audiencia a la superintendente de Superintendencia General de Entidades Financieras y la dejó sin efecto; asimismo, confirió audiencia al superintendente de la Superintendencia de Telecomunicaciones.

17.- Por escrito recibido en la Secretaría de la Sala el 5 de diciembre de 2023, se apersona Ana Lucía Ramírez Calderón, directora ejecutiva y representante de la Asociación Cámara de Infocomunicación y Tecnología. Indica que adjunta el oficio CIT-0039-2023 de 26 de setiembre de 2023 remitido por su representada al Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones, el cual contiene consideraciones generales y técnicas sobre el decreto ejecutivo nro. 44196-MSP-MICITT.

18.- Por escrito incorporado al expediente digital el 7 de diciembre de 2023, se apersona Paul Fervoy, en su condición de presidente de la Cámara de Tecnologías de Información y Comunicación (CAMTIC). Manifiesta lo siguiente: “Consideramos que el asunto que se somete a conocimiento de la Sala Constitucional en este expediente obedece a cuestiones técnicas de constitucionalidad y legalidad sobre las que no podemos emitir una opinión al no ser parte de nuestra labor como representante de la industria. Como referencia, se anexa el comunicado de prensa emitido por CAMTIC el 7 de noviembre de 2023, titulado "CAMTIC insta al MICITT a promover mesas de diálogo para optimizar el marco de ciberseguridad 5G"; este documento refleja nuestra postura como representantes de la industria con relación a los aspectos técnicos de la ciberseguridad y la tecnología 5G”.

19.-Por escrito recibido en la Secretaría de la Sala el 8 de diciembre de 2023, se apersona Rubén Hernández Valle, en su condición de apoderado especial judicial de la parte actora. Manifiesta lo siguiente: “En respuesta a informe complementario brindado por el Instituto Costarricense de Electricidad con fecha del 29 de noviembre del año en curso, consideramos de relevancia para el proceso de amparo que nos ocupa señalar lo siguiente: 1.- En cuanto a lo señalado por el ICE en la primera parte de su informe denominada "Contexto", es claro que el Instituto pretende desvirtuar los fundamentos del proceso de Amparo que nos ocupa. Lo anterior, por cuanto se escuda en que el Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT fue emitido por la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones. Sin embargo, el recurso de amparo es presentado en contra de ese Instituto en razón de las condiciones discriminatorias e inconstitucionales que se incluyeron en el procedimiento licitatorio que ha promovido el mismo mediante el PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT-ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA. 2.- A pesar de que el ICE justifica su actuar en su deber de cumplimiento al Reglamento de cita, omite señalar si de previo o posteriormente a la publicación del Decreto (sic) tomó alguna acción dentro del ordenamiento jurídico para evitar verse obligado a incluir las condiciones lesivas e inconstitucionales, que violan los derechos fundamentales de mi representada y contrarias al interés público. Es importante indicar, como lo hace el propio ICE, que es un operador de telecomunicaciones, de derecho público, con un interés en una gama de servicios de 5G y que por lo tanto, estaba en una posición de privilegio, de control y supervisión de las actuaciones que estaba realizando el Poder Ejecutivo, con lo cual, existe una clara violación a su deber de vigilancia del mercado al que se dirige. 3.- En el mismo orden de su respuesta procederemos a referirnos a las justificaciones utilizadas en cada uno de los hechos que hace referencia respecto a los alegatos de mi representada. En cuanto al hecho primero, respecto a la publicación del pliego de condiciones y el inicio del proceso licitatorio objeto del presente recurso de amparo, el ICE se limita a referirse a su informe inicial presentado en el proceso de amparo que nos ocupa. Sin embargo, para ese momento el pliego de condiciones de referencia no se había publicado, pues el mismo fue publicado el día 9 de noviembre del año en curso y el informe al que hace referencia fue presentado el día 6 de octubre de este mismo año. Lo que sí tiene el ICE es la potestad de determinar el momento circunstancial y oportuno para iniciar con la etapa concursal del procedimiento licitatorio que nos ocupa. En este sentido, como se indicó anteriormente y así mismo lo reconoce dicho Instituto, el mismo tenía el conocimiento del recurso de amparo que nos ocupa y de la acción de inconstitucionalidad presentada ante esa Sala, en la cual se cuestiona la inconstitucionalidad del Reglamento (sic) de reiterada cita. Por lo tanto, en resguardo del interés público y de la seguridad jurídica, dicho Instituto no debió iniciar el proceso de recepción de ofertas en el proceso licitatorio que nos ocupa, hasta que no existiera una luz por parte de esa Sala Constitucional. Como se ha demostrado de forma exhaustiva en los documentos de prueba aportados por mi representada, el daño a la misma, así como al interés público, a la competitividad del mismo Instituto (sic) y a los usuarios, es mucho más grave que haber esperado unos días hasta que esa Sala resolviera de conformidad a derecho. 4.- La referencia que hace en el Hecho ii) de la acción de inconstitucionalidad presentada en contra del Reglamento de reiterada cita, no puede considerarse "impertinente", ni mucho menos de "carecer de interés actual" como lo pretende hacer el ICE. Al contrario, el conocimiento de la existencia de dicha acción de inconstitucionalidad en contra del Reglamento (sic) que el mismo ICE señala que se vio obligado a cumplir e incluir condiciones en pliego de la licitación que nos ocupa, obliga a ese Instituto (sic) a actuar con la debida diligencia y cautela, en procura de la protección del interés general. Esto por cuanto, al cuestionarse la inconstitucionalidad de las normas que dan sustento a su actuación, podría tener como consecuencia la ilegalidad y nulidad absoluta de su actuación, en el proceso de contratación, lo que a su vez derivaría en un daño para la hacienda pública en razón del gasto de recursos públicos invertidos en un proceso que es abiertamente desigual, y que limita la participación. Esto además del hecho público y notorio de que para el Instituto Costarricense de Electricidad, la exclusión de [Nombre 002]. implicaría un aumento en los costos de aprovisionamiento de hardware y software $ 1.5 billones. Lo anterior conforme fue denunciado en el diario de circulación Nacional La República de 11 de septiembre de 2023 "Excluir a empresas asiáticas de concurso de redes 5G le costaría al país $1,5 billones en tecnología" disponible en https://www.larepublica.net/noticia/excluir-a-empresas-asiaticasdeconcurso-de-redes-5g-le-costaria-al-pais-15-billones-entecnologia 5.- En el Hecho iii) el ICE pretende minimizar nuestra petición de la medida cautelar, sin embargo, olvida que desde su óptica también debe demostrar el daño al interés público, para así poder ponderar el equilibrio de intereses en la medida. Sin embargo, el ICE ni siquiera presenta en su informe datos de terceros que compruebe lo dicho sobre el atraso o daño que supuestamente sufrirá. Tampoco ha presentado ninguna prueba que desvirtúen en ningún extremo los estudios de prueba fehaciente que sí presentó Huawei. El ICE únicamente justifica la continuidad en la expectativa que tiene el “Grupo ICE” en los eventuales servicios que espera colocar en el mercado. Sin embargo, no presenta ningún dato estadístico, técnico o de otra naturaleza, emitido por un tercero, que compruebe todos los beneficios que alega, discriminando la participación de empresas de origen chino, como lo es mi representada. Por el contrario, ya INFOCOM se pronunció en este mismo proceso señalando que: “Las redes 5G proveerán una plataforma de telecomunicaciones que permitirá la implementación de servicios digitales innovadores, que no serían posibles sin esta tecnología; lo cual dará espacio para nuevos modelos de negocio, permitiendo crear fuentes de trabajo y movilizar la economía. Nos preocupa la incidencia de las medidas adoptadas y, en ese sentido, los impactos que estamos puntualizando en los costos y eventuales retrasos en el proceso hacia la ruta de 5G en Costa Rica, que incidirán negativamente en las inversiones, inhibiendo este mercado emergente; lo cual va en detrimento de la economía, las personas y las empresas. El fortalecimiento de los servicios de telecomunicaciones es de vital importancia para el desarrollo de todas las demás industrias. Parte importante de un desarrollo sostenible, es la participación de las empresas de todos los niveles, de una manera justa, y basados en los principios rectores que han formado parte del marco normativo costarricense por décadas.” Son claras las dudas de INFOCOM respecto al decreto pero además, logró determinar el daño para el mercado y el interés público al indicar: “11. Considerando que todos los equipos de la red intervienen en el transporte y gestión de los datos de 5G, al forzar el cumplimiento de lo dispuesto en el Reglamento, en cada elemento que expida datos de 5G, se está infiriendo que los equipos del proveedor, considerado de Alto Riesgo, deben ser reemplazados, sea cual fuere el lugar de la red en que se encuentren, requiriendo para ella inversiones mucho mayores y tiempos de implementación más prolongados.” (El resaltado es nuestro) INFOCOM coincide con los argumentos y estudio presentados por Huawei en relación con el impacto del interés público. Son muy claros y contundentes los estudios que se han presentado como prueba por parte de mi representada, en los cuales se comprueba la lesión al interés público, pues al negarse de forma injustificada y discriminatoria la participación de Huawei y otras empresas de origen chino, se produciría la necesidad de aumentar la inversión en USD196,69 millones en un período de 5 años. Además, al contrario de lo que manifiesta el ICE, el mantener las condiciones discriminatorias en los procesos de implementación de la tecnología 5G se traducirá en un atraso de hasta 4 años adicionales. Asimismo, el ICE deberá incurrir en mayores gastos, se afectará negativamente la competitividad y el PIB del país, así como, un impacto en las tarifas de al menos un 40%, como se ha comprobado mediante los estudios, análisis y documentos presentados como prueba. Precisamente, por la obligación que el ICE alega cumplir de proveer “servicios de telecomunicaciones con calidad, en forma oportuna y a precios asequibles por parte de los usuarios”, es que se debe aceptar la medida cautelar solicitada. Pues como se ha comprobado, si se continúa el proceso licitatorio con las condiciones discriminatorias y violatorias de principios constitucionales, el efecto directo será completamente contrario sobre los derechos de los usuarios y el cumplimiento de sus deberes en protección del interés público. Es claro que es del interés tanto de operadores, proveedores, sectores interesados, entes reguladores y usuarios que se desarrollen en nuestro país los servicios de tecnología 5G. Pero sobre todo es de interés todos que se desarrollen en cumplimiento de los principios constitucionales de la libre competencia, igualdad de participación, sin discriminaciones por razones injustificadas por el origen de las empresas, bajo el principio de neutralidad tecnológica, así como velando por los principios y preceptos de nuestra Constitución Política y tratados ratificados por nuestro país. Ahora bien, el ICE intenta confundir al Tribunal Constitucional mediante la cita de un antecedente, resuelto por el Tribunal Contencioso Administrativo, en un caso del 2013 que en nada se parece al presente caso. La transcripción de la resolución realizada por el ICE se refiere a la medida precautoria solicitada por Telefónica, la cual se sustentó en aquel momento en un mero interés individual y comercial de dicha empresa, sin que se hubiera alegado un beneficio de la medida para el interés público, nuestra acción no está dirigida a intereses comerciales individuales de Huawei, nuestra acción tiene relación a la violación a los principios constitucionales de la libre competencia, igualdad de participación, sin discriminaciones por razones injustificadas por el origen de las empresas, bajo el principio de neutralidad tecnológica, así como velando por los principios y preceptos de nuestra Constitución Política y tratados ratificados por nuestro país. En el caso de la presente medida, se ha demostrado no solo el daño directo a Huawei, sino además y en especial, el daño al propio ICE y al interés público. Valga reiterar que dicho daño al ICE y al interés público no solo ha sido manifestado en nuestros escritos, sino que además ha sido demostrado mediante un informe de un ente objetivo y neutral. Resulta claro entonces que no hay similitud entre los casos y por lo tanto, la cita de la resolución resulta impertinente para la resolución del presente asunto. Más aún, cuando se suma a esto, el elenco probatorio que mi representada ha traído a este proceso. En razón de todo lo anterior, se reitera la necesidad que se acoja la medida cautelar solicitada por mi representada y se ordene al ICE la suspensión del proceso de licitación de interés. 6.- Lo señalado por el ICE como Hecho v), es una simple manifestación de que no está de acuerdo con los documentos de prueba presentados por Huawei. Es decir, no presenta ningún estudio que contradiga lo comprobado por terceros. A diferencia del ICE, mi representada sustenta sus alegatos con documentos serios emitidos por terceros que han realizado análisis exhaustivos del impacto que se producirá si se continúa con el proceso licitatorio y la aplicación del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT. 7.- En cuanto a lo señalado en el Hecho vi) por el ICE, como se ha señalado de forma reiterada, dichas condiciones que se pretendieron objetar en el momento procesal oportuno son injustificadamente discriminatorias y sustentadas en un Decreto (sic) cuyo contenido normativo es contrario a los principios y derechos consagrados en la Constitución Política, así como a normas convencionales suscritas por nuestro país. Se comprueba y reitera por el mismo Instituto (sic) la aplicación a mi representada de las condiciones del pliego de proceso licitatorio que nos ocupa, violentando grosera y abiertamente los derechos fundamentales de mi representada. Adicionalmente esta acción no solo impacta a [Nombre 002]., sino que ha sido suficientemente demostrado, mediante documentación técnica aportada por terceros imparciales, que este es un asunto que también afectará gravemente las finanzas del propio ICE, quien podría verse afectado con un impacto de alrededor de 1.5 billones de colones, lo que implica un golpe grave para su estado financiero. Pero además, este sobrecosto exorbitante, a su vez derivará en un sobrecosto que deberemos pagar todos los que hacemos usos de la telefonía, mismo que podría llegar a un 40% sobre la tarifa actual, sin dejar de lado la posibilidad de un retraso de 4 años en la implementación de la red 5G. Por todo lo anterior, confirmamos que queda así reforzada nuestra petición y la solicitud de medida cautelar. MEDIDA CAUTELAR 1.- En razón de todo lo señalado supra y como se ha demostrado de forma indubitable, solicitamos que se dé trámite preferente a la medida cautelar de suspensión del proceso licitatorio en razón que los plazos de dicho proceso están corriendo y la apertura de las ofertas ha sido prorrogada para el 18 de diciembre del año en curso, según ha sido publicado en el Sistema Integrado de Compras Públicas (SICOP). Lo anterior, por cuanto el mismo es acto lesivo de nuestros derechos fundamentales y que se encuentra en fase de ejecución, el perjuicio para mi representada sería irreparable e irreversible pues le impide la participación en el citado concurso público para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil. Así como los graves daños y perjuicios que le causará al interés público como se ha demostrado mediante la documentación aportada por mi representada como prueba que sustenta lo alegado. 2.- Por tanto, solicitamos que en aplicación del artículo 41 de la Ley de la Jurisdicción Constitucional, se proceda a suspender la tramitación del proceso licitatorio indicado en el cartel impugnado dado que en él se está aplicando el “Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” (sic), hasta tanto esa Sala Constitucional no se haya pronunciado sobre el fondo de este recurso de amparo y sobre la acción de inconstitucionalidad planteada contra ese decreto oportunamente. PETITORIA Con fundamento en los hechos invocados, pruebas ofrecidas y consideraciones jurídicas señaladas, solicito que en sentencia se declare: 1.- Que mi representada no puede ser impedida de participar en el citado concurso público introduciendo cláusulas de imposible cumplimiento para ella, porque ello viola los derechos fundamentales a la libre competencia, la igualdad de trato y la prohibición de la discriminación exclusivamente por razones ideológicas y de nacionalidad. 2.- Reitero la solicitud de condenatoria al ICE al pago de los daños y perjuicios y costas de esta acción”.

20.- Por escrito incorporado al expediente digital el 11 de diciembre de 2023, se apersona Federico Chacón Loaiza, presidente del Consejo de la Superintendencia de Telecomunicaciones. Expone lo siguiente: “II. DEL INFORME DE LA SUTEL En relación con los hechos del recurso, informamos que esta Superintendencia ante consulta confidencial realizada por el Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones (en adelante MICITT), se refirió por medio del oficio número 06900SUTEL-CS-2023 de fecha 17 de agosto de 2023 al texto propuesto sobre “Reglamento sobre medidas cibernéticas aplicables a los servicios de telecomunicaciones basados en tecnología de quinta generación móvil (5G) y superiores” (en adelante Reglamento de Ciberseguridad), realizando algunas consideraciones de índole técnico, legal y desde el ámbito del resguardo a la competencia del mercado, el cual fue enviado al MICITT de previo a la emisión de dicho Reglamento. Estas observaciones, se toman como base para atender la solicitud de informe. 1. DEL PRINCIPIO DE RESERVA DE LEY En el oficio número 06900-SUTEL-CS-2023, esta Superintendencia indicó que la propuesta de Reglamento de Ciberseguridad podría rozar aspectos de legalidad y competencia en los siguientes términos: “(…) no se observan competencias específicas de la Sutel en relación con temas de ciberseguridad tal y como se contempla en el reglamento en consulta. Así las cosas, las obligaciones y funciones de la Sutel y el Consejo están establecidas en los artículos 59, 60 y 73 de la Ley de la Autoridad Reguladora de los Servicios Públicos (Ley N°7593), y de su lectura no se desprenden competencias puntuales de la Superintendencia en temas de ciberseguridad y su fiscalización y mucho menos en lo relativo a la cadena de suministros. Además de que, el artículo 42 de la Ley 8462 es enfático en señalar que los sujetos obligados a garantizar el secreto de las comunicaciones, el derecho a la intimidad y a la protección de datos de carácter personal de los abonados y usuarios finales, son los operadores y proveedores de servicios de telecomunicaciones, por lo que dicha obligación no puede hacerse extensiva a terceros no previstos por dicha ley, como lo sería los oferentes en procesos de contratación pública, los permisionarios o aquellos que habiliten redes y servicios o sean proveedores de equipos tecnológicos.(…)” Al respecto debe considerarse que, en la actualidad no existe una normativa de rango legal que regule de forma específica la materia de ciberseguridad, ni lo relativo a las funciones de verificación de la cadena de suministros, esto último se debe entender, como la constatación de la procedencia geográfica, país de origen y países a través de los cuales se realiza el proceso de envío de los equipos y software que se utilizan para la provisión de los servicios de telecomunicaciones. Lo anterior, se pretende hacer mediante un Decreto Ejecutivo de rango reglamentario, siendo esto violatorio del principio de reserva de ley, el cual evoca que la regulación o restricción de derechos y libertades fundamentales, solamente se puede hacer por ley formal emanada del Poder Legislativo y, por el procedimiento constitucionalmente previsto para la promulgación de normas legales. Establecer este tipo de funciones por la vía de un decreto con carácter reglamentario, conlleva un exceso del ejercicio de la potestad reglamentaria por parte del Poder Ejecutivo. En relación con el principio de reserva de ley, la Sala Constitucional en el Voto No. 1739-1992 (reiterado en el No. 440-1998), estimó lo siguiente: “(...) el principio de legalidad en el estado de derecho postula una forma especial de vinculación de las autoridades e instituciones públicas al ordenamiento jurídico, a partir de su definición básica según la cual toda autoridad o institución pública lo es y solamente puede actuar en la medida en que se encuentre apoderada para hacerlo por el mismo ordenamiento, y normalmente a texto expreso – para las autoridades e instituciones públicas sólo está permitido lo que esté constitucional y legalmente autorizado en forma expresa, y todo lo que no les esté autorizado les está vedado-; así como sus dos corolarios más importantes, todavía dentro de un orden general: el principio de regulación mínima, que tiene especiales exigencias en materia procesal, y el de reserva de ley, que en este campo es casi absoluto. En nuestra Constitución Política, el principio general de legalidad está consagrado en el artículo 11, y resulta, además, del contexto de éste con el 28, que recoge el principio general de libertad – para las personas privadas- y garantiza la reserva de ley para regularla, con el 121, especialmente en cuanto atribuye a la Asamblea Legislativa competencias exclusivas para legislar (incisos 1°, 4° y 17), para crear tribunales de justicia y otros organismos públicos (incisos 19 y 20) y para disponer la recaudación, destino y uso de los fondos públicos (incisos 11, 13 y 15); potestades que no pueden delegarse ni, por ende, compartirse con ningún otro poder, órgano o entidad (artículo 9°), y que generan consecuencias aun más explícitas como las que se recogen en la Ley General de la Administración Pública, principalmente en sus artículos 5° y 7° -que define las jerarquías normativas-, 11 –que consagra el principio de legalidad y su corolario de regulación mínima-, 19 y 59.1 –que reafirman el principio de reserva de ley para el régimen de los derechos fundamentales y para la creación de competencias públicas de efecto externo (...)” (Véase en similar sentido las Sentencias Nos. 6379-02 del 26 de junio de 2002; 10356-02 del 30 de octubre de 2002; 5015-04 del 12 de mayo de 2004; 1809-06 del 15 de febrero de 2006 y 13333-06 del 6 de septiembre de 2006).” (El énfasis es suplido). En este sentido, es criterio de la SUTEL que el Reglamento de Ciberseguridad incluye restricciones sobre la elección de los proveedores de equipos de hardware y software por parte de los operadores de los servicios de telecomunicaciones, también, establece funciones al MICITT y a la Sutel, en lo relativo a la aplicación del reglamento e incluye un régimen sancionatorio que, tal como se abordará en las siguientes secciones, corresponden a disposiciones que únicamente se pueden establecer por la vía legal. Precisamente por la necesidad de establecer elementos específicos como los anteriores, actualmente se encuentra en la corriente legislativa el proyecto de Ley denominado “LEY DE CIBERSEGURIDAD DE COSTA RICA”, expediente Nº 23.292, en el cual se propone en su artículo 4, la creación de la Agencia Nacional de Ciberseguridad que formará parte del Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones (MICITT) y “será la encargada de la gestión preventiva, reactiva y proactiva de las amenazas e incidentes cibernéticos que, a través del uso de datos, puedan generar un riesgo para la población costarricense”. Adicionalmente, además del eventual exceso de la potestad reglamentaria, el Reglamento de Ciberseguridad, es incompatible con preceptos esbozados en la Ley General de Telecomunicaciones (en adelante, LGT), así como en el Tratado de Libre Comercio entre República Dominicana-Centroamérica-Estados Unidos (en adelante CAFTA) , todos de rango superior. Este es el caso del principio de neutralidad tecnológica que se desarrollará de seguido. 2. DEL PRINCIPIO DE NEUTRALIDAD TECNOLÓGICA El Anexo 13 del CAFTA dispone sobre el principio de neutralidad tecnológica lo siguiente: “Costa Rica no impedirá que los proveedores de servicios de telecomunicaciones tengan la flexibilidad de escoger las tecnologías que ellos usen para suministrar sus servicios, sujeto a los requerimientos necesarios para satisfacer los intereses legítimos de política pública.” Dicho principio es congruente con el que se encuentra contenido en la LGT, tal cual se indicó en el oficio número 06900-SUTEL-CS-2023 en los siguientes términos: “El artículo 3 inciso h) de la Ley General de Telecomunicaciones, establece lo siguiente: “h) Neutralidad tecnológica: posibilidad que tienen los operadores de redes y proveedores de servicios de telecomunicaciones para escoger las tecnologías por utilizar, siempre que estas dispongan de estándares comunes y garantizados, cumplan los requerimientos necesarios para satisfacer las metas y los objetivos de política sectorial y se garanticen, en forma adecuada, las condiciones de calidad y precio a que se refiere esta Ley.” (…) Así las cosas, la propuesta reglamentaria no cumple con el principio citado, siendo que está direccionada únicamente a un tipo de tecnología, incluso dejando de lado que las redes 5G pueden operar de forma interconectada con otras tecnologías como lo es el modo “non-standalone” , dada la facultad que ostentan los operadores de desarrollar y diseñar sus propias redes.” Al entrar en vigor el Reglamento de Ciberseguridad, se materializó el riesgo de incumplimiento del principio de neutralidad tecnológica, tal como fue advertido por el Consejo de la Sutel mediante el oficio 06900-SUTEL-CS-2023. Finalmente, el Reglamento de Ciberseguridad hace amplia referencia y justifica su emisión en el Convenio sobre la Ciberdelincuencia (en adelante Convenio de Budapest), emitido en Budapest el 23 de noviembre de 2001, sin considerar el principio de neutralidad tecnológica aquí mencionado, restringiendo de esta manera, la participación de empresas cuyo país de origen no haya suscrito dicho Convenio. Lo anterior, violenta el CAFTA y la libertad de comercio que establece el artículo 46 de la Constitución Política. En relación con el Convenio de Budapest y su relación con el tema de ciberseguridad, esta Superintendencia indicó en el oficio número 09063-SUTEL-SCS-2023 de fecha 25 de octubre de 2023, en el cual se remiten al MICITT las observaciones a la Estrategia Nacional de Ciberseguridad de Costa Rica 2023-2027 , lo siguiente: “(…) sin embargo, es necesario considerar que el objeto de regulación de dicho Convenio corresponde al cibercrimen, es decir, su orientación no se asocia directamente con el objeto trazado en la Estrategia: Ciberseguridad. Debe señalarse que la Ciberseguridad está relacionada con las Tecnologías de Infocomunicación, por su parte, el cibercrimen o ciberdelincuencia, materia regulada en el Convenio de Budapest, se enfoca en el tratamiento de los delitos cibernéticos como delitos, propios del poder policía y de la materia punitiva (Poder Judicial) .(…)”. 3. DE LAS COMPETENCIAS DE LA SUTEL EN MATERIA DE CIBERSEGURIDAD El Reglamento de Ciberseguridad excede el ámbito de aplicación de la LGT, por cuanto le establece funciones a la Sutel, no contempladas en el ámbito de aplicación de dicha ley, según se extrae del siguiente artículo: “ARTÍCULO 1.- Objeto y ámbito de aplicación El objeto de esta Ley es establecer el ámbito y los mecanismos de regulación de las telecomunicaciones, que comprende el uso y la explotación de las redes y la prestación de los servicios de telecomunicaciones. Están sometidas a la presente Ley y a la jurisdicción costarricense, las personas, físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones que se originen, terminen o transiten por el territorio nacional.” Sin embargo, las potestades de la Sutel, de conformidad con el artículo 42 de la LGT, se circunscriben a garantizar la privacidad de las telecomunicaciones y protección de datos personales de los usuarios finales de las telecomunicaciones. Al respecto en el oficio número 06900-SUTEL-CS-2023 se indicó lo siguiente: “(…) el artículo 60 inciso a) de la Ley de la Aresep (Ley N°7593), determina como una obligación fundamental de la Sutel aplicar “el ordenamiento jurídico de las telecomunicaciones, para lo cual actuará en concordancia con las políticas del Sector (…)”. De la lectura de la Ley de la Autoridad Reguladora de los Servicios Públicos y de la Ley General de Telecomunicaciones y su reglamento, no se observan competencias específicas de la Sutel en relación con temas de ciberseguridad tal y como se contempla en el reglamento en consulta. Así las cosas, las obligaciones y funciones de la Sutel y el Consejo están establecidas en los artículos 59, 60 y 73 de la Ley de la Autoridad Reguladora de los Servicios Públicos (Ley N°7593), y de su lectura no se desprenden competencias puntuales de la Superintendencia en temas de ciberseguridad y su fiscalización y mucho menos en lo relativo a la cadena de suministros. Así las cosas, aunque el Reglamento de Ciberseguridad asigna competencias específicas a la Sutel en esa materia, fundamentado en el artículo 42 de la LGT, lo cierto del caso es que, en aplicación del principio de reserva de ley, la Sutel no cuenta con competencias específicas sobre ciberseguridad, deviniendo en inaplicables las funciones ahí conferidas. 4. DE LA AFECTACIÓN A LA COMPETENCIA La SUTEL como parte de sus funciones como autoridad de competencia, analizó el Reglamento de Ciberseguridad desde la óptica del principio de libre competencia consagrado en el artículo 46 de la Constitución Política, así como, según los elementos contenidos en el régimen sectorial de competencia en telecomunicaciones que contiene la LGT. El análisis de la SUTEL se basó en la aplicación de una metodología estandarizada cuyo objeto es determinar, si una regulación o reglamentación, tiene el potencial de afectar la competencia en el mercado de las telecomunicaciones. Desde la óptica de la normativa de competencia, una regulación adecuada es aquella que “busca que la consecución del objetivo que la norma persigue se alcance mediante un ejercicio regulador que impone las mínimas restricciones posibles a la actividad económica”5. Para garantizar lo anterior, la regulación debe respetar una serie de principios que contribuyan a minimizar la carga para la actividad económica y el perjuicio desde la perspectiva del funcionamiento eficiente de la competencia en el mercado. A partir del análisis realizado, mismo que se encuentra incorporado en el apartado IX del oficio número 06900-SUTEL-CS-2023, se concluye que: “(…) En lo que interesa para los efectos de esta Autoridad, la propuesta de reglamento contiene disposiciones que podrían tener el potencial de afectar la competencia, por lo cual el análisis de la DGCO se centra en los artículos 6, 7, 8, 9, 10 y 11 de la propuesta de reglamento. (…)”. En particular, se entiende que las disposiciones contenidas en el artículo 10 del Reglamento de Ciberseguridad, pueden excluir a empresas de determinados países de participar en el despliegue de las redes 5G en Costa Rica. Según el criterio vertido por SUTEL como autoridad sectorial de competencia, se destaca lo siguiente: A. Potencial limitación a operadores y proveedores de servicios de telecomunicaciones La normativa propuesta tiene el potencial de limitar la posibilidad de ciertos tipos de operadores o proveedores de telecomunicaciones para prestar sus servicios, al condicionar la asignación de concesiones para uso y explotación del espectro radioeléctrico para redes y servicios de telecomunicaciones 5G, así como establecer características específicas, no estrictamente de índole comercial, que deberán adoptar los operadores y proveedores de telecomunicaciones al dotarse de bienes y servicios requeridos en la implementación de sus redes 5G. B. Potencial de elevar costos La normativa propuesta tiene el potencial de elevar los costos de todos operadores o proveedores basados en la tecnología 5G, producto de la aplicación de estándares establecidos en la normativa, así como de eventuales sustituciones de equipos, productos y servicios, el cual podría ser trasladado a los usuarios finales de los servicios de telecomunicaciones. C. Potencial de reducción de incentivos de las empresas para competir La normativa propuesta tiene el potencial de propiciar la reducción de los incentivos de las empresas para competir, al no establecer criterios claros y libres de ambigüedades conducentes a la presentación de los resultados de los análisis de riesgos y la clasificación de estos como altos, además de no detallar el procedimiento y cualquier otro elemento con el fin de ordenar la ejecución de auditorías de ciberseguridad con cargo al auditado. Es importante tener en consideración que la restricción de la competencia en los mercados tiene un impacto, no sólo sobre los agentes económicos que participan de la provisión de bienes y servicios en dichos mercados, sino en última instancia sobre los consumidores. Las acciones que encarezcan la provisión de servicios de telecomunicaciones, o que hagan que los mercados se tornen menos competitivos o innovadores, terminan reflejándose en mayores precios para los usuarios, así como en una dilación en la introducción de mejoras en los servicios prestados. La competencia posee una serie de beneficios para las sociedades, y de ahí deviene su tutela como principio constitucional, entre algunos de los beneficios que tiene la competencia del mercado se encuentran: a. Beneficio directo a los usuarios: al directamente impulsar una mayor variedad de productos y servicios, mayor calidad, así como vía reducción de precios. b. Innovación: favorece el desarrollo de más y nuevos servicios de acuerdo con las necesidades de los usuarios, lo cual faculta el desarrollo de nuevas industrias. c. Fiscal: este beneficio surge en dos vías. La primera como resultado de un mayor nivel de actividad económica que finalmente redunda en mayores fuentes de recaudación tributaria. La segunda se refiere a cómo la competencia limita las posibilidades de colusión en materia de contrataciones públicas, o incluso en procesos de compras privadas. Los puntos anteriores constituyen beneficios que, directa e indirectamente, terminan favoreciendo al usuario, por lo tanto, el efecto que tiene el Reglamento de Ciberseguridad al limitar el proceso competitivo del mercado de las telecomunicaciones, a criterio de esta Superintendencia puede terminar impactando al usuario final de los servicios de telecomunicaciones. Un elemento esencial que se debe tener en consideración en relación con las restricciones al principio de competencia que provoca el Reglamento de Ciberseguridad es que, la afectación no se circunscribe sólo al mercado de las telecomunicaciones ya que, la tecnología móvil 5G es un habilitador de la innovación en otras industrias, como la agrícola, la industrial, la aeroportuaria, entre otras. De tal forma que, el encarecimiento y ralentización de la introducción de la tecnología 5G que pueden causar las restricciones a la competencia y que, son establecidas en el Reglamento de Ciberseguridad, terminarían eventualmente, afectando otras industrias, e incluso la competitividad a nivel país, que hoy en día está soportada en parte sobre la base de servicios y redes de telecomunicaciones que sean capaces de proveer servicios de última generación y amplias capacidades. De esta forma, del amplio análisis plasmado en el oficio número 06900-SUTEL-CS-2023, se concluye que el Reglamento de Ciberseguridad, tiene el potencial de generar barreras a la competencia entre los agentes del mercado, por cuanto impone restricciones de acuerdo con el país de origen para la provisión de equipo tecnológico de hardware y software en la tecnología 5G y superiores. Siendo que estas barraras podrían tener a su vez, consecuencias económicas para los operadores y proveedores del mercado, así como, consecuencias en materia de retrasos en el despliegue de las redes 5G, lo que limitaría el acceso a estas tecnologías a los usuarios y empresas ubicadas en el territorio costarricense, provocando en última instancia una ralentización en la innovación a nivel país. 5. DE LOS PARÁMETROS DE RIESGO ALTO EN LA CADENA DE SUMINISTROS Y SU RELACIÓN CON LA MATERIA DE CIBERSEGURIDAD En complemento de lo anterior, el Reglamento de Ciberseguridad dispone parámetros de riesgo alto, los cuales están direccionados a la evaluación de la cadena de suministros, siendo que los artículos 10 y 11 del citado reglamento hacen referencia, en sus diversos incisos, a restricciones aplicables a los proveedores de hardware y software, basadas en sus ubicaciones geográficas y la relación con los respectivos gobiernos, los cuales no se encuentran comprendidos como sujetos de regulación de la LGT. Precisamente, la evaluación de la cadena de suministro y la determinación del nivel de riesgo asociada a cada proveedor según su país de origen, le es asignada en el Reglamento de Ciberseguridad a la SUTEL, siendo que dichas funciones no son acordes con las competencias y ámbito de aplicación de la LGT, las cuales se circunscriben a garantizar la privacidad de las telecomunicaciones y protección de datos personales de los usuarios finales de las telecomunicaciones y no, a temas asociados a la valoración de la cadena de suministro de proveedores de hardware y software. Es decir, la Sutel no tiene competencias regulatorias sobre los proveedores de software y hardware de acuerdo con lo estipulado en la LGT. El citado oficio número 06900-SUTEL-CS-2023 contempla lo siguiente sobre el tema en cuestión: “(…) A la Sutel le corresponde entonces, en su rol de regulador del sector telecomunicaciones, asegurar que las comunicaciones (v.gr. llamadas o sesiones de datos), no sean intervenidas, escuchadas o inspeccionadas por terceros no autorizados por el usuario, con las excepciones normativas antes referidas. Y en relación con los datos personales vinculados con la localización y cobro, la protección que brinda la Sutel comprende por imperativo legal, el intercambio de registros de tasación de los servicios e interconexión (v.gr. CDRs de llamadas o de datos) de forma que no opere un posible “rastreo” de comunicaciones, sin la autorización del titular de la información o por orden judicial o del Ministerio Público, según corresponda. (…) De conformidad con lo anterior, es claro que la normativa legal e infralegal de telecomunicaciones, en lo que respecta a las competencias de la Sutel, regula expresamente el régimen de protección de los derechos de los usuarios finales, y no contempla dentro de su amplio ámbito de regulación lo relativo a las medias de ciberseguridad y cadena de valor aplicables a los servicios de telecomunicaciones, tal como se propone en el Reglamento sobre Medidas de ciberseguridad (…) De la lectura del numeral 10 propuesto, se colige que los parámetros de riesgo alto están direccionados a la cadena de suministros, siendo que se hace referencia en sus diversos incisos a los proveedores de hardware y software, sea se encuentra dirigido a fabricantes o comerciantes de equipos y de software, los cuales no se encuentran comprendidos como sujetos de regulación en la LGT. (…)” 6. DE LA RAZONABILIDAD TÉCNICA DEL REGLAMENTO DE CIBERSEGURIDAD Considerando el principio constitucional de razonabilidad técnica, que requiere que todo acto emanado por las instituciones del Estado deba fundamentarse en criterios técnicos, de conformidad en lo dispuesto en el artículo 16 de la Ley General de la Administración Pública, esta Superintendencia realizó un análisis del expediente relacionado con la propuesta de Reglamento de Ciberseguridad, en el cual se encontraron las siguientes deficiencias: A. No existen análisis técnicos que justifiquen las razones por las cuales es técnicamente necesario, distanciarse de los estándares aplicables a la industria específica y recurrir a otros. En este sentido, la SUTEL es del criterio que se deben utilizar aquellos estándares atinentes a la industria de telecomunicaciones, siendo para el caso específico del servicio móvil, los estándares de la 3GPP y NESAS (del trabajo conjunto desarrollado por la GSMA8 y 3GPP ), y sus actualizaciones. Dichas organizaciones se consolidaron de forma posterior a la adopción de los estándares GSM y han establecido los estándares utilizados para el despliegue mundial de las redes 3G en adelante, por lo que el papel de dichos entes de estandarización ha sido clave para asegurar la interconexión, interoperabilidad e itinerancia de las distintas generaciones de redes móviles. Es necesario considerar que las redes móviles nacionales, las cuales operan bajo los lineamientos de las Telecomunicaciones Móviles Internacionales (en adelante, IMT) de la Unión Internacional de Telecomunicaciones (UIT), han sido estandarizadas de forma global por la 3GPP , grupo que incluye siete de las principales entidades de estandarización mundiales en materia de telecomunicaciones. Además, la 3GPP agrupa una extensa lista de organizaciones de representación del mercado, que en conjunto con los fabricantes alcanzan consensos sobre el diseño de las redes IMT. El 3GPP, enfoca su trabajo en el establecimiento de las especificaciones técnicas para redes móviles y sus constantes actualizaciones (documentos llamados Releases), a través de las cuales se presentan nuevas funcionalidades por evolución tecnológica, disposiciones de empaquetamiento, de seguridad, de empleo de recurso radioeléctrico, de capacidades del servicio, entre otras. Por lo tanto, es imprescindible que los temas relativos a la seguridad de las redes, se sometan a los estándares de la industria tales como los señalados en los párrafos anteriores al ser estándares que domina el sector y que se cuenta con conocimiento amplio para su aplicación. B. En el expediente de la consulta de la propuesta de reglamento, el MICITT no presenta un análisis financiero del posible impacto de la citada normativa sobre el mercado de las telecomunicaciones, donde se tome en cuenta un desarrollo de una red Standalone (SA) o Non-standalone (NSA). Es decir, no se valora la decisión desde una perspectiva de costo beneficio. Al respecto, es importante tener presente que una red Non-standalone permite su integración con otras redes de tecnologías inferiores (como por ejemplo 4G) por lo que es posible su implementación por etapas y realizando las actualizaciones que correspondan según la necesidad y evolución del mercado en materia de adopción tecnológica. Sobre el particular, la siguiente figura muestra la relación de una red Standalone y su comparación con una red Non-standalone: (…) A partir de la imagen anterior, se destaca que con el método Non-standalone las redes 5G pueden iniciar su provisión sin requerirse la inversión inmediata en un núcleo propio, lo cual le permite al operador determinar, según la escala de clientes, requerimientos de tráfico y condiciones de su red, cuándo es oportuno realizar el salto a Standalone, con lo que cada operador puede sincronizar el momento idóneo para efectuar las inversiones y continuar rentabilizando las redes anteriores. El Reglamento de Ciberseguridad, al dejar de lado el principio de neutralidad tecnológica, disponiendo la sujeción a redes 5G y posteriores (consecuentemente todos los elementos de red), estaría obligando a los operadores que cuenten con redes de generaciones anteriores contratadas a fabricantes o proveedores cuyo país de origen no haya suscrito el Convenio de Budapest, a implementar redes 5G en modo Standalone, las cuales tienen altos costos de implementación que podrán ser trasladados a los usuarios finales. Igualmente, el citado Reglamento deja de lado la interacción natural que debe existir entre las redes 5G y sus predecesoras, para facilitar, por ejemplo, la realización de llamadas telefónicas o la transición del servicio entre zonas con cobertura de tecnologías anteriores, así como, la continuidad del servicio ante las distintas interacciones de los terminales móviles con las redes de telecomunicaciones. Con el propósito de ampliar lo anterior, se presenta en la siguiente imagen extraída del reporte denominado “October 2023 5G Standalone” de la GSA, que muestra la proporción de lanzamientos de redes Standalone (SA) y redes Non-standalone (NSA) en tecnología 5G en el mundo: (…) Tal y como se muestra en la imagen anterior, es claro que la predominancia en la implementación de redes 5G para las Non-standalone es muy superior a las redes Standalone. En el citado reporte, se ha señalado que “GSA ha identificado 121 operadores en 55 países y territorios en todo el mundo que han estado invirtiendo en la implementación de redes públicas 5G SA en forma de pruebas, planificadas o reales. Esto equivale al 20,9% de los 578 operadores conocidos que están invirtiendo en licencias, pruebas o despliegues 5G de cualquier tipo” (traducción propia) En función de lo anterior, es correcto indicar que la transición más aplicada a nivel mundial hacia 5G implica inicialmente una red Non-standalone que se apoya en elementos de las redes 4G, siendo que el 79% de despliegues actuales al tercer trimestre del 2023 (121 operadores en 55 países) son Non-standalone, tal y como se muestra en el citado reporte de la GSA. Por tanto, el Reglamento de Ciberseguridad podría generar limitaciones importantes a aquellos operadores que hayan adquirido redes 4G basadas en fabricantes y proveedores cuyo país de origen no hayan suscrito el Convenio de Budapest. Para lo cual, reiteramos que no consta en el expediente del proceso sujeto a consulta confidencial un estudio técnico y financiero de las implicaciones sobre el mercado nacional de estas restricciones. C. No se abordó en el expediente de la propuesta de reglamento, los posibles tiempos de implementación de las redes, el impacto en su lanzamiento oportuno y el costo para los operadores y proveedores, para la adopción de restricciones que no corresponden a los estándares aplicables a la industria IMT. Tampoco el impacto sobre los usuarios de la eventual ralentización del desarrollo de estas redes de nueva generación. 7. DEL ESTABLECIMIENTO DE UN RÉGIMEN SANCIONATORIO VÍA DECRETO El Reglamento de Ciberseguridad en el artículo 13 remite al régimen sancionatorio de la LGT, sin embargo, tal como se señaló, existen limitaciones importantes. Una de estas, se relaciona con que los proveedores de hardware y software están fuera del ámbito de aplicación de la LGT. La LGT no regula elementos de ciberseguridad, como tampoco de la cadena de suministro, y como consecuencia de ello, según el principio de reserva de ley, vía reglamento no es posible establecer sanciones a los sujetos que realizan dicha actividad. Por cuanto, el régimen sancionatorio debe tener como base una norma de rango legal, o al menos que la norma de rango legal le habilite para ejercer vía reglamentaria esa potestad. Sobre lo aquí desarrollado, en el oficio número 06900-SUTEL-CS-2023 se indicó: “(…) debe considerarse que vía reglamentaria no es posible establecer un régimen sancionatorio, por cuanto amerita como base, que la sanción e infracción esté previamente tipificada en una norma de rango de ley. En consecuencia, de acuerdo con lo señalado, en caso de incumplimiento del reglamento en consulta, podría resultar inaplicable el régimen sancionatorio que dispone la Ley N°8642. Asimismo, se puede observar que el régimen sancionatorio de la citada ley, deviene del incumplimiento de los derechos de los usuarios finales de los servicios de telecomunicaciones, y no lo relativo a la ciberseguridad en las redes de telecomunicaciones y su debida implementación por parte de los operadores, tal y como se propone. (…)”. De conformidad con lo anterior, para que se puedan materializar las sanciones contenidas en el Reglamento de Ciberseguridad se requiere una ley de la República, tal y como se está promoviendo en el proyecto de Ley del expediente N°23.292. Asimismo, debe señalarse que las faltas relativas a violaciones en la materia de ciberseguridad, respecto a la forma y términos establecidos en el citado reglamento, no se encuentran tipificadas en la LGT, de acuerdo con la graduación que contempla dicho cuerpo normativo (leve, grave y muy grave). A manera de conclusión, esta Superintendencia fue enfática en señalar la existencia de aspectos que debían ser revisados y ajustados en la propuesta de Reglamento de Ciberseguridad. Estos aspectos, se mantienen en el Reglamento de Ciberseguridad, materializándose las deficiencias regulatorias y normativas relacionadas con el exceso reglamentario (reserva de ley), la ausencia de norma legal en la LGT que asigne competencias a la Sutel en materia de ciberseguridad y fiscalización de la cadena de suministro, el establecimiento de un régimen sancionatorio sin norma legal que le ampare o de referencia y por último, las afectaciones a la competencia en el mercado de las telecomunicaciones”.

21.- Por escrito recibido en la Secretaría de la Sala el 13 de diciembre de 2023, se apersona Paula Bogantes Zamora, ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones. Indica que funge como ministra rectora en el sector de telecomunicaciones. Señala que aporta un dispositivo USB con una carpeta denominada “MANIFESTACIONES MICITT-RECURSO AMPARO 23-023887-0007-CO”.

22.- Por escrito recibido en la Secretaría de la Sala el 13 de diciembre de 2023, se apersona Paula Bogantes Zamora, ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, en los siguientes términos: “PRIMERO. Que este Ministerio ha realizado consulta del expediente electrónico N° 23023887-0007-CO, en el que se conoce recurso de amparo interpuesto por la empresa [Nombre 002]. en contra del Instituto Costarricense de Electricidad, donde se ha dado audiencia a distintas entidades y órganos, lo cual justifica la participación informativa del Ministerio a mi digno cargo, brindando así a la Sala Constitucional una asesoría técnica complementaria como ejercicio de Rectoría de Telecomunicaciones, para los objetivos señalados. (…) CUARTO. Que, existe relación directa sobre los hechos planteados en el recurso de amparo, en su integralidad, con las funciones del Ministerio Rector en Telecomunicaciones, en tanto sus extremos versan sobre la emisión del Decreto Ejecutivo 44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” publicado en La Gaceta del 31 de agosto de 2023. QUINTO. Dado que, la norma de referencia fue emitida por el Poder Ejecutivo con participación directa de esta Cartera Ministerial, estimo procedente aportar las siguientes manifestaciones para la plena averiguación de la verdad real de los hechos, satisfacción del interés público que reviste la seguridad nacional, el régimen jurídico de derechos de los usuarios finales de los servicios de telecomunicaciones, la ciberseguridad aplicada a los servicios de telecomunicaciones bajo la tecnología de quinta generación móvil 5G y superiores, la adecuada explotación del espectro radioeléctrico como bien demanial constitucional a fin de garantizar una asignación justa, equitativa, independiente, transparente y no discriminatoria y en resguardo del principio de igualdad procesal con respecto a la oportunidad otorgada a las entidades referidas en la Resolución de las trece horas veintidós minutos del veinticuatro de noviembre de dos mil veintitrés, al Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones. Lo anterior, para efectos de contextualizar la aplicación del Decreto de cita que será de utilidad y pertinencia procesal para lo que corresponda resolver por la Sala Constitucional de la Corte Suprema de Justicia, todo de conformidad con los artículos 33, 39 y 41 de la Constitución Política. SEXTO: Que, para una mejor comprensión los aspectos de hecho y de derecho que motivan la emisión del “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, publicado en La Gaceta del 31 de agosto de 2023, serán desarrollados a continuación. A. SOBRE LAS COMPETENCIAS DELEGADAS AL PODER EJECUTIVO PARA EL ESTABLECIMIENTO DE LAS CONDICIONES Y OBLIGACIONES DE LOS TÍTULOS HABILITANTES DE CONCESIÓN OTORGADOS A LOS OPERADORES DE SERVICIOS DE TELECOMUNICACIONES PARA EL USO Y EXPLOTACIÓN DEL ESPECTRO RADIOELÉCTRICO. Sobre el particular, conviene partir del mandato constitucional del 121 punto 14) inciso c) que al efecto señala: “(...) No podrán salir definitivamente del dominio del Estado: c) Los servicios inalámbricos; Los bienes mencionados en los apartes a), b) y c) anteriores sólo podrán ser explotados por la administración pública o por particulares, de acuerdo con la ley o mediante concesión especial” (El resaltado es propio) En ese sentido, el constituyente dispuso cuales eran las dos vías para explotar los bienes demaniales como ocurre con los servicios inalámbricos, en primer orden conforme al bloque de la legalidad y en segundo orden, mediante concesión especial. Con respecto a la normativa sectorial propia de la N° 8642, Ley General de Telecomunicaciones y su Reglamento, resulta de interés mencionar que para el momento en que se conoció tal proyecto de ley, el constituyente fue enfático en el objetivo prioritario de dicho texto, de ordenar el Sector Telecomunicaciones, en concreto lo relativo al uso y explotación del espectro radioeléctrico. Lo anterior, siendo que se requería de un marco normativo respetuoso, se consignó en actas, que la discusión de proyecto lo era con el propósito de regular aspectos como la administración y asignación de un recurso finito y limitado como lo es el espectro radioeléctrico. En el seno de este modelo sistemático, el legislador tomó en cuenta una serie de ejes que es necesario rescatar. En primer orden, dentro de los objetivos de la Ley General de Telecomunicaciones, se destaca en el artículo 2 inciso g): “Asegurar la eficiente y efectiva asignación, uso, explotación, administración y control del espectro radioeléctrico y demás recursos escasos”. Como bien finito que es, el espectro se debe disponer de la forma más transparente posible, por lo cual se instauró en dicha norma un modelo de separación de roles tripartito, en donde interactúan las figuras del Ente Rector, Órgano Regulador y el Operador de las telecomunicaciones. Esta desagregación de roles se plasmó en la normativa concordante con los principios de transparencia, equidad y seguridad jurídica que informan la materia de las telecomunicaciones, en donde el Estado en la figura del Poder Ejecutivo es el único que concede, modifica o extingue el título habilitante para explotar dicho bien demanial constitucional. Corolario de lo anterior, se lee del artículo 10 de la Ley de marras (N° 8642) la definición de competencias en donde: “(...) El Poder Ejecutivo asignará, reasignará o rescatará las frecuencias del espectro radioeléctrico, de acuerdo con lo establecido en el Plan nacional de atribución de frecuencias, de manera objetiva, oportuna, transparente y no discriminatoria, de conformidad con la Constitución Política y lo dispuesto en esta Ley. A la Sutel le corresponderá la comprobación técnica de las emisiones radioeléctricas, así como la inspección, detección, identificación y eliminación de las interferencias perjudiciales”. Como puede verse, la competencia permanente de asignar las frecuencias disponibles conforme al Plan Nacional de Atribución de Frecuencias (PNAF) fue delegada por el constituyente en el Poder Ejecutivo, lo cual puede hacer atendiendo los criterios de objetividad, transparencia y no discriminación. Es aquí como se manifiesta el principio de protección y control del espectro radioeléctrico en donde la administración concedente lleva en su seno la competencia de otorgar las concesiones, y junto a esto, ejerce con ello las potestades de supervisión y fiscalización para garantizar que el uso concedido no sólo (sic) es eficiente, sino que además en su fiscalización es garante de la protección del régimen superior de los derechos humanos bajo el principio de progresividad y no en detrimento de los particulares. Desde luego que la Procuraduría General de la República, hizo hincapié en este rol del Poder Ejecutivo durante la discusión del texto de la norma, sobre lo cual puede consultarse la Opinión Jurídica N° OJ-015-2007 del 26 de febrero de 2007, donde señaló: "(...) La Procuraduría es del criterio de que funciones como el control y administración del espectro son propias del Estado, que debería ejercerlas por medio del Poder Ejecutivo. (...) Reafirma la Procuraduría su posición en orden a la competencia para otorgar concesiones. Dicha competencia es propia del Poder Ejecutivo. El espectro electromagnético es un bien nacional, es un bien escaso y hoy por hoy es un bien estratégico. Por lo que debe permanecer en el ámbito del Estado. (...)”. Corolario de lo anterior, la Ley General de Telecomunicaciones en su artículo 7 reitera: “ARTÍCULO 7.- Planificación, administración y control El espectro radioeléctrico es un bien de dominio público. Su planificación, administración y control se llevará a cabo según lo establecido en la Constitución Política, los tratados internacionales, la presente Ley, el Plan nacional de desarrollo de las telecomunicaciones, el Plan nacional de atribución de frecuencias y los demás reglamentos que al efecto se emitan. En virtud de lo anterior, y de una adecuada hermenéutica jurídica es preciso señalar que la materia especialísima de telecomunicaciones que nos ocupa se rige en primer orden por las disposiciones del régimen constitucional y a su vez, por el derecho internacional público, tomando en cuenta que el artículo 7 de la Constitución Política establece que: “los tratados públicos, los convenios internacionales y los concordatos, debidamente aprobados por la Asamblea Legislativa, tendrán desde su promulgación o desde el día que ellos designen, autoridad superior a las leyes.” (El resaltado es propio) En ese sentido, la Ley N° 8622 “Tratado de Libre Comercio República Dominicana - Centroamérica - Estados Unidos (TLC)”, en su Anexo 13 del CAFTA “Compromisos Específicos de Costa Rica en Materia de Servicios de Telecomunicaciones”, observa en su artículo 4 el principio de asignación del espectro que recae precisamente en la figura del Poder Ejecutivo: “Asignación y Utilización de Recursos Escasos Costa Rica asegurará que los procedimientos para la asignación y utilización de recursos escasos, incluyendo frecuencias, números y los derechos de vía, sean administrados de manera objetiva, oportuna, transparente y no discriminatoria, por una autoridad doméstica competente. 6 La República de Costa Rica emitirá licencias directamente a los proveedores del servicio para el uso del espectro, de conformidad con el artículo 121, inciso 14 de la Constitución Política de la República de Costa Rica. Por otra parte, los artículos 6 y 10 marcan las pautas necesarias para el acceso y uso de las redes, en tanto debe considerarse: 6. Acceso a y Uso de Redes (...) (b) No obstante lo dispuesto en el subpárrafo (a), Costa Rica podrá tomar las medidas que sean necesarias para garantizar la seguridad y confidencialidad de los mensajes, o proteger la privacidad de datos personales no públicos de los suscriptores de servicios públicos de telecomunicaciones, sujeto al requisito de que tales medidas no se apliquen de tal manera que pudieran constituir un medio de discriminación arbitraria o injustificable, o alguna restricción encubierta al comercio de servicios. (c) Costa Rica también garantizará que no se impongan condiciones al acceso a y el uso de redes o servicios públicos de telecomunicaciones, distintas a las necesarias para salvaguardar las responsabilidades del servicio público de los prestadores de redes o servicios públicos de telecomunicaciones, en particular su capacidad para poner sus redes o servicios a disposición del público en general, o proteger la integridad técnica de las redes o servicios públicos de telecomunicaciones. (...) 10. Flexibilidad en las Opciones Tecnológicas Costa Rica no impedirá que los proveedores de servicios públicos de telecomunicaciones tengan la flexibilidad de escoger las tecnologías que ellos usen para suministrar sus servicios, sujeto a los requerimientos necesarios para satisfacer los intereses legítimos de política pública”. Es así como el régimen especial de las telecomunicaciones impuso en el Poder Ejecutivo un especial deber de vigilancia sobre el uso y explotación del espectro, por tratarse de un bien escaso, de uso no libre, por lo que dicha explotación ciertamente escapa a la esfera jurídica de los particulares y solamente se realiza bajo ciertos términos y condiciones definidas por el ordenamiento jurídico, la potestad discrecional reglamentaria del Poder Ejecutivo y demás regulaciones técnicas que le apliquen al caso concreto. Sobre este particular la Procuraduría General de la República en su dictamen N° C177-2023 de fecha 18 de setiembre de 2023, ha manifestado en lo que interesa: “En coherencia con las consideraciones anteriores, la LGT constituye el marco legal general por el que se regula en nuestro medio la competencia del Poder Ejecutivo para otorgar la concesión para el uso y explotación del espectro radioeléctrico y las condiciones bajo las cuales se explotarán las frecuencias y se prestarán los servicios correspondientes, a saber: requisitos y procedimiento para el otorgamiento de la concesión, obligaciones y derechos del concesionario, potestades de la Administración concedente, transmisión de los títulos habilitantes, entre otros aspectos. (...) Por consiguiente, ni un particular, ni la Administración pública, están habilitados para explotar el espectro si no cuentan con la concesión respectiva otorgada por el Poder Ejecutivo (ver el pronunciamiento PGROJ-059-2023, del 23 de mayo). La palabra concesión en su misma significación jurídica implica exclusividad, siendo esa la regla impuesta por la LGT cuando conlleve la “reserva” de un determinado uso (en este caso el comercial) en favor exclusivo del titular. Así también se desprende del artículo 19 de la misma ley, cuando a modo de excepción del procedimiento concursal, contempla la concesión otorgada por el Poder Ejecutivo en forma directa y según el orden de recibo de la solicitud por el interesado, en los supuestos de “frecuencias requeridas para la operación de redes privadas y de las que no requieran asignación exclusiva para su óptima utilización” (el subrayado es añadido). La asignación exclusiva implica así que únicamente el titular de la concesión puede usar o explotar las bandas de frecuencias del espectro que le fueron reservadas con dicho acto, al punto que la LGT tipifica como una infracción muy grave, el “[u]sar o explotar bandas de frecuencias del espectro radioeléctrico sin la correspondiente concesión o permiso”. Esta asignación exclusiva responde también a motivos técnicos, en la medida que el uso compartido por varios operadores de los mismos rangos de frecuencias podría generar interferencias que afecten la calidad del servicio.” Por ende, como parte de las potestades conferidas al Poder Ejecutivo en su carácter de administración concedente le corresponde promover el procedimiento impuesto por el constituyente para la respectiva asignación de frecuencias en el espectro radioeléctrico, lo cual resulta de aplicación en materia de explotación de redes mediante la tecnología de interés 5G. En este sentido, los artículos 11 y 12 de la Ley General de Telecomunicaciones, en lo que interesa disponen: “ARTÍCULO 11.-Concesiones. Se otorgará concesión para el uso y la explotación de las frecuencias del espectro radioeléctrico que se requieran para la operación y explotación de redes de telecomunicaciones. Dicha concesión habilitará a su titular para la operación y explotación de la red. Cuando se trate de redes públicas de telecomunicaciones, la concesión habilitará a su titular para la prestación de todo tipo de servicio de telecomunicaciones disponibles al público. La concesión se otorgará para un área de cobertura determinada, regional o nacional, de tal manera que se garantice la utilización eficiente del espectro radioeléctrico. (El resaltado es propio) Artículo 12.- Procedimiento concursal. Las concesiones de frecuencias para la operación y explotación de redes públicas de telecomunicaciones serán otorgadas por el Poder Ejecutivo por medio del procedimiento de concurso público, de conformidad con la Ley de contratación administrativa y su reglamento. La Sutel instruirá el procedimiento, previa realización de los estudios necesarios, para determinar la necesidad y factibilidad del otorgamiento de las concesiones, de conformidad con el Plan nacional de desarrollo de las telecomunicaciones y las políticas sectoriales.” (El resaltado es propio) De allí obedece, que el uso y explotación del espectro radioeléctrico como bien demanial constitucional puede asignarse en un régimen de competencia y libre concurrencia, según lo dispone el artículo 182 de la Constitución Política: “ARTÍCULO 182.- Los contratos para la ejecución de obras públicas que celebren los Poderes del Estado, las Municipalidades y las instituciones autónomas, las compras que se hagan con fondos de esas entidades y las ventas o arrendamientos de bienes pertenecientes a las mismas, se harán mediante licitación, de acuerdo con la ley en cuanto al monto respectivo”. De conformidad con lo anterior, la asignación de las nuevas frecuencias debe observar el principio de licitación regulado en el citado artículo 182 de nuestra Constitución Política, en concordancia con las disposiciones de la Ley General de Telecomunicaciones, Ley Nº 8642 y lo dispuesto de forma sistemática en la Ley General de Contratación Pública (en adelante LGCP), Ley N° 9986; y en un ámbito infralegal por lo dispuesto en el artículo 21 del Reglamento a la Ley General de Telecomunicaciones (por sus siglas RLGT), Decreto Ejecutivo N° 34765-MINAET, el cual en lo conducente indica: “Artículo 21. —Concesiones. Se otorgará concesión para el uso y la explotación de las frecuencias del espectro radioeléctrico que se requieran para la operación y explotación de redes de telecomunicaciones. (...) Las concesiones de frecuencias serán otorgadas por el Poder Ejecutivo por medio del procedimiento de concurso público, (...) y corresponderá a la SUTEL la instrucción del procedimiento.” Tenemos entonces que las concesiones de frecuencias serán otorgadas por el Poder Ejecutivo por medio del procedimiento de concurso público, trámite que le corresponde instruir a la Superintendencia de Telecomunicaciones, cómo Órgano regulador establecido por ley para determinar técnicamente la posibilidad del otorgamiento de cualquier frecuencia solicitada. Así lo estipula el artículo 23 del RLGT en donde se establecen los requisitos que deben ser acreditados para que el Poder Ejecutivo pueda iniciar un proceso de concurso público para la concesión de frecuencias de espectro radioeléctrico: “Artículo 23. —Decisión inicial. Una vez emitido el criterio técnico de los estudios previos por parte de la SUTEL y comprobada la necesidad y factibilidad de la concesión, el Poder Ejecutivo emitirá la decisión de inicio del procedimiento concursal respectivo, que trasladará a la SUTEL para que lo instruya. La decisión administrativa que da inicio al procedimiento de contratación será emitida por el Poder Ejecutivo. Esta decisión se adoptará una vez que se haya acreditado al menos, lo siguiente: a) Una justificación de la procedencia del concurso público, con indicación expresa de la necesidad a satisfacer, considerando para ello los planes de largo y mediano plazo, el Plan Nacional de Desarrollo de las Telecomunicaciones y las políticas sectoriales. b) Las especificaciones técnicas y características de la frecuencia del espectro radioeléctrico a concesionar. c) Deberá acreditarse la existencia de estudios necesarios y la factibilidad del otorgamiento de la concesión. La SUTEL valorará el cumplimiento de los anteriores requisitos, previo inicio del procedimiento y dispondrá la confección de un cronograma con tareas y responsables de su ejecución y velará por el debido cumplimiento del procedimiento.” Así las cosas, y en apego al principio de legalidad, el Poder Ejecutivo solamente licita el espectro disponible registralmente conforme lo dimensionan las normas del ordenamiento sectorial de las telecomunicaciones, en una sana inversión de los fondos públicos, máxima jurídica que se reitera en el artículo 8 inciso e) de la LGCP que reúne precisamente los principios de rango constitucional que informan la materia: “(...) e) Principios de eficacia y eficiencia: el uso de los fondos y bienes públicos y la conducta de todos los sujetos que intervienen en la actividad de compras públicas deben responder al cumplimiento de los fines, las metas y los objetivos institucionales y a la satisfacción del interés público. (...)”. Es al amparo del mandato constitucional y demás leyes especiales que regulan las compras públicas, que el Estado en su condición de Administración Concedente tiene la obligación de garantizar la igualdad y la más amplia concurrencia en un ambiente íntegro, imparcial y transparente, con apego a los principios generales de la contratación pública. Lo anterior, con especial resguardo además en la especificidad técnica del objeto contractual en este caso, conforme lo regula el artículo 23 inciso b) del RLGT antes citado. Es por ello que, la potestad del Poder Ejecutivo debe conciliar todos los aspectos derivados del régimen legal aplicable con las medidas técnicas necesarias en aras de proteger, administrar y controlar el uso y explotación que se haga de este bien demanial constitucional con estricto apego a los derechos fundamentales, condiciones que deben ser plasmadas en el pliego de condiciones del procedimiento concursal respectivo. A ese tenor, el Título II, Capítulo II denominado Régimen de Protección a la intimidad y derechos de los usuarios finales de la Ley N° 8642, Ley General de Telecomunicaciones, establece una norma especial que regula el régimen de privacidad y de protección de los derechos e intereses de los usuarios finales de los servicios de telecomunicaciones, y de forma específica los artículos 41 y 42 de este cuerpo legal disponen: “ARTÍCULO 41.- Régimen jurídico El presente capítulo desarrolla el régimen de privacidad y de protección de los derechos e intereses de los usuarios finales de los servicios de telecomunicaciones. Los acuerdos entre operadores, lo estipulado en las concesiones, autorizaciones y, en general, todos los contratos por servicios de telecomunicaciones que se suscriban de conformidad con esta Ley, tendrán en cuenta la debida protección de la privacidad y los derechos e intereses de los usuarios finales. A la Sutel le corresponde velar por que los operadores y proveedores cumplan lo establecido en este capítulo y lo que reglamentariamente se establezca. ARTÍCULO 42.- Privacidad de las comunicaciones y protección de datos personales Los operadores de redes públicas y proveedores de servicios de telecomunicaciones disponibles al público, deberán garantizar el secreto de las comunicaciones, el derecho a la intimidad y la protección de los datos de carácter personal de los abonados y usuarios finales, mediante la implementación de los sistemas y las medidas técnicas y administrativas necesarias. Estas medidas de protección serán fijadas reglamentariamente por el Poder Ejecutivo. (...)” Como puede desprenderse del párrafo primero del artículo 42 de la Ley General de Telecomunicaciones se confiere al Poder Ejecutivo un poder discrecional para fijar por la vía reglamentaria aquellas medidas de corte técnico y administrativo necesarias e idóneas dirigidas hacia los operadores de redes públicas como los proveedores de servicios quienes deberán ajustar en todo momento la actividad de telecomunicaciones a los mandatos constitucionales de secreto de las comunicaciones, el derecho a la intimidad y la protección de los datos de carácter personal de los usuarios finales. Esta delegación de reglamentar las medidas pertinentes desde luego que se deriva del artículo 140 de la Constitución Política que establece en lo conducente: ARTÍCULO 140.- Son deberes y atribuciones que corresponden conjuntamente al Presidente y al respectivo Ministro de Gobierno: (...) 3) Sancionar y promulgar las leyes, reglamentarlas, ejecutarlas y velar por su exacto cumplimiento; Del mandato anterior se origina constitucionalmente la potestad del Poder Ejecutivo de reglamentar las leyes lo cual el legislador plasmó a su vez en forma derivada en el norma del numeral 42 de la Ley General de Telecomunicaciones. Desde luego que, para ejercer dicha potestad corresponde observar también la trascendencia de la competencia económica y la libre concurrencia para el adecuado funcionamiento del mercado y en beneficio de los consumidores o usuarios, lo cual conlleva la debida protección a su seguridad e intereses económicos de conformidad ordinal 46 de la Constitución Política, así expresado por esta Sala Constitucional, en su Resolución Nº 01104 - 2017 del 25 de enero del 2017. En este sentido ha sido el deseo del Constituyente que los particulares participen de la explotación del espectro radioeléctrico, siempre y cuando, se cumplan con las condiciones estipuladas en la propia Norma Fundamental, por lo cual resulta óbice la supervisión del Poder Ejecutivo en este sentido. (Sala Constitucional, Resolución Nº 04569 - 2008 del 26 de marzo del 2008). Es al amparo de las competencias constitucionales y legales ya esbozadas, que el Poder Ejecutivo emitió el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, publicado en el Alcance No 166 del Diario Oficial La Gaceta No 159 del 31 de agosto de 2023, con el objeto de establecer medidas de ciberseguridad para garantizar el uso y la explotación segura y con resguardo de la privacidad de las personas, de las redes y los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores, con fundamento además en las consideraciones que más adelante se precisan. B. SOBRE LOS DERECHOS FUNDAMENTALES DERIVADOS DE LA DIGNIDAD HUMANA: LA INTIMIDAD, LA PRIVACIDAD, EL SECRETO DE LAS COMUNICACIONES Y LA AUTODETERMINACIÓN INFORMATIVA DE LOS USUARIOS FINALES DE TELECOMUNICACIONES. De cara a la transformación tecnológica de nuestro país y la transición a la tecnología 5G, siempre deberán observarse las garantías de raigambre constitucional relativas a la privacidad, el secreto de las comunicaciones, y la autodeterminación informativa de los usuarios finales de telecomunicaciones, del ordinal 24 de la Carta Fundamental que expresa en lo conducente: “ARTÍCULO 24.- Se garantiza el derecho a la intimidad, a la libertad y al secreto de las comunicaciones. Son inviolables los documentos privados y las comunicaciones escritas, orales o de cualquier otro tipo de los habitantes de la República. Sin embargo, la ley, cuya aprobación y reforma requerirá los votos de dos tercios de los Diputados de la Asamblea Legislativa, fijará en qué casos podrán los Tribunales de Justicia ordenar el secuestro, registro o examen de los documentos privados, cuando sea absolutamente indispensable para esclarecer asuntos sometidos a su conocimiento. A mayor abundamiento, el Tribunal Constitucional ha referido que la intimidad se conforma por una serie de actividades que no forman parte del conocimiento de la generalidad, entre ellos las comunicaciones, así mediante Resolución Nº 05996-2015, de las 16:00 horas de fecha 28 de Abril del 2015, desarrolló lo siguiente: “(…) III.-- PRECEDENTES JURISPRUDENCIALES SOBRE EL DERECHO DE INTIMIDAD. (...) "El numeral 24 de la Constitución Política consagra el derecho fundamental a la intimidad. Se trata de un fuero de protección a la vida privada de los ciudadanos. La intimidad está formada por aquellos fenómenos, comportamientos, datos y situaciones de una persona que normalmente están sustraídos al conocimiento de extraños y cuyo conocimiento por éstos puede turbarla moralmente por afectar su pudor y su recato, a menos que esa misma persona asienta a ese conocimiento. Si bien, no puede menos que reputarse que lo que suceda dentro del hogar del ciudadano es vida privada, también puede ser que lo que suceda en oficinas, hogares de amigos y otros recintos privados, esté en ese ámbito. De esta manera los derechos constitucionales de inviolabilidad del domicilio, de los documentos privados y de las comunicaciones existen para proteger dicha intimidad, que es un derecho esencial de todo individuo…". Igualmente, en sentencia número 6776-94 de las 14:57 horas del 22 de noviembre de 1994, se indicó lo siguiente: “El derecho a la intimidad tiene un contenido positivo que se manifiesta de múltiples formas, como por ejemplo: el derecho a la imagen, al domicilio y a la correspondencia. Para la Sala el derecho a la vida privada se puede definir como la esfera en la cual nadie puede inmiscuirse. La libertad de la vida privada es el reconocimiento de una zona de actividad que es propia de cada uno y el derecho a la intimidad limita la intervención de otras personas o de los poderes públicos en la vida privada de la persona; esta limitación puede manifestarse tanto en la observación y captación de la imagen y documentos en general, como en las escuchas o grabaciones de las conversaciones privadas y en la difusión o divulgación posterior de lo captado u obtenido sin el consentimiento de la persona afectada. (...)” (El resaltado es propio) En razón de lo anterior, resulta de mérito recordar que tales derechos fundamentales (intimidad, la privacidad y el secreto de las comunicaciones, y el derecho de autodeterminación informativa) se encuentran sustentados en la dignidad de la persona y la autodeterminación consciente y responsable de la propia vida. En ese sentido, se afirma que la dignidad es inherente al ser humano, y es el mínimo jurídico que se le debe asegurar a la persona con el objeto de que se respete su condición de tal y un mínimo de calidad de vida humana. En el respeto de los derechos derivados del artículo 24 se manifiesta el respeto a la dignidad humana.” (Procuraduría General de la República, Opinión Jurídica OJ-103-2010, del 13 de diciembre de 2010). Del mismo modo, como derivado de la dignidad e intimidad humanas, el tratamiento de los datos personales se encuentra dispuesto en un régimen jurídico especial que garantiza un trato adecuado de los mismos, por ello la Procuraduría General de la República en su Dictamen N° C-064-2022 de fecha 22 de marzo de 2022 manifestó: “(...) Por ejemplo, se prohíbe el tratamiento por parte de terceros, de aquellos datos considerados sensibles o personales, en cuyo caso, se consideran confidenciales, además, se protegen los datos personales de acceso restringido, los cuales, aún (sic) y cuando consten en registros de acceso al público, no pueden ser de acceso irrestricto, de allí que, su tratamiento está permitido sólo (sic) para el titular de la Administración Pública interesada, cuando persiga fines públicos, o bien, se cuente con el consentimiento expreso del titular. (...)” En ese sentido, se reitera lo señalado en el punto A del presente informe, toda vez que en la materia opera la jerarquía de las fuentes y a ese tenor debe observarse lo dispuesto en los Tratados, de esta forma la Ley N° 8622 “Tratado de Libre Comercio República Dominicana - Centroamérica - Estados Unidos (TLC)”, en su Anexo 13 del CAFTA “Compromisos Específicos de Costa Rica en Materia de Servicios de Telecomunicaciones”, observa en su artículo 6 lo relativo al acceso a y uso de redes, de la siguiente manera: 6. Acceso a y Uso de Redes (...) (b) No obstante lo dispuesto en el subpárrafo (a), Costa Rica podrá tomar las medidas que sean necesarias para garantizar la seguridad y confidencialidad de los mensajes, o proteger la privacidad de datos personales no públicos de los suscriptores de servicios públicos de telecomunicaciones, sujeto al requisito de que tales medidas no se apliquen de tal manera que pudieran constituir un medio de discriminación arbitraria o injustificable, o alguna restricción encubierta al comercio de servicios. (c) Costa Rica también garantizará que no se impongan condiciones al acceso a y el uso de redes o servicios públicos de telecomunicaciones, distintas a las necesarias para salvaguardar las responsabilidades del servicio público de los prestadores de redes o servicios públicos de telecomunicaciones, en particular su capacidad para poner sus redes o servicios a disposición del público en general, o proteger la integridad técnica de las redes o servicios públicos de telecomunicaciones. En esa misma línea, el artículo 3 incisos c), d), f), i), j), de la Ley N° 8642, Ley General de Telecomunicaciones, establece que nuestro ordenamiento jurídico sectorial se basa en principios rectores como lo son el beneficio al usuario final de los servicios de telecomunicaciones, la transparencia, la optimización del recurso escaso, privacidad de la información, competencia efectiva, principios orientadores de la función administrativa de este Ente Rector, de la actividad del Poder Ejecutivo, así como de los operadores y proveedores de los servicios de telecomunicaciones, que derivan de la norma constitucional referida ut supra. De la mano con lo anterior, debe resaltarse que el Preámbulo del Anexo 13 de la Ley N° 8622 “Tratado de Libre Comercio República Dominicana - Centroamérica - Estados Unidos (TLC)”, en su Anexo 13 del CAFTA “Compromisos Específicos de Costa Rica en Materia de Servicios de Telecomunicaciones” enfatiza que el proceso de apertura será en beneficio del usuario. En ese sentido, es importante manifestar que la Declaración Universal de los Derechos Humanos, adoptada por Resolución de la Asamblea General de las Naciones Unidas el día 10 de diciembre de 1948, resalta en su artículo 1 el valor de la dignidad humana en los siguientes términos: “Todos los seres humanos nacen libres e iguales en dignidad y derechos y, dotados como están de razón y conciencia, deben comportarse fraternalmente los unos con los otros.” (El resaltado es propio) En ese mismo sentido, se lee del artículo 2 que la tutela de la dignidad humana como valor fundamental, debe prevalecer en igualdad de condiciones, de la siguiente forma: 1. Toda persona tiene todos los derechos y libertades proclamados en esta Declaración, sin distinción alguna de raza, color, sexo, idioma, religión, opinión política o de cualquier otra índole, origen nacional o social, posición económica, nacimiento o cualquier otra condición. 2. Además, no se hará distinción alguna fundada en la condición política, jurídica o internacional del país o territorio de cuya jurisdicción dependa una persona, tanto si se trata de un país independiente, como de un territorio bajo administración fiduciaria, no autónomo o sometido a cualquier otra limitación de soberanía. (El resaltado es propio) Corolario de lo anterior, nuestro país es signatario de la Convención Americana sobre Derechos Humanos (Pacto de San José), Ley N°4543 de fecha 23 de febrero de 1970, que dispone una serie de obligaciones para el Estado costarricense según se observa a continuación: “Artículo 1. Obligación de Respetar los Derechos 1. Los Estados Partes en esta Convención se comprometen a respetar los derechos y libertades reconocidos en ella y a garantizar su libre y pleno ejercicio a toda persona que éste sujeta a su jurisdicción, sin discriminación alguna por motivos de raza, color, sexo, idioma, religión, opiniones políticas o de cualquier otra índole, origen nacional o social, posición económica, nacimiento o cualquier otra condición social. 2. Para los efectos de esta Convención, persona es todo ser humano.” (El resaltado es propio) En esa misma línea, el artículo 2 de la citada Convención señala que los Estados Parte se comprometen a adoptar las medidas internas en el ordenamiento nacional para hacer valer los derechos y libertades consagrados en dicho Pacto, así el ordinal reza: “Artículo 2 Deber de Adoptar Disposiciones de Derecho Interno Si el ejercicio de los derechos y libertades mencionados en el artículo 1 no estuviere ya garantizado por disposiciones legislativas o de otro carácter, los Estados Partes se comprometen a adoptar, con arreglo a sus procedimientos constitucionales y a las disposiciones de esta Convención, las medidas legislativas o de otro carácter que fueren necesarias para hacer efectivos tales derechos y libertades”. En relación con lo anterior, el artículo 26 de la referida Convención dispone que el desarrollo de las medidas internas ha de ser en forma progresiva para contribuir con el desarrollo y cooperación entre países en función a la debida protección de los derechos económicos, sociales, sobre educación, ciencia y cultura entre otros, de esta forma dispone: “Artículo 26 Desarrollo Progresivo Los Estados Partes se comprometen a adoptar providencias, tanto a nivel interno como mediante la cooperación internacional, especialmente económica y técnica para lograr progresivamente la plena efectividad de los derechos que se derivan de las normas económicas, sociales y sobre educación, ciencia y cultura, contenidas en la Carta de la Organización de los Estados Americanos, reformada por el Protocolo de Buenos Aires, en la medida de los recursos disponibles, por vía legislativa u otros medios apropiados.” De especial relevancia también se observa que el artículo 29 del Pacto de San José fija las reglas de interpretación de dicho instrumento para garantizar que los derechos y libertades fundamentales no resulten vulnerados mediante leyes o prácticas adoptados a lo interno, así indica: “Artículo 29 Normas de Interpretación Ninguna disposición de la presente Convención puede ser interpretada en el sentido de: a) permitir a alguno de los Estados Partes, grupo o persona, suprimir el goce y ejercicio de los derechos y libertades reconocidos en la Convención o limitarlos en mayor medida que la prevista en ella; b) limitar el goce y ejercicio de cualquier derecho o libertad que pueda estar reconocido de acuerdo con las leyes de cualquiera de los Estados Partes o de acuerdo con otra convención en que sea parte uno de dichos Estados; c) excluir otros derechos y garantías que son inherentes al ser humano o que se derivan de la forma democrática representativa de gobierno, y d) excluir o limitar el efecto que puedan producir la Declaración Americana de Derechos y Deberes del Hombre y otros actos internacionales de la misma naturaleza. (El resaltado es propio) Como puede verse, el régimen de protección de los derechos fundamentales humanos de Costa Rica se encuentra integrado por las normas del Derecho Internacional o Comunitario vigente en la República, incorporado formalmente en el ordenamiento jurídico a través de la adhesión de los distintos instrumentos que se suman a la protección de los derechos humanos. Para los efectos internos corresponde observar además las disposiciones que el Constituyente reguló en la Carta Magna y que se analizarán más adelante en el presente documento. Como bien se ha indicado, la incorporación del derecho supranacional al local no se agota en el proceso de adhesión a los instrumentos internacionales, sino que obedece a una lectura progresiva, de esta manera la puesta en ejecución de los instrumentos internacionales, requiere la intervención de los órganos del Poder Judicial que ejercen un control de constitucionalidad. Este ejercicio progresivo y necesario involucra también el análisis de convencionalidad ex officio, entre las normas internas y los instrumentos internacionales en el marco de las respectivas competencias de los órganos públicos. En virtud de lo anterior, se requiere la participación de todos los funcionarios del Estado para ejercer un control de convencionalidad, quiénes en ejercicio de sus funciones deberán interpretar las normas internas de forma tal que sean compatibles con las obligaciones internacionales, en garantía de los derechos humanos. Una adecuada hermenéutica jurídica implica que este control de convencionalidad se realice además en armonía con los principios de Derecho Internacional de los Tratados, que implican estimular a todos los órganos del aparato estatal para que se adopten las medidas necesarias para asegurar que los términos de un acuerdo internacional tengan efectos en armonía con el derecho interno (effet utile exige del Estado), seguido de la obligatoriedad del tratado entre las partes (pacta sunt servanda), que deben ser cumplidos tal y como se consagran de buena fe (bona fides), esta posición ha sido abordada por la Sala Constitucional, en la Resolución 2017-002800 de las 9:30 horas de 24 de febrero de 2017: “VIII- Sobre la obligatoriedad de la aplicación de los Convenios Internacionales para Costa Rica. El parámetro de control de constitucionalidad, según el artículo 1º de la Ley de la Jurisdicción Constitucional, no solo se encuentra compuesto por las normas de la Ley Fundamental, sino también por “los principios constitucionales y del Derecho Internacional o Comunitario vigente en la República, su uniforme interpretación y aplicación, así como los derechos y libertades fundamentales consagrados en la Constitución o en los instrumentos internacionales de derechos humanos vigentes en Costa Rica”. Ergo, todas las fuentes jurídicas, principios y derechos citados, que comprenden tanto principios constitucionales como otros del Derecho Internacional o Comunitario, en el ejercicio del control de constitucionalidad, deben aplicarse de modo armónico, de forma tal que sus contenidos protectores se optimicen de la mejor manera posible y no se afecte el contenido esencial de ninguno de ellos. Asimismo, el principio de derecho internacional effet utile exige del Estado, en la interpretación y aplicación de los Tratados, y de aquellos no autoaplicables (non-self executing), la obligación de estimular a todos los órganos del aparato estatal para que se generen efectos duraderos en el orden interno de acuerdo con las obligaciones internacionales adquiridas, de modo que se deben tomar las medidas necesarias en todo su conjunto, para asegurar que los términos de un acuerdo internacional tengan efectos en armonía con el derecho interno. A esto siguen los mecanismos de cooperación entre los Estados y organizaciones internacionales, y de seguimiento sobre la compatibilidad de la legislación interna con la de los convenios internacionales. En igual sentido, los principios de pacta sunt servanda y bona fides determinan que los tratados deben ser cumplidos tal y como se consagran de buena fe, por cuanto la obligatoriedad del tratado entre las partes les impone establecer políticas tendentes a su adecuado acatamiento. Los principios anteriores obligan a una interpretación del derecho interno, incluida por supuesto la Constitución y de las normas de los tratados suscritos por Costa Rica, a la luz del principio de coherentia, en virtud del cual, ante dos enunciados, uno de una norma de un tratado internacional y otra de una del derecho interno, en la medida de lo posible, no debe atribuírseles un significado que produzca una incompatibilidad entre ellas. La exigencia de coherencia es una consecuencia lógica de los principios de pacta sunt servanda, bona fides y effet utile a los que ya hemos hecho referencia. Si los Estados se comprometen en el orden internacional, es porque tienen la voluntad de cumplir las obligaciones contraídas y es obligación de los Estados y sus órganos internos adoptar todas las medidas requeridas, incluido aquellas de carácter interpretativo, para adaptar el ordenamiento interno de manera que se alcance el objetivo perseguido en el convenio internacional ratificado. Por tales razones, el Tribunal Constitucional, en ejercicio del control de constitucionalidad, tiene el deber de armonizar las obligaciones derivadas de la Constitución Política y el Derecho Internacional, todo ello en la medida que el razonamiento técnico jurídico preciso y fundado en el bloque de constitucionalidad así lo permita, de manera que los contenidos protectores de las diversas fuentes se optimicen de la mejor manera posible, eso sí sin que eso afecte el contenido esencial de ninguno derecho fundamental. Ciertamente, en el plano interno, el derecho constitucional tiene prioridad sobre el internacional; sin embargo, en el plano externo, lo anterior no justifica el incumplimiento unilateral de un Estado de una obligación convencional vinculante, lo que irremediablemente acarrearía responsabilidad para el Estado que incumple por tratarse de la violación del derecho internacional, y solo tendría la posibilidad complicada de proceder con la regulación de la nulidad, terminación o suspensión de la aplicación de los tratados conforme a la Parte V de la Convención de Viena sobre el Derecho de los Tratados de 1969. (...) Así las cosas, Costa Rica debe poner en práctica las disposiciones de los instrumentos internacionales en materia de Derechos Humanos, los cuales en armonía con los mandatos de la Constitución Política visualizan a la persona como centro de la jurisdicción y en consecuencia debe garantizarse el régimen de protección de sus derechos y libertades fundamentales. De esta manera, nuestro orden constitucional es conciliatorio con el régimen de protección internacional de los derechos y libertades fundamentales de la persona humana, toda vez que el artículo 33 reconoce y proclama el valor constitucional de la dignidad humana, que constituye la piedra angular de todos los derechos fundamentales y humanos, de la siguiente forma: “ARTÍCULO 33.- Toda persona es igual ante la ley y no podrá practicarse discriminación alguna contraria a la dignidad humana.” (El resaltado es propio) Ahora bien, conviene remitir a las consideraciones vertidas por esta Sala Constitucional en la Resolución N° 16069-2020 de las 09 horas 15 minutos de fecha 26 de agosto de 2020, y que guarda relación con respecto al reconocimiento de la dignidad humana y el trato igualitario que subyace a ésta, sobre lo cual indicó: “El ser humano, por el simple hecho de serlo, por haber nacido tal, es depositario de una serie de derechos que le son reconocidos en protección de su dignidad. En definitiva, uno de los valores y principios fundamentales del Derecho de la Constitución lo constituye, precisamente, la dignidad, sobre el cual se erige el edificio entero de la parte dogmática de la Constitución, esto es, de los derechos fundamentales de las personas. Es a partir del reconocimiento de la dignidad intrínseca al ser humano que los instrumentos internacionales de Derechos Humanos y las Constituciones le otorgan una serie de libertades y derechos indiscutibles y universalmente aceptados. En este sentido, la Asamblea General de las Naciones Unidas al adoptar la Declaración Universal de Derechos Humanos en su resolución No. 217 A (III) del 10 de diciembre de 1948, consideró en el Preámbulo que la libertad, la justicia y la paz en el mundo tienen por base el reconocimiento de la dignidad intrínseca y de los derechos iguales e inalienables de todos los miembros de las comunidades. En esa inteligencia, se acordó en el artículo 1o que “Todos los seres humanos nacen libres e iguales en dignidad y derechos ...”. Asimismo, el artículo 2° reconoce que toda persona tiene los derechos y libertades proclamados en dicha Declaración sin distinción alguna. Idénticas consideraciones realizó la Asamblea General de las Naciones Unidas al dictar el Pacto Internacional de Derechos Civiles y Políticos y el Pacto Internacional de Derechos Económicos, Sociales y Culturales, adoptados en la resolución No. 2200 A (XXI) del 16 de diciembre de 1966 e incorporados a nuestro ordenamiento jurídico por Ley No. 4229 del 11 de diciembre de 1968, en los que se decretó que el reconocimiento de los derechos allí dispuestos derivan de la dignidad inherente a la persona humana. Por su parte, los Estados Americanos adoptaron la Convención Americana sobre Derechos Humanos que es Ley de la República No. 4534 de 23 de febrero de 1970 y, en el preámbulo, reconocieron que los derechos esenciales del hombre no surgen del hecho de ser nacional de un determinado Estado, sino que tienen como fundamento los atributos de la persona humana. El artículo 1o se dispone que los Estados Partes en la Convención se comprometen a respetar los derechos y libertades reconocidos en ella y a garantizar su libre y pleno ejercicio a toda persona sin discriminación”. (El resaltado es propio) Como bien se indica, la dignidad humana es inherente a cualquier ser humano y por tanto, representativa de una serie de derechos y libertades cuyo goce y protección debe ser garantizado a todos por igual. De lo anterior, el régimen de protección de los Derechos Humanos se sustenta en el principio de igualdad ante la ley consagrado en el artículo 24 del Pacto de San José, conforme al cual: “Artículo 24 Igualdad ante la Ley Todas las personas son iguales ante la ley. En consecuencia tienen derecho, sin discriminación, a igual protección de la ley”. Resulta de especial relevancia analizar lo dispuesto en el artículo 24 del Pacto de San José junto con el mandato constitucional del artículo 33, citados en líneas anteriores, pues ambos invocan el valor de la dignidad humana de la mano con el principio de igualdad libre de toda discriminación. En concreto, la Sala Constitucional ha dimensionado que la discriminación ocurre cuando en una determinada situación se trate en forma desigual a los iguales, sin mediar justificación alguna. En ese sentido, mediante Resolución N°03421-2020, de las 12 horas 10 minutos, de fecha 19 de febrero de 2020 estimó: “En relación con el Principio de Igualdad y el Derecho a la no Discriminación, el artículo 33 de la Constitución establece la igualdad, no sólo como principio que informa todo el ordenamiento, sino además como un auténtico derecho subjetivo en favor de los habitantes de la República. En razón de ello se proyecta sobre todas las relaciones jurídicas, especialmente las que se traban entre los ciudadanos y el poder público. De ahí que el derecho a la igualdad se resume en el derecho a ser tratado igual que los demás en todas y cada una de las relaciones jurídicas que se constituyan. Por otra parte, la igualdad es también una obligación constitucionalmente impuesta a los poderes públicos, lo cual consiste en tratar de igual forma a los que se encuentren en iguales condiciones de hecho, constituyéndose, al mismo tiempo, en un límite a la actuación del poder público. No obstante ello y que, en tesis de principio, todos son iguales ante la ley, en la realidad se pueden dar situaciones de desigualdad. Aquí es importante indicar que existen dos conceptos básicos que suelen confundirse al hablar del tema de la igualdad ante la Ley, como lo son la discriminación y la diferenciación. La Constitución prohíbe la discriminación, pero no excluye la posibilidad de que el poder público pueda otorgar tratamientos diferenciados a situaciones distintas, siempre y cuando se funde en una base objetiva, razonable y proporcionada. Resulta legítima y hasta obligatoria, una diferenciación de trato cuando exista una desigualdad en los supuestos de hecho, lo que implicaría que el principio de igualdad sólo se viola cuando se trata desigualmente a los iguales y, por ende, es inconstitucional el trato desigual para situaciones idénticas”. De lo anterior es relevante traer a la discusión el carácter del principio de igualdad, el cual es una obligación para el Poder Público, que se transforma en el deber de materializar un justo trato entre todos los seres humanos que se encuentran en iguales condiciones de hecho, porque nacen libres e iguales en dignidad y derechos. En este sentido, se parte de lo más básico como lo establece la Declaración Universal de Derechos Humanos, en el que al estar los seres humanos dotados de raciocinio, eleva nuestro deber de comportarnos racionalmente los unos con los otros, con lo cual el Estado debe construir un entramado jurídico que trate a quienes están en iguales condiciones de hecho a ser tratados de igual forma. Es evidente, que hay situaciones de hecho en las que no se trata a todos de igual forma, especialmente cuando se debe compensar por aquellas situaciones de hecho producidas por las alteraciones propias de la naturaleza y de las cosas, las cuales pueden hacer que el Estado al omitir medidas correctivas incurra en injusticias, pues pueden resultar en desigualdades contrarias a la dignidad humana. Como lo establece el precedente anterior, es claro que la dificultad radica en determinar la connotación negativa que trae tratar diferentemente a las personas, cuando se puede caer en la discriminación y no en una diferenciación. Una discriminación es un trato diferente que carece de una base objetiva, razonable y proporcionada. Al referirse a la diferenciación, se trata de establecer tratamientos jurídicos diferenciados cuando hay una base objetiva, razonable y proporcionada. (...)” (El resaltado es propio) De los aspectos antes esbozados por esa respetable Sala Constitucional, se evidencia que en la casuística al discutir el principio de igualdad y el derecho a la no discriminación, debe examinarse necesariamente si en el caso existe alguna base fáctica objetiva que permite brindar una diferencia de trato, supuesto que en consecuencia se denomina diferenciación de trato y resulta ser un escenario perfectamente factible y válido, con fundamento en el principio de igualdad. Esta precisión conceptual implica que los poderes públicos deben tratar de igual forma a los que se encuentren en iguales condiciones de hecho, de manera motivada. En consecuencia, el principio de igualdad sólo es vulnerado cuando se trata desigualmente a los iguales en ausencia de justificación, que se traduce en discriminación. Ahora bien, este Ministerio estima de mérito reiterar que el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196MSP-MICITT, pretende resguardar los referidos derechos de los usuarios finales de telecomunicaciones que derivan del artículo 24 constitucional (ya citado) como lo son la intimidad, inviolabilidad de los documentos privados, privacidad de las comunicaciones, y calidad de los servicios, al establecer medidas técnicas y objetivas en el despliegue de las redes 5G y superiores, ya que estos derechos encuentran su fundamento en la dignidad de la persona y su ejercicio supone la autodeterminación consciente y responsable de la propia vida. La dignidad humana es el mínimo jurídico que se le debe asegurar a los usuarios finales de telecomunicaciones, con el objeto de que se respete su condición de tal y un mínimo de calidad de vida humana. El desarrollo de las nuevas tecnologías y las posibilidades de invasión en la esfera privada de las personas son susceptibles de atentar contra la dignidad y la intimidad de las personas. De ahí deriva la verdadera necesidad de la emisión “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, ya que tutela la protección de los citados derechos desde un ámbito que es sumamente vulnerable como lo es el establecimiento de la propia red, lo cual es trascendental toda vez que ese Tribunal Colegiado ha reconocido el papel fundamental de la misma en la satisfacción del cumplimiento del bien demanial: “cual es proteger el servicio público y la calidad del servicio público que se pretende brindar” (...) En ese mismo sentido, la Resolución Nº 03089-2011, de las 08:38 horas de fecha 11 de marzo del 2011, esa misma Sala Constitucional indicó en relación con los equipos que se pretenden conectar a la red de telefonía móvil: “(...) cumplan una condiciones o estándares mínimos, de forma que se garantice la salud, la seguridad y los intereses económicos de los propios usuarios, resulta congruente con lo dispuesto en el artículo 46 de la Constitución Política. (...). Entre las razones de índole técnico se incluyen, entre otras, asegurar que los equipos terminales permitan al usuario el poder elegir y cambiar libremente al proveedor de servicios, recibir el servicio en forma continua y equitativa, tener acceso a las mejoras que el proveedor implemente, recibir servicios de calidad en los términos estipulados previamente y pactados con el proveedor, y poder acceder a la información en idioma español. (...)” (El resaltado es propio) Por lo anteriormente expuesto, a continuación me referiré al régimen jurídico de protección a la intimidad y derechos del usuario final en materia de servicios de telecomunicaciones. C. SOBRE EL RÉGIMEN JURÍDICO DE PROTECCIÓN A LA INTIMIDAD Y DERECHOS DEL USUARIO FINAL EN MATERIA DE SERVICIOS DE TELECOMUNICACIONES. Como bien se desarrolló en párrafos anteriores, el Poder Ejecutivo posee la obligación dentro del marco de asignación del espectro, de garantizar que dicha asignación no sólo se realice en estricto apego al principio de legalidad. Además, que los servicios a prestar por medio de redes de telecomunicaciones se ajusten a las consideraciones del Título II, Capítulo II denominado Régimen de Protección a la intimidad y derechos de los usuarios finales de la Ley N° 8642, Ley General de Telecomunicaciones. Ello por cuanto dicha ley especial regula el régimen de privacidad y de protección de los derechos e intereses de los usuarios finales de los servicios de telecomunicaciones, y de forma específica los artículos 41 y 42 de este cuerpo legal disponen: “ARTÍCULO 41.- Régimen jurídico El presente capítulo desarrolla el régimen de privacidad y de protección de los derechos e intereses de los usuarios finales de los servicios de telecomunicaciones. Los acuerdos entre operadores, lo estipulado en las concesiones, autorizaciones y, en general, todos los contratos por servicios de telecomunicaciones que se suscriban de conformidad con esta Ley, tendrán en cuenta la debida protección de la privacidad y los derechos e intereses de los usuarios finales. A la Sutel le corresponde velar por que los operadores y proveedores cumplan lo establecido en este capítulo y lo que reglamentariamente se establezca. ARTÍCULO 42.- Privacidad de las comunicaciones y protección de datos personales Los operadores de redes públicas y proveedores de servicios de telecomunicaciones disponibles al público, deberán garantizar el secreto de las comunicaciones, el derecho a la intimidad y la protección de los datos de carácter personal de los abonados y usuarios finales, mediante la implementación de los sistemas y las medidas técnicas y administrativas necesarias. Estas medidas de protección serán fijadas reglamentariamente por el Poder Ejecutivo. Los operadores y proveedores deberán adoptar las medidas técnicas y administrativas idóneas para garantizar la seguridad de las redes y sus servicios. En caso de que el operador conozca un riesgo identificable en la seguridad de la red, deberá informar a la Sutel y a los usuarios finales sobre dicho riesgo. Los operadores y proveedores deberán garantizar que las comunicaciones y los datos de tráfico asociados a ellas, no serán escuchadas, gravadas, almacenadas, intervenidas ni vigiladas por terceros sin su consentimiento, salvo cuando se cuente con la autorización judicial correspondiente, de conformidad con la ley.” Puede verse, dichos artículos establecen tres aspectos de relevancia a los efectos del presente informe, a saber: a)La obligación a la que están sujetos los operadores de observar la debida protección de la privacidad y los derechos e intereses de los usuarios finales. b) La competencia impuesta a la Sutel de velar por que los operadores y proveedores cumplan con dichas obligaciones. c) La competencia del Poder Ejecutivo de establecer vía reglamento medidas de protección. Todo ello a favor del régimen jurídico de protección a los usuarios finales en el acceso y disfrute efectivo de los servicios de telecomunicaciones. En adición, el artículo 49 incisos 1, 2 y 3, de la Ley N° 8642, Ley General de Telecomunicaciones, establece las obligaciones de los operadores y proveedores en los siguientes términos: ARTÍCULO 49.- Obligaciones de los operadores y proveedores Los operadores de redes y proveedores de servicios de telecomunicaciones tendrán las siguientes obligaciones: 1) Operar las redes y prestar los servicios en las condiciones que establezcan el título habilitante respectivo, así como la ley, los reglamentos y las demás disposiciones que al efecto se dicten. 2) Cumplir las obligaciones de acceso universal, servicio universal y solidaridad que les correspondan, de conformidad con esta Ley. 3) Respetar los derechos de los usuarios de telecomunicaciones y atender sus reclamaciones, según lo previsto en esta Ley. (...) Por su parte, el artículo 74 inciso f) del Reglamento a la Ley General de Telecomunicaciones, Decreto Ejecutivo Nº 34765, establece dentro de las obligaciones generales de los titulares de las concesiones para el uso y explotación del espectro radioeléctrico el deber de adoptar las medidas necesarias para garantizar la privacidad de las telecomunicaciones. Como bien se precisará en apartados posteriores del presente informe, el Reglamento de marras incorpora los estándares más altos y mejores prácticas internacionales en materia de ciberseguridad, de cara al proceso concursal para servicios de telecomunicaciones mediante sistemas de Telecomunicaciones Móviles Internacionales (IMT, por sus siglas en inglés), incluida la tecnología de quinta generación 5G y superiores. La incorporación de dichos elementos constituye parámetros objetivos para afianzar la prevención contra la ciberdelincuencia, que como bien se verá ha generado importantes repercusiones en el país. Como parte de las medidas de ciberseguridad que regula el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196MSP-MICIT, se identifica la necesidad de que tanto operadores como proveedores no presenten parámetros de riesgo alto a la hora de prestar el servicio de telecomunicaciones. En ese sentido, es importante recalcar que el citado Reglamento únicamente contempla parámetros de riesgo alto por cuanto se ha procurado que la intervención estatal sea mínima, de modo tal que la valoración y gestión de riesgos de impacto medio y bajo sea llevada a cabo por los operadores de redes o proveedores de servicios de telecomunicaciones. Finalmente, conviene apuntar que la tutela de la dignidad humana y el goce de los derechos que de ella emanan prevalece sobre cualquier otra materia, así lo ha apuntado la Sala Constitucional en el voto N°03421-2020, de las 12 horas 10 minutos, de fecha 19 de febrero de 2020, al reseñar que: “(...) es importante recordar una cuestión elemental del Derecho Internacional Público. Los Tratados sobre Derechos Humanos tienen, por su materia, un objeto y fin muy distinto a los tratados internacionales bilaterales o multilaterales en temas comerciales, de relaciones de cooperación técnica, científica, cultural, etc. En estos tratados, los sujetos de derecho internacional acuerdan obligaciones mutuas entre sí en los respectivos temas pactados; sin embargo, en los relacionados con los derechos humanos, los Estados ponen como objeto y fin a la persona humana que se encuentre dentro de su jurisdicción. En este sentido, los Estados conceden de conformidad con la regla de oro del derecho internacional, obligaciones internacionales a favor de la persona humana, que deben ser cumplidas de buena fe (de conformidad con el artículo 26. Pacta sunt servanda del Convenio de Viena sobre el Derechos de los Tratados).(El resaltado es propio) En consecuencia, prevalece la regla del derecho internacional pacta sunt servanda de cumplir las obligaciones internacionales a favor de la persona humana, que es precisamente lo que Costa Rica ha procurado con la implementación del Reglamento de análisis. Todo ello entendiendo que, el ser humano es la piedra angular en la Sociedad de la Información y el Conocimiento, y por tanto debe de dotarse de toda protección, máxime cuando se trata de entornos complejos digitales tal y como representa la inminente implementación de la tecnología de quinta generación móvil conocida como 5G. Para una mejor comprensión de las disposiciones y estándares contenidos en el Reglamento de estudio, se procederá a abordar en apartados siguientes los aspectos que se valoraron para la elaboración del mismo. Es así como en la protección del régimen jurídico de los derechos fundamentales de los usuarios finales de telecomunicaciones, que el Poder Ejecutivo en ejercicio de sus cometidos y potestades reglamentarias delegadas constitucional y legalmente puede adoptar las medidas necesarias para garantizar la privacidad, el secreto de las comunicaciones, y la autodeterminación informativa de estos. D. SOBRE LA NECESIDAD DE FORTALECER Y ADAPTAR EL MARCO REGULATORIO SECTORIAL POR RAZONES DE SEGURIDAD NACIONAL EN VIRTUD DE LOS CIBERATAQUES SUFRIDOS POR NUESTRO PAÍS. Como antecedente, en fecha 12 de abril de 2022, Costa Rica recibió un fuerte ataque cibernético a las bases de datos del Ministerio de Hacienda y en fechas posteriores se recibieron ciberataques a diferentes bases de datos de otras instituciones. Por lo anterior, nuestro país ha sido foco de titulares internacionales en los cuales se reveló la magnitud del ciberataque, así como la vulnerabilidad del Estado costarricense ante este tipo de acontecimientos. Como muestra de la afectación generada a los diferentes Sistemas públicos, el Plan Nacional de Emergencia a los Ciberataques,[3] mostró en su Tabla N°1, las instituciones afectadas por el ciberataque de la siguiente forma: TABLA 1 Decreto de Emergencia N°43542 – MP - MICITT Instituciones afectadas por los Ciberataques INSTITUCIÓN FECHA INCIDENTE Ministerio de Hacienda 17 de abril ● Exfiltración de información publicado sitio web del grupo cibercriminal CONTI ● Cifrado de información ● Afectación funcionalidad de sistemas informáticos MICITT 18 de abril ● Defacement (modificación del sitio web) ● Afectación de funcionalidad de sistemas informáticos Instituto Meteorológico Nacional (IMN) ● Exfiltración de información publicado sitio web del grupo cibercriminal CONTI ● Afectación de funcionalidad de sistemas informáticos RACSA ● Exfiltración de información publicado sitio web del grupo cibercriminal CONTI ● Afectación de funcionalidad de sistemas informáticos Caja Costarricense del Seguro Social (CCSS) 20 de abril ● Robo de credenciales de RRSS ● Ataque por medio de SQL inyección ● Afectación de funcionalidad de sistema informático de Recursos Humanos de la CCSS ● Exfiltración de información de una tabla con datos de bitácora, pero no datos sensibles Ministerio de Trabajo y Seguridad Social (MTSS) 21 de abril ● Exfiltración de información publicado sitio web del grupo cibercriminal CONTI ● Cifrado de información ● Afectación funcionalidad de sistemas informáticos Junta Administrativa del Servicio Eléctrico Municipal de Cartago (JASEC) 23 de abril ● Cifrado de información ● Afectación funcionalidad de sistemas informáticos Sede Interuniversitaria de Alajuela (SIUA) ● Exfiltración de información publicado sitio web del grupo cibercriminal CONTI ● Afectación funcionalidad de sistemas informáticos En las otras instituciones (Municipalidad de Golfito, Municipalidad de Turrialba, INDER, Municipalidad de Santa Bárbara, Municipalidad de Garabito, MEIC, Colegio Universitaria de Cartago, FANAL, Municipalidad de Alajuelita, CONAPE, Ministerio de Justicia y Paz) las medidas técnicas desplegadas logran detectar y contener el posible CONTI en sus sistemas.

Fuente: MICITT, citando Plan General de Emergencia Ciberataques. Debido a lo anterior, el Poder Ejecutivo mediante Decreto N°43542-MP-MICITT, “Declara estado de emergencia nacional en todo el sector público del Estado costarricense, debido a los cibercrímenes que han afectado la estructura de los sistemas de información”, declaratoria que se fundamenta en el impacto inmediato en los sistemas informáticos vinculados al funcionamiento de servicios críticos del Estado. Ahora bien, estos quebrantos a los diferentes sistemas institucionales generaron importantes consecuencias a largo plazo, en ese sentido la Contraloría General de la República mediante el oficio N°DFOE-CAP-OS-00001-2023 de fecha 01 de mayo de 2023, denominado “Opiniones y sugestiones: “Emergencia cibernética: Obstáculo para la transformación digital y el bienestar social; retrocesos para la transparencia y rendición de cuentas” identificó las siguientes: ● Pérdida de eficiencia interna, ya que la inhabilitación de los sistemas informáticos provoca retrasos en sus procesos, para de labores o recarga de funciones técnico administrativas para el personal. ● Pérdida de ingresos, así por ejemplo se reportó en el Ministerio de Trabajo y Seguridad Social, un atraso en la captación de ingresos por ₡1.431 millones por concepto de cuotas obrero patronales que deben recibirse por parte de la Caja Costarricense de Seguro Social y en la Junta Administrativa del Servicio Eléctrico Municipal de Cartago, por ₡93 millones por venta de servicios no se efectuaron durante el periodo de interrupción de los sistemas. Estos retrasos adquirieron una dimensión significativa porque no solo provocaron pérdidas financieras en los ingresos de estas instituciones, sino que además se generan sesgos en el gasto público y con ello la adecuada prestación de los servicios públicos. ● Pérdida de información que impacta sin lugar a dudas la continuidad en las operaciones y la toma de decisiones. El valor de la información trasciende la toma de decisiones, también incide en la confianza, la transparencia y la rendición de cuentas. Por ejemplo, proveer una mayor apertura y acceso a la información estimula y fortalece el control ciudadano y facilita el desarrollo de servicios públicos más centrados en las necesidades de las personas, más confiables y más abiertos. A mayor abundamiento la Contraloría General de la República en el citado documento indicó: “(...) Los ciberataques repercuten directamente en la rendición de cuentas y la transparencia de las instituciones en la forma de pérdida de información y confiabilidad de los datos. Los ciberataques también afectaron la disponibilidad de información financiera y fiscal relevante para la toma de decisiones. De acuerdo con el Programa Estado de la Nación [12], los ciberataques evidenciaron que “(...) la disponibilidad y apertura de la información fiscal no solo es más limitada, sino que, a la fecha, no se han logrado reestablecer (SIC) los registros históricos (...)” • Afectación directa al bienestar de las personas, que se han visto afectadas por la interrupción de los servicios de salud, en ese sentido la Caja Costarricense del Seguro Social identificó impactos en las listas de espera y reprogramación de citas, específicamente en procedimientos quirúrgicos, consulta externa, procedimientos ambulatorios, laboratorio y radiología e imágenes que constituyeron un total de 158.255 reprogramaciones durante los meses de junio a septiembre de 2022. De este modo los habitantes debieron asumir costos relacionados con tiempos de respuesta más largos, alternativas más costosas e inclusive difícil acceso a la información al tener que trasladarse de una ventanilla a otra en la misma institución. En relación con el impacto económico a las instituciones afectadas únicamente en cuanto a acciones relacionadas a la recuperación de las áreas afectadas, el Plan Nacional de Emergencia a los Ciberataques,[4] mostró en su Tabla N°6 algunos datos que resultan de interés al presente documento de esta forma: “TABLA 6 Decreto de Emergencia N°43542–MP–MICITT Fase de Reconstrucción: Propuestas de Acciones por Unidad Ejecutora” Institución Propuesta de Acciones Monto Ministerio de Hacienda Adquisición de herramientas tecnológicas que permitan realizar una analítica de la red, identificar y bloquear ataque de malware, ransomware y cualquier tipo de nueva amenaza de Internet o a nivel interno y que permite también poder tener visibilidad completa de la actividad de todos los usuarios (y del rastro dejado por sus dispositivos), para bloquear cualquier amenaza. Adquisición de servicios de productividad segura, servicios online en la nube, servicios de monitoreo y respuesta de seguridad, servicios en la nube Azure y horas de servicio para sanitización de equipos faltantes.

₡1 049 388 494,63 Ministerio de Ciencia, Innovación, Tecnología y Telecomunicacion es (MICITT) Implementar un nuevo sitio web bajo una versión de plataforma actualizada y segura que minimice ser nuevamente blanco de ataque.

Herramientas para la defensa de aplicaciones web en forma inteligente y automatizada y de protección de correo electrónico. Equipo de respaldo de información y equipo para labores del CSIRT-CR.

Contratación de personal temporal (por emergencia) para reforzar la capacidad de respuesta del CSIRT-CR.

Pago de licencias de microCLAUDIA a Centro Criptológico Nacional de España.

l ₡641 475 400,00 Instituto Meteorológico Nacional (IMN) Renovación de las licencias de Antivirus, EDR.

Renovación de las licencias de los 3 FireWall que tiene el IMN. Renovación del certificado digital.

Renovación del licenciamiento del sistema de respaldo Institucional.

Renovación del contrato de licenciamiento de nuestra Base de Datos Oracle.

Renovación de licencia para el clúster, que contiene vCenter Service.

₡66 000 000 Ministerio de Trabajo y Seguridad Social (MTSS) Adquisición de Plataforma SIEM XDR opción incluyendo HW Appliance, licenciamiento de Cortex de PaloAlto, Kaspersky EDR Expert (700) + KATA para servidores (50), Web Application Firewall (WAF) (Hasta 1 Gb/seg) ₡345 000 000 Junta Administrativa del Servicio Eléctrico Municipal de Cartago (JASEC) Contratación de consultoría experta en medios de almacenamiento (SAN) NetApp que permita realizar los análisis y recuperación de los datos críticos.

Adquisición de un equipo Firewall para detectar y controlar el tráfico de datos de entrada y salida, actualizar las licencias de Microsoft Windows 2007 y 2010 por licenciamiento Windows más actual, actualización de la licencia ORACLE y adquirir dos licencias de tipo Enterprise.

₡164 000 000 Sede Interuniversitaria de Alajuela (SIUA) Se requiere la obtención de al menos un servidor físico para poder implementar una solución SIEM/EDR en la SIUA.

Compra de un equipo firewall-ng que permita identificar ataques DDoS, DoS, exploits, malware, aplicaciones no deseadas, brinde protección de correo, entre otros, se necesitan al menos un equipo con inteligencia contra amenazas y emparejamiento de firmas, para garantizar la seguridad y el acceso a los servicios públicos y privados del dominio siua.ac.cr.

₡28 500 000 TOTAL ₡2,294,363,894.63 Fuente: Sistema de Reportes de Daños, Pérdidas y Propuestas de Atención por Declaratorias de Emergencia Nacional, 2022. A ese tenor, según la Comisión Nacional de Emergencias las acciones del citado Plan Nacional de Emergencia a los Ciberataques, “(...) se orientan atender los sistemas informáticos, rehabilitar los servicios públicos afectados, reforzar la seguridad de estos; todo bajo condiciones satisfactorias que aseguren la continuidad de estos servicios sin que se repita, hasta donde es posible, un evento de esta naturaleza”. No obstante, a largo plazo se hace imprescindible adoptar medidas que van más allá de atender los sistemas y servicios afectados, en razón de que el peligro de ciberataques sigue siendo latente. De este modo, el estado emergencia debe atenderse además mediante el establecimiento de normativa y protocolos de seguridad para actuar defensivamente y ante eventos futuros de forma preventiva, siendo el establecimiento de medidas de ciberseguridad a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores, un elemento esencial para un manejo integral de los indicados riesgos. Por ello, el Poder Ejecutivo en el citado Decreto N°43542-MP-MICITT, estableció una serie de medidas que comprenden todas las acciones, obras y servicios necesarios para poder contener, solucionar y prevenir nuevos ataques en contra de los Sistemas de Información del Estado Costarricense. El mismo Decreto N°43542-MP-MICITT, expresa que declarará la cesación del estado de emergencia nacional cuando se cumplan las fases de la emergencia definidas en el artículo 30 de dicha Ley y el artículo 2 del presente Decreto Ejecutivo y se cuente con el criterio técnico emitido por la Comisión Nacional de Prevención de Riesgos y Atención de Emergencias que así lo respalde. En este sentido el artículo 2 dispone: Artículo 2.- Se tienen comprendidas dentro de esta declaratoria de emergencia todas las acciones, obras y servicios necesarios para poder contener, solucionar y prevenir nuevos ataques en contra de los Sistemas de Información del Estado Costarricense. Por lo anterior, y debido a la gravedad de los ciberataques recibidos, el estado de emergencia nacional a la fecha de emisión del “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT se mantiene, y el Poder Ejecutivo continúa realizando acciones preventivas que permitan una mejor respuesta ante este tipo de transgresiones. Los ciberataques explotan cualquier brecha o vector de exposición en las redes y servicios, o fallos en las tecnologías, para vulnerar los principios de la ciberseguridad y la seguridad de la información: confidencialidad, integridad y disponibilidad. Sin embargo, la evolución hacia redes 5G permitirá una amplia gama de nuevos y mejorados servicios críticos, desde vehículos autónomos y telemedicina hasta la fabricación automatizada. Esto implica que el vector de exposición se amplía y el riesgo aumenta, ya que una violación de los principios de la triada de seguridad de la información podría ocasionar desde fallos en servicios esenciales hasta la pérdida de vidas. Por tanto, es necesario fortalecer la seguridad en las redes 5G y protegerlas adecuadamente, aplicando salvaguardas para reducir el riesgo de que estas redes sean utilizadas en ataques informáticos. Cabe resaltar que, a pesar de los ciberataques, Costa Rica continúa promoviendo y propiciando el avance tecnológico y con ello el fomento de nuevas tecnologías en beneficio de los usuarios de telecomunicaciones en el marco de la Sociedad de la Información y del conocimiento, esto con mayor cautela. A manera de ejemplo, la Promotora del Comercio Exterior de Costa Rica (PROCOMER) ha señalado en relación con las exportaciones de servicios:“(...) Al 2022, las exportaciones de servicios de Costa Rica sumaron los $11.790 millones, un 29% más que en el 2021, siendo este crecimiento es el más alto de los últimos cinco años y superando los niveles de la época prepandemia. Al excluir el subsector de viajes, el crecimiento es de 16% y las exportaciones suman $8.653. Servicios empresariales (45%), viajes (27%), telecomunicaciones, informática e información (16%) y servicios de transformación (6%) son los principales subsectores de servicios. (El resaltado no pertenece al original) (...)” A partir de las consideraciones anteriores, es importante tener presente que las medidas de ciberseguridad deben ser continuas ya que los riesgos no se comportan de forma estática, se manifiestan presentes en la cotidianidad. Es por lo anterior, que con la próxima introducción de la tecnología 5G, como se analizará más adelante, exige la articulación de esfuerzos continuos, debiendo reforzar el marco normativo entre otras acciones, por medio de la incorporación de medidas de seguridad en dos vertientes, la primera de ellas a las redes IMT-2020, y en segundo lugar para la protección de la privacidad, el secreto de las comunicaciones, y la autodeterminación informativa de los usuarios finales de telecomunicaciones. Otro elemento que debe de considerarse, tal y como lo manifiesta el Programa Sociedad de la Información y el Conocimiento (PROSIC) de la Universidad de Costa Rica, es que “Hoy el cibercrimen representa “la mitad de todos los delitos contra la propiedad que tienen lugar en el mundo” (BID, 2021, p.10) lo que demuestra la magnitud de este problema, tan ausente en la mayoría de planes de gobierno.” Y particularmente en relación con el ciberataque de abril de 2022, PROSIC expone que la “experiencia vivida con los ciberataques nos muestra la necesidad de reforzar la preparación y la adopción de medidas que aseguren la resiliencia y la gestión adecuada de las ciber amenazas. (...)” En la Estrategia Nacional de Ciberseguridad de Costa Rica 2023-2027, publicada el 13 de noviembre, se aborda de manera integral los riesgos de ciberseguridad, y bajo este enfoque el pilar 3 consiste en: “fortalecer la protección de infraestructuras y la ciber resiliencia nacional, protegiendo las infraestructuras críticas nacionales y gestionando adecuadamente los riesgos de ciberseguridad para que las partes interesadas puedan maximizar los beneficios del entorno digital y la ciudadanía esté más segura en línea (...)”. Así, es importante recalcar que a mayor complejidad de tecnología, mayor es el grado de vulnerabilidad y en consecuencia las medidas que se adopten poseen un nivel de rigurosidad distinto al que tal vez funcione para otras tecnologías. Es así como la gestión de riesgos para la tecnología 5G y superiores adquiere un carácter diferenciado, en donde incluso las mejores prácticas deberían contemplar la cadena de suministro, como se incorpora en el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT. Dadas las consecuencias de los ataques cibernéticos del año 2022 que afectaron el acceso a los servicios esenciales de los habitantes, se decide adoptar a nivel nacional, entre otras acciones que se suman a la declaratoria de emergencia, el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196MSP-MICITT, que como ya se ha dicho se encuentra fundamentado en los estándares más altos y mejores prácticas internacionales en esta materia, de cara al proceso concursal para servicios de telecomunicaciones mediante sistemas IMT incluido 5G. E. SOBRE LA IMPORTANCIA DE LAS REDES Y LOS SERVICIOS DE TELECOMUNICACIONES BASADOS EN LA TECNOLOGÍA DE QUINTA GENERACIÓN MÓVIL (5G) Y SUPERIORES. El despliegue de redes y la prestación de servicios de telecomunicaciones basados en tecnología de 5G, revisten para el país un proceso de importancia, por las consecuentes mejoras en las condiciones económicas y sociales de los costarricenses. Existen razones superiores de interés público y conveniencia nacional, derivadas de las políticas públicas que orientan el Sector de Telecomunicaciones dispuestas en el Plan Nacional de Desarrollo de las Telecomunicaciones y la normativa sectorial, que buscan, ante el modelo de apertura del mercado de las Telecomunicaciones, dinamizar la participación de operadores, posibilitar la ampliación de la oferta, por ende la posibilidad de elección a favor los usuarios de los servicios de telecomunicaciones en el país. Como se ha dicho, el espectro radioeléctrico como bien de dominio público, tiene un destino especial y su destino atiende a un interés público. El interés público se puede definir como: “el resultado de un conjunto de intereses compartidos y coincidentes de un grupo mayoritario de individuos, que se asigna a toda la comunidad como consecuencia de esa mayoría, y que encuentra su origen en el querer axiológico de esos individuos, apareciendo con un contenido concreto y determinable, actual, eventual o potencial, personal y directo respecto de ellos, que pueden reconocer en él su propio querer y su propia valoración, prevaleciendo sobre los intereses individuales que se le opongan o lo afecten, a los que desplaza o sustituye, sin aniquilarlos.” Cuando se habla del uso y asignación del espectro radioeléctrico, estos aspectos de interés público se pueden ver vulnerados si el Poder Ejecutivo no adopta las acciones correspondientes en forma oportuna, a fin de cumplir sus mandatos legales y con ello generar los procesos licitatorios necesarios para la asignación dicho bien demanial, y por ende el despliegue de redes de telecomunicaciones que permita la prestación de servicios de telecomunicación mediante sistemas IMT incluido 5G. Por lo que, para esta Rectoría resulta necesario hacer ver a la Sala Constitucional, aspectos relacionados con la implementación de los sistemas IMT incluido el 5G y el costo que dicha decisión representa para el país, en caso de retrasar esta implementación, por lo que se procederá de seguido a ahondar en los siguientes apartados. a. Implementación de servicios de telecomunicaciones mediante sistemas IMT incluido 5G. El artículo 2 de la Ley General de Telecomunicaciones, Ley Nº 8642, establece como objetivos de esta, entre otros: “a) Garantizar el derecho de los habitantes a obtener servicios de telecomunicaciones, en los términos establecidos en esta Ley. (…) f) Promover el desarrollo y uso de los servicios de telecomunicaciones dentro del marco de la sociedad de la información y el conocimiento y como apoyo a sectores como salud, seguridad ciudadana, educación, cultura, comercio y gobierno electrónico. g) Asegurar la eficiente y efectiva asignación, uso, explotación, administración y control del espectro radioeléctrico y demás recursos escasos. h) Incentivar la inversión en el sector de las telecomunicaciones, mediante un marco jurídico que contenga mecanismos que garanticen los principios de transparencia, no discriminación, equidad, seguridad jurídica y que no fomente el establecimiento de tributos.i) Procurar que el país obtenga los máximos beneficios del progreso tecnológico y de la convergencia. (…)”. Por su parte el artículo 3 de la Ley N° 8642 postula el principio rector “Optimización de los recursos escasos”, de la siguiente forma: “(…) i) Optimización de los recursos escasos: asignación y utilización de los recursos escasos y de las infraestructuras de telecomunicaciones de manera objetiva, oportuna, transparente, no discriminatoria y eficiente, con el doble objetivo de asegurar una competencia efectiva, así como la expansión y mejora de las redes y servicios”. La optimización del recurso escaso es una tarea continua y un reto para el Poder Ejecutivo, y para la Rectoría del Sector, por lo que constantemente debe realizar gestiones para que este principio se cumpla. El espectro radioeléctrico al ser un bien demanial escaso, debe maximizarse en cuanto a su uso y asignación, para que la satisfacción del interés público pueda realizarse. Puesto que, de lo contrario se incide negativamente en el cumplimiento de los objetivos del marco jurídico de las telecomunicaciones, contemplado en el numeral 2 de la Ley General de Telecomunicaciones transcrito en lo conducente anteriormente. En esa línea de pensamiento, el Poder Ejecutivo ha identificado, que el despliegue de sistemas “IMT” incluyendo 5G, es una prioridad y necesidad, como parte del cumplimiento de los principios rectores y objetivos de política pública del Sector de Telecomunicaciones, por lo que al igual que en otros países, en Costa Rica, la asignación del espectro actualmente disponible mediante concurso público, permitiría proveer nuevos servicios de telecomunicaciones, y con ello buscar el cierre de la brecha digital, promover la mejor calidad y servicios innovadores y fomentar una competitividad en términos de igualdad en el mercado, lo cual redunda en mayores beneficios a favor de los usuarios finales. La SUTEL en el dictamen técnico emitido mediante el oficio Nº 4225-SUTEL-OTC-2021 de fecha 19 de mayo del 2021, “Informe sobre Asignación de Espectro para Despliegue Futuro de Redes 5G desde la Perspectiva de la Competencia”, en ejercicio de sus atribuciones como Autoridad Sectorial de Competencia, señaló lo siguiente acerca del despliegue de Redes 5G: “(…) “C. DESPLIEGUE DE REDES DE QUINTA GENERACIÓN A NIVEL MUNDIAL. (…) La tecnología 5G es más que un cambio tecnológico, por cuanto consiste en una revolución del ecosistema de las comunicaciones inalámbricas mediante la habilitación de diferentes casos de uso en los distintos campos de la sociedad, tomando en consideración los beneficios asociados a mayor velocidad, menor latencia y una mayor capacidad para conectar múltiples dispositivos de forma simultánea. En comparación con las redes actuales, esta próxima generación proporcionará velocidades 200 veces más rápidas de descarga y 100 veces de carga, así como una décima parte de la latencia[1], por lo cual, su desarrollo está siendo enfocado en tres escenarios genéricos de uso: banda ancha móvil mejorada (eMBB), comunicaciones masivas tipo máquina (mMTC) y comunicaciones ultra fiables y de baja latencia(uRLLC). De tal manera, 5G permite el desarrollo de sistemas de comunicación convergentes, integra redes, hardware y software; sin embargo, al igual que como en cualquier servicio de naturaleza de comunicaciones inalámbricas, el insumo esencial es el espectro. Para el año 2020 el requerimiento de espectro para un despliegue 5G oscilaba entre 1340 y 1960 MHz por lo cual, a pesar de la densificación de la red y el uso eficiente del espectro es de esperar que sea insuficiente para satisfacer la demanda futura de servicios y por lo tanto, poder atender el creciente tráfico en redes móviles depende de la disponibilidad de recursos adicionales de espectro. Para desplegar la tecnología 5G se requiere de una combinación de diversos grupos de bandas de frecuencia, cada uno de estos tipos de bandas cumple una funcionalidad específica en el despliegue de la tecnología. Así, los requisitos de espectro para despliegue 5G se pueden segmentar en tres rangos de frecuencia principales: • Bandas bajas (menores 1GHz) En las bandas bajas, las bandas de 600 y 700 MHz se han identificado con frecuencia como candidatos adecuados que ayudarían con la transición de 4G a 5G. Las bandas bajas tienen propiedades de cobertura y penetración de interiores. Asimismo, estas bandas bajas por sus características de propagación permiten usos de 5G en grandes superficies como extensiones agrícolas, parques industriales y agroindustriales y carreteras rurales con topografía regular. • Bandas medias (entre 1 GHz y 6 GHz) Las bandas medias, permitirán el despliegue de 5G en ciudades, dada su versatilidad tanto en propagación o cobertura como en capacidad, son las bandas centrales del despliegue de 5G. Entre estas bandas, se encuentran las bandas de 2.3 GHz, 2.6 GHz y 3.5 GHz. (…) • Bandas altas (mayores a 24 GHz) En la tercera categoría, se ubica el espectro de ondas milimétricas que se ubica por encima de 24 GHz se convierta el cual es clave para 5G ya que, por sus características de capacidad, permitirán la conectividad masiva de miles de objetos en un área reducida. Por ejemplo, la banda 5G pionera identificada por Grupo de Política del Espectro Radioeléctrico en Europa es 24,25-27,5 GHz (26 GHz). En muchas partes de América y Asia, la banda de 28 GHz, seguida de partes de la banda de 37-43,5 GHz también se han identificado para 5G. (…) En virtud de lo anterior, se encuentra que es sólo (sic) a través de una combinación de frecuencias distribuidas a lo largo de los tres tipos de rangos que se podría desplegar de manera exitosa la tecnología 5G. Asimismo, conviene tener presente que la OCDE ha reconocido que ‘para beneficiarse de las capacidades que ofrece la nueva tecnología de radio 5G, es posible que se necesiten grandes bloques contiguos de espectro por operador’. El escenario implica que la gestión del espectro se convierta en una tarea primordial y compleja para los reguladores y las empresas. En diversos países se han tomado medidas para promover la introducción de 5G y junto con la definición de los estándares de la industria se han logrado importantes avances, facilitando esto que la nueva tecnología se extendiera rápidamente en aquellos países que reaccionaron y tomaron acciones, propiciando que actualmente exista un número relevante de países con un importante número de operadores que ofrecen servicios comerciales 5G, esperándose que la adopción del 5G sea la más rápida y que alcance los mil millones de usuarios en 3,5 años. (…)” Aunado a lo anterior, el Ente Sectorial de Competencia estableció en el referido dictamen técnico que el espectro radioeléctrico constituye: “(…) el insumo más relevante para el despliegue de servicios IMT y, por lo tanto, su disponibilidad oportuna es de vital importancia para el despliegue de redes 5G. //Sobre la asignación de espectro para servicios IMT el Tribunal de Defensa de la Libre Competencia de Chile indicó en su Resolución 59/2019 ‘En definitiva, se consideró que ‘el espectro radioeléctrico, además de constituir una barrera de entrada, incide en la estructura de costos de los operadores incumbentes y, con ello, en la intensidad de competencia en el mercado relevante’, por lo que se dispuso que un entrante que se adjudique una porción menor de espectro radioeléctrico que la de los operadores incumbentes’ deberá enfrentar mayores costos de inversión y de operación que estos para un mismo nivel de cobertura y tráfico.” Por lo que, tomando en consideración la tenencia actual del espectro radioeléctrico, y la necesidad de los operadores de telecomunicaciones de dicho elemento escaso en bandas bajas, medias y altas para implementar 5G en Costa Rica, la Superintendencia de Telecomunicaciones concluyó en el dictamen técnico de cita, respecto a este extremo lo siguiente:“15. (...) a. Para lograr los estándares perseguidos por las IMT-2020 para 5G resulta necesario que un operador aproveche la complementariedad entre distintas bandas de frecuencias, lo cual sólo se logra a través de portafolio de frecuencias bajas, medias y altas. b. En relación con las necesidades de espectro para 5G en el país los tres operadores móviles deberán concursar para obtener frecuencias en la banda baja, frecuencia de 700 MHz, lo mismo ocurriría en relación con las bandas milimétricas, bandas de 26 MHz y 28 MHz, por lo anterior se considera que en el caso de estas frecuencia no se requiere un análisis de impacto en la competencia, toda vez que todas las empresas móviles al requerir participar del eventual concurso para la asignación de frecuencias estarían en la misma situación a nivel competitivo. En virtud de lo anterior este análisis se centra sobre las bandas de frecuencias medias, donde el ICE posee la concesión del 100% de las bandas de frecuencias de 2600 MHz y (…), en el tanto el MICITT coincida con lo señalado en los dictámenes técnicos emitidos por la SUTEL. c. En las bandas medias, la necesidad de espectro ideal requerida por los operadores para el despliegue de 5G es de 80-100 MHz de espectro continuo, lo cual contrasta con el espectro que posee el ICE en las bandas medias, donde posee 190 MHz (140 MHz FDD y 50 MHz en TDD) de espectro IMT en la banda de 2600 MHz y 225 MHz en la banda de 3500 MHz, lo que en total corresponde a 415 MHz. (…).” Dentro de esta concepción muchos países en diferentes regiones se encuentran en proceso de realizar, o ya establecieron procesos de asignación planificados, de la siguiente forma: “(…) De los despliegues mundiales mostrados en la figura anterior, las bandas mayormente utilizadas son la banda C (3300 MHz a 3700 MHz), las bandas milimétricas de 26 GHz y 28 GHz, 700 MHz y 2600 MHz, en este orden. Además, es posible estimar que alrededor del 80% de los operadores, que han desplegado o se encuentran realizado [SIC] pruebas para la implementación de redes 5G, utilizan las citadas bandas. De tal manera que, si bien las estrategias para el desarrollo e implementación de 5G han sido diversas y disimiles [SIC] , es un hecho que se están realizando cambios, a nivel regulatorio e inversión privada, para la implementación en esta tecnología. En relación con lo anterior, y en el caso de las bandas medias para el despliegue de las redes 5G, se considera pertinente destacar la situación de las bandas de 2,6 GHz y 3,5 GHz, como bandas centrales en el despliegue de la tecnología 5G. (…)” De tal manera que, la importancia de la implementación de servicios de telecomunicaciones mediante sistemas IMT incluido 5G, es que se promueva no solo la prestación de nuevos servicios innovadores y accesibles, así como que se brinde mayores posibilidades a los usuarios de elegir cuál de las ofertas es la que más satisface sus necesidades particulares, posibilitando la asequibilidad de los mismos y que esto contribuya al cierre de la brecha digital en todos sus componentes (de acceso, uso y apropiación). b. Acceso de los usuarios a más y mejores servicios de telecomunicaciones, beneficio del usuario y competencia efectiva. En temas de beneficio al usuario y competencia, la Ley General de Telecomunicaciones establece regulaciones acordes con el esquema que se dio a partir de la apertura del Sector de Telecomunicaciones en Costa Rica. En ese sentido, el artículo 2 de la Ley General de Telecomunicaciones, Ley 8642, los contempló dentro sus objetivos de la siguiente forma: “a) Garantizar el derecho de los habitantes a obtener servicios de telecomunicaciones, en los términos establecidos en esta Ley. e) Promover la competencia efectiva en el mercado de las telecomunicaciones, como mecanismo para aumentar la disponibilidad de servicios, mejorar su calidad y asegurar precios asequibles. (...)” El artículo 3 de la Ley 8642 define dentro de sus principios rectores los siguientes: “c) Beneficio del usuario: establecimiento de garantías y derechos a favor de los usuarios finales de los servicios de telecomunicaciones, de manera que puedan acceder y disfrutar, oportunamente, de servicios de calidad, a un precio asequible, recibir información detallada y veraz, ejercer su derecho a la libertad de elección y a un trato equitativo y no discriminatorio. f) Competencia efectiva: establecimiento de mecanismos adecuados para que todos los operadores y proveedores del mercado compitan en condiciones de igualdad, a fin de procurar el mayor beneficio de los habitantes y el libre ejercicio del Derecho constitucional y la libertad de elección. g) No discriminación: trato no menos favorable al otorgado a cualquier otro operador, proveedor o usuario, público o privado, de un servicio de telecomunicaciones similar o igual. (…)”. Esto se traduce en el deber de garantizar a los ciudadanos el acceso a más y mejores servicios de telecomunicaciones, entre los cuales estaría el desarrollo de servicios innovadores. Para ello, necesariamente se requiere otorgar mediante concurso público la asignación de espectro radioeléctrico para el desarrollo de sistemas IMT, que permita a todos los operadores proponer nuevos servicios y esquemas de negocios, y a su vez que amplíe la oferta en beneficio de los usuarios, siendo que esto posibilita el ejercicio y disfrute de derechos tales como libertad de elección del consumidor, y el acceso a nuevas tecnologías. En este sentido la Superintendencia de Telecomunicaciones estableció en su dictamen técnico N° 05348-SUTEL-DGC-2019 de fecha 19 de junio del 2019, lo siguiente: “El desarrollo de las telecomunicaciones, específicamente el impulsado por las tecnologías móviles englobadas en la designación Tecnologías Móviles Internacionales (en adelante, IMT), generan impactos socioeconómicos notorios, lo cual se evidencia en el cambio radical que han implicado en el estilo de vida, tanto en lo relativo al ocio como en el plano laboral. Las tecnologías IMT han permitido que la comunicación de las personas esté al alcance de su mano, y conforme se han potenciado las capacidades de acceso a Internet móvil, es claro que a través de estas tecnologías se desarrollan fenómenos como las redes sociales que permiten interactuar en cualquier momento y en cualquier lugar con otras personas. Es claro también que estas tecnologías, han influenciado en la creación de un nuevo entorno laboral, donde la oficina igualmente puede conformarse en cualquier momento y en cualquier lugar, estas oficinas virtuales implican nuevos escenarios de interacción, permiten el teletrabajo y posibilitan la conformación de equipos profesionales desde una perspectiva global; siendo que aún existe mucho potencial por explotar como el papel de las Comunicaciones Máquina a Máquina (en adelante, M2M) y el Internet de las cosas (en adelante, IoT). Algunos de estos impactos no cuentan aún con una descripción cuantitativa (...).”. Tendiendo (sic) en cuenta la relevancia del desarrollo de nuevas tecnologías como IMT y su impacto en el entorno social del ciudadano, es que la Sala Constitucional ha reconocido en su Resolución Nº 12790-2010 de las 8:58 horas del 30 de julio de 2010, que estas se comportan como un vehículo para el ejercicio de diferentes derechos humanos y por tanto la correlativa necesidad de optimizar el uso y asignación del espectro radioeléctrico mediante la promoción de los procedimientos de concurso: “En cuanto a este último punto, debe decirse que el avance en los últimos veinte años en materia de tecnologías de la información y comunicación (TIC´s) ha revolucionado el entorno social del ser humano. Sin temor a equívocos, puede afirmarse que estas tecnologías han impactado el modo en que el ser humano se comunica, facilitando la conexión entre personas e instituciones a nivel mundial y eliminando las barreras de espacio y tiempo. En este momento, el acceso a estas tecnologías se convierte en un instrumento básico para facilitar el ejercicio de derechos fundamentales como la participación democrática (democracia electrónica) y el control ciudadano, la educación, la libertad de expresión y pensamiento, el acceso a la información y los servicios públicos en línea, el derecho a relacionarse con los poderes públicos por medios electrónicos y la transparencia administrativa, entre otros. Incluso, se ha afirmado el carácter de derecho fundamental que reviste el acceso a estas tecnologías, concretamente, el derecho de acceso a la Internet o red de redes. En tal sentido, el Consejo Constitucional de la República Francesa, en la sentencia No. 2009-580 DC de 10 de junio de 2009, reputó como un derecho básico el acceso a Internet, al desprenderlo, directamente, del artículo 11 de la Declaración de los Derechos del Hombre y del Ciudadano de 1789. Lo anterior, al sostener lo siguiente: En este contexto de la sociedad de la información o del conocimiento, se impone a los poderes públicos, en beneficio de los administrados, promover y garantizar, en forma universal, el acceso a estas nuevas tecnologías. Partiendo de lo expuesto, concluye este Tribunal Constitucional que el retardo verificado en la apertura del mercado de las telecomunicaciones ha quebrantado no solo el derecho consagrado en el artículo 41 de la Constitución Política sino que, además, ha incidido en el ejercicio y disfrute de otros derechos fundamentales como la libertad de elección de los consumidores consagrada en el artículo 46, párrafo in fine, constitucional, el derecho de acceso a las nuevas tecnologías de la información, el derecho a la igualdad y la erradicación de la brecha digital (info-exclusión) –artículo 33 constitucional-, el derecho de acceder a la internet por la interfase que elija el consumidor o usuario y la libertad empresarial y de comercio. “Considerando que de conformidad con el artículo 11 de la Declaración de los derechos del hombre y del ciudadano de 1789: «La libre comunicación de pensamientos y opiniones es uno de los derechos más valiosos del hombre: cualquier ciudadano podrá, por consiguiente, hablar, escribir, imprimir libremente, siempre y cuando responda del abuso de esta libertad en los casos determinados por la ley»; que en el estado actual de los medios de comunicación y con respecto al desarrollo generalizado de los servicios de comunicación pública en línea así como a la importancia que tienen estos servicios para la participación en la vida democrática y la expresión de ideas y opiniones, este derecho implica la libertad de acceder a estos servicios; (…)” (El resaltado es propio) El Estado debe garantizar el ejercicio de estos derechos, para lo cual considera que es necesario fomentar la competencia entre los operadores de los servicios que beneficie a los usuarios. Sin embargo, tal como lo indicó la SUTEL en el dictamen técnico N° 04225-SUTEL-OTC-2021 de fecha 19 de mayo del 2021, estos servicios no podrían ser puestos a disposición de los usuarios si los operadores no cuentan con espectro radioeléctrico para dicho fin, como se indica a continuación: “ (…) Existe un amplio consenso en que la competencia puede generar beneficios significativos al mejorar el bienestar del consumidor mediante la provisión de mejores productos y servicios a un costo menor. Estos beneficios están igualmente disponibles en mercados puramente privados, así como donde compiten empresas públicas y privadas. Sin embargo, las empresas públicas a menudo pueden beneficiarse de las ventajas que les confieren los marcos legislativos y administrativos existentes, que pueden tener un efecto sobre la calidad y el costo de los bienes y servicios que proporcionan. Estos efectos incluyen, entre otros, menores costos de capital, menores cargas fiscales y menores riesgos de adquisición y quiebra. Como consecuencia, se puede distorsionar la competencia entre empresas públicas y privadas. Dado que estas distorsiones no siempre pueden abordarse mediante la aplicación de la ley de competencia, se puede encontrar una posible solución en políticas destinadas a lograr la neutralidad competitiva en los mercados donde compiten las empresas públicas y privadas” En este sentido, según la Superintendencia de Telecomunicaciones existe un alto costo social y económico, de no poner a disposición del mercado el espectro radioeléctrico, lo cual transgrede los objetivos legales sectoriales de asegurar una asignación equitativa y equilibrada de dicho bien del demanio público escaso y estratégico. A manera de ejemplo, en el dictamen técnico emitido mediante el oficio N° 05071SUTEL-DGC-2020 de fecha 09 de junio de 2020 la SUTEL estableció el impacto social directo e indirecto de los diferentes casos de uso de la tecnología 5G, para lo cual en su análisis identifica los impactos sociales y por objetivo de Desarrollo sostenible que la tecnología 5G puede ofrecer en 15 de sus 17 áreas, dentro de la cuales destacan “contribuir a la salud y el bienestar, mejorar la infraestructura, promover la industrialización sostenible y fomentar la innovación. Otras áreas clave en las que se crea valor social a través de 5G incluyen la contribución al consumo responsable, ciudades y comunidades sostenibles, a la reducción de desigualdades y la promoción del trabajo decente y el crecimiento económico.” Al respecto de estos impactos identificados el referido dictamen técnico retoma la información, entre otras, de la industria que beneficiaria y los casos de uso, y su vinculación con el cumplimiento de objetivos del desarrollo sostenible que se ven impactados, de tal forma que ha señalado: “(…) Tabla 2. Impacto social por ODS y por industria Industria Tendencias Casos de uso ODS impactados Transformación Manufactura Incremento de la competencia sin ventajas competitivas sostenibles.

Incremento de la volatilidad de los ciclos comerciales y los ciclos de vida del producto.

Fábricas inteligentes debido a desarrollos en IoT y automatización.

Necesidad de conectar sistemas de forma segura en una infraestructura común.

Aumento de la demanda de los consumidores de productos personalizados Demanda de productos más complejos de construir y entregar.

Demanda de la sociedad de adquisición de productos cuyo proceso productivo procure no afectar el medio ambiente Fábricas inteligentes Colaboraciones hombre robot Mantenimientos predictivos Realidad aumentada Gestión del rendimiento digital ODS 6 ODS 7 ODS 8 ODS 9 ODS 12 ODS 13 ODS 14 ODS 15 El mantenimiento predictivo resulta en una mayor disponibilidad y rendimiento del equipo.

Reducción de costos operativos a través del mantenimiento remoto.

Mayor eficiencia operativa como consecuencia de la gestión del rendimiento digital y los procedimientos operativos digitales.

Reducción emisiones, de los desechos y desperdicios Movilidad Conducción autónoma y viajero conectado con telemática Compartir vehículo y cambio de hábitos de viaje Movilidad eléctrica en línea con la agenda verde Ecosistema digital del vehículo Info entretenimiento en movimiento Conciencia ambiental Estilo de vida urbano y Mantenimientos predictivos Control inteligente del tráfico Monitoreo remoto de la salud del vehículo Información y entretenimiento a bordo ODS 3 ODS 7 ODS 9 ODS 11 ODS 15 Movilidad autónoma conduce a una mayor productividad individual (menor tiempo dedicado a la conducción) Movilidad verde y sostenible reduce los impactos ambientales Salud Aumento del foco de los consumidores sobre el bienestar.

Costos crecientes para cumplir con los cambios sociodemográfico s Aumento de la demanda de calidad, de la seguridad del paciente y del almacenamiento de datos Cambios en el comportamiento del consumidor, libertad de elección y proveedores de servicios alternativos Monitoreo remoto de pacientes Cirugías remotas Transferencia de imágenes Cuidados de salud a través de realidad virtual y realidad aumentada Entrega de insumo mediante drones ODS 3 ODS 4 ODS 5 ODS 8 ODS 9 m-health (salud móvil) y la introducción de telemedicina resultan en un incremento del acceso a los servicios de salud de calidad Medidas de salud preventivas (por ejemplo, mediante dispositivos “wearables”) reducen los costos de cuidados de salud en el largo plazo Servicios financieros Disrupción de las Fintech: pagos online, billeteras digitales, etc.

Cambios en la relación con el cliente hacia transacciones online y soluciones personalizables Cambios estructurales: intervención gubernamental, proteccionismo y medidas fiscales Banca móvil “Wearables” para pagos Asesor financiero virtual Depósitos digitales, préstamos entre pares (“peer-topeer”) Billeteras digitales Cajero remoto ODS 4 ODS 5 ODS 8 ODS 9 ODS 10 ODS 13 Los ciclos de liquidación más cortos en los mercados de capitales conducen a una mayor actividad económica Servicios virtuales personalizados y billeteras móviles mejoran La experiencia del cliente Incremento de la inclusión al sistema financiero Administración pública Digitalización del estado Identidad digital del ciudadano Gobierno abierto Aumento de la demanda de transparencia por parte de los ciudadanos Ciudades inteligentes Conexión con el ciudadano a través de múltiples canales Interoperabilidad de sistemas Gobierno electrónico Computación en la nube Plataformas SaaS Chatbots ODS 8 ODS 9 ODS 10 ODS 11 ODS 13 ODS 15 ODS 16 Servicios centrados en el ciudadano Papel cero en la administración pública Reducción de la brecha digital al, mediante computación en la nube y SaaS, dotar a entes de gobierno de menor escala con las mismas herramientas que la administración central Incremento de la comunicación entre el estado y el ciudadano Comercio Estrategias omnicanalidad Experiencias personalizadas Creciente cultura de la inmediatez Aumento de relevancia billeteras virtuales Reducción de los tiempos entrega Aumento del commerce mediante suscripciones de la de de e- Realidad aumentada Check-out automatizado Optimización de la disposición de productos Relación con el cliente inteligente Promociones personalizadas Algoritmos y machine learning Prevención de reducción del inventario ODS 2 ODS 3 ODS 8 ODS 10 ODS 12 ODS 13 Pruebas previo a la compra mediante realidad virtual o realidad aumentada, resultan en una mejora de la experiencia del cliente Publicidad personalizada resulta en incremento de ventas Reducción de la brecha digital entre los centros urbanos con mayor conectividad y los que no la tienen permite acceder a la misma oferta de productos Energía y provisión de servicios públicos Energías renovables Modelos de negocio descentralizados Presión social y política por sistema energéticos sustentables Producción y transmisión Redes inteligentes Monitoreo por drones Gestión inteligente de la energía Mantenimiento y detección de incidentes Vehículos eléctricos ODS 6 ODS 7 ODS 8 ODS 9 ODS 13 ODS 14 ODS 15 Plantas más pequeñas que dependen de energía renovable y de las redes inteligentes, mejoran la fiabilidad y la disponibilidad.

La digitalización de las redes de localizados zonas remotas Necesidad de mejora de Relación con cliente en la la el Medidores inteligentes residenciales Alumbrado público inteligente gas conduce a una toma de decisiones más rápida, minimizando las pérdidas potenciales Entretenimientos Consumidores actuando como generadores de contenido Creciente entretenimiento interactivo Nueva dimensión sensorial para el entretenimiento Complejidad del ecosistema Aplicaciones de medios inmersivos (ultra alta definición, realidad aumentada, realidad virtual) vivo Pantallas holográficas en 3D Juegos (en la nube y realidad aumentada) Suscripción de entretenimiento en casa para automóvil ODS 3 ODS 4 ODS 5 Las interacciones alimentadas Por el contenido que encienden las conexiones emocionales conducen a un mayor gasto del cliente El consumidor como cocreador de contenido resulta en una mayor participación de éste Juegos inducidos por otras industrias Sobre lo anterior, el World Economic Forum en el citado documento, amplió la información sobre el impacto socio económico indirecto en cuatro ambientes: Tabla 3. Impacto socio económico indirecto por el uso de la tecnología 5G Beneficios Ciudades inteligentes Ambientes rurales Hogares inteligentes Lugares de trabajo inteligentes Beneficios sociales Mayor acceso a la información e interconexión entre ciudades Habilidad de reducir la congestión de tráfico y accidentes Incremento de oportunidades de educación a través de cursos en línea masivos gratuitos Mejorar atención de salud, mediante acceso rápido y remoto a los servicios de salud - Mayor acceso a información debido a la mejora de conectividad - Mejora del soporte médica y la asistencia de vida - Mejora en privacidad, seguridad y protección - Mejor acceso de control Mayor asistencia al adulto mayor y personas con discapacidad Mejora general en la calidad de vida Beneficios ambientales Reducción de contaminación y emisiones de CO2 - Mejorar el manejo de los recursos naturales Reducción de contaminación y emisiones de CO2 Reducción de los desperdicios Reducción de consumo de energía y emisiones CO2 Más informado y mejor manejo de los desechos electrónicos Ambientes más limpios Esto quiere decir que, al considerar la implementación de casos de uso, las empresas, en consistencia con los planes y agendas emitidas por la Administración en cuanto a la generación de empleos, cuidado ambiental y cambio climático, deben incorporar estos objetivos durante su estrategia de planificación. De esta manera, todas las partes involucradas en el desarrollo de 5G avanzarán en constante comunicación e impulsando el beneficio a la población.” Lo anterior concuerda con lo indicado por la OCDE, en cuanto a la importancia del acceso a la banda ancha y los beneficios sociales y económicos que ello implica: “El acceso a Internet de banda ancha está desempeñando un papel transformador cada vez más significativo en todos los sectores económicos y sociales de la región de América Latina y el Caribe (LAC). Se ha convertido en una herramienta digital clave para que ciudadanos, empresas y gobiernos interactúen entre sí. Empodera a los ciudadanos en su vida cotidiana a través del fomento de la inclusión social y la comunicación en sectores desfavorecidos; incrementa la productividad al aumentar la base de información, la eficacia y la innovación, y mejora la gobernanza gracias a menores costos de coordinación y una mayor participación y rendición de cuentas.” Finalmente, la Superintendencia de Telecomunicaciones, ha señalado algunas consideraciones sobre impactos económicos que supone el hecho de seguir retrasando el desarrollo de tecnologías móviles principalmente las 5G, acotando que: “6.2. Impacto económico en el PIB (…) Por último, considerando un WACC del 11,28% establecido por el Consejo de la SUTEL mediante resolución RCS-365-2018, se estima el valor presente neto del impacto en el PIB en función del año en que se instruyan los procesos de asignación de espectro. Así, en la medida que dichos procesos sean demorados, el valor presente neto del impacto positivo en el PIB será menor. Es decir, por cada año que se demoren los procesos concursales de espectro IMT, el Estado verá disminuido el aporte en el PIB por el despliegue de redes 4G y 5G. En caso de instruirse los procesos sin demora, el valor presente neto del impacto en el PIB es de 3.166 millones USD. Tal como se indicó previamente, dicha demora se refiere a un atraso respecto al nivel de avance y preparación del mercado para la asignación de espectro de estas tecnologías. (…) Así se puede ver que, producto de la demora en la instrucción de los procesos de asignación de espectro, el impacto positivo del PIB podría verse reducido en hasta un 36% o 1.134 millones USD (expresado en términos del valor presente del mismo) en el caso que dicha demora sea de 4 años. Para demoras de 1, 2 o 3 años el impacto es de 10%, 19% o 27% respectivamente (321, 609 y 868 millones USD). De las situaciones apuntadas, se puede señalar que el interés público se encuentra comprometido si se generan retrasos para el proceso de concurso público, lo cual lesiona los principios de beneficio al usuario y competencia contenidos en la Ley General de Telecomunicaciones, así como los objetivos de política pública dispuestos en el Plan Nacional de Desarrollo de las Telecomunicaciones. Respecto a este aspecto resulta necesario retomar lo señalado por el Órgano Regulador en el dictamen técnico emitido mediante el oficio N° 02823-SUTEL-DGC2021 de fecha 8 de abril de 2021, sobre el tema en análisis advirtió de los altos costos sociales y económicos, así como los perjuicios a la industria en general y a la competitividad del país de no licitar en el menor tiempo posible la mayor cantidad de espectro radioeléctrico, principalmente para la implementación de servicios de telecomunicaciones móviles internacionales. Particularmente en esa oportunidad dispuso lo que sigue: “Además, que como se indicó mediante el acuerdo 014-045-2020 de la sesión ordinaria 045-2020 del 19 de junio de 2020, donde se aprobó el informe 05071-SUTEL-DGC-2020 del 9 de junio de 2020 (…), en la medida en que los procesos concursales para disponer al mercado del espectro IMT sean demorados, el valor presente neto del impacto positivo en el PIB será cada vez menor. Es decir, por cada año que se demoren los procesos concursales de espectro IMT, el Estado verá disminuido el aporte en el PIB por el despliegue de redes 4G y 5G. En caso de instruirse los procesos sin demora, el valor presente neto del impacto en el PIB es de 3.166 millones USD. Tal como se indicó previamente, dicha demora se refiere a un atraso respecto al nivel de avance y preparación del mercado para la asignación de espectro de estas tecnologías. Así las cosas, producto de la demora en la instrucción de los procesos de asignación de espectro, el impacto positivo del PIB podría verse reducido en hasta un 36% o 1.134 millones USD (expresado en términos del valor presente del mismo) en el caso que dicha demora sea de 4 años. Para demoras de 1, 2 o 3 años el impacto es de 10%, 19% o 27% respectivamente (321, 609 y 868 millones USD). (…) Respecto a la posición el país en cuanto al avance de despliegue de redes 5G en comparación con otras administraciones de la región, el Viceministro señaló que ‘[e]n el tema latinoamericano, estamos en el grupo superior en términos del tiempo… nosotros estamos en la porción que va avanzando’. Ciertamente Costa Rica ha realizado los primeros pasos para un eventual proceso concursal: ajustar el Plan Nacional de Atribución de Frecuencias de conformidad con lo dispuesto en el Reglamento de Radiocomunicación de la Unión Internacional de Telecomunicaciones sobre el uso de segmentos de frecuencias para sistemas IMT y la realización de los estudios previos requeridos para la eventual licitación.” c. Sobre la satisfacción de la demanda presente y futura de espectro radioeléctrico en IMT (5G). Estudios de Factibilidad y Necesidad para el concurso de IMT Bajo este contexto, la Superintendencia de Telecomunicaciones, en ejercicio de sus potestades de Autoridad Sectorial de Competencia estableció que, el desarrollo tecnológico en nuestro país ha sufrido una evolución en los últimos años, siendo que se pasó de la utilización de dispositivos de transporte de voz a tecnologías que en poco tiempo permitieron la transmisión de datos, lo cual fue de gran importancia y acercando a Costa Rica a nuevas posibilidades de desarrollo. Con la tecnología 5G las posibilidades se expanden y permiten nuevas aplicaciones en diversos sectores, con mayor capacidad y velocidad de lo que actualmente conocemos.En el oficio N° 5071-SUTEL-DGC-2020 titulado “PROPUESTA DE ACTUALIZACIÓN DEL CRONOGRAMA DE ASIGNACIÓN DE ESPECTRO PARA EL DESARROLLO DE SISTEMAS IMT E IMT-2020 EN COSTA RICA PARA EL PERIODO 2021-2025", SUTEL consideró oportunidades de desarrollo mediante el empleo de tecnologías móviles, principalmente 5G y su respectivo impacto en campos como: industria, movilidad, salud, banca, administración pública y otros, lo anterior de cara a los resultados de la Conferencia Mundial de Radiocomunicaciones del año 2019. Con ello, la Superintendencia de Telecomunicaciones realizó posteriormente una valoración de diversas bandas para fines IMT respecto a su situación actual, problemática e implicaciones y finalmente propuestas de soluciones y alternativas. De ahí que, con el análisis realizado en el documento de marras, concluyó entre otras cosas que, con base en las “tendencias mundiales en cuanto al uso del espectro radioeléctrico, es necesario llevar a cabo esfuerzos para atribuir, liberar, licitar y asignar espectro para el desarrollo de sistemas IMT, buscando así que el país posea el escenario idóneo para la implementación de 5G.” Por ello, también concluyen que “(…) se deben priorizar para permitir que el mercado tenga a su disposición bandas bajas, medias y altas, espectro clave para el desarrollo de 5G.”. Aunado a lo anterior, el Ente Sectorial de Competencia estableció que el espectro radioeléctrico constituye: “(…) el insumo más relevante para el despliegue de servicios IMT y, por lo tanto, su disponibilidad oportuna es de vital importancia para el despliegue de redes 5G. //Sobre la asignación de espectro para servicios IMT el Tribunal de Defensa de la Libre Competencia de Chile indicó en su Resolución 59/2019 ‘En definitiva, se consideró que ‘el espectro radioeléctrico, además de constituir una barrera de entrada, incide en la estructura de costos de los operadores incumbentes y, con ello, en la intensidad de competencia en el mercado relevante’, por lo que se dispuso que un entrante que se adjudique una porción menor de espectro radioeléctrico que la de los operadores incumbentes’ deberá enfrentar mayores costos de inversión y de operación que estos para un mismo nivel de cobertura y tráfico.”De forma particular en cuanto al interés que revisten las futuras redes de quinta generación la Superintendencia de ha manifestado en su dictamen N°09228-SUTEL-OTC2022 de fecha 20 de octubre de 2022”, cuando mencionó en referencia a la tecnología de quinta generación móvil (5G) que: “(…) prometen generar cambios en muchas industrias. La tecnología 5G es una gran innovación capaz de ayudar a muchas otras innovaciones complementarias a desarrollarse. Los aspectos más prometedores de la tecnología son el aumento de la capacidad (ancho de banda), el aumento de las velocidades de carga y descarga de datos, la disminución de la latencia (retraso) en las transmisiones de datos y una mayor eficiencia de entrada. (...)” Bajo esta consideración el MICITT conforme a la acción 2.1. detallada en el Plan Nacional de Desarrollo de las Telecomunicaciones 2022-2027 (PNDT), 2.1 “Ejecutar el Cronograma de Asignación de Espectro Radioeléctrico para sistemas IMT”, área estratégica “Espectro Radioeléctrico para la competitividad”, determinó la necesidad de dar cumplimiento al objetivo de programación que se establece en el PNDT, y por ende solicitar el estudio de necesidad y factibilidad a la SUTEL como requisitos previo del concurso de asignación de espectro radioeléctrico para servicios de telecomunicaciones disponibles al público Mediante el oficio N° MICITT-DM-OF-013-2023 de fecha 9 de enero de 2023, se solicitó al Regulador por parte de este Ministerio la ampliación del estudio de necesidad y factibilidad emitido mediante los oficios Nº 00138-SUTEL-DGC-2021 de fecha 07 de enero de 2021, N° 02156-SUTEL-DGC-2021 de fecha 12 de marzo de 2021, N° 04482-SUTEL-DGC-2021 de fecha 28 de mayo de 2021, aprobado por su Consejo mediante el Acuerdo N° 022-046-2021, adoptado por su Consejo Directivo en la sesión ordinaria N° 046-2021, celebrada el día 24 de junio de 2021, con el fin de que se considerara: a) El espectro recuperado en la banda de 3500 MHz por acuerdo mutuo con las empresas del Grupo ICE, b) Los procedimientos jurídicos en curso en relación con los segmentos de frecuencias de las bandas de 3500 MHz y 2600 MHz, c) La manifestación de representantes del Sector al respecto de la importancia para el país de continuar con el concurso en el corto plazo con el espectro disponible al día de hoy sin estar condicionado a los procesos jurídicos en curso, d) El espectro disponible registralmente en bandas bajas, medias y altas (que se encontraba ocioso), el cual era técnicamente suficiente y por tanto puede ser aprovechado para el desarrollo de sistemas IMT incluyendo 5G, y e) El costo país del atraso del despliegue de las redes 5G en el país, como parte del análisis que permitiera acreditar la factibilidad del concurso público planteado, de manera que ese Consejo procediera a pronunciarse de forma expresa sobre la acreditación o no de la factibilidad del concurso público de espectro radioeléctrico para sistemas IMT incluyendo 5G. Mediante oficio N° 01601-SUTEL-SCS-2023 de fecha 24 de febrero de 2023 la Superintendencia de Telecomunicaciones remitió el dictamen técnico emitido mediante oficio N° 01355-SUTEL-DGC-2023 de fecha 22 de febrero de 2023, aprobado por su Consejo mediante el cual recomendó al Poder Ejecutivo la factibilidad de realizar realización del proceso concursal, según el artículo 12 de la Ley N° 8642, Ley General de Telecomunicaciones. El Poder Ejecutivo procedió a emitir el Acuerdo Ejecutivo N° 031-2023-TEL-MICITT de fecha 2 de mayo de 2023 mediante el cual procede a dar la instrucción de inicio del proceso concursal. En este punto resulta de interés señalar que el Poder Ejecutivo en las disposiciones del (sic) la instrucción de inicio del proceso concursal establece estableció en su artículo 1 que la Sutel debía realizar la instrucción del procedimiento concursal público para el otorgamiento de concesiones de las bandas del espectro radioeléctrico de frecuencias de 700 MHz (de 703 MHz a 748 MHz y de 758 MHz 803 MHz), de 2300 MHz (de 2300 MHz a 2400 MHz), de 3500 MHz (de 3300 MHz a 3500 MHz y de 3600 MHz a 3625 MHz), de 26 GHz (únicamente el segmento de 24,25 GHz a 25,50 GHz) y de 28 GHz (de 27,5 GHz a 29,5 GHz), así como cualquier espectro que eventualmente se encuentre disponible en la banda de 2600 MHz (de 2500 MHz a 2690 MHz) y de 3500 MHz (de 3500 MHz a 3600 MHz y de 3625 MHz a 3700 MHz) de acuerdo con la importancia señalada por la SUTEL y según los resultados de diversos procesos jurídicos actualmente en curso, hasta tanto la etapa del procedimiento concursal así lo permita, con el fin de satisfacer la necesidad de la prestación de servicios de telecomunicaciones disponibles al público a través de sistemas IMT2020, incluyendo 5G, de manera que se garantice cumplimiento de los objetivos del Plan Nacional de Desarrollo de Telecomunicaciones 2022-2027, el cual debe abordar, entre otros aspectos : “k) Seguridad de las redes IMT-2020 y la privacidad de los usuarios de los servicios de telecomunicaciones” Derivado de dicha instrucción y como complemento a la misma, el MICITT emitió sus lineamientos de política pública para consideración en el concurso público de 5G, en el cual mediante oficio MICITT-DM-OF-416-2023 de fecha 19 de mayo de 2023, en el cual expresamente se indicó respecto a la seguridad de las redes IMT-2020 y privacidad de usuarios de servicios de telecomunicaciones, lo siguiente:“(...) k. Seguridad de las redes IMT-2020 y la privacidad de los usuarios de los servicios de telecomunicaciones: En miras de la seguridad de las redes móviles IMT-2020, incluyendo 5G, y dadas las implicaciones que tiene esta temática en la arista de la seguridad nacional, así como de la privacidad y seguridad de los usuarios de los servicios de telecomunicaciones, es imprescindible que, para la realización del proceso concursal de espectro para redes móviles IMT-2020, incluyendo 5G, dada la gran gama de recomendaciones internacionales existentes en materia de seguridad en el ámbito de telecomunicaciones, se incorpore dentro de las condiciones técnicas de despliegue que se exijan a los eventuales adjudicatarios, los aspectos y estándares relativos a la seguridad de las redes móviles IMT-2020, incluyendo 5G, considerando para ello las distintas medidas técnicas, de gestión del riesgo, de arquitectura de red y de cadena de suministro que puedan generar vulnerabilidades de seguridad y privacidad de los usuarios finales de las redes de telecomunicaciones, como fin primordial de esta medida, en protección de los principios de ley y de nivel constitucional, y se propicien entornos adecuados para fomentar la inversión, la innovación, y el desarrollo de infraestructura, y con ello alcanzar mayores niveles de bienestar en la sociedad. Para esto, deberá exigirse a los oferentes el cumplimiento de todas las disposiciones legales y reglamentarias aplicables existentes y que para el caso se emitan.” (El resaltado es intencional) En este contexto es que se aprueba el Decreto Ejecutivo N.º 44196-MSP-MICITT “Reglamento Sobre Medidas de Ciberseguridad Aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores”, para asegurar que el desarrollo del proceso de concurso público establecido en la normativa sectorial y la futura implementación de las redes de telecomunicaciones y la prestación de servicios bajo la tecnología de quinta generación 5G y superiores, se realice de manera segura a partir de las competencias delegadas al Poder Ejecutivo para establecer las condiciones y obligaciones que permitan una explotación segura del espectro radioeléctrico como bien demanial constitucional. Ello por cuanto el concesionario de telecomunicaciones a partir de la transferencia parcial de las potestades públicas a su favor se eleva a la categoría de sujeto calificado como instrumento de satisfacción de intereses públicos. A través del acto jurídico de concesión la Administración Concedente, es decir el Poder Ejecutivo, transfiere temporal y limitadamente parte de sus potestades o facultades a un sujeto particular, sea persona física o jurídica, para su coparticipación activa en la satisfacción de los intereses públicos. Por consecuencia de lo anterior, la intervención pública debe basarse, en todo caso, en una definición objetiva de lo que se considera interés general y en un análisis vinculado con la necesidad de intervención pública que se materializa, entre otras formas, mediante la imposición de obligaciones jurídicas concretas, en el caso del “Reglamento Sobre Medidas de Ciberseguridad Aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” Decreto Ejecutivo N.º 44196-MSP-MICITT, mediante el establecimiento a través de disposiciones generales de carácter normativo de las medidas técnicas y administrativas que permitan una explotación segura de las redes de telecomunicaciones en resguardo de la intimidad, la privacidad y el secreto de comunicaciones y la autodeterminación informativa de los usuarios finales. . De esta forma el principal efecto del otorgamiento de una concesión y por ende de la celebración de un contrato que ratifica los extremos de dicho acto jurídico, es precisamente su fuerza obligatoria que “(…) se traduce en el imperativo de que las partes den cumplimiento, de buena fe, a las obligaciones surgidas del acuerdo de voluntades, así como a aquellas que emanan de la naturaleza de las obligaciones pactadas o que por ley pertenecen a ellas.”; en el caso concreto del resguardo delegado al Poder Ejecutivo a partir de las disposiciones del artículo 42 de la Ley General de Telecomunicaciones al régimen jurídico de derechos e intereses de los usuarios finales. Surge entonces para ambas partes -Administración Concedente y Concesionario- el deber jurídico de cumplir de buena fe con todas y cada una de las condiciones y obligaciones emanadas directamente de la normativa sectorial, de su título de concesión y el respectivo contrato administrativo, y de aquellas que surgen de su naturaleza misma al amparo de un marco de seguridad jurídica conforme al artículo 34 de nuestra Carta Fundamental. Dichas bondades técnicas se desarrollaron con mayor profundidad en el Informe técnico del conjunto del Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones denominado “Consideraciones de Ciberseguridad para el despliegue de Redes 5G” N°DGDCFD-INF-011-2023//MICITT-DERRT-INF-0072023//MICITT-DCNT-INF-011-2023, cuyo objetivo fue ampliar para los efectos del Poder Legislativo, el fundamento técnico y jurídico del “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores”. En forma ilustrativa obsérvese el detalle elaborado por la Unión Europea en su documento titulado “Caja de Herramientas de la Unión Europea para la seguridad de las redes 5G” que enlista los siguientes beneficios propiciados por el establecimiento de estas redes, a saber: BENEFICIOS DEL ESTABLECIMIENTO DE REDES 5G (…) En el caso de las redes 5G, las medidas de ciberseguridad son cruciales debido a que como se indicó previamente, las mismas están altamente conectadas a una gran cantidad de dispositivos y sistemas en diversos tipos de ambientes y aplicaciones, lo que aumenta la probabilidad de que se produzcan ataques cibernéticos e intentos de robos de datos de los usuarios. Además, las redes 5G también pueden ser utilizadas para el control de sistemas críticos, como la energía, y el transporte, por lo que cualquier fallo en la ciberseguridad podría tener consecuencias graves para la seguridad pública. La comunidad internacional en su experiencia, ha reseñado algunos de los riesgos asociados al despliegue de la tecnología 5G tal y como se puede observar en la imagen a continuación: PRINCIPALES RIESGOS DE LA TECNOLOGÍA 5G (…) En Costa Rica, por disposición constitucional del artículo 24 en concordancia con los artículos 3 inciso j), 41, 42, siguientes y concordantes de la Ley N°8642, Ley General de Telecomunicaciones (previamente citados), los operadores y proveedores de servicios de telecomunicaciones, tienen la obligación de garantizar el derecho a la intimidad, la libertad y el secreto de las comunicaciones, así como de proteger la confidencialidad de la información que obtengan de sus clientes o de otros operadores. Esto implica que los operadores deben implementar medidas adecuadas de ciberseguridad de la información para prevenir el acceso no autorizado a la información de los usuarios y evitar la filtración de datos sensibles. La implementación de las redes 5G ha generado preocupaciones sobre la seguridad nacional, pues existe la posibilidad de que información confidencial y sensible pueda ser interceptada y utilizada por agentes extranjeros de manera no autorizada, o bien que estas redes sean vulneradas para afectar la seguridad pública. Por esta razón, el resguardo de la seguridad nacional debe ser una prioridad en la implementación de las redes 5G, y el Gobierno debe trabajar en estrecha colaboración con los operadores y proveedores para garantizar la seguridad y la integridad de la información que se transmite a través de estas redes. Todo esto por supuesto, incluye la incorporación de medidas de ciberseguridad en la propia arquitectura de las redes 5G; la formación de expertos en ciberseguridad; y la concientización de los usuarios finales de telecomunicaciones sobre las amenazas informáticas. Es de esta manera que se promueve una conexión segura y confiable de los dispositivos a la red 5G, lo que permitirá aprovechar al máximo los beneficios que esta tecnología reduciendo la posibilidad de que la seguridad de los usuarios se comprometa. De forma particular las redes 5G presentan ventajas y características por sobre otras generaciones de redes móviles, que permiten habilitar una serie de escenarios de uso, como lo son la atención de salud (telemedicina), gestión de infraestructuras críticas (como generación y distribución de energía eléctrica, gas o agua potable; estas últimas con impacto normalmente nacional y de gran relevancia en distintos sectores productivos), la industria en general, la agricultura, ciudades inteligentes, Internet de las cosas masivo, Inteligencia Artificial, vehículos autónomos, metaverso, aplicaciones de realidad virtual y aumentada (usos industriales y en educación), etc. A partir del desarrollo de redes IMT-2020 (5G), se hace más crítica la implementación de medidas enfocadas en reducir los riesgos en materia de ciberseguridad en razón de sus características técnicas destacadas como: tasa de transferencia de datos experimentada por el usuario (10 veces mayor que 4G), latencia (10 veces menor que 4G), densificación de conexiones (10 veces más que 4G, hasta 1M de dispositivos por kilómetro cuadrado), escenarios de movilidad (hasta 500 km/h), eficiencia espectral (3 veces mayor), “Network slicing” (capacidad de segmentar redes), entre otras. Esta masificación de la conectividad móvil y su profunda integración con el quehacer de la sociedad y la industria es lo que precisamente genera una mayor superficie de ataques cibernéticos en el entorno de estas redes móviles. Es decir, se almacenan y trasiegan grandes cantidades de datos, incluyendo información personal y sensible de los usuarios. En ese sentido los operadores y proveedores en Costa Rica tienen la obligación jurídica de garantizar el derecho a la intimidad, la privacidad y el secreto de las comunicaciones, así como de proteger la confidencialidad de la información que obtengan de sus clientes o de otros operadores. Ante una nueva realidad técnica, que hace un uso intenso de técnicas como la virtualización y brinda nuevas características a los usuarios, es evidente que se requiere de la instauración de una serie de medidas técnicas y administrativas mucho más rigurosas en virtud de su complejidad, siendo que las telecomunicaciones son un eje facilitador del ejercicio de los derechos humanos, por lo tanto se deben establecer medidas de ciberseguridad para garantizar el uso y la explotación segura y con resguardo de la privacidad de las personas (principio rector según el artículo 3 inciso j de la Ley General de Telecomunicaciones, N° 8642), de las redes y los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores. Características de las redes 5G • Eficiencia espectral: bajo las especificaciones de la 3GPP24, y en cumplimiento de los requerimientos establecidos por la Unión Internacional de Telecomunicaciones (UIT), estas redes implementan esquemas técnicos que habilitan un uso mucho más eficiente del espectro, bajo condiciones de utilización de frecuencias portadoras que habilitan escenarios de eficiencia espectral pico para el enlace de descarga (hacia el usuario de la red móvil) de hasta 30 bits/s/Hz, y de hasta 10 bits/s/Hz, en el enlace de subida (desde el usuario de la red móvil). (Ahmadi, 2019).

• Tasa de datos máxima: bajo condiciones ideales, estas redes pueden ofrecer tasas de descarga de datos de hasta 20 Gbit/s, en comparación con la tasa máxima asociada a las tecnologías 4G, que alcanzan bajo condiciones ideales de hasta 1 Gbit/s. Esto se logra gracias a la utilización de esquemas de modulación, codificación y esquemas de acceso múltiple (Kumar, 2021), que permiten un uso más eficiente del espectro radioeléctrico en las redes de acceso; así como de la utilización de grandes bloques de espectro, según la disponibilidad de ancho de banda de cada banda de frecuencias. Estas redes móviles, a diferencia de las generaciones anteriores, permiten el uso de bandas de frecuencias por arriba de los 6 GHz que, por los anchos de banda disponibles en éstas, permiten alcanzar las tasas de datos previstas para estas redes móviles en áreas de cobertura de algunas decenas de metros (GSMA, 2022).

•Escenarios de movilidad: estas redes móviles permiten escenarios de movilidad, en velocidades de km/h superiores a anteriores generaciones de redes móviles, donde pueden alcanzarse y mantenerse los umbrales de calidad de experiencia de usuario final esperados. Para despliegues comerciales de estas nuevas tecnologías del tipo 5G, por ejemplo, es posible alcanzar y mantener las condiciones de QoE[5] bajo velocidades, teóricas, de hasta 500 km/h (Fan, 2016), siendo estas velocidades superiores a las posibles de alcanzar bajo tecnologías anteriores (estos escenarios asociados a ciertos valores umbrales de eficiencia espectral, según cada tecnología).

• “Network slicing”: Las redes móviles del tipo IMT-2020, incluyendo 5G, prevén la posibilidad técnica de emplear de manera dinámica los recursos de la red que, en conjunto con las capacidades de software y virtualización de estas redes, sea posible definir o crear de manera “virtual” distintas redes lógicas (GSMA, 2020), que de manera específica atienden los requerimientos de distintos casos de uso de estas redes móviles, y que, desde el punto de vista del operador, abre posibilidades de mercado como lo es el NSaaS[6] y posibilidades de autogestión y mejora de su propia red móvil a través del modelo "network slices as NOP internals" (3GPP, 2023; ETSI, 2021) .

● Densificación de conexiones: Se prevé técnicamente que estas redes puedan ofrecer condiciones para una mayor densidad de dispositivos conectados a las redes móviles por km2 de superficie (GSMA, 2019). En específico, estas redes permitirían una densidad 10 veces mayor a lo que era técnicamente posible en generaciones anteriores de redes móviles, permitiendo ahora hasta 106 (un millón) de dispositivos conectados o accesibles a través de la red móvil por km2 de superficie, variando estos escenarios entre casos de uso urbanos, densos urbanos, rurales, entre otros. Esto es muy importante para el desarrollo de ciertas aplicaciones, en particular de Internet de las cosas masivo (MIoT, “massive internet of things”,por sus siglas en inglés) en usos industriales, ciudades inteligentes, logística, y muchos otros, donde se requieren grandes cantidades de dispositivos conectados de forma simultánea a las redes inalámbricas.

Bajo las premisas técnicas anteriores, es que se han definido una serie de casos de uso para las redes móviles del tipo IMT-2020, incluyendo 5G, que hacen uso de las distintas capacidades de estas redes, que, de acuerdo con los objetivos delimitados por la misma Unión Internacional de Telecomunicaciones, se clasifican según lo siguiente: •Banda ancha móvil mejorada (eMBB, “enhanced mobile broadband”, por sus siglas en inglés) •Comunicaciones de gran fiabilidad y baja latencia (uRLLC, “ultra reliable low latency communications”, por sus siglas en inglés). •Comunicaciones masivas y de tipo máquina (mMTC, “massive machine-type communications”, por sus siglas en inglés) . d. Sobre la presunta obligación de desarrollar redes Stand Alone, en el marco de la aplicación del Decreto Ejecutivo N.º 44196-MSP-MICITT “Reglamento Sobre Medidas de Ciberseguridad Aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores”. Para desarrollar redes 5G existen varias opciones técnicamente posibles que debe analizar cada operador de red, dependiendo de su infraestructura actual y planes de expansión, entre otros elementos. En una de las opciones, es posible utilizar parte de la infraestructura y equipamiento de las redes 4G para construir la red que prestará servicios 5G, en lo que se llama una configuración de red Non Stand Alone (NSA). Esto puede ofrecer algunas ventajas en el corto plazo en términos de costo y rapidez en salir al mercado con servicios 5G, pero también tiene algunas desventajas en la provisión de los servicios de quinta generación, ya que estos no pueden ser ofrecidos con todas las características técnicas posibles (referidas en la tabla anterior) ni todos los casos de uso de la tecnología 5G, ya que se ven limitados por los elementos de hardware y software de generación anterior, así como por las diferencias en las frecuencias que utilicen. Usualmente, los operadores que deciden salir al mercado con redes 5G que aprovechan elementos de las redes 4G en sistemas Non Stand Alone, eventualmente se plantean evolucionar a redes 5G Stand Alone (SA), para poder incluir servicios en bandas de frecuencias milimétricas y poder sacar todo el potencial que ofrece la tecnología. La Global System for Mobile Communications Association (GSMA), ha señalado que “Investigaciones de GSMA Intelligence demuestran que el 55% de los operadores de América Latina con redes 5G activas han anunciado planes para actualizar y migrar a 5G SA (en línea con el promedio global)”. Además, dicha organización ha manifestado que "Esto ayudará a los operadores a ofrecer todos los beneficios de la tecnología 5G en lo que respecta a latencia, partición de la red y soporte IoT, lo que será imprescindible para los nuevos casos de uso." Por otro lado, es importante señalar que, de acuerdo con el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196MSP-MICITT, los elementos de las redes 5G y superiores que deben ser incluidos en el análisis de riesgos correspondiente están indicados en el artículo 7 de dicho reglamento (incluyen el núcleo, transporte y transmisión, acceso, control y gestión, entre otros). En ese sentido, cualquiera de estos elementos de una red 4G que pretendan ser utilizados por un Operador como parte de una red 5G deberán cumplir con los requerimientos de seguridad indicados en el citado Reglamento. En este sentido, es claro de la propia lectura del articulado del Decreto Ejecutivo N° 44196-MICITT-MSP que dicho cuerpo reglamentario no establece requerimiento alguno a los operadores sujetos a su ámbito de aplicación para desplegar redes Stand Alone, o Non Stand Alone. La decisión con respecto a la arquitectura de red con la que iniciará el despliegue es del propio operador, quien debe velar en todo caso por el cumplimiento de lo establecido en términos de riesgo y estándares en el Reglamento en mención. F. SOBRE EL RESGUARDO DE LA SEGURIDAD NACIONAL Y EL CIBERESPACIO (MEDIDAS DE CIBERSEGURIDAD). Sobre este particular es importante aclarar que este informe ha sido emitido a partir del marco competencial delegado legalmente al MICITT en su condición de Ente Rector del Sector Telecomunicaciones, conforme lo dispuesto en los artículos 7, 10 y concordantes de la Ley N°8642, Ley General de Telecomunicaciones, artículo 39 de la Ley Fortalecimiento y Modernización de las Entidades Públicas del Sector Telecomunicaciones Nº 8660, la Ley N° 7169, Ley de Promoción del Desarrollo Científico y Tecnológico para fortalecer las competencias del MICITT, así como en el Decreto Ejecutivo N° 37052-MICIT "Crea Centro de Respuesta de Incidentes de Seguridad Informática CSIRT-CR" emitido el 09 de marzo de 2012, y publicado en el Diario Oficial La Gaceta N°72 de fecha 13 de abril de 2012. A este tenor, como lo ha informado la Procuraduría General de la República en su dictamen N°C-156-2016 de fecha 15 de julio de 2016, la competencia administrativa representa la capacidad de los organismos públicos para el ejercicio de las funciones que han sido conferidas por el ordenamiento jurídico, Sobre el particular en lo que interesa ha manifestado: “…Cada organismo público posee capacidad para actuar jurídicamente la competencia de que es titular. La competencia administrativa es un corolario del principio de legalidad, cuyo objeto es señalar los poderes y deberes con que cuenta la Administración Pública para actuar conforme el ordenamiento. La competencia es la aptitud de obrar de las personas públicas o de sus órganos y se resume en los poderes y deberes que han sido atribuidos por el ordenamiento a un órgano o ente público, lo que delimita los actos que puede emitir válidamente. (...)” Bajo esa referencia, resulta claro que al Poder Ejecutivo le corresponde ejercitar las acciones de defensa necesarias para prevenir menoscabos a la seguridad nacional, definida ésta en el Diccionario Usual del Poder Judicial como: “Seguridad Nacional: Noción militar que se refiere a la prevención y defensa de la nación ante la amenaza bélica o situación de guerra. || Noción sociológica y militar que supone la protección del país contra amenazas militares, terroristas, peligros ambientales, migraciones masivas y refugio de desplazados. || Concepto militar, social y político que comprende directrices, normas y conductas tendentes a reprimir a fuerzas opositoras al Gobierno y a prevenir acciones que pretendan un cambio político”. Desde luego que esta conceptualización en la era actual, abarca amenazas que se generan en el ámbito cibernético y por tanto posibles ciberataques a las redes de telecomunicaciones que tienen impacto en la privacidad, el secreto de las comunicaciones, y la autodeterminación informativa de los usuarios finales de telecomunicaciones, por lo que el Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones debe ejercer su Rectoría en resguardo de los citados derechos. Siendo la ciberseguridad una expresión del concepto de seguridad nacional, pretende garantizar la existencia de controles que minimicen los riesgos ante posibles brechas o ataques cibernéticos. Estos riesgos pueden comprometer los datos e integridad de la información que residen o se transmiten en infraestructuras tecnológicas. Verificar la presencia de dichos controles reduce el riesgo y el impacto de un evento adverso. En este sentido, debe señalarse que las medidas de ciberseguridad forman parte de los mecanismos regulatorios en materia de telecomunicaciones para resguardar el uso y explotación segura de las redes por parte de los operadores. Por lo anterior, no es un tema que resulta ajeno o aislado a la protección de la intimidad, privacidad y secreto de las comunicaciones, sino que se constituye en un mecanismo que responde a la evolución propia de la tecnología utilizable para su prestación con la finalidad de asegurar que los operadores cumplan efectivamente con esta responsabilidad. Como bien se ha profundizado en el presente documento, Costa Rica se vio afectada en diferentes ámbitos como económico, social, institucional, de seguridad social entre otros, ante el socavón los sistemas de información del Estado costarricense ocasionados por múltiples ciberataques, todo ello configurando un estado de emergencia nacional de atención inminente, estas circunstancias apremiantes, son las que precisamente motivaron al Poder Ejecutivo a adoptar una serie de medidas en forma pronta y oportuna como lo es el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT. Existe además un mandato proveniente de la Ley General de la Administración Pública, Ley Nº6227, cuyo artículo 14 inciso 1), establece que “Los principios generales de derecho podrán autorizar implícitamente los actos de la Administración Pública necesarios para el mejor desarrollo de las relaciones especiales creadas entre ella y los particulares por virtud de actos o contratos administrativos de duración.”. En complemento de lo anterior, la Ley de cita, en su artículo 113 inciso 3) determina que “En la apreciación del interés público se tendrá en cuenta, en primer lugar, los valores de seguridad jurídica y justicia para la comunidad y el individuo, a los que no puede en ningún caso anteponerse la mera conveniencia.”. Ahora bien, en lo que atañe a la emergencia nacional declarada mediante el Decreto Ejecutivo N°43542-MP-MICITT, ya referido, artículo 1 de la Ley N° 8488, Ley Nacional de Emergencias y Prevención del riesgo, establece que “(…) regulará las acciones ordinarias, establecidas en su artículo 14, las cuales el Estado Costarricense deberá desarrollar para reducir las causas de las pérdidas de vidas y las consecuencias sociales, económicas y ambientales, inducidas por los factores de riesgo de origen natural y antrópico; así como la actividad extraordinaria que el Estado deberá efectuar en caso de estado de emergencia, para lo cual se aplicará un régimen de excepción”; régimen de excepción que actualmente se presenta en relación con lo dispuesto en el Decreto Ejecutivo de cita. En esa línea, el a autor Jaime Romero Galicia citando a Orozco en el documento digital denominado “CONCEPTUALIZACIÓN DE UNA ESTRATEGIA DE CIBERSEGURIDAD PARA LA SEGURIDAD NACIONAL DE MÉXICO”[7] señala que “la seguridad nacional en general tiende a ser definida como una “condición” que debe brindar el Estado para el desarrollo de la sociedad a la que sirve”. En ese sentido, añade que las definiciones actuales se encuentran influenciadas por el surgimiento del concepto de seguridad humana (que se centra más en la seguridad del individuo), así como por el fenómeno de la globalización, los factores económicos y la importancia de las Tecnologías de Información y Comunicaciones (TIC) en las estrategias de seguridad nacional. En ese mismo orden de ideas Romero Galicia explota que, las TIC son un puente de desarrollo humano, así como un instrumento fundamental en las nuevas estrategias de seguridad nacional e internacional, toda vez que el mundo interconectado se transforma en una aldea global. De esta forma, el autor explica la relación estrecha que existe entre las materias de ciberseguridad y seguridad nacional en tanto la primera, “(...) permite determinar qué cuidar en el ciberespacio, para que los efectos negativos en contra de la seguridad nacional no se materialicen en el mundo físico”. Asimismo adiciona Romero Galicia que: (...) el ciberespacio se afianzó en el lenguaje de ciberseguridad con la publicación de la National Strategy to Secure Cyberspace, publicada por la administración Bush en 2003 (Bush, 2003). Pero no fue hasta el año final de la administración Bush que el término fue completamente definido por el Gobierno federal como “Las redes interdependientes de infraestructuras de tecnologías de información incluyendo Internet, redes de telecomunicaciones, sistemas de cómputo y procesadores, y controladores embebidos en industrias críticas” (Hare, 2010:13). Esta definición deja en claro que el ciberespacio es considerado más grande que Internet. (...) De esta forma, el ciberespacio es tan importante hoy en día y su protección tan fundamental, porque ahí tienen lugar muchos procesos productivos y se establece la comunicación de las sociedades, que ha sido considerada militarmente por la mayoría de los países como el quinto dominio de la guerra, aunado a los dominios de tierra, mar, aire y espacio exterior (Murphy, 2010; Schreie et al., 2015). De este modo, la ciberseguridad, similar a la seguridad de la información desde el punto de vista de los riesgos, es un asunto que tiene que ver con tres dimensiones. Por un lado, con la protección de la integridad, confidencialidad y disponibilidad de la información, aunque existen otras características como la confiabilidad y el no repudio; en segundo término la ciberseguridad tiene que ver con proteger la información desde su procesamiento, transmisión y almacenamiento; y finalmente la ciberseguridad es un asunto que tiene que ver desde el punto de vista de la gestión con gente, procesos y tecnología. (...)” De lo anterior es posible extraer que, el ciberespacio es un activo económico de gran interés mundial, y dadas todas las posibilidades que permite en cuanto al trasiego de información, es un blanco constante para amenazas, frente a lo cual los países deben articular esfuerzos continuos que les faciliten prevenir y mitigar tales riesgos. En adición, en el modelo de protección que involucra al Gobierno, los operadores y a los individuos, tenemos en la cúspide al Poder Ejecutivo que es el encargado de establecer todas las medidas para garantizar una adecuada ciberseguridad en el Sector telecomunicaciones. Según lo anterior, es conveniente señalar lo manifestado por la Procuraduría General de la República, en su dictamen N°C-239-1995 de fecha 21 de noviembre de 1995, que en lo que interesa para el presente informe reza: “(...) La finalidad de la acción pública es el interés público y la protección del orden público institucional. El interés público, principio de orden y de unidad, es un interés propio de la colectividad política, que se diferencia y que transciende, por ende, los intereses particulares de sus miembros . Concepto jurídico indeterminado, el "interés público" debe ser precisado en cada caso: “...Norma variable, el interés general adquiere un sentido preciso en el contexto de una situación particular. Sin embargo, esta adaptación a las situaciones concretas supone un principio de orden, una lógica que guía la aplicación de la norma" . En el caso que nos ocupa, esa lógica está informada por el principio de seguridad y mantenimiento del orden público que presupone una estabilidad institucional y social. (...)” Tomando como referencia lo manifestado por por el órgano Procurador, la ciberseguridad (como manifestación de la seguridad nacional) se configura en ese elemento de interés general que da lugar a la emisión de normas que minimicen los riesgos ante posibles brechas o ataques cibernéticos y consecuentemente transgredan derechos fundamentales de los usuarios finales de telecomunicaciones. En ese sentido, las medidas de ciberseguridad también surgen como herramientas para proteger el interés público, entendido este como los derechos de los administrados a que accedan a las telecomunicaciones en su calidad de usuarios finales para el ejercicio de otros derechos fundamentales como lo son la educación, la salud, la comunicación e información, el Gobierno Abierto, la justicia, entre otros. La Sala Constitucional de la Corte Suprema de Justicia se refirió al interés público y la importancia de la infraestructura en telecomunicaciones indicando: “(…) IMPORTANCIA, INTERÉS PÚBLICO Y VOCACIÓN NACIONAL DE LA INFRAESTRUCTURA DE LAS TELECOMUNICACIONES EN EL ORDENAMIENTO CONSTITUCIONAL E INFRACONSTITUCIONAL. A partir de un análisis sistemático del ordenamiento jurídico constitucional e infraconstitucional vigente, es factible concluir que la infraestructura, en materia de telecomunicaciones, tiene una relevancia que excede la esfera de lo local o cantonal, asumiendo un claro interés público y, desde luego, erigiéndose como una cuestión que atañe a la órbita de lo nacional con, incluso, proyecciones en el terreno del Derecho Internacional Público al suponer su desarrollo el cumplimiento de una serie de obligaciones internacionales asumidas previamente por el Estado costarricense. En primer término, como lo ha indicado este Tribunal Constitucional, el tema de las telecomunicaciones tiene gran relevancia constitucional, tanto que en el artículo 121, inciso 14), subinciso c), de la Constitución se indica que los “servicios inalámbricos” o el espectro electromagnético forma parte del dominio público constitucional y concretamente es un bien propio de la Nación, siendo que no puede ser desafectado o salir del dominio del Estado. La Ley General de Telecomunicaciones No. 8642 de 4 de junio de 2008 – en adelante LGT-, al enunciar los principios rectores en este sector, indica en su artículo 3°, inciso i), que debe haber una “optimización de los recursos escasos”, destacando que la utilización de las infraestructuras de telecomunicaciones debe ser “(…) objetiva, oportuna, transparente, no discriminatoria y eficiente, con el doble objetivo de asegurar una competencia efectiva, así como la expansión y mejora de las redes y servicios (…) Por su parte la Ley de la Autoridad Reguladora de los Servicios Públicos, No. 7593 de 9 de agosto de 1993, en su artículo 74, modificado por la Ley de Fortalecimiento y Modernización de las Entidades Públicas del Sector Telecomunicaciones No. 8660 de 8 de agosto de 2008, hizo una declaratoria de interés público de la infraestructura y las redes en telecomunicaciones al preceptuar lo siguiente: ʻConsidérase una actividad de interés público el establecimiento, la instalación, la ampliación, la renovación y la operación de las redes públicas de telecomunicaciones o de cualquiera de sus elementosʼ. Tal declaratoria tiene grandes repercusiones, por cuanto, se reconoce, por ley, que el tema de la infraestructura en la materia reviste un claro e inequívoco interés público o general que trasciende la esfera de lo local o regional a lo interno del país, para proyectarse en el ámbito nacional e internacional, al permitirle al Estado costarricense cumplir, de buena fe, una serie de obligaciones y compromisos asumidos en el contexto del Derecho Internacional Público.” En ese mismo orden ideas, la Sala Constitucional indicó en su Resolución Nº 2010012790 de las 08 horas 58 minutos, de fecha 30 de julio de 2010, lo siguiente: “(…) debe decirse que el avance en los últimos veinte años en materia de tecnologías de la información y comunicación (TIC´s) ha revolucionado el entorno social del ser humano. Sin temor a equívocos, puede afirmarse que estas tecnologías han impactado el modo en que el ser humano se comunica, facilitando la conexión entre personas e instituciones a nivel mundial y eliminando las barreras de espacio y tiempo. En este momento, el acceso a estas tecnologías se convierte en un instrumento básico para facilitar el ejercicio de derechos fundamentales como la participación democrática (democracia electrónica) y el control ciudadano, la educación, la libertad de expresión y pensamiento, el acceso a la información y los servicios públicos en línea, el derecho a relacionarse con los poderes públicos por medios electrónicos y la transparencia administrativa, entre otros. Incluso, se ha afirmado el carácter de derecho fundamental que reviste el acceso a estas tecnologías, concretamente, el derecho de acceso a la Internet o red de redes”. (El resaltado es propio) Por ello, el Decreto Ejecutivo denominado “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, al tratarse de un tema de defensa del Estado y seguridad nacional, así como del interés público que revisten las redes de telecomunicaciones, su tratamiento resulta más sensible que otras materias, por lo que adquirió en su elaboración un carácter reservado con fundamento en la normativa vigente. Finalmente, en lo que respecta a la seguridad nacional y al resguardo desde la óptica de la Rectoría de las Telecomunicaciones, debe tenerse en consideración que, mediante el Decreto Ejecutivo N°37052-MICIT se establece en Costa Rica el Centro de Respuesta de Incidentes de Seguridad Informática denominado CSIRT-CR, con sede en el Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones (establecido desde el año 2012), este Centro tiene facultades suficientes para coordinar con los poderes del Estado, instituciones autónomas, empresas y bancos del Estado todo lo relacionado con la materia de seguridad informática y cibernética y concretar el equipo de expertos en seguridad de las Tecnologías de la Información que trabajará para prevenir y responder ante los incidentes de seguridad cibernética e informática que afecten a las instituciones gubernamentales. G. SOBRE EL PROCESO DE CONSULTA REALIZADA EN EL CASO CONCRETO EN VIRTUD DE LA MATERIA DE SEGURIDAD NACIONAL DE LA REGULACIÓN DEL DECRETO EJECUTIVO N.º 44196-MSP-MICITT “REGLAMENTO SOBRE MEDIDAS DE CIBERSEGURIDAD APLICABLES A LOS SERVICIOS DE TELECOMUNICACIONES BASADOS EN LA TECNOLOGÍA DE QUINTA GENERACIÓN MÓVIL (5G) Y SUPERIORES”. El artículo 361 inciso 2) de la Ley N° 6227, Ley General de la Administración Pública establece que: “2) Se concederá a las entidades representativas de intereses de carácter general o corporativo afectados por la disposición la oportunidad de exponer su parecer, dentro del plazo de diez días, salvo cuando se opongan a ello razones de interés público o de urgencia debidamente consignadas en el anteproyecto.”. En el caso que nos ocupa, consta que mediante oficio MICITT-DM-OF-651-2023 de fecha 04 de agosto de 2023 el MICITT, dirigió consulta a la Junta Directiva de la Autoridad Reguladora de los Servicios Públicos y a la Superintendencia de Telecomunicaciones para que en el ámbito de sus competencias emitieran observaciones al proyecto normativo, confiriéndoles el plazo de diez días hábiles. En respuesta a la consulta mencionada en el párrafo que antecede, el Consejo Directivo de la Superintendencia de Telecomunicaciones remitió el oficio Nº 06900SUTEL-CS-2023 de fecha 17 de agosto de 2023, con fundamento en la Ley Nº 9736, Ley de Fortalecimiento de las Autoridades de Competencia de Costa Rica, con las consideraciones del anteproyecto de decreto ejecutivo. Consideraciones que fueron revisadas y analizadas para la emisión de la presente reglamentación. Resulta de mérito indicar que el Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones, mediante oficio N°MICITT-DM-OF-687-2023, de fecha 31 de agosto de 2023, remitió a la Superintendencia de Telecomunicaciones el detalle del tratamiento y valoración de cada una de las observaciones que dicho órgano regulador remitió. Como se indicó, la Ley General de la Administración Pública en el artículo 361 establece en sus incisos 2 y 3 la facultad de someter a conocimiento público el anteproyecto o disposiciones de carácter general. Sobre el particular es importante reiterar que esta audiencia es optativa en los casos en los que objetivamente la propia Ley lo ha dispuesto. De este modo, el Tribunal Contencioso Administrativo Sección VI en su N°Resolución Nº 00046 - 2020, de fecha 16 de Abril del 2020 de las 15 horas 30 minutos, en relación con la consulta pública a manifestado: “(...) ii. Audiencia preceptiva a entidades representativas de interés general o corporativo (inciso 2). En este supuesto, si bien se establece la necesidad de conferir la citada audiencia ante la potencial afectación de intereses de orden general o corporativo económico, profesional o gremial-, la norma permite que se prescinda de dicho trámite, a reserva de que se exponga en el respectivo proyecto las razones de interés público o de urgencia que dan paso a dicha dispensa. Ergo, no se trata de una liberalidad irrestricta, sino de una facultad sometida a condiciones sine qua non, consistentes en la motivación debida de las condiciones o circunstancias que determinen, en cada caso concreto, mérito para no divulgar el proyecto de regulación a fin de obtener observaciones u objeciones. La ausencia de inclusión de esa motivación o bien, el ejercicio indebido de esa facultad, por ausencia de los presupuestos que le dan cabida, afectaría el procedimiento legal previsto para la emisión de ese tipo de disposiciones; iii) Audiencia facultativa a la información pública (inciso 3). Se trata de una potestad de la Administración que adopta determinada conducta de alcance general, respecto de la cual, puede establecer, por criterio de conveniencia, la realización de una audiencia pública genérica. En el contexto de ese mandato, a diferencia del supuesto previsto en el párrafo primero de dicha norma, no se trata de una audiencia obligatoria, sino de una liberalidad de la Administración Pública, por lo cual, la ausencia de su otorgamiento, supondría la decisión de no someterla a debate público. Ergo, en tanto facultativa, su desatención no incidiría en la validez de ese tipo de conductas. Cabe destacar que según sea el caso, la sola ausencia de la audiencia en cuestión no llevaría, per se, a una patología de grado absoluto, siendo menester, en esos casos, el análisis de la trascendencia de la invalidez que se pueda reclamar respecto de ese tipo de actos. Lo anterior como derivación del principio de sustancialidad de la nulidad, en virtud de la cual, no es cualquier defecto del acto el que lleva a su nulidad absoluta y, por ende, a su supresión, sino solamente aquellas deficiencias que hayan producido un estado de indefensión, hayan lesionado el debido proceso, o supongan una formalidad que, de haber sido satisfecha, pudiera haber modificado el contenido de la decisión. Esto de conformidad con los preceptos 128, 158, 168 y 223 de la LGAP. Dicho esto, cabe señalar que, en la especie, el Estado aduce una falta de legitimación de parte de la accionante para cuestionar la validez del decreto de marras. (...)”(El resaltado es propio) Sea que, aún (sic) cuando el numeral 361 incisos 2 y 3 dispone de la prerrogativa de una audiencia, ante la potencial afectación de intereses de orden general o corporativo, el legislador previó que cuando la naturaleza de la propia disposición lo aconseje dicho trámite se puede prescindir a juicio del Poder Ejecutivo ante de razones de interés público o de urgencia debidamente demostradas en el expediente del caso. Al tenor de lo anterior, es importante resaltar que en su parte considerativa, el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, consigna todos los elementos de hecho y derecho que motivaron su elaboración para la adecuada satisfacción del interés público frente al estado de emergencia nacional. Esta posición ha sido claramente desarrollada por el propio Tribunal Contencioso Administrativo Sección VI, destacando en la Resolución Nº 00147-2021, de las 09 horas de fecha 04 de noviembre del 2021, que la decisión de no otorgar audiencia no genera un vicio de nulidad que acarree consecuencias por sí misma, sino es ante una lesión demostrada, así esbozó: “(...) Por otra parte, este Tribunal estima que la sola omisión de la referida audiencia, tampoco llevaría necesariamente a una patología de grado absoluto. Lo anterior porque es indispensable, en esos casos, analizar la trascendencia de la invalidez que se pueda reclamar respecto de ese tipo de actos. Lo anterior como derivación del principio de sustancialidad de la nulidad, en virtud de la cual, no es cualquier defecto del acto el que lleva a su invalidez absoluta, sino solamente aquellos que hayan producido un estado de indefensión, lesionado el debido proceso o supongan una formalidad que, de haber sido satisfecha, pudiera haber modificado el contenido de la decisión. Lo anterior de conformidad con los artículos 128, 158, 168 y 223 de la LGAP. (...)”(El resaltado es propio). Este criterio ha sido ampliamente reiterado por el Tribunal Contencioso Administrativo, Sección VII, que en la Resolución Nº00082-2022, de las 11 horas de fecha de 11 de agosto de 2022, resaltó: “(...) Como puede verse, la audiencia previa constituye un elemento esencial de validez en los asuntos donde, por el contenido de la norma y su alcance deba concederse de forma obligatoria; pero no en todos los casos es indispensable, como tampoco lo es que se curse a todas las personas que caerían dentro de su ámbito normativo, ni tampoco su ausencia vicia de invalidez toda disposición normativa general, por lo que es necesario un análisis casuístico para determinar si existe o no vicio. En el caso que nos ocupa encontramos varios elementos relevantes que deben exponerse. En primer lugar, nótese que el referido artículo 361 de la Ley General de la Administración Pública dispone que: “2. Se concederá a las entidades representativas de intereses de carácter general … (...) (El resaltado es propio) De la jurisprudencia de cita es posible extraer que no todos los casos ameritan proceder con el requisito de la audiencia, siempre y cuando el Poder Ejecutivo determine que la situación califica para prescindir de su trámite, documentando para ello las valoraciones del caso. Como se ha reiterado en el presente informe, Costa Rica sufrió ataques a múltiples de sus sistemas debido a los ciberataques iniciados en el año 2022, todo ello configurando un estado de emergencia nacional de atención inminente pero continuada. En esa línea la Procuraduría General de la República, en su dictamen vinculante N°C-022-89 de fecha 25 de enero de 1989 ha manifestado: “(...) la gran mayoría de las situaciones de urgencia que se han presentado y se presentan en Costa Rica son atípicas. Ello debido a que las normas jurídicas que regulan tales situaciones no las precisan en grado suficiente como supuestos constitutivos de urgencia, así como tampoco contemplan el efecto o contenido que habrá de tener las medidas que se adopten; sino que dichas situaciones deben ser asumidas mediante el acto cuyo motivo está definido con harta imprecisión, el cual puede consistir en el hecho puro y simple de una necesidad apremiante, previsto sin ulterior especificación ni cualidad, y en el cual el contenido del acto se deja en blanco para que la autoridad respectiva lo cubra y lo determine, caso por caso, dentro de una gama amplia de posibilidades. (…)” (El resaltado es propio) En ese mismo sentido, mediante Resolución Nº 16359-2016 de fecha 04 de noviembre de 2016, la Sala Constitucional manifestó en relación con la materia de seguridad nacional del Estado lo siguiente: “(…) El secreto de Estado es un límite al derecho de acceso a la información; Existe secreto de Estado, en términos generales, en materia de seguridad nacional, defensa nacional y relaciones exteriores, no sólo con otros Estados, sino con los demás sujetos de Derecho Internacional Público (...)” Como se indicó, la defensa del Estado y seguridad nacional requieren un manejo diferenciado de otros asuntos ordinarios, de este modo como se indicó ut supra en su etapa previa, es decir antes de la publicación en el Diario Oficial La Gaceta, el proyecto del Decreto Sobre Medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores, se consideró con las características que son propias al secreto de Estado como límite al derecho constitucional de acceso a la información pública, por lo que, está sometido al principio de reserva de Ley, de conformidad con el artículo 19.1 de la Ley General de la Administración Pública, Ley N° 6227, el cual dispone: “Artículo 19. 1. El régimen jurídico de los derechos constitucionales estará reservado a la ley, sin perjuicio de los reglamentos ejecutivos correspondientes. 2. (…)” En relación con el concepto “secreto de Estado”, nuestro Tribunal Constitucional ha señalado reiteradamente que éste está referido únicamente a asuntos de seguridad, de defensa o de relaciones exteriores de la Nación, en ese sentido el voto N° 01362003 de las 15 horas 22 minutos de fecha 15 de enero de 2003, retomado en múltiples pronunciamientos indicó: “(…) El secreto de Estado como un límite al derecho de acceso a la información administrativa es reserva de ley (artículo 19, párrafo 1º, de la Ley General de la Administración Pública), empero, han transcurrido más de cincuenta años desde la vigencia de la Constitución y todavía persiste la omisión legislativa en el dictado de una ley de secretos de estado y materias clasificadas. Esta laguna legislativa, obviamente, ha provocado una grave incertidumbre y ha propiciado la costumbre contra legem del Poder Ejecutivo de calificar, por vía de decreto ejecutivo, de forma puntual y coyuntural, algunas materias como reservadas o clasificadas por constituir, a su entender, secreto de Estado. Tocante el ámbito, extensión y alcances del secreto de Estado, la doctrina es pacífica en aceptar que comprende aspectos tales como la seguridad nacional (interna o externa), la defensa nacional frente a las agresiones que atenten contra la soberanía e independencia del Estado y las relaciones exteriores concertadas entre éste y el resto de los sujetos del Derecho Internacional Público (vid. artículo 284 del Código Penal, al tipificar el delito de "revelación de secretos"). (…)” (El resaltado es propio) Así las cosas, es posible afirmar en concordancia con lo indicado por esta respetable Sala Constitucional, que la información considerada como secreto de Estado atañe a asuntos de seguridad nacional (interna o externa), la defensa nacional frente a las agresiones que atenten contra la soberanía e independencia del Estado y las relaciones exteriores concertadas entre éste y el resto de los sujetos del Derecho Internacional Público. Este criterio a su vez es compartido por la Procuraduría General de la República en su dictamen N°C-175-83 de fecha 31 de mayo de 1983, al manifestar: “(...) en criterio de esta Procuraduría, el legislador es competente para definir en qué consiste el secreto de Estado, cuál es el ámbito de aplicación, ello sin perjuicio de la regulación constitucional al respecto. Pero, una vez definido dicho concepto, corresponde al Poder Ejecutivo declarar en un caso concreto la existencia de dicho secreto. Es decir, determinar que la comunicación de determinados hechos, informaciones o documentos ponen en peligro la seguridad estatal, las relaciones internacionales y la defensa nacional. Obviamente, dicha determinación constituye un acto discrecional. 3. Oportunidad de la declaratoria La declaratoria de “secreto de Estado” procede cuando la divulgación de ciertos hechos, informaciones o documentos perjudique la seguridad, la defensa y las relaciones internacionales de la República. Para emitir el decreto correspondiente, el Poder Ejecutivo debe tomar en cuenta diversos factores internos y externos, la oportunidad de la declaratoria, el ambiente político interno y externo. Las circunstancias en que puede comprometerse los fines protegidos por el secreto de Estado son diversas, por lo que no puede regularse de antemano el momento en que debe declararse el secreto de Estado. Serán criterios de oportunidad –sujetos a los objetivos y materia del secreto de Estado- los que determinarán el momento en que se declara el secreto. (...)” (El resaltado es propio) Ahora bien, en lo que atañe a la emergencia nacional declarada mediante el Decreto Ejecutivo N°43542-MP-MICITT, ya referido, artículo 1 de la Ley N° 8488, Ley Nacional de Emergencias y prevención del riesgo, establece que “(…) regulará las acciones ordinarias, establecidas en su artículo 14, las cuales el Estado Costarricense deberá desarrollar para reducir las causas de las pérdidas de vidas y las consecuencias sociales, económicas y ambientales, inducidas por los factores de riesgo de origen natural y antrópico; así como la actividad extraordinaria que el Estado deberá efectuar en caso de estado de emergencia, para lo cual se aplicará un régimen de excepción”; régimen de excepción que actualmente se presenta en relación con lo dispuesto en el Decreto Ejecutivo de cita. De manera tal que, en principio el acceso a la información de las oficinas estatales es público, condición que se puede restringir al amparo de los supuestos que cobijan el secreto de Estado para resguardar la protección de su soberanía. Ya de manera extensa se han precisado las razones de interés público que el Reglamento de análisis pretende proteger. En esa línea, como ya ha sido manifestado en este informe se le brindó oportunidad a las Autoridades Sectoriales para manifestarse sobre el contenido de la propuesta, en ese sentido se sensibilizó y se ajustó el texto propuesto en relación con las observaciones recibidas. Es de especial relevancia señalar que el texto del Reglamento no impone nuevas competencias en contravención del principio de reserva de ley, por el contrario en observancia a lo dispuesto en el Capítulo II denominado Régimen de protección a la intimidad y los derechos del usuario final, del Título II Régimen de Garantías Fundamentales de la Ley General de Telecomunicaciones, Ley N°8642, es que se emite dicho cuerpo normativo con el fin de asegurar la debida protección de la privacidad y los derechos e intereses de los usuarios finales. Particularmente el artículo 41 de la Ley General de Telecomunicaciones, previamente citado, deja claramente establecidos dos mandatos, el primero de ellos la debida protección a la privacidad derechos de los usuarios finales y por otro la obligatoriedad de la Superintendencia de Telecomunicaciones de velar por el cumplimiento de lo dispuesto en la Ley y sus reglamentos. Por su parte, el numeral 42 de la Ley General de Telecomunicaciones dispone la potestad reglamentaria del Poder Ejecutivo en esta materia para el establecimiento de medidas técnicas y administrativas a favor de una efectiva tutela de los derechos fundamentales contemplados en el artículo 42 en relación con la operación de redes de telecomunicaciones. Por su parte, de forma sistemática, el artículo 60 incisos a), d), e) y k) de la Ley de la Autoridad Reguladora de los Servicios Públicos, Ley N°7593 enumera un conjunto de obligaciones fundamentales de la Superintendencia de Telecomunicaciones, señalando: Artículo 60.- Obligaciones fundamentales de la Superintendencia de Telecomunicaciones (Sutel) Son obligaciones fundamentales de la Sutel: a) Aplicar el ordenamiento jurídico de las telecomunicaciones, para lo cual actuará en concordancia con las políticas del Sector, lo establecido en el Plan nacional de desarrollo de las telecomunicaciones, la Ley general de telecomunicaciones, las disposiciones establecidas en esta Ley y las demás disposiciones legales y reglamentarias que resulten aplicables. (...) d) Garantizar y proteger los derechos de los usuarios de las telecomunicaciones. e) Velar por el cumplimiento de los deberes y derechos de los operadores de redes y proveedores de servicios de telecomunicaciones. (...) k) Conocer y sancionar las infracciones administrativas en que incurran los operadores de redes y los proveedores de servicios de telecomunicaciones; así como establecer la responsabilidad civil de sus funcionarios. (...)” Así como, el artículo 73 inciso a) de las funciones del Consejo de esa Superintendencia de la siguiente forma: Artículo 73. Funciones del Consejo de la Superintendencia de Telecomunicaciones (Sutel) Son funciones del Consejo de la Sutel: a) Proteger los derechos de los usuarios de los servicios de telecomunicaciones, asegurando eficiencia, igualdad, continuidad, calidad, mayor y mejor cobertura, mayor y mejor información, más y mejores alternativas en la prestación de los servicios, así como garantizar la privacidad y confidencialidad en las comunicaciones, de acuerdo con la Constitución Política.(...)”. De esta forma, el Tribunal Contencioso Administrativo, Sección VI, mediante su Resolución N°001-2017-VI de las a 08 horas de fecha 13 de enero de 2017, manifestó: “(...) Acorde a estas competencias, y atendiendo a los principios que impone la Ley General de Telecomunicaciones, No. 8642, la SUTEL se constituye como una instancia que ingresa en una dinámica triangular, en la que concurren los operadores y proveedores de los servicios de telecomunicación, a quienes regula, fiscaliza y controla en lo referente al cumplimiento de los deberes y obligaciones asociados a esa condición y además, tutela los derechos de los usuarios de estos servicios. Esto hace surgir niveles de relaciones diversas que se presentan entre SUTEL-operadores (y proveedores), SUTEL-usuarios, y el control de las relaciones entre operador-usuario, operador-operador, a fin de que se satisfagan debidamente los principios impuestos por el ordinal 3 de la Ley No. 9462 (universalidad, solidaridad, beneficio al usuario, transparencia, publicidad, competencia efectiva, no discriminación, neutralidad tecnológica, optimización de recursos, privacidad de información y sostenibilidad ambiental). (...)”. En este sentido, debe señalarse que las medidas de ciberseguridad forman parte de los mecanismos regulatorios en materia de telecomunicaciones para resguardar el uso y explotación segura de las redes por parte de los operadores. Por lo anterior, no es un tema que resulta ajeno o aislado a la protección de la intimidad, privacidad y secreto de las comunicaciones, sino que se constituye en un mecanismo que responde a la evolución propia de la tecnología utilizable para su prestación, por lo que la adhesión y referencia a marcos reconocidos internacionalmente, así como lo establecido en el Reglamento en estudio proporcionan una base sólida para asegurar que los operadores cumplan efectivamente con esta responsabilidad. Puede verse que el anteproyecto del Reglamento fue de conocimiento de las Autoridades Sectoriales designadas por el propio legislador, atendiendo además la materia para la que precisamente fueron creadas, es decir el Reglamento no se extrapola con respecto a competencias reservadas exclusivamente a la ley. Para finalizar, la Sala Primera de la Corte Suprema de Justicia en reiteradas ocasiones ha dicho que, la nulidad, como sanción o como consecuencia lógica de la inobservancia de formas del procedimiento, no se aplica en forma irrestricta, es así como la Resolución Nº 02769-2020, de las 09 horas 50 minutos de fecha 24 de noviembre de 2020 manifiesta en lo conducente:“(...) Más bien procede sólo cuando no sea posible enmendar un defecto y este cause indefensión imposible de subsanar, de ahí que no proceda la nulidad por la nulidad misma. (Véase, entre otras, las resoluciones No. 848 de las 9 horas del 31 de julio de 2015 y No. 950 de las 9 horas 45 minutos del 17 de agosto de 2017). (...) No debe perderse de vista, las normas procesales son instrumentales al derecho sustantivo, y en esa línea de pensamiento deben entenderse como medios para concretar el derecho constitucional a la justicia pronta y cumplida. No pueden, entonces, interpretarse con tal rigidez, en abandono de esa instrumentalidad, tornándolas en fines últimos y en obstáculo para la decisión que demandan los justiciables. Las nulidades no tienen como fin enmendar yerros formales per se, sino subsanar los perjuicios derivados de aquellos, de ahí que no haya nulidad si la desviación no tuvo trascendencia en garantías esenciales de las partes. (...)”. (El resaltado es propio) Por último, el Poder Ejecutivo en ejercicio de las funciones conferidas en esta materia especialísima emite el presente Reglamento con los insumos aportados por la Superintendencia de Telecomunicaciones como regulador del Sector y Autoridad Sectorial en la rama de competencia, atendiendo a criterios objetivos de oportunidad, dado que de haber prolongado estas acciones podría haber trasladado riesgos al administrado y así incurrir en responsabilidad que luego podría derivar en demandas cuantiosas contra el Estado. Esto en un nivel local, sin perjuicio de que la inactividad pudiese significar un menoscabo a la imagen del país a nivel internacional. H. SOBRE LA SUJECIÓN DEL PRINCIPIO DE FLEXIBILIDAD EN LAS OPCIONES TECNOLÓGICAS Y EL PRINCIPIO RECTOR SECTORIAL DE NEUTRALIDAD TECNOLÓGICA A LOS INTERESES LEGÍTIMOS DE LA POLÍTICA PÚBLICA Y A ESTÁNDARES COMUNES Y GARANTIZADOS. El principio de flexibilidad en las opciones tecnológicas (neutralidad tecnológica) surge en el marco del proceso de apertura comercial del sector telecomunicaciones, como parte de los “IV. Principios Regulatorios aprobados en el Anexo 13 de los “Compromisos Específicos de Costa Rica en Materia de Servicios de Telecomunicaciones” del Tratado de Libre Comercio República Dominicana- Centroamérica - Estados Unidos (TLC) Ley N° 8622. De dicho principio regulatorio se desprende que en materia de telecomunicaciones los operadores y proveedores de servicios disponibles al público, gozan efectivamente de la flexibilidad para escoger las tecnologías que prefieran para operar las redes públicas y suministrar sus servicios, por ejemplo para prestar servicios de Telecomunicaciones Móviles Internacionales conocidas como IMT por sus siglas en inglés (en cualquiera de sus generaciones técnicamente disponibles), siempre y cuando, se satisfagan los intereses legítimos de política pública. En este ámbito es importante señalar que la política pública en materia de telecomunicaciones se define a través del Plan Nacional de Desarrollo de las Telecomunicaciones (PNDT) 2022-2027 “Costa Rica: Hacia la disrupción digital inclusiva”, el cual fue aprobado por el Poder Ejecutivo mediante Decreto Ejecutivo N° 43843-MICITT publicado en el Diario Oficial La Gaceta N°5 de fecha 13 de enero de 2023, previa celebración durante el año 2022 de un proceso participativo mediante la realización de talleres y sesiones de trabajo abiertas en múltiples áreas de las telecomunicaciones, en el que pudieron concurrir libremente representantes de la sociedad civil, los diversos sectores del país, con inclusión de los operadores y proveedores de servicios de telecomunicaciones, proveedores de servicios de información, representantes de redes sociales, entre otros, quienes pudieron expresar y compartir su visión sobre el futuro del Sector telecomunicaciones, hasta el año 2027. Por lo cual, la política pública para la operación de redes y la prestación de servicios de telecomunicaciones está plasmada en Plan Nacional de Desarrollo de las Telecomunicaciones (PNDT) 2022-2027 “Costa Rica: Hacia la disrupción digital inclusiva”, con el objetivo de marcar el desarrollo del sector desde la perspectiva de la política pública sectorial, que permita durante los próximos años atender los retos y desafíos de las telecomunicaciones. Debe de subrayarse que en su sección “3.3.3.3 Estrategia Nacional de Ciberseguridad Costa Rica” el PNDT 2022-2027 señala que “La estrategia en materia de ciberseguridad data de 2017 y procura la búsqueda de acciones conducentes al aseguramiento de datos y la protección en línea en diferentes aspectos, considera a la persona como prioridad, el respeto a los derechos humanos y la privacidad, la coordinación con múltiples partes interesadas y la cooperación internacional.” Además, el PNDT señala que “en materia de seguridad cibernética y los retos que esto representa para las diferentes poblaciones, desde las infraestructuras críticas, los servicios en línea, servicios financieros, las MIPYMES, las poblaciones en condición de vulnerabilidad, entre otros, para las que se debe considerar transversalmente el tema en los ejes de la planificación sectorial con visión al 2027.” En esta línea en su sección “3.3.4 Síntesis de los instrumentos publicados asociados al PNDT” añade que “hay diversos instrumentos en los que Costa Rica ha formulado directrices y líneas de acción para la atención de problemas de interés público en temas relacionados al sector de telecomunicaciones, tales como: infraestructura, espectro radioeléctrico y televisión digital; poblaciones específicas en el área de TIC; ciencia, innovación y tecnología, economía digital, transformación digital y ciberseguridad; (...)”. Se complementa lo anterior precisando que conforme al Índice Global de Ciberseguridad (IGC), que es una iniciativa de la Unión Internacional de Telecomunicaciones establecida con el objetivo de medir el compromiso de los países sobre la ciberseguridad y ayudarles a identificar áreas de mejora, la posición de Costa Rica en relación a los países miembros de la OCDE, es el penúltimo en la lista (posición 37 de 38), únicamente superando a Colombia. A partir de ello, y procurando materializar los objetivos establecidos para nuestro país desde la política pública es que se aprueba el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, el cual forma parte de las medidas técnicas de ciberseguridad para garantizar el uso y la explotación segura de las redes y con resguardo de la privacidad de las personas. Esta normativa se orienta a la satisfacción de un conjunto de derechos fundamentales e intereses legítimos de los usuarios finales de los servicios de telecomunicaciones. Colectividad que está conformada por quienes accedemos diariamente a estos servicios y que tenemos el derecho a que nos garantice una prestación segura en cuanto a la privacidad y confidencialidad de la información, el secreto de las comunicaciones y la protección de los datos personales de toda naturaleza. De este modo, debe existir total claridad de que la ciberseguridad en materia de telecomunicaciones está definida desde la política pública y los instrumentos normativos que la conforman como el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, así como cualquier otro instrumento normativo, plan o estrategia que se apruebe para la satisfacción de los intereses legítimos y derechos subjetivos protegidos en la privacidad y confidencialidad de los datos personales y las comunicaciones, conforme con el principio regulatorio de Flexibilidad en las opciones tecnológicas (neutralidad tecnológica) establecido en el CAFTA, y es por ende, un asunto que nos interesa a todos como usuarios finales y destinatarios de estos derechos. Por su parte, desde la óptica técnica quisiera dejar muy claro que la emisión del “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT: •No prohíbe ni obliga al uso de ninguna tecnología específica, como pueden ser las tecnologías móviles de quinta generación, sino que establece unos requisitos mínimos de seguridad que deben cumplir todos los operadores de redes móviles de telecomunicaciones que decidan implementar redes de quinta generación o superiores. Estos requisitos consideran el Convenio de Budapest sobre la Ciberdelincuencia y una serie de estándares relativos a la seguridad de la información, de manera que el reglamento busca garantizar que los operadores puedan confiar en la integridad, disponibilidad y confidencialidad de sus redes y servicios, y que los usuarios puedan disfrutar de los beneficios de la 5G sin riesgos para su privacidad, seguridad o derechos humanos. •No limita la competencia ni la innovación en el mercado de la 5G, sino que promueve un nivel de juego equitativo para todos los proveedores, independientemente de su origen o tamaño. Al exigir que los proveedores estén sujetos a un marco legal que respete los principios del Convenio de Budapest, así como los demás estándares destacados en el reglamento, éste evita que se produzcan ventajas competitivas desleales o distorsiones del mercado por parte de aquellos proveedores que puedan eventualmente operar bajo normativas más laxas o incompatibles con las requeridas por el Decreto de referencia. El reglamento también fomenta la diversidad y la interoperabilidad de las tecnologías y plataformas para el despliegue de sistemas IMT-2020, incluyendo 5G y superiores, al permitir que los operadores puedan elegir entre una variedad de proveedores confiables de equipamiento, que cumplan con los requisitos de seguridad establecidos. • No viola el principio de neutralidad tecnológica, sino que lo respeta y lo refuerza. La neutralidad tecnológica implica que el gobierno no debe favorecer ni discriminar a ninguna tecnología o plataforma específica en la provisión de servicios de comunicaciones. El reglamento no hace ninguna distinción entre las diferentes tecnologías o plataformas para el despliegue de sistemas IMT2020, incluyendo 5G y superiores, sino que se aplica por igual a todas ellas. El reglamento tampoco impone ninguna restricción al acceso o uso de esas redes o servicios móviles innovadores por parte de los usuarios, sino que garantiza que estos puedan ejercer su libertad de expresión, información y comunicación a través de redes y medios de comunicación seguros. Finalmente, en relación con este principio sectorial de flexibilidad en las opciones tecnológicas, se considera fundamental citar la comparecencia del señor Sergio Ortíz Pérez como representante de la Asociación Sindical Costarricense de Telecomunicaciones y Electricidad (ACOTEL) ante la Comisión de Asuntos Internacionales y Comercio Internacional de la Asamblea Legislativa, celebrada en fecha 06 de diciembre de 2023, la cual ha formado parte del escrutinio de tal Poder de la República en el ejercicio de sus facultades de control político al Poder Ejecutivo. De esta forma el señor Ortíz manifestó: “Este asunto del Decreto que versa sobre la ciberseguridad de cara al desarrollo de la tecnología 5G en el país, actualmente pues como ustedes saben es objeto de análisis tanto de esta Comisión como de la propia Sala Constitucional, que atiende una acción de inconstitucionalidad planteada por la empresa Huawei por lo que estamos ante un panorama que no es solo un análisis y debate, legal y político que está bien, sino que también es necesario para que se aclaren estos distintos de la motivación y consecuencias que pudo haber tenido este Decreto (...) Sobre este Reglamento existen una serie de motivaciones que viéndolas desde una manera objetiva son necesarias para un mundo globalizado y los retos a nivel de ciberseguridad no solo deben ser técnicos, sino también administrativos, normativos y políticos, en dado caso de que este Reglamento o Decreto se declare inconstitucional en parte o totalmente, se debería estar pensando ya en otras herramientas que nos brinde y obliguen a los apoyos entre los Gobiernos del mundo para cooperación multilateral en caso de detectarse violaciones a nuestras redes a partir de vulneraciones de los equipos que pertenecen a fabricantes específicos. (...) a lo interno del ICE donde este Decreto aunque ustedes no lo crean vendría a propiciar que en el ICE exista realmente neutralidad tecnológica de una empresa como es el ICE que es una empresa de telecomunicaciones que lo necesita como mejores prácticas, pero también vendría este Decreto a frenar posibles casos de corrupción generados desde hace muchos años por la dependencia entre el ICE y por ejemplo la empresa Huawei. En el ICE hoy en día no existe neutralidad tecnológica ya que Huawei y sus equipos ejercen prácticamente un monopolio en nuestra red esto debido a que posee presencia en 8 de los 10 componentes más importantes del sistema de Telecomunicaciones del ICE, a saber la red de transporte, plataforma de televisión, sistema de acceso fijo, red de acceso móvil 3G, 4G, terminales móviles, data center, core móvil de 3G, 4G y plataformas de voz sobre IP (...) Por ende es correcto preguntarse ¿dónde está la neutralidad tecnológica a lo interno del ICE por la que algunos o muchos están abogando?. La dependencia de un solo fabricante en el ICE que se incrementa a través de los años, lastimosamente también ha traído pérdidas multimillonarias para el ICE y ganancias multimillonarias para Huawei y por ello es que insisto en que este Decreto irónicamente también frenaría esta relación ruinosa para el ICE y que generaría, y que genera posible corrupción.(...)” (El resaltado es propio) El empleo de ese control político que ha llevado a cabo la Asamblea Legislativa, ha dado como resultado el poder afirmar que el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT se constituye en una herramienta fundamental para el ejercicio de la neutralidad tecnológica. I. INTRODUCCIÓN A LAS MEDIDAS Y PARÁMETROS ALUSIVOS A LA GESTIÓN DE RIESGOS REGULADAS EN EL DECRETO EJECUTIVO N.º 44196-MSPMICITT “REGLAMENTO SOBRE MEDIDAS DE CIBERSEGURIDAD APLICABLES A LOS SERVICIOS DE TELECOMUNICACIONES BASADOS EN LA TECNOLOGÍA DE QUINTA GENERACIÓN MÓVIL (5G) Y SUPERIORES”. Sobre el particular, resulta de mérito contextualizar, que el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, contiene un total de quince artículos. Puntualmente su artículo 1 establece como objeto: “Artículo 1º-Objeto. El presente reglamento tiene por objeto establecer medidas de ciberseguridad para garantizar el uso y la explotación segura y con resguardo de la privacidad de las personas, de las redes y los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores”. Como bien se ha plasmado en el articulado de dicho cuerpo reglamentario y de lo desarrollado en el presente informe, el Decreto lo que regula son medidas de ciberseguridad inspiradas en las mejores prácticas y estándares internacionales, para salvaguardar la seguridad y la privacidad de las personas usuarias de las redes y los servicios de telecomunicaciones. Continúa indicando dicho Decreto en el numeral 2, el ámbito de aplicación de la gestión y mitigación de riesgos contemplada para las redes y los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G), a saber: “Artículo 2º-Ámbito de aplicación. Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones. En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores”. Resulta de mérito realizar una serie de precisiones con respecto a la cobertura indicada en el numeral de cita. Como punto inicial, el artículo advierte en su primer párrafo que las medidas de seguridad contempladas en dicha normativa y todas las actuaciones aplicables para el manejo de gestión de riesgos resultan de carácter obligatorio y vinculante para todas aquellas personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras que posean un título habilitante para la operación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores. Ahora bien, el supuesto que regula el párrafo segundo resulta de aplicación para una primera etapa del ciclo de la contratación pública, que es precisamente ante el concurso donde los potenciales oferentes deben de construir su oferta técnica tomando en consideración las medidas de seguridad y gestión de riesgos que les serán de carácter vinculante y obligatorio en caso de resultar beneficiados con una adjudicación. En ese sentido, se reservó bajo responsabilidad de la Administración promovente del concurso, adecuar bajo su potestad discrecional el requisito a consignar en el pliego de condiciones, mediante el cual verificará que dichos oferentes conocen los alcances de dicha normativa necesarios para planificar, diseñar e implementar su oferta técnica. Lo anterior previendo que a posteriori, - conforme se lee del párrafo tercero-, en una etapa de ejecución y fiscalización el contratista seleccionado posea pleno conocimiento de las condiciones y términos que serán verificadas para la operación segura de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, y así no colocarle en una posición de indefensión al desconocer las obligaciones que le serán fiscalizadas durante la ejecución del servicio. Lo anterior incluso obedece a la máxima de la sana inversión de los fondos públicos, toda vez que la Administración Pública no sólo debe promover los concursos para asegurar la prestación eficiente de cara a la la satisfacción del interés público, sino que la conducta administrativa incluso debe ser diligente en asegurar que la selección no solo refleje al oferente más idóneo sino que se trate de además un objeto ejecutable en forma segura y apegada al bloque de legalidad y ciberseguridad. En esta línea, se consideró que la previsión estimada en el párrafo segundo obedece al debido resguardo de bienes jurídicos tutelados superiores como lo son la dignidad humana, la intimidad y la seguridad. Es aquí donde el principio de la autonomía de la voluntad de los particulares encuentra su límite para pretender explotar tales bienes demaniales, pues cualquier operador de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores está obligado a respetar las medidas técnicas reglamentarias fijadas por el Poder Ejecutivo. Por lo antes examinado, el artículo de cita debe de interpretarse en su integralidad, en el sentido de que es el operador de redes y servicios mediante tecnología 5G quien estará obligado en sentido estricto a cumplir con la adopción de estándares y análisis de riesgos toda vez que se trata de un servicio en carácter activo, mientras que el potencial oferente lo que está es obligado a prever, que en caso de adjudicación, le corresponderá atender y efectuar tales medidas para garantizar la seguridad de sus redes. Ahora bien, se aprecia en el Capítulo II, artículo 4 denominado “Riesgos Nacionales de Ciberseguridad en Redes 5G y Superiores”, los escenarios de riesgo en materia de ciberseguridad y que han sido identificados y agrupados según las recomendaciones y experiencia de la comunidad internacional, en concreto la Unión Europea, como puede verse del Informe N° MICITT-DGDCFD-INF-011-2023/ MICITT-DERRT-INF-0072023/ MICITT-DCNT-INF-011-2023. En este orden de ideas, continúa indicando el Reglamento de marras en sus artículos 6 y 7 la necesidad de que los sujetos comprendidos en el ámbito de aplicación de la norma, adopten una serie de estándares y un análisis de riesgos de las redes que operan, para determinar si alguno de los elementos de la red califica bajo los parámetros de riesgo alto dimensionados en el numeral 10, y por tanto deben ser atendidos bajo el debido proceso que dispone el artículo 11. Ahora bien, dado que este Ministerio posee conocimiento de que la empresa [Nombre 002] ha alegado que los estándares y parámetros de riesgo regulados en el presente Decreto infringen el principio constitucional de razonabilidad técnica, es que se expondrá a continuación el ejercicio realizado por parte de esta cartera, en cuanto a la definición de los parámetros en discusión. Puntualmente, se puede determinar la razonabilidad de la regulación establecida en el artículo 10 del Decreto Ejecutivo Nº 44196-MSP-MICITT, bajo los criterios determinados por la Sala Constitucional en resoluciones 03933-98 de las 9:59 del 12 de junio de 1998 y 08858-98 de las 16:33 del 15 de diciembre de 1998, con base en las siguientes consideraciones que versan específicamente sobre los artículos 6 y 10 respectivamente. A continuación se desarrolla el análisis de razonabilidad técnica de los parámetros de riesgos regulados en el artículo 4 del Decreto Ejecutivo Nº 44196-MSP-MICITT: I. Escenarios de riesgo relacionados con medidas de seguridad insuficientes - R1 Fallos de configuración de las redes. Se fundamenta bajo el parámetro de necesidad, por cuanto en el actual panorama cibernético, donde las amenazas evolucionan constantemente, es crucial reconocer y prepararse para los riesgos asociados con medidas de seguridad inadecuadas y fallos de configuración de redes. Estos escenarios pueden llevar a brechas de seguridad, pérdida de datos y acceso no autorizado, lo que subraya la necesidad de identificar y abordar proactivamente estos riesgos para proteger los activos de información críticos. Los escenarios de riesgo derivados de medidas de seguridad inadecuadas o fallos de configuración pueden resultar en vulnerabilidades significativas. La identificación y mitigación de estos riesgos requieren un enfoque técnico riguroso, incluyendo revisiones de configuración, auditorías de seguridad y la implementación de controles técnicos adecuados. La inclusión de estos escenarios es idónea, adecuada y relevante, dado que las configuraciones incorrectas y las deficiencias en las medidas de seguridad son causas comunes de incidentes de seguridad. Reconocer estos riesgos permite a las organizaciones tomar medidas específicas para reforzar sus defensas y ajustar sus configuraciones de red, alineando estas acciones con las mejores prácticas y estándares de la industria. La gravedad y la frecuencia potencial de incidentes derivados de medidas de seguridad insuficientes o fallos de configuración justifican la atención a estos escenarios, por tanto, se cumple con un criterio de proporcionalidad en sentido estricto el señalar la previsión de este riesgo. La inversión en la identificación y mitigación de estos riesgos es proporcional a los costos asociados con un incidente de seguridad, incluyendo daños financieros, legales y reputacionales. En cuanto a su legitimidad, desde una perspectiva legal, abordar estos riesgos no solo es una práctica recomendada, sino que en muchos casos es un requisito reglamentario. Las regulaciones de protección de datos y ciberseguridad a menudo exigen que las organizaciones tomen medidas razonables para proteger la información, lo que incluye garantizar configuraciones de red adecuadas y medidas de seguridad efectivas.- R2 Controles de acceso insuficientes. En el ámbito de la ciberseguridad, el control de acceso cumple con un criterio de necesidad para proteger los activos de información de accesos no autorizados, manipulaciones o robos. La falta de controles de acceso adecuados es una vulnerabilidad significativa que puede llevar a brechas de seguridad, pérdida de datos confidenciales y otros incidentes de seguridad. Por lo tanto, es necesario identificar y abordar estos riesgos para asegurar la integridad, confidencialidad y disponibilidad de la información. Es esencial implementar soluciones de seguridad robustas como la defensa en profundidad que aplica diferentes tipos de controles como autenticación multifactor, zero trust, gestión de privilegios y segmentación de red, entre otros, para mitigar este riesgo. Estas medidas técnicas son vitales para prevenir el acceso no autorizado y garantizar que solo los usuarios legítimos tengan acceso a los recursos necesarios. La evaluación de riesgos relacionados con controles de acceso insuficientes es idónea, adecuada y pertinente dado que el acceso no autorizado es una de las formas más comunes y dañinas de ataque cibernético. Abordar estos escenarios permite a las organizaciones establecer medidas específicas para fortalecer la autenticación, la autorización y la gestión de identidades. La inversión en mejorar los controles de acceso es proporcional a los beneficios obtenidos en términos de seguridad mejorada. Los costos asociados con la implementación de controles de acceso más robustos son menores en comparación con los potenciales daños financieros, legales y de reputación que pueden resultar de un incidente de seguridad causado por controles de acceso deficientes. Garantizar controles de acceso adecuados es un requisito que cumple con un criterio de legitimidad al estar presente en muchas regulaciones de protección de datos y ciberseguridad. La falta de controles de acceso adecuados puede llevar a incumplimientos legales y sanciones. Por lo tanto, su inclusión en la gestión de riesgos de ciberseguridad es no sólo una práctica recomendada, sino también un requisito legal en muchos contextos. II. Escenarios de riesgo relacionados con la cadena de suministro de la 5G. - R3: Productos de baja calidad. Se justifica su necesidad ya que las redes 5G son infraestructuras críticas que soportan una amplia gama de aplicaciones y servicios esenciales. Los productos de baja calidad pueden introducir vulnerabilidades significativas en estas redes, lo que podría resultar en graves brechas de seguridad, interrupciones del servicio y compromiso de datos. Es necesario identificar y mitigar estos riesgos para mantener la integridad, seguridad y confiabilidad de la red 5G. Los productos de baja calidad pueden afectar el desempeño y la seguridad de la red 5G. Pueden ser más susceptibles a vulnerabilidades, no estar optimizados para el rendimiento de alta velocidad de 5G, o ser incompatibles con otros componentes de la red, por lo que es importante incluir estos escenarios en la evaluación de riesgos. La evaluación de riesgos relacionados con productos de baja calidad en la cadena de suministro de 5G es idónea y adecuada dada la complejidad y la naturaleza crítica de estas redes. La identificación proactiva y la gestión de tales riesgos son fundamentales para garantizar que los componentes y sistemas de 5G cumplan con los estándares de seguridad y rendimiento requeridos. La inversión en la identificación y mitigación de riesgos asociados con productos de baja calidad es proporcional a los potenciales daños que pueden causar. Estos riesgos no solo tienen implicaciones de seguridad cibernética, sino también consecuencias económicas y legales, lo que justifica la necesidad de un control riguroso y una evaluación detallada de la cadena de suministro de 5G. Se reafirma la legitimidad de precisar el riesgo señalado, por cuanto desde un punto de vista legal, garantizar la calidad de los productos en la cadena de suministro de 5G es esencial para cumplir con las regulaciones y estándares de seguridad. Muchas jurisdicciones imponen requisitos legales y normativos estrictos sobre la seguridad de las infraestructuras críticas, lo que incluye la cadena de suministro de 5G. - R4: Dependencia de un único suministrador en determinadas redes o falta de diversidad a nivel nacional, cuando este se encarga de configurar e integrar todos los equipos activos y software de la solución, o si la red está compuesta por equipos activos y software de un único fabricante Se justifica bajo un parámetro de necesidad, para reducir el riesgo de punto único de falla. Depender de un único suministrador aumenta significativamente el riesgo de un punto único de falla en la red. Si este suministrador experimenta problemas, como fallos de seguridad, problemas técnicos, o interrupciones del servicio, todo el sistema podría verse comprometido. Identificar y gestionar este riesgo es crucial para garantizar la resiliencia y continuidad operativa. Técnicamente, depender de un solo suministrador puede limitar la capacidad de una red para adaptarse a nuevos desafíos de seguridad y evolucionar tecnológicamente. La diversificación permite una mayor flexibilidad y adaptabilidad, así como la posibilidad de implementar distintas capas de seguridad y enfoques de resiliencia. Como criterio de idoneidad para la Gestión de Riesgos de Ciberseguridad, la inclusión de este riesgo es adecuada ya que aborda directamente uno de los desafíos clave en la gestión de riesgos de ciberseguridad: la diversificación y redundancia de los proveedores. Evaluar la dependencia de un único suministrador permite a las organizaciones tomar medidas para diversificar sus proveedores y reducir la vulnerabilidad a incidentes aislados. Como parámetro de proporcionalidad frente a los riesgos potenciales, la diversificación de suministradores puede requerir más inversión inicial y esfuerzo de gestión, pero es proporcional al riesgo potencial que se mitiga. Un incidente que afecte a un suministrador único podría tener consecuencias devastadoras, tanto en términos de seguridad como de operatividad, justificando así la necesidad de múltiples proveedores. La previsión cumple con un criterio de legitimidad en el contexto de Seguridad Nacional y Regulaciones ya que desde una perspectiva de seguridad nacional y cumplimiento normativo, la dependencia de un único suministrador puede ser problemática, especialmente si involucra infraestructuras críticas. Diversificar los suministradores es una medida necesaria para disminuir los riesgos y esto es un enfoque de seguridad en capas o defensa en profundidad y resiliencia cibernética. Considerar los riesgos asociados con la dependencia de un único suministrador es una decisión prudente y justificada en ciberseguridad. Aborda una necesidad crítica de resiliencia, es adecuada para una gestión de riesgos efectiva, es proporcional a los peligros que se pretenden mitigar, cumple con consideraciones de seguridad nacional, y se alinea con las mejores prácticas para disminuir el riesgo de concentrar todo en un único proveedor. III. Escenarios de riesgo relacionados con el modus operandi de los principales agentes de riesgo - R5: Intromisiones por parte de Estados a través de la cadena de suministro de la 5G, cuando esto pueda comprometer la seguridad, disponibilidad, integridad y privacidad de la información. En la era de la tecnología 5G, que promete una conectividad masiva y de alta velocidad, la seguridad de la cadena de suministro es crítica. Las intromisiones estatales pueden representar amenazas significativas, como la inserción de puertas traseras o la manipulación de equipos y software, lo que puede comprometer la seguridad nacional y la protección de datos sensibles. Por lo tanto, cumple con el criterio de ser necesario para identificar y mitigar estos riesgos para garantizar la integridad de las redes 5G. Técnicamente, la protección contra la intromisión estatal requiere medidas sofisticadas, como la revisión y validación de la seguridad del hardware y software, la supervisión continua de la red y la implementación de controles de seguridad robustos. Estas medidas técnicas son necesarias para detectar y mitigar cualquier actividad maliciosa que pueda comprometer la red 5G. La evaluación de estos riesgos es idónea y adecuada, ya que aborda uno de los desafíos más complejos y críticos en la ciberseguridad actual. La cadena de suministro de 5G involucra múltiples actores y componentes, y cualquier vulnerabilidad introducida por un Estado podría tener implicaciones devastadoras. Por lo tanto, es adecuado y esencial considerar estos riesgos en cualquier estrategia de ciberseguridad. Dada la potencial gravedad de las intromisiones estatales en la cadena de suministro de 5G, las medidas adoptadas para prevenir o mitigar estos riesgos son proporcionales. La protección contra tales amenazas puede requerir inversiones significativas en seguridad, pero estos costos son justificados en comparación con los posibles daños a la infraestructura crítica, la economía y la privacidad de los datos. Como criterio de legitimidad en el prever este riesgo, debe indicarse que muchas jurisdicciones están implementando regulaciones para proteger las infraestructuras críticas, incluyendo las redes 5G, de posibles intromisiones estatales. Estas regulaciones reconocen la legitimidad de abordar estos riesgos, y las organizaciones tienen la responsabilidad legal de proteger sus redes y datos. - R6: Aprovechamiento de las redes 5G por parte de grupos de delincuentes organizados para atacar a usuarios finales. Con la implementación de las redes 5G, que ofrecen mayor velocidad y capacidad de conexión, surge un aumento en el número y la sofisticación de los vectores de ataque disponibles para los delincuentes organizados. Estos grupos pueden explotar vulnerabilidades en las redes 5G para atacar a usuarios finales, lo que hace necesario identificar y mitigar estos riesgos para proteger tanto la red como a sus usuarios. La implementación de tecnologías avanzadas de detección y prevención de intrusiones, la gestión de la seguridad en la interfaz de radio y la protección de la privacidad y los datos del usuario, todo lo cual es crucial para contrarrestar los esfuerzos de los grupos delictivos organizados. La evaluación y mitigación de estos riesgos cumple el criterio de idoneidad debido a la naturaleza inherente y las capacidades avanzadas de las redes 5G. Estas redes facilitan una mayor interconexión de dispositivos y servicios, ampliando el alcance y el impacto potencial de los ataques. Por tanto, es apropiado centrarse en estas amenazas específicas para garantizar una seguridad integral de la red. Las medidas adoptadas para abordar los riesgos de ataques por parte de delincuentes organizados son proporcionales a la amenaza que representan. Estos grupos pueden llevar a cabo ataques devastadores, como el robo masivo de datos, la interrupción de servicios críticos y la implementación de ransomware, justificando así una inversión significativa en medidas de seguridad. Abordar estos riesgos es un aspecto legítimo y a menudo necesario de la gestión de la seguridad de las redes 5G. Muchas legislaciones nacionales e internacionales requieren que los proveedores de servicios y las empresas tomen medidas razonables para proteger las redes y los datos contra actividades delictivas, lo que incluye amenazas de delincuentes organizados. IV. Escenarios de riesgo relacionados con las interdependencias entre las redes 5G y otros sistemas críticos - R7: Daños significativos a infraestructuras o servicios críticos. Las infraestructuras y servicios críticos, como redes eléctricas, sistemas de salud, servicios financieros y de comunicaciones, son esenciales para el funcionamiento de la sociedad. Un ataque exitoso a estas infraestructuras puede tener consecuencias devastadoras, incluyendo la interrupción de servicios vitales, daños económicos significativos y, en casos extremos, poner en peligro vidas humanas. Por lo tanto, es imperativo y se cumple con el criterio de necesidad, al identificar y abordar proactivamente estos riesgos para garantizar la continuidad y la resiliencia de estos servicios esenciales. La inclusión de estos riesgos es idónea, adecuada y relevante, dada la creciente sofisticación y frecuencia de los ataques cibernéticos dirigidos a infraestructuras críticas. Las técnicas y tácticas de los ciberdelincuentes están evolucionando constantemente, lo que hace que la protección de estas infraestructuras sea un desafío continuo y dinámico que debe abordarse de manera integral y específica. Las medidas de seguridad implementadas para proteger infraestructuras y servicios críticos son proporcionales a la gravedad y el impacto potencial de un incidente de seguridad. Dado el alto costo de los daños potenciales, la inversión en seguridad avanzada, controles robustos y planes de recuperación y respuesta a incidentes es justificada y necesaria. Desde un ámbito de legitimidad, la protección de infraestructuras y servicios críticos es un requisito en muchas jurisdicciones. Las leyes y regulaciones a menudo exigen a las organizaciones que implementen medidas de seguridad adecuadas para proteger contra amenazas cibernéticas, lo que valida la necesidad de incluir y abordar estos riesgos como parte de una estrategia de ciberseguridad integral. - R8: Caída general de las redes debido a la interrupción de suministro eléctrico u otros sistemas de soporte. Las redes de comunicación y datos son vitales para el funcionamiento de la sociedad moderna, y su dependencia del suministro eléctrico y otros sistemas de soporte es un factor crítico. La interrupción de estos servicios puede llevar a una caída general de las redes, resultando en pérdidas económicas significativas, interrupción de servicios esenciales, y en algunos casos, impactos en la seguridad y el bienestar de las personas. Por lo tanto, existe una necesidad de evaluar y mitigar estos riesgos para asegurar la continuidad y la resiliencia de las redes. Técnicamente, la protección contra la caída de redes implica más que solo ciberseguridad. Requiere una comprensión integral de la infraestructura de soporte y la implementación de soluciones técnicas que puedan mantener la operatividad de la red ante la pérdida de servicios críticos. Esto puede incluir la diversificación de fuentes de energía, sistemas de control y monitoreo avanzados y estrategias de redundancia. Incluir estos riesgos en la gestión de la ciberseguridad es idóneo y adecuado, ya que reconoce la naturaleza interconectada de los sistemas modernos y la importancia crítica de la infraestructura de soporte. Esto es particularmente relevante en el contexto de infraestructuras críticas, donde la falla de un sistema puede tener efectos cascada en otros. Las medidas para mitigar el riesgo de caídas de redes deben ser proporcionales al impacto potencial de tales incidentes. La inversión en sistemas de respaldo, como generadores de emergencia y sistemas de alimentación ininterrumpida (UPS), así como en la planificación de continuidad del negocio y en la redundancia de la infraestructura, son justificadas dada la importancia de mantener la operatividad de las redes. La previsión de este riesgo se fundamenta en un criterio de legitimidad. Desde un punto de vista legal y regulatorio, muchas jurisdicciones exigen a las organizaciones que tomen medidas para asegurar la resiliencia y la continuidad de sus operaciones. Esto incluye la preparación para interrupciones en el suministro eléctrico y otros servicios de soporte, lo que hace que la inclusión de estos riesgos sea legítima y en muchos casos, un requisito reglamentario. V. Escenarios de riesgo relacionados con dispositivos de los usuarios finales - R9: Utilización abusiva del Internet de las cosas, microteléfonos o dispositivos inteligentes. La proliferación de dispositivos IoT (internet de las cosas) y dispositivos inteligentes ha ampliado significativamente el panorama de amenazas cibernéticas, ya que la gran mayoría de estos dispositivos no contemplan la seguridad por diseño y esto aumenta la probabilidad de explotación de vulnerabilidades que pueden comprometer las redes de servicios esenciales. Estos dispositivos suelen estar conectados a redes y pueden ser vulnerables a explotaciones, lo que puede llevar a ataques de gran escala, compromiso de datos personales y corporativos, y utilización abusiva para fines maliciosos como redes botnet y ser utilizados para ataques de denegación de servicios distribuidos DDos. La determinación de abordar estos riesgos es necesaria para proteger tanto a individuos como a organizaciones de posibles daños. La protección de dispositivos IoT y dispositivos inteligentes implica desafíos únicos debido a su diversidad, conectividad y, en muchos casos, limitaciones de recursos. Las consideraciones técnicas incluyen la implementación de encriptación robusta, autenticación segura, segmentación de redes y capacidad para recibir actualizaciones de seguridad. Incluir estos riesgos en la evaluación y gestión de la ciberseguridad es idóneo dada la creciente integración de estos dispositivos en la vida cotidiana y en operaciones empresariales. La idoneidad se refleja en la necesidad de proteger la integridad de las redes y los datos, y de garantizar la confiabilidad y seguridad de los dispositivos conectados. Las medidas para mitigar el riesgo de utilización abusiva de dispositivos IoT y dispositivos inteligentes deben ser proporcionales a la gravedad y el impacto potencial de los incidentes. Esto incluye la implementación de seguridad en el diseño de los dispositivos, la gestión regular de actualizaciones y parches, y la educación de los usuarios finales. Estas medidas son fundamentales dada la escala potencial y la naturaleza omnipresente de los ataques que involucran dispositivos IoT. Desde una óptica de legitimidad, la protección contra el uso indebido de dispositivos IoT y dispositivos inteligentes es cada vez más una preocupación reguladora. Las leyes y regulaciones en torno a la seguridad de los datos y la ciberseguridad en general reconocen la importancia de asegurar estos dispositivos, lo que legitima la inclusión de estos riesgos en una estrategia integral de ciberseguridad. J. SOBRE LA ADOPCIÓN DE ESTÁNDARES SEGÚN EL ARTÍCULO 6 DEL DECRETO REGLAMENTARIO Nº 44196-MSP-MICITT “REGLAMENTO SOBRE MEDIDAS DE CIBERSEGURIDAD APLICABLES A LOS SERVICIOS DE TELECOMUNICACIONES BASADOS EN LA TECNOLOGÍA DE QUINTA GENERACIÓN MÓVIL (5G) Y SUPERIORES”. Los estándares a adoptar son necesarios porque brindan una guía y buenas prácticas que se deben aplicar o implementar en las plataformas tecnológicas para minimizar los riesgos de seguridad que puedan presentarse. De lo contrario, la falta de cumplimiento de los estándares puede ocasionar o llevar a deficiencias en la protección de la confidencialidad, integridad y disponibilidad de la información, que son los pilares de la ciberseguridad. Se debe tomar en cuenta que los estándares de ciberseguridad, como cualquier otro estándar, es un proceso detallado que involucra múltiples etapas y la participación de expertos del área de varios países y organizaciones con el fin de brindar una guía de buenas prácticas, políticas y procedimientos para disminuir los riesgos de seguridad en plataformas tecnológicas y combatir las amenazas crecientes en el ciberespacio. Cabe mencionar que la lista incluida en el decreto no es exhaustiva, por lo que se espera que estos estándares se cumplan de manera complementaria con otros estándares comunes para la industria y aplicables a redes 5G, como los señalados por la Superintendencia de Telecomunicaciones (Sutel) y otros actores en el caso del estándar 3GPP (Third Generation Partnership Project) y NESA (National Electronic Security Authority). A continuación se desarrolla la importancia y razonabilidad técnica y jurídica de cada uno de los estándares regulados en el Reglamento. a) Sobre el estándar SCS-9001. Incorporar estándares de ciberseguridad es esencial para establecer un marco sólido y coherente que garantice la protección efectiva de sus activos de información. Estos estándares proporcionan pautas probadas y reconocidas internacionalmente para la prevención, detección y respuesta a amenazas cibernéticas, asegurando así la confidencialidad, integridad y disponibilidad de los datos. Además, el cumplimiento de estándares de ciberseguridad no solo mejora la postura de seguridad de una organización frente a las amenazas cada vez más sofisticadas, sino que también fortalece la confianza, y asegura la conformidad con regulaciones legales y requisitos de cumplimiento, lo cual es vital en el panorama digital actual altamente interconectado y regulado. El estándar SCS 9001 es un estándar basado en procesos centrado en la seguridad de la cadena de suministro para la industria mundial de las TIC, se desarrolló activamente durante aproximadamente dos años durante 2020 y 2021 por QuEST Forum, comunidad de mejora del rendimiento empresarial dentro de TIA (Telecommunications Industry Association). TIA QuEST Forum sigue los procedimientos y lineamientos de desarrollo de estándares internacionales. Por lo cual TIA QuEST Forum siguió el proceso riguroso y bien estructurado para la publicación del estándar SCS 9001, para asegurar que sea global, relevante y de alta calidad. Este proceso involucró a expertos de seguridad del campo, diferentes organizaciones y fabricantes del sector que trabajaron para el desarrollo del estándar SCS 9001, por lo tanto, no se puede considerar este estándar como inmaduro, ya que su desarrollo y publicación han cumplido con los requisitos y lineamientos exigidos por cualquier estándar ISO, un proceso que requirió su debido tiempo. Además, es importante destacar que este estándar responde a una necesidad creciente en el sector, garantizando la aplicación de medidas de seguridad para minimizar un riesgo que está en aumento en la cadena de suministro como lo apunta el informe de Gartner y ENISA. El SCS 9001 es un estándar global más completo de ciberseguridad y seguridad de la cadena de suministro, adaptable a cualquier tipo de red de comunicaciones en todas las industrias y sectores. Las amenazas cibernéticas están en constante evolución, como lo evidencia el informe de la Agencia de la Unión Europea para la Ciberseguridad (ENISA), entidad establecida por la Unión Europea (UE) con el objetivo de mejorar la ciberseguridad en toda la región, sobre "Amenazas Cibernéticas hacia 2030" en el cual el ataque a la cadena de suministro estará en el en el primer lugar de los ciberataques. Hay que destacar el dinamismo y la sofisticación creciente de estos riesgos. Ante este panorama cambiante, la implementación de estándares como SCS 9001 se hace imprescindible, especialmente para abordar la seguridad en la cadena de suministro. Este estándar específico responde a la necesidad de adaptarse a las amenazas emergentes y crecientes, proporcionando un marco que garantiza prácticas de seguridad robustas y coherentes en todos los eslabones de la cadena de suministro. Su adopción es crucial para proteger las infraestructuras críticas y mantener la integridad, confidencialidad y disponibilidad en la seguridad de los sistemas en un entorno de amenazas que evoluciona rápidamente. Además, el análisis de Gartner, que predice que para 2023, el riesgo cibernético se convertirá en una consideración primordial en las decisiones de compra en las cadenas de suministro. Este enfoque creciente en la seguridad cibernética refleja la necesidad de mejorar la protección entre la ciberseguridad y la cadena de suministro, destacando la importancia de adoptar estándares como SCS 9001. Este estándar responde a las amenazas cibernéticas en evolución, proporcionando un marco robusto para asegurar y proteger la cadena de suministro frente a riesgos emergentes. La adopción de SCS 9001 no solo mejora la seguridad, sino que también es un paso crucial para alinear las prácticas en la cadena de suministro con las necesidades de seguridad cibernética en constante cambio, un aspecto ahora reconocido como fundamental por líderes en la gestión de cadenas de suministro. Los controles de seguridad y protección deben cubrir todo el ciclo de vida de productos, incluida la cadena de suministro completa de software, hardware, sistemas y el rendimiento operativo de la propia organización. A continuación se ejemplifica el modelo de arquitectura del estándar SCS-9001: (…) - EJERCICIO DE RAZONABILIDAD TÉCNICA. Este estándar responde a la necesidad de adaptarse a las amenazas emergentes y crecientes, proporcionando un marco que garantiza prácticas de seguridad robustas y coherentes en todos los eslabones de la cadena de suministro. Su adopción es crucial para proteger las infraestructuras críticas y mantener la integridad, confidencialidad y disponibilidad en la seguridad de los sistemas en un entorno de amenazas que evoluciona rápidamente. El riesgo cibernético se convertirá en una consideración primordial en las decisiones de compra en las cadenas de suministro. Este enfoque creciente en la seguridad cibernética refleja la necesidad de mejorar la protección entre la ciberseguridad y la cadena de suministro, destacando la importancia de adoptar estándares como SCS 9001. La adopción de SCS 9001 no solo mejora la seguridad, sino que también es un paso crucial para alinear las prácticas en la cadena de suministro con las necesidades de seguridad cibernética en constante cambio, un aspecto ahora reconocido como fundamental por líderes en la gestión de cadenas de suministro. En cuanto a la idoneidad de prever el cumplimiento de este estándar en el Reglamento, debe indicarse que las amenazas cibernéticas a la cadena de suministro han aumentado en frecuencia y sofisticación, incluyendo ataques para comprometer el software y hardware, y la manipulación de la integridad de los productos. El SCS 9001 está específicamente diseñado para abordar estas vulnerabilidades, estableciendo un marco que refuerza la seguridad en cada eslabón de la cadena de suministro. Desde la perspectiva del análisis de riesgos, el estándar SCS 9001 responde como una medida necesaria para minimizar el riesgo de seguridad a la emergente amenaza a la cadena de suministro. Dicha contramedida reduce el riesgo porque aborda los aspectos técnicos más en detalle de los eslabones a la cadena de suministro y todos los aspectos relacionados para reducir los riesgos latentes que están en creciente evolución tal como lo demuestran organismos internacionales especializados en la materia. Sobre la proporcionalidad en sentido estricto en la determinación de la aplicación de este estándar, debe indicarse que la implementación del estándar SCS 9001 en la cadena de suministro de ciberseguridad es una medida necesaria, justificada y adecuada dada la magnitud y severidad de las amenazas actuales y proyecciones futuras de la evolución de los ataques a las cadenas de suministro. Las redes 5G, como infraestructuras críticas, son complejas y altamente interconectadas, lo que hace susceptibles a una variedad de ataques cibernéticos que pueden tener repercusiones devastadoras en servicios esenciales y en la seguridad nacional. De acuerdo a los estudios mencionados, la creciente evolución de las amenazas cibernéticas a la cadena de suministro aumenta la probabilidad de sufrir una brecha de seguridad en los elementos que participan en las cadenas de suministro. La aplicación del estándar cumple, además, con un criterio de legitimidad, por cuanto implementar estos estándares es una práctica legítima y ampliamente aceptada en la comunidad global. Estos estándares son el resultado de un amplio consenso entre expertos de seguridad, la industria y diferentes organizaciones expertas en el área, para reflejar las mejores prácticas actuales en el campo. Desde el punto de vista técnico los estándares ofrecen guías en fortalecer la cadena de suministro. El estándar parte de trabajos existentes y se alinea con iniciativas de agencias gubernamentales. Agrega requisitos cruciales que no habían sido abordados para la protección a la cadena de suministro la cual está creciendo las amenazas en este campo. La no conformidad con estos estándares significa que los productos y servicios podrían carecer de medidas de seguridad fundamentales, exponiendo a los usuarios a riesgos significativos y al país a riesgos de seguridad nacional. b) Estándares de la familia ISO. La familia de normas ISO 27000, desarrollada por la Organización Internacional de Normalización (ISO), comprende una serie de estándares enfocados en la gestión de la seguridad de la información. Estos estándares proporcionan un marco para establecer, implementar, mantener y mejorar continuamente la seguridad de la información dentro de las organizaciones. A continuación se expone el EJERCICIO DE RAZONABILIDAD TÉCNICA de los estándares ISO detallados en el artículo 6 del Reglamento: b.1. ISO 27001:2022 En cuanto a la necesidad de la implementación de este estándar, debe indicarse que en un entorno donde las amenazas cibernéticas son una realidad constante y evolutiva, la implementación de un sistema de gestión de seguridad de la información (SGSI) es más que necesaria. El ISO 27001 proporciona un marco para identificar, evaluar y gestionar riesgos de seguridad de la información, crucial para proteger datos sensibles y mantener la continuidad del negocio. El ISO 27001 aborda las necesidades técnicas relacionadas con la ciberseguridad, ofreciendo un marco para la implementación de controles efectivos y la mejora continua. Su enfoque en la evaluación de riesgos y la gestión basada en la evidencia es fundamental para adaptarse a las cambiantes amenazas cibernéticas y evoluciones tecnológicas. En cuanto a la idoneidad en el ejercicio de razonabilidad para la aplicación de este estándar, debe decirse que el ISO 27001 es ampliamente reconocido y adaptado a organizaciones de diferentes tamaños y sectores. Ofrece un enfoque sistemático y estructurado que es adecuado para gestionar de manera integral la seguridad de la información, abarcando aspectos tanto técnicos como no técnicos (legales, físicos y humanos), lo cual lo vuelve idóneo para el fin de garantizar la calidad en la operación de los sujetos indicados en el artículo 2 del Reglamento. La adopción del ISO 27001 supera un análisis de proporcionalidad en sentido estricto para los fines que pretende salvaguardar, ya que es proporcional a los riesgos y consecuencias potenciales que enfrentan las organizaciones en términos de ciberseguridad. La inversión en este estándar ayuda a prevenir incidentes de seguridad costosos y daños a la reputación, lo que puede ser mucho más oneroso que la implementación y mantenimiento del SGSI. Este se enmarca dentro del criterio de legitimidad por cuanto como estándar internacionalmente reconocido, el ISO 27001 proporciona confianza en la gestión de la seguridad de la información, demostrando el compromiso de una organización con las prácticas óptimas en ciberseguridad. Esto es fundamental para la confianza de las partes interesadas, incluyendo clientes, socios y reguladores. b.2. ISO 27002:2022 Al igual que el estándar ISO anterior, la utilización de este se encuentra cubierta por un criterio de necesidad, por cuanto en un entorno digital donde las amenazas cibernéticas son una constante, la necesidad de una gestión efectiva de la seguridad de la información es imperativa. El ISO 27002 proporciona un conjunto de controles de seguridad de la información, abordando necesidades críticas como la protección de datos confidenciales, prevención de brechas de seguridad y mitigación de ataques cibernéticos. El ISO 27002 proporciona una guía detallada para la implementación de controles de seguridad eficaces. Estos controles son fundamentales para proteger contra amenazas tecnológicas en evolución y asegurar la integridad, confidencialidad y disponibilidad de la información. Define un conjunto de buenas prácticas para la implantación del SGSI, a través de 93 controles, estructurados en 4 grandes dominios. Este estándar presenta la condición de ser idóneo para el fin del Reglamento, por cuanto este estándar es adecuado para cualquier tipo de organización, independientemente de su tamaño o sector, ya que ofrece un enfoque adaptable y extenso para la gestión de la seguridad de la información. Sus directrices abarcan desde la seguridad operativa hasta el control de accesos y la gestión de incidentes, cubriendo así una amplia gama de necesidades de seguridad. La utilización del estándar cumple con un criterio de proporcionalidad en sentido estricto, por cuanto es proporcional a los beneficios que ofrece. Aunque implica una inversión en términos de recursos y tiempo, los costos se ven justificados por la mejora significativa en la postura de seguridad, la reducción del riesgo de incidentes costosos y la protección frente a posibles sanciones legales por incumplimientos de seguridad. Asimismo, en cuanto a la legitimidad de la aplicación de este estándar, debe decirse que el ISO 27002 es un estándar internacionalmente reconocido, lo que le confiere una gran legitimidad. Su implementación es coherente con las mejores prácticas globales en ciberseguridad y protección de datos, y ayuda a las organizaciones a cumplir con las obligaciones legales y reglamentarias. b.3. ISO 27003:2017 En un entorno digital en constante evolución, caracterizado por amenazas cibernéticas sofisticadas, es esencial contar con un sistema de gestión de seguridad de la información (SGSI) robusto. El ISO 27003, al proporcionar directrices detalladas para la implementación efectiva de un SGSI según el ISO 27001, responde a esta necesidad crítica, ayudando a las organizaciones a proteger sus activos de información contra riesgos y vulnerabilidades. Dicho ISO es esencial para abordar de manera efectiva las complejidades técnicas asociadas con la protección de la información en un entorno tecnológico en constante cambio. Este estándar es idóneo para cualquier tipo de organización que busque mejorar su seguridad de la información. Ofrece un enfoque personalizable y práctico, lo que lo hace adecuado para una amplia variedad de contextos operativos y tipos de organizaciones. La adopción del ISO 27003 es proporcional a los beneficios de seguridad que aporta. Aunque requiere recursos y esfuerzo para su implementación, los costos se justifican ampliamente por la mejora significativa en la gestión de riesgos, la reducción de incidentes de seguridad y el cumplimiento de obligaciones legales y regulatorias. El ISO 27003 es un estándar internacionalmente reconocido, lo que le confiere una gran legitimidad. Su implementación es coherente con las mejores prácticas internacionales y a menudo es vista favorablemente por reguladores y auditores, lo cual es importante para mantener la confianza de las partes interesadas y cumplir con las normativas vigentes. b.4. ISO 27011:2016 El ISO/IEC 27011 es un estándar específico dentro de la familia de normas ISO/IEC 27000, dedicado a la seguridad de la información en el sector de las telecomunicaciones. Este estándar ofrece directrices para la implementación de un sistema de gestión de seguridad de la información (SGSI) específicamente adaptado a las necesidades del sector de las telecomunicaciones. Establece los principios para implantar, mantener y gestionar un SGSI en organizaciones de telecomunicaciones, indicando cómo implantar los controles de manera eficiente. Dada la naturaleza crítica de las telecomunicaciones en la infraestructura global, la necesidad de salvaguardar esta área contra amenazas cibernéticas es primordial. El ISO/IEC 27011:2016 proporciona directrices específicas para la seguridad de la información en este sector, abordando riesgos únicos y desafíos operativos, y garantizando la protección de la infraestructura y los datos críticos. Este estándar es particularmente idóneo para organizaciones dentro del sector de telecomunicaciones, ya que está diseñado teniendo en cuenta sus necesidades específicas y desafíos. Ofrece un enfoque adaptado para la implementación de un sistema de gestión de seguridad de la información (SGSI), alineado con los estándares generales de la familia ISO 27000 pero con un enfoque en las telecomunicaciones. La implementación del ISO/IEC 27011:2016 es proporcional a los riesgos significativos asociados con la seguridad de la información en las telecomunicaciones. La protección efectiva contra brechas de seguridad, fraudes y otros incidentes cibernéticos justifica la inversión en este estándar, dadas las posibles consecuencias de no hacerlo, incluyendo interrupciones del servicio, pérdidas financieras y daños a la reputación. Como parte de la reconocida familia de estándares ISO/IEC 27000, el ISO/IEC 27011:2016 goza de una alta legitimidad. Su adopción refleja un compromiso con las mejores prácticas internacionales y puede mejorar la confianza de los clientes y reguladores en la capacidad de una organización para gestionar la seguridad de la información. K. SOBRE LOS PARÁMETROS DE RIESGO ALTO DEFINIDOS EN EL ARTÍCULO 10 DEL DECRETO EJECUTIVO N.º 44196-MSP-MICITT “REGLAMENTO SOBRE MEDIDAS DE CIBERSEGURIDAD APLICABLES A LOS SERVICIOS DE TELECOMUNICACIONES BASADOS EN LA TECNOLOGÍA DE QUINTA GENERACIÓN MÓVIL (5G) Y SUPERIORES”. Para una mejor comprensión, se precisará a lo largo de cada inciso, cuáles fue el ejercicio de razonabilidad valorado en cada caso no sólo desde el punto de vista técnico, además su fundamentación jurídica. A) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento cuenten con un único suministrador de hardware y software en su cadena de suministro, cuando este se encarga de configurar e integrar todos los equipos activos y software de la solución, o si la red está compuesta por equipos activos y software de un único fabricante.” - EJERCICIO DE RAZONABILIDAD TÉCNICA Al respecto, se fundamenta la necesidad de dicha medida en que la dependencia o monocultura tecnológica aumenta el riesgo significativo de que se pueda comprometer todo el ecosistema, ya que si un atacante encuentra una vulnerabilidad para un tipo de sistema, se pone en riesgo a todos los componentes de la red y por ende, afectaría toda la información que pase por esos dispositivos, datos, información de los usuarios y servicios que por ellos transitan. A nivel de capas de seguridad, no es la misma seguridad si se trata de sistemas, equipos con especificaciones y componentes diferentes, siendo más complejo encontrar la vulnerabilidad si existe diversidad de fabricantes, por tanto, la complejidad de la explotación aumenta. La diversidad de proveedores es necesaria para mitigar los riesgos, aumentando la resiliencia del sistema o los sistemas, frente a ataques y fallas que se puedan ocasionar. Por su parte, se determina que la previsión de esta disposición cumple con un criterio de idoneidad, por cuanto, la dependencia de un solo proveedor puede traer un único punto de falla, ya que si se sufre una interrupción, todo el sistema se puede ver comprometido. En contraposición, tener múltiples proveedores permite disminuir la posibilidad de que una única vulnerabilidad o falla afecte todo el sistema. Además, diferentes proveedores pueden ofrecer distintas capacidades y fortalezas en seguridad, lo que mejora la protección general. Hay que tomar en cuenta que a nivel de ciberseguridad, hay técnicas de protección denominadas defensa en capas, siendo que aplicar múltiples medidas de seguridad y de protección, beneficia al conjunto del ecosistema, combinando múltiples barreras y eliminando una única dependencia de protección. Diversificar los proveedores ayuda a asegurar la seguridad operativa y la resiliencia del sistema en caso de fallos de un proveedor. Ahora bien, desde una perspectiva de proporcionalidad en sentido estricto, la valoración de la medida impuesta versus el fin de seguridad salvaguardado, se fundamenta en que existe un balance de tener más de un proveedor y no depender de uno único minimiza el riesgo, el vector de amenazas para ese proveedor se reduce, por tanto, limitar tener un único proveedor es proporcional con el fin técnico buscado. El contar con múltiples proveedores permite reducir la dependencia de las actualizaciones de seguridad de un único proveedor, con la ventaja de tiempos de respuesta y disponibilidad de opciones de seguridad mejoradas y eficaces, por tanto, la medida es proporcional al fin de seguridad que se pretende asegurar. El impacto de la contramedida, por tanto, no es mayor al riesgo que ocasiona la dependencia hacia un único proveedor, por las razones apuntadas. La medida como tal, técnicamente tiene plena legitimidad, además, por cuanto por cuanto técnicamente es posible que sistemas o componentes de distintos proveedores interactúen entre sí, por tanto no es técnicamente imposible ni predispone la generación de fallas en la operación y más bien, aunado a las razones anteriormente descritas, representa un fin legítimo para la salvaguardia de la seguridad de la información y las redes, así como en el cumplimiento de los fines de la ciberseguridad. - EJERCICIO DE RAZONABILIDAD JURÍDICA Desde una perspectiva jurídica, se recalca la necesidad de la medida, toda vez que pretende garantizar la funcionalidad de la tecnología y que no exista un nivel de dependencia tal del fabricante que en caso de fallos en la operación de la red como los que se han ejemplificado supra, impacten la continuidad y acceso al servicio. Con la medida, se previene además la afectación al régimen jurídico de los derechos e intereses de los usuarios finales de telecomunicaciones, que derivan precisamente de la protección y resguardo de los derechos fundamentales y derechos humanos a la intimidad, privacidad y secreto de las comunicaciones, autodeterminación informativa, el acceso a la libre información, comunicación, salud, entre otros. La presente medida se estima idónea, ya que al diversificar la cantidad de proveedores en la cadena de suministro se disminuye el riesgo de que la funcionalidad de la red dependa de las vulnerabilidades que pueda presentar un único fabricante en su Hardware o Software. La medida procura garantizar que a mayor cantidad de proveedores, mayor cantidad de soluciones ante el servicio final de telecomunicaciones sin necesidad de interrumpir la continuidad del servicio en beneficio del usuario final. Ante un incidente de ciberdelincuencia con un único suministrador se elevaría la criticidad del siniestro, como resultado de la dependencia de un único suministrador. En cuanto a la proporcionalidad de la medida, El beneficio que se persigue es dotar a la población de una red avanzada y segura previendo que no exista dependencia de un único suministrador y por tanto exista riesgo de no conseguir componentes, compatibilidad obstaculizada, cierre de fábricas, discontinuidad de repuestos, problemas en la cadena de producción entre otros. El objetivo primordial es evitar que la materialización de los riesgos asociados al funcionamiento de la red tengan consecuencias en los usuarios finales de telecomunicaciones perjudicando el ejercicio de sus derechos fundamentales de rango constitucional. En ese sentido la medida es proporcional porque pretende equilibrar la posibilidad de un servicio continuo frente a las dificultades de comercio a que puedan enfrentarse los suministradores. La medida posee legitimidad, siendo que los habitantes tienen derecho de acceder a las telecomunicaciones para su desarrollo personal, cultural, educativo, entre otros. En ese sentido el espectro radioeléctrico como bien demanial constitucional merece una protección por parte del Estado quien debe velar por el uso y explotación segura de las redes y servicios prestados a través de este bien demanial constitucional, mediante el ejercicio de su potestad pública reglamentaria, particularmente dispuesta en el Régimen de Protección de los derechos de los usuarios finales de telecomunicaciones de los numerales, 41, 42 y siguientes de la Ley General de Telecomunicaciones. El establecimiento de esta medida se hace sobre la base de los criterios de la ciencia y la técnica dispuestos en el artículo 16 de la Ley General de la Administración Pública, todo ello sabiendo que la existencia de un único proveedor en la cadena de suministro podría significar que la red dependa de un único elemento para su óptimo funcionamiento. B) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento o sus suministradores de hardware y software tengan algún informe de incidente publicado por el CSIRT-CR sobre brechas en la ciberseguridad de sus sistemas que no han sido atendidas y por ende implican un riesgo para la seguridad, disponibilidad, integridad o privacidad de la información de los usuarios finales.” - EJERCICIO DE RAZONABILIDAD TÉCNICA La disposición indicada, sobre la garantía de que los incidentes generados hayan sido atendidos como corresponde, es necesaria, por cuanto la consideración de no haber atendido el incidente publicado implica necesariamente un riesgo, las alertas deben ser atendidas para la seguridad disponibilidad y privacidad de la información, el no hacerlo expone al operador a riesgos significativos de seguridad y brechas de datos, por tanto la consideración de no atender alertas, expone a ciberataques con brechas conocidas, siendo medios que utilizan los ciberatacantes para vulnerar una infraestructura. La medida es necesaria para que los atacantes no exploten las debilidades, que puedan comprometer la confidencialidad, disponibilidad e integridad de la información que en ellos alojan. No atender alertas aumenta el riesgo de accesos no autorizados y de actividades maliciosas, así como interrupción de los servicios, la accesibilidad de los sistemas, alteración o corrupción de los datos que en esa plataforma viajan y la exposición de datos sensibles privados o personales que transitan en esas infraestructuras que los alojan. La medida es necesaria para prevenir que se explote una vulnerabilidad que ya fue identificada por un tercero de confianza, debido a la no aplicación de los parches de seguridad, puede traer implicaciones económicas, en términos de costos de mitigación, pérdidas por la interrupción a nivel general, tanto para el proveedor como para los usuarios que utilizan esas plataformas. La previsión de este riesgo cumple con un criterio de idoneidad técnica, por cuanto la atención a los informes de incidentes es una medida adecuada, porque ataca la causa raíz de muchas brechas de seguridad. Corregir las vulnerabilidades conocidas es un paso fundamental en la protección contra ataques cibernéticos y en la preservación de la integridad, confidencialidad y disponibilidad de la información así como de los servicios que en ellos se alojan o transitan. La no corrección de esas brechas conocidas son blanco fácil para los atacantes ya que cuando hay una brecha de seguridad siempre hay muchas formas de explotación de estas. Asimismo, desde un criterio de razonabilidad en sentido estricto, las consecuencias de no atender estas vulnerabilidades son muchos mayores que los esfuerzos para corregir estos problemas, siendo más sencillo resolver el incidente que atenderlo después del impacto, las pérdidas, filtración, afectación a los servicios, la disponibilidad de la información, es una consecuencia mucho mayor. La probabilidad del impacto en estas plataformas es un riesgo alto. El impacto ocasionado en una brecha de seguridad que afecte la información va a ser mucho mayor. A nivel de proporcionalidad se analiza la probabilidad por el impacto menos las contramedidas. Las contramedidas del CSIRT-CR deben ser aplicadas para reducir el riesgo, al existir brechas de seguridad conocidas, aumentan la probabilidad de que una infraestructura pueda ser vulnerada y al materializarse un incidente de seguridad que aprovechó dicha brecha de seguridad, el cual no se haya remediado, el impacto que puede producir una vulneración a estas plataformas es incuantificable, ya que el daño no solo va al proveedor, sino a todos los datos, servicios e información que en esas plataformas se aloja y transitan, siendo que el usuario final puede verse impactado en la no utilización de servicios esenciales, en la exposición y filtración de información sensible de los habitantes de Costa Rica y en costos económicos para solventar los problemas ocasionados a raíz de esa brecha de seguridad. Por lo anterior, considerar que la no atención de los incidentes calificandolo (sic) como riesgo alto es más que proporcional a las consecuencias de no atenderse y los potenciales graves daños que se ocasionarían. En cuanto a la legitimidad de esta medida corresponde con las buenas prácticas desde la técnica, lo cual se legítima en la comunidad de Ciberseguridad, respaldada por normativas y estándares internacionales de Ciberseguridad, que enfatizan la importancia de gestionar adecuadamente las vulnerabilidades y los incidentes de ciberseguridad. La no atención de estas vulnerabilidades exponen a las organizaciones a brechas de seguridad ya que pueden ser explotadas por actores maliciosos para comprometer la seguridad de esos sistemas. - EJERCICIO DE RAZONABILIDAD JURÍDICA El criterio de necesidad de la presente medida se sustenta en el ciberataque acaecido en abril de 2022 las consecuencias para el país fueron nefastas, incluyendo pérdida de información sustancial, afectación de servicios esenciales de salud, pérdidas para la hacienda pública, dificultades para el registro y pago de planillas, entre otras, todas estas afectaciones a la institucionalidad tuvieron a su vez un impacto directo en los usuarios de los diferentes servicios. En consecuencia una de las prioridades de las Autoridades Sectoriales competentes es prevenir nuevas situaciones de tal envergadura, por ello cualquier incidente identificado debe atenderse con la mayor celeridad y adoptar todas las medidas inmediatas necesarias para salvaguardar los bienes jurídicos tutelados (intimidad, seguridad, autodeterminación informativa, salud, cultura, educación, información y comunicación entre otros); por lo que la lucha contra la ciberdelincuencia no permite tolerar la presencia de incidentes no atendidos. Con respecto a la idoneidad, la presente medida constituye un medio para un fin que de no ejecutarse carecería de todo interés el cometido para el cual fue creado el CSIRT que en esencia es coordinar con los poderes del Estado, instituciones autónomas, empresas y bancos del Estado todo lo relacionado con la materia de seguridad informática y cibernética y concretar el equipo de expertos en seguridad de las Tecnologías de la Información que trabajará para prevenir y responder ante los incidentes de seguridad cibernética e informática que afecten a las instituciones gubernamentales. De ahí que la sola detección de un incidente (la norma no regula niveles de permisibilidad) ya que es un riesgo inminente para la seguridad con lo cual no hay justificación para que los sujetos obligados desatiendan cualquier alerta emitida por el CSIRT. Por su parte en relación con la proporcionalidad, este parámetro observa el criterio de proporcionalidad en la medida que la conducta perseguida recae sobre el operador de la red vulnerada en una sana administración del recurso radioeléctrico (bien demanial). Lo que busca es prevenir cualquier interferencia maliciosa que lesione los derechos fundamentales y los derechos humanos de los usuarios finales de las telecomunicaciones, mediante el establecimiento de una acción en el funcionamiento de la red y de esta forma aumentar el aprovechamiento de las oportunidades que brinda la ciencia y la tecnología para ser un habilitador efectivo para el ejercicio de los derechos a la Sociedad de la Información y el Conocimiento. En cuanto a la legitimidad, esta medida responde a los objetivos de creación del CSIRT y además a todas las medidas en el ordenamiento interno e internacional como parte de los esfuerzos en la lucha contra la ciberdelincuencia, que desde luego implica identificar actos deliberados e ilegítimos en contra de los sistemas informáticos, resulta de especial relevancia en el despliegue y funcionamiento de las redes 5G que a diferencia de las anteriores tecnologías se trasiegan grandes cantidades de datos permitiendo almacenar información personal y sensible de los usuarios, de manera tal que cualquier alerta de trasgresión debe ser atendida de manera inmediata para evitar mayores consecuencias. “C) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento o sus suministradores de hardware y software sean susceptibles de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones.” - EJERCICIO DE RAZONABILIDAD TÉCNICA La consideración de alto riesgo en este inciso es necesaria por cuanto es crítico garantizar que los proveedores de hardware o software operen con independencia de presiones gubernamentales extranjeras, con el fin de proteger la disponibilidad, confidencialidad e integridad de los datos. Existe riesgo de que el gobierno genere presión y obtenga acceso no autorizado a datos confidenciales o a manipular o el hardware o software para fines de espionaje o sabotaje, siendo que esto comprometería la disponibilidad, confidencialidad e integridad de estos productos o plataformas, por tanto, generar la previsión del riesgo es necesario para garantía de la seguridad, disponibilidad, confidencialidad e integridad de la información. Asimismo, la previsión de este riesgo es idónea, ya que garantizar la independencia de los proveedores frente a la influencia de gobiernos extranjeros es adecuada para la seguridad y el objetivo de preservar la seguridad nacional. La medida es idónea ya que del análisis de situaciones e incidentes detectados, se han encontrado actores de amenazas ligados a gobiernos extranjeros que pueden ejercer presión sobre los sujetos de aplicación del art. 2. La medida cumple con ser proporcional en sentido estricto, por cuanto las consecuencias potenciales de espionaje o sabotaje cibernético son proporcionales a la medida que procura disminuir el riesgo, ya que se pueden comprometer servicios críticos de 5G, implicando la necesidad de evaluaciones de seguridad rigurosas. En cuanto a la consideración sobre la legitimidad de esta medida, la preocupación por la influencia de gobiernos extranjeros sobre dichos proveedores es legítima y a la vez, se fundamenta en criterios de seguridad nacional dado el riesgo potencial y los daños de diversa índole que pueden materializarse si se da un ataque o sabotaje directa o indirectamente ligado a la actuación de un gobierno extranjero que ejerza influencia sobre los operadores. Por tanto, se ejerce como una facultad que tiene el Estado de garantizar la independencia de los operadores frente a presiones de gobiernos extranjeros.- EJERCICIO DE RAZONABILIDAD JURÍDICA Para una mejor comprensión ambos parámetros contenidos en el presente y el inciso d) serán analizados de manera conjunta. Ambos parámetros se califican de necesarios. En ese sentido es posible afirmar que siendo que nos encontramos en la Sociedad de la Información y el Conocimiento (SIC) los datos revisten de alto valor, en ese sentido, se han multiplicado los riesgos de que las redes informáticas y la información electrónica sea utilizada para cometer delitos. Esto trasciende la soberanía de cada país debido a la facilidad con que se pueden cometer los abusos, por lo anterior, medidas como estas son imprescindibles para garantizar que no haya menoscabo en la confidencialidad, integridad y disponibilidad de los sistemas informáticos, de las redes, los datos personales y los datos de tráfico, por parte de la presión de otros Estados que requieran la información para fines distintos a los objetivos por los cuales fueron recabados a nivel nacional bajo el principio de consentimiento informado y libre información de los usuarios. Esta medida es idónea toda vez que el Estado es el único llamado a ponderar la existencia de normativas en contraposición a la nacional contravención a los derechos fundamentales, de este modo, es el único también con facultades para establecer condiciones diferenciadas cuando la información vaya a transitar fuera de sus fronteras, tránsito que debe ser compatible con el régimen especial de protección que el constituyente ha impuesto sobre los datos. Es importante reconocer que no toda legislación extranjera es afín o compatible a la nacional razón por la cual se han considerado estos parámetros para reforzar la importancia de la protección de los derechos fundamentales de los usuarios finales de telecomunicaciones Sobre la proporcionalidad, debo acotar que el Estado democrático costarricense está llamado a actuar de forma conservadora en dos vertientes, primeramente en el resguardo al sano uso del espectro radioeléctrico como bien demanial y en segundo lugar en la protección de los derechos fundamentales que derivan del uso y explotación de dicho espectro radioeléctrico, de manera que está obligado a señalar las pautas conforme a las cuales se hará el trasiego de la información, dicho esto, los operadores que no tengan la posibilidad legal de garantizar el tránsito seguro de los datos en sus redes implican un alto riesgo de vulneración debido a la posible coacción de otros gobiernos. Realizando un ejercicio de legitimidad, debemos de partir que de conformidad con las buenas prácticas internacionales, entre ellas la Directriz sobre protección de la privacidad y flujos transfronterizos de datos personales (1980) de la OCDE, puede imponer restricciones a algunas categorías de datos personales para lo cual el ordenamiento nacional incluye regulaciones específicas debido a la naturaleza de esos datos y que el otro Estado no considere de forma similar en su normativa, en ese sentido se interpreta que ante el evento de encontrar normativas que no garanticen una protección equiparable a la nacional, el Estado costarricense podrá establecer restricciones al trasiego de datos cuando los operadores o sus suministradores no puedan garantizar sustancialmente el cumplimiento la normativa doméstica sobre protección de datos, intimidad, privacidad, autodeterminación informativa y secreto de las comunicaciones. “D) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento o sus suministradores de hardware y software tienen su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses.” - EJERCICIO DE RAZONABILIDAD TÉCNICA La previsión de este riesgo es necesaria, por cuanto es crítico garantizar que los proveedores de hardware o software operen con independencia de presiones gubernamentales extranjeras, con el fin de proteger la disponibilidad, confidencialidad e integridad de los datos. Existe riesgo de que el gobierno genere presión y obtenga acceso no autorizado a datos confidenciales o a manipular o el hardware o software para fines de espionaje o sabotaje, siendo que esto comprometería la disponibilidad, confidencialidad e integridad de estos productos o plataformas, por tanto, generar la previsión del riesgo es necesario para garantía de la seguridad, disponibilidad, confidencialidad e integridad de la información. Si un gobierno extranjero tiene la posibilidad de introducir backdoors (puertas traseras), tendría la posibilidad de generar espionaje, sabotaje, extraer información de seguridad nacional y de las personas usuarias, asimismo, dadas las características del tipo de gobierno, existe ausencia de un garantías adecuadas para los derechos intereses. La medida cumple con el criterio de idoneidad, de igual manera como se ha indicado en el inciso anterior, por cuanto la independencia de los proveedores frente a la influencia de gobiernos extranjeros es adecuada para la seguridad el objetivo de preservar la seguridad nacional. La medida es idónea ya que del análisis de situaciones e incidentes detectados, se han encontrado actores de amenazas ligados a gobiernos extranjeros que pueden ejercer presión sobre los sujetos de aplicación del art. 2. De igual forma, es proporcional en sentido estricto ya que las consecuencias potenciales de espionaje o sabotaje cibernético son proporcionales a la medida que procura disminuir el riesgo, ya que se pueden comprometer servicios críticos de 5G, implicando la necesidad de evaluaciones de seguridad rigurosas. La previsión de este riesgo cumple con el criterio de legitimidad, ya que la preocupación por la influencia de gobiernos extranjeros sobre dichos proveedores es legítima y a la vez, se fundamenta en criterios de seguridad nacional dado el riesgo potencial y los daños de diversa índole que pueden materializarse si se da un ataque o sabotaje directa o indirectamente ligado a la actuación de un gobierno extranjero que ejerza influencia sobre los operadores. - EJERCICIO DE RAZONABILIDAD JURÍDICA Para los efectos, se remite al análisis jurídico indicado en el inciso C) anterior. E) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento utilizan suministradores de hardware y software que tengan su sede en un país que no ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). - EJERCICIO DE RAZONABILIDAD TÉCNICA a. Consideraciones particulares sobre el Convenio Budapest Es fundamental en un mundo donde las amenazas cibernéticas no reconocen fronteras geográficas y la naturaleza descentralizada y a menudo anónima del ciberespacio ha permitido que actores maliciosos realizan ataques desde cualquier lugar del mundo, complicando enormemente los esfuerzos de persecución y respuesta. En este contexto, tecnologías emergentes como las redes 5G y superiores presentan tanto oportunidades como desafíos significativos. Si bien la tecnología 5G promete revolucionar numerosos sectores con su alta velocidad y capacidad de conexión masiva, también amplifica los riesgos asociados con la ciberseguridad. La infraestructura 5G es crítica y sensible, dada su implicación en la conectividad de dispositivos esenciales en sectores como la salud, la industria y los servicios públicos. Un ataque a estas redes no solo podría tener consecuencias devastadoras en términos de interrupción de servicios esenciales, sino que también podría comprometer la seguridad y privacidad de enormes volúmenes de datos. El Convenio de Budapest, por lo tanto, representa un marco esencial para la cooperación internacional en la lucha contra la ciberdelincuencia. Facilita la colaboración y el intercambio de información entre países, estableciendo procedimientos para la investigación y persecución efectiva de delitos cibernéticos. En una era donde las redes avanzadas como 5G se convertirán en la columna vertebral de nuestra infraestructura crítica, este convenio ofrece una herramienta fundamental para proteger nuestra sociedad digital globalizada contra las amenazas cibernéticas transfronterizas. El Convenio de Budapest es una medida de control de ciberseguridad que minimiza el riesgo de seguridad, en este caso, un riesgo de seguridad nacional. El convenio actúa como un control tanto disuasorio, preventivo, como punitivo en la persecución de delitos que atentan contra la tríada de la seguridad de la información: confidencialidad, integridad y disponibilidad de los sistemas, redes y datos informáticos. La disciplina de la ciberseguridad no solo se enfoca en aspectos como el monitoreo, la detección y la protección, sino que también aborda campos cruciales como la respuesta a incidentes de ciberseguridad y el análisis forense. Estos últimos son de vital importancia para obtener evidencia digital, como los logs (registros) de los sistemas, que resulta esencial para determinar la causa raíz de los incidentes. Debido a la naturaleza transfronteriza de los ataques cibernéticos, muchas veces se requiere de cooperación internacional para obtener estas evidencias, no solo para la persecución del ciberdelincuente sino también para identificar cuáles fueron las vulnerabilidades explotadas y así solucionar los huecos de seguridad en el menor tiempo posible para que los ciberdelincuentes no vuelvan a explotarlas. En 2022, Costa Rica experimentó un episodio devastador en el que un grupo cibercriminal conocido como CONTI, cuyos muchos integrantes residen en países no firmantes del convenio, no pudieron ser detenidos a pesar de estar identificados. Esto mantiene una amenaza latente y eleva la probabilidad de futuros daños. En ciberseguridad, el riesgo se mide como el producto del impacto y la probabilidad, menos las contramedidas implementadas. Una contramedida eficaz para reducir los riesgos de seguridad nacional es la aplicación de nuestro marco normativo, reforzado por el Convenio de Budapest. Además, se cuenta con reportes confidenciales los cuales se aportan como evidencia confidencial por ser de seguridad nacional, que indican que las infraestructuras de varias instituciones gubernamentales costarricenses han sido comprometidas por ataques originados en países que no son firmantes del convenio. La utilización del convenio de Budapest como una medida o control de seguridad para minimizar los riesgos también se fundamenta en el propio convenio que indica: “Convencidos de que el presente Convenio es necesario para prevenir los actos que pongan en peligro la confidencialidad, la integridad y la disponibilidad de los sistemas, redes y datos informáticos, así como el abuso de dichos sistemas, redes y datos, garantizando la tipificación como delito de dichos actos, tal como se definen en el presente Convenio, y la asunción de poderes suficientes para luchar eficazmente contra dichos delitos, facilitando su detección, investigación y sanción, tanto a nivel nacional como; internacional, y estableciendo disposiciones materiales que permitan una cooperación internacional rápida y fiable;” (El resaltado es propio). Fuente: Convenio Budapest, página 2, párrafo 9 Es de vital importancia recalcar que el convenio aborda los pilares de la ciberseguridad que es la tríada de la seguridad de la información (confidencialidad, integridad y disponibilidad) en plataformas tecnológicas entre ellas las redes. Al referirse a "redes" en general, la ley puede aplicarse a una gama más amplia de tecnologías, incluyendo aquellas que existen actualmente y las que puedan surgir en el futuro. La tecnología evoluciona rápidamente y mencionar una tecnología específica, como 5G, puede hacer que la ley se vuelva obsoleta en poco tiempo. En cambio, una ley que se refiere a "redes" en términos generales puede seguir siendo relevante y aplicable a medida que surgen nuevas tecnologías. Asimismo, es importante tener en cuenta que la ciberseguridad no solo consiste en la aplicación de controles técnicos; estos deben ser más holísticos y transversales, abarcando no solo aspectos técnicos, con el fin de obtener mejores resultados en la protección de los activos de información. Entre los ejemplos de controles de ciberseguridad no técnicos recomendados por los estándares internacionales, se encuentran: • Políticas de Uso Aceptable: Documentos que detallan qué comportamientos son aceptables y cuáles no lo son en una red o sistema. El conocimiento de que ciertas acciones están prohibidas y pueden ser motivo de sanciones puede disuadir a los usuarios de participar en actividades maliciosas. • Advertencias Legales: Mensajes que informan a los usuarios que el acceso no autorizado o el mal uso de los sistemas es ilegal y puede llevar a consecuencias legales. Estas advertencias suelen aparecer durante el proceso de inicio de sesión en sistemas informáticos. • Formación y Concienciación en Seguridad: Programas de formación que educan a los empleados sobre las consecuencias de violar las políticas de seguridad. La concienciación sobre las implicaciones de las acciones de seguridad puede disuadir a los usuarios de cometer errores o violaciones de seguridad. • Sanciones por Incumplimientos de Seguridad: Establecer y comunicar claramente las consecuencias (como sanciones laborales o acciones legales) de violar las políticas de seguridad puede disuadir a los empleados y usuarios de actuar de manera insegura. La Unión Internacional de Telecomunicaciones (ITU), la cual es una agencia especializada de las Naciones Unidas, se dedica a la regulación y el desarrollo de las tecnologías de la información y la comunicación (TIC). Ofrece asesoramiento técnico, formación y apoya la ciberseguridad y la protección de datos. Compuesta por 193 países miembros y más de 900 entidades, la ITU organiza conferencias mundiales y fomenta la cooperación internacional en el ámbito de las telecomunicaciones. En su índice de Ciberseguridad Global (ICG) evalúa el nivel de madurez en ciberseguridad de los países y describe las medidas de ciberseguridad que estos han adoptado. Entre sus componentes de evaluación: medidas jurídicas, técnicas, institucionales y capacitación. Las medidas jurídicas comprenden una medición de las leyes y reglamentos sobre ciberdelincuencia y ciberseguridad. Por lo cual, la ITU indica la importancia de las medidas jurídicas como aspecto relevante para medir el nivel de madurez de ciberseguridad: “En este sentido, la creación de un marco jurídico y reglamentario para proteger a la sociedad y promover un entorno digital seguro resulta indispensable y debe ser el primer paso de cualquier iniciativa nacional en materia de ciberseguridad. Los marcos jurídicos y reglamentarios comprenden la promulgación de una legislación que defina lo que constituye actividades ilícitas en el ciberespacio y los instrumentos necesarios para investigar, perseguir y hacer cumplir dicha legislación; el establecimiento de parámetros de referencia sobre ciberseguridad y mecanismos de observancia para un conjunto de actores nacionales; y procedimientos para garantizar la coherencia con las obligaciones internacionales.” (…) Fuente: https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2021-PDF-S.pdf Otro punto de referencia de organismos reconocidos a nivel internacional, el BID y la OEA realizaron un reporte de Ciberseguridad 2020: riesgos, avances y el camino a seguir en América Latina y el Caribe y describen el reporte de la siguiente manera: “Este reporte brinda un panorama detallado y actualizado de las políticas y prácticas de ciberseguridad en los países de América Latina y el Caribe, ofreciendo una perspectiva sobre el progreso alcanzado desde su primera edición en 2016. Incluye ensayos sobre las tendencias de la seguridad cibernética en la región, aportados por reconocidos expertos internacionales. También examina la madurez cibernética de cada país mediante la aplicación del Modelo de Madurez de Capacidad de Seguridad Cibernética (CMM). Identifica brechas serias en las cinco dimensiones que definen la capacidad de seguridad cibernética, teniendo en cuenta la importancia de la seguridad cibernética en el crecimiento económico y la sostenibilidad, al tiempo que enfatiza el respeto por los derechos humanos. Esta visión objetiva de las fortalezas y del espacio de crecimiento de la región apunta a sustentar el diseño de políticas e iniciativas que aborden la urgente tarea de incrementar la resiliencia cibernética.” (El resaltado es propio). Este reporte aplica el Modelo de Madurez de Capacidad de Seguridad Cibernética (CMM) desarrollado por el Centro Global de Capacidad en Seguridad Cibernética (GCSCC, por sus siglas en inglés) de la Universidad de Oxford. La evaluación de los niveles de madurez se divide en cinco dimensiones que corresponden a aspectos esenciales y específicos de la ciberseguridad, entre ellos: (i) política y estrategia de ciberseguridad; (ii)cultura cibernética y sociedad; (iii) educación, capacitación y habilidades en ciberseguridad; (iv) marcos legales y regulatorios; y (v) estándares, organizaciones y tecnologías. Estos se subdividen en un conjunto de factores que describen y definen lo que significa poseer capacidad de seguridad cibernética en cada factor, e indican cómo mejorar la madurez. Costa Rica en la medición de la dimensión de marcos legales y regulatorios es uno de los factores con mejor calificación al igual que se señalaba en el reporte de la ICG de la ITU: (…) Como se desprende en los diferentes informes, la ciberseguridad no solo abarca aspectos técnicos, sino también incluye diferentes tipos de medidas tanto técnicas, administrativas y legales, entre otras para salvaguardar los activos de información. b. Otros factores de valoración relativos al Convenio de Budapest En la siguiente tabla se muestran los países que han incluido en su estrategia nacional de ciberseguridad el convenio de Budapest.

País y año Parte de la ENC Mención República Dominicana (2022) En los considerandos y las vistas del Decreto No. 313-22 (Ver página 2) VISTA: La resolución del Congreso Nacional núm. 158-12, del 11 de junio de 2012, que aprueba el Convenio sobre la Cibercriminalidad, suscrito el 23 de noviembre de 2001, en Budapest.

Ecuador (2022) En el capítulo de contexto (ver páginas 8 y 10), en la descripción del Pilar Prevención y Combate a la Ciberdelincuencia (Ver página 4) y en acciones para alcanzar el Objetivo 3.1: Actualizar el marco legal y regulatorio de Ecuador en materia de ciberdelincuencia para garantizar la seguridad ciudadana y la protección de los derechos y libertades en el ciberespacio (Ver página 48) Acciones para alcanzar el Objetivo 3.1:

● Revisar el derecho penal existente y adoptar las medidas legislativas necesarias para definir claramente qué constituye delito cibernético y delitos relacionados (delitos contra o a través de sistemas o datos informáticos), considerando la armonización con los instrumentos legales internacionales y regionales existentes, en particular el Convenio de Budapest sobre la Ciberdelincuencia.

● Revisar y alinear los poderes y procedimientos apropiados para la aplicación de la ley, el enjuiciamiento y la judicialización para la investigación y el enjuiciamiento del delito cibernético, incluida la recopilación y el procesamiento de pruebas e instrumentos electrónicos para una cooperación internacional rápida y eficaz, considerando la armonización con el Convenio de Budapest sobre la Ciberdelincuencia y otros instrumentos internacionales.

Panamá (2021) En las acciones para lograr el objetivo establecido en el Pilar II. Disuadir y castigar el comportamiento criminal en el ciberespacio (Ver página 44) 2.4 Continuar el involucramiento con entidades regionales e internacionales En 2014, Panamá exitosamente ratificó la Convención de Budapest5 , el primer tratado internacional que busca abordar el cibercrimen armonizando las leyes nacionales, mejorando las técnicas de investigación y aumentando la cooperación entre las naciones. Panamá también firmó acuerdos en el marco de la Convención de las Naciones Unidas contra la Delincuencia Organizada Transnacional. Si bien representan pasos iniciales importantes, es necesario mejorar la coordinación y la cooperación internacional. Además es necesario incorporar al ordenamiento jurídico leyes que estén alineadas con los convenios o acuerdos internacionales, de los cuales Panamá es signataria.

Belize (2020) En una actividad para cumplir el objetivo estratégico 5 del Área Prioritaria 1 (Ver página 26) Area of Priority 1: Develop the National Legal Framework to adequately address cybersecurity threats Objective 5. Ministry of Foreign Affairs National Security & Attorney General’s Office participate in bilateral and multilateral international cybersecurity agreements Activity 5.1. Government to review the process for acceding to the Convention on Cybercrime (Budapest Convention) Costa Rica (2017) En el capítulo 3 de contexto actual (Ver páginas 23 y 34) En busca de mejorar aún más el marco normativo costarricense y lograr un mejor accionar ante la delincuencia informática, Costa Rica concretó el proceso de adhesión a la “Convención sobre el Cibercrimen” conocida como el “Convenio de Budapest” mediante la firma del Decreto Ejecutivo N° 40546-RREE el 3 de julio del 2017 el cual coadyuva en la lucha frente a los delitos Informáticos.

(…)

La legislación sobre delincuencia cibernética debe tener en cuenta el contexto nacional, los convenios internacionales, los mecanismos para facilitar la investigación inter-institucional y multi-jurisdiccional y la mayor complejidad de avances tecnológicos. Costa Rica cuenta con legislación relacionada con delitos informáticos, no obstante, a medida que cambia la sofisticación de estos crímenes, debe haber un proceso dedicado para su revisión y actualización para asegurar que existe la autoridad necesaria para investigar y procesar eficazmente. La adhesión al Convenio sobre Delincuencia Cibernética (también conocido como Convenio de Budapest) es un hecho y las discusiones están en curso dentro del Poder Judicial para la formación de jueces y fiscales en materia de delincuencia cibernética.

Colombia (2016) En el contexto, en el marco normativo, en las estrategias para el Plan de Acción y en el Anexo con instrumentos internacionales (Ver páginas 15, 22, 63 y 79) Cooperación y posicionamiento internacional En 2013, a través del Ministerio de Relaciones Exteriores, el país solicitó formalmente la adhesión a la Convención de Europa sobre cibercriminalidad, también conocido como Convenio de Budapest.

(…)

2.3.2. Normativa internacional Entre los instrumentos internacionales que tienen relación con la seguridad digital se encuentran el Convenio sobre Ciberdelincuencia del Consejo de Europa (conocido como el convenio sobre Cibercriminalidad de Budapest) mediante el cual se adopta una legislación que facilita la prevención de las conductas delictivas y contribuye con herramientas eficientes en materia penal que permitan detectar, investigar y sancionar las conductas antijurídicas.

(…)

E5.1. Generar mecanismos para impulsar la cooperación, colaboración y asistencia a nivel internacional, en materia de seguridad digital (DE1) Bajo esta estrategia, se busca la adhesión de Colombia a convenios internacionales en torno a la seguridad digital, tales como la Convención de Budapest (…)

Anexo D: Normativa internacional relacionada con asuntos de seguridad digital

Instrumento: Convenio sobre Ciberdelincuencia del Consejo de Europa CCC (conocido como el convenio sobre Cibercriminalidad de Budapest) Adoptado en noviembre de 2001 y entrada en vigor desde el 1° de julio de 2004 El Convenio de Budapest no solo representa un marco supralegal crucial para combatir la ciberdelincuencia, sino que también es un esfuerzo colectivo para fortalecer la resiliencia cibernética a nivel mundial. Su implementación y adaptación continua, junto con un enfoque holístico en ciberseguridad, son clave para proteger los activos de información en un mundo digital cada vez más interconectado y dependiente de tecnologías avanzadas como 5G. Por lo anterior, en síntesis, el inciso cumple con el principio de razonabilidad desde la perspectiva técnica, por lo siguiente: La necesidad de la medida reside en prevenir los actos que pongan en peligro la confidencialidad, la integridad y la disponibilidad de los sistemas, redes y datos informáticos, así como el abuso de dichos sistemas, redes y datos, garantizando la tipificación como delito de dichos actos. Condicionar la operación de los sujetos a que el Estado casa matriz de sus operaciones forme parte del convenio o se predisponga a formar parte, garantiza la persecución de los delitos y la aprehensión de los ciberdelincuentes. La ciberseguridad no solo es un elemento técnico sino también controles de diferentes índoles, tanto administrativos, de gobernanza y normativos que funcionan como controles disuasorios. Además, en caso de un ataque cibernético que requiera información sobre vulnerabilidades o registros de eventos asociados a equipos de hardware o software, de un proveedor cuyo país de origen esté obligado a colaborar bajo el Convenio de Budapest, se habilita la posibilidad de obtener toda la información necesaria para atender el incidente. Esto es crucial tanto para la persecución y aprehensión de los delincuentes cibernéticos, reduciendo el riesgo de futuros ataques, como para la respuesta al incidente de seguridad. De acuerdo con los marcos y estándares internacionales para la respuesta a incidentes, como la NIST 800-61 'Guía de manejo de incidentes de seguridad' o la ISO 27035 'Gestión de incidentes de seguridad de la información', una fase crucial es la erradicación de la amenaza y la corrección de las vulnerabilidades que causaron la brecha. Sin embargo, esto requiere de diversos análisis y de obtener la mayor cantidad de información posible en el menor tiempo para remediar la causa raíz y restablecer el servicio. (…)Fuente: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf La medida resulta idónea por cuanto la generación de un ambiente de control en los Estados donde tengan casa matriz los sujetos de aplicación del Reglamento, permite disminuir el riesgo de delitos informáticos a infraestructuras tecnológicas, ya que tipifican los delitos y con ello funcionan como elementos disuasorios, además de la parte punitiva, sino también el análisis, ya que el convenio de Budapest permite a los Estados colaborar en la generación de elementos de investigación forense, para prevenir a futuro nuevos actos. El convenio ofrece una herramienta fundamental para proteger la seguridad digital contra las amenazas transfronterizas. A nivel de proporcionalidad en sentido estricto, técnicamente la medida que se pretende asegurar con esta previsión es proporcional a la situación vivida en Costa Rica con los ataques en 2022 de grupos criminales provenientes de países no firmantes o no dispuestos a adherirse al convenio de Budapest, siendo que estos cibercriminales, si bien es cierto cambian de estructuras constantemente para seguir delinquiendo y atacando infraestructuras, permanecen en los mismos países no firmantes, con lo cual es un riesgo que sigue latente. Además, a nivel de ciberseguridad hay un componente denominado ciberseguridad forense digital, lo cual busca encontrar evidencias técnicas del abuso y de cómo se explotan las vulnerabilidades en los sistemas y con ello encontrar la causa raíz para subsanar el problema por el cual se abrió la brecha de seguridad. Por lo cual el convenio de Budapest brinda una activa comunicación con los países firmantes para conseguir evidencia fundamental tanto para subsanar la vulnerabilidad como para perseguir los cibercriminales por el hecho delictivo. Por lo anterior la medida es consecuente y proporcional al beneficio que se pretende generar en beneficio de la seguridad, ya que hay hechos corroborados de situaciones acontecidas en el país y es fundamental para la seguridad nacional brindar tanto una seguridad jurídica en la persecución de los cibercriminales como en la remediación de dichas brechas obteniendo información crucial para subsanarlas. El convenio es una contramedida de ciberseguridad para reducir los riesgos a la seguridad nacional e informática, por tanto, el Estado tiene la facultad de, en el análisis de riesgos, buscar reducir el potencial impacto de ataques, siendo la medida proporcional ya que el convenio es un elemento disuasorio, preventivo y punitivo, adecuado al fin de garantizar la seguridad de las redes y la seguridad nacional. La medida es legítima por cuanto el convenio se encuentra firmado y ratificado por Costa Rica, permitiendo la colaboración entre Estados partes para garantizar la persecución adecuada de los ciberdelincuentes, la prevención de ataques futuros, como elemento disuasorio (preventivo) y cuando los hechos se gestaron, para poder obtener la información vital para determinar las brechas mediante análisis forense digital que se puede obtener mediante estos convenios. La aplicación o condicionamiento a tener la sede en un Estado firmante o que se pretende adherir es una medida legítima para asegurar la adecuada seguridad informática y seguridad nacional. Muchos países, incluyendo a Costa Rica, han incluido este convenio dentro de la estrategia nacional de ciberseguridad. EJERCICIO DE RAZONABILIDAD JURÍDICA Es una norma necesaria para combatir el cibercrimen y la delincuencia organizada con autoridad superior a la ley conforme al ordinal 7 de la Constitución Política; inclusive fue ratificada por el propio legislador a través de los mecanismos constitucionales establecidos. Como bien ya se ha indicado en el documento, el Convenio de Europa sobre Ciberdelincuencia (Budapest, 2001) fue aprobado por Costa Rica mediante la Ley N° 9452 “Aprobación de la Adhesión al Convenio sobre la Ciberdelincuencia”, emitida en fecha 26 de mayo de 2017 y publicada en el Alcance N°161 al Diario Oficial La Gaceta N°125 de fecha 03 de julio de 2017. De esta forma dicho Convenio forma parte de la normativa internacional incorporada al Ordenamiento Jurídico costarricense y tiene por objeto garantizar el respeto de los Derechos Humanos y Fundamentales consagrados en la Constitución Política de Costa Rica y en otros instrumentos como el Convenio del Consejo de Europa para la Protección de los Derechos Humanos y de las Libertades Fundamentales (1950), el Pacto Internacional de Derechos Civiles y Políticos de las Naciones Unidas (1966),Convención Americana sobre Derechos Humanos (Pacto de San José) (1970), entre otros. Es proporcional pues en este inciso e) del artículo 10 no se exige expresamente la calidad de Estado que haya ratificado e incorporado dicho instrumento en su ordenamiento nacional conforme a los procedimientos internos de cada país; sino que, considera el proceso de “Adhesión” establecido para acceder a este Convenio. En relación con este tema, conviene indicar que, el proceso de “Adhesión” al Convenio de Budapest implica 3 pasos que son los siguientes: 1. Una vez que esté disponible un proyecto de ley que indique que un Estado ya ha implementado o es posible que pueda implementar las disposiciones del Convenio de Budapest en su legislación nacional, el Ministro de Relaciones Exteriores (u otro representante autorizado) deberá enviar una carta dirigida al Secretario General del Consejo de Europa en la que manifieste el interés de su Estado en adherirse al Convenio de Budapest. 2. Una vez que exista consenso entre los actuales Estados Partes del Convenio, se invita al Estado a adherirse. 3. Las autoridades de ese Estado deberán formalizar sus procedimientos internos similares a la ratificación de cualquier tratado internacional antes de depositar el instrumento de adhesión ante el Consejo de Europa. Según se desprende de las tratativas anteriores el Reglamento únicamente requiere la acreditación del primer estadío, distinto a exigir formal ratificación conforme al derecho interno, desde luego que se seleccionó este primer peldaño siendo que se comprueba el interés de otras naciones de tutelar los mismos valores jurídicos protegidos por nuestro país y la Comunidad. De esta forma normativa contempla el primer estadío (sic) del procedimiento para adherirse al Convenio, que a su vez conlleva la manifestación del interés En ese sentido, es importante recalcar que el citado Reglamento únicamente contempla parámetros de alto riesgo por cuanto se ha procurado que la intervención estatal sea mínima, de modo tal que la valoración y gestión de riesgos de impacto medio y bajo sea llevada a cabo por los operadores de redes o proveedores de servicios de telecomunicaciones. El Consejo de Europa le ha catalogado como la norma internacional más completa hasta la fecha, ya que proporciona un marco integral y coherente en contra del ciberdelito y la evidencia electrónica. Sirve como una guía para cualquier país que desee desarrollar una legislación nacional integral sobre ciberdelitos y como un marco para la cooperación internacional entre los Estados Parte de este Tratado. (COE, 2021). Es así como el inciso e) del artículo 10 del Decreto Ejecutivo N.º 44196-MSP-MICITT “Reglamento Sobre Medidas de Ciberseguridad Aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores debe ser considerado a partir de la aplicación sistemática de un conjunto de normas legales y reglamentarias relacionadas con las telecomunicaciones y la materia de contratación pública, en el caso de aquellos Operadores sujetos a este régimen jurídico de interpretación, y cuyo objeto sea el equipamiento para el uso y explotación de los segmentos de frecuencias del espectro radioeléctrico. Lo anterior, por cuanto la definición de las obligaciones y condiciones para la explotación de dicho bien demanial compete al Poder Ejecutivo, con inclusión de las medidas de gestión y mitigación riesgos contempladas en el Decreto Ejecutivo N.º 44196-MSP-MICITT. De forma particular el artículo 2 del Reglamento comprende en su ámbito de aplicación a los operadores y proveedores de servicios de telecomunicaciones basados en tecnología de 5G o superior sujetos al régimen de contratación pública que tenga por objeto el equipamiento tecnológico para el despliegue de sus redes y conlleve el uso y explotación de bandas de frecuencias del espectro radioeléctrico, quienes deberán adoptar los mecanismos idóneos para que sus oferentes hayan considerado la gestión y mitigación de la normativa en su oferta técnica. Esto por cuanto de conformidad con el artículo 121 inciso 4) sub inciso c), el principio regulatorio IV denominado Asignación y utilización de recursos escasos de la Ley N°8622 (CAFTA), en relación con los artículos 7, 10 ,11 y 12 de la Ley General de Telecomunicaciones el Poder Ejecutivo dicta el Plan Nacional de Atribución de Frecuencias y otorga las concesiones para el uso y explotación del espectro radioeléctrico, definiendo las obligaciones y condiciones para su otorgamiento, con inclusión de este tipo de medidas vía reglamentaria, a partir de lo establecido en el artículo 42 de la Ley General de Telecomunicaciones. Por su parte, el artículo 3 en su inciso o) del Decreto Ejecutivo N.º 44196-MSP-MICITT “Reglamento Sobre Medidas de Ciberseguridad Aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores establece el concepto de suministrador de software y hardware el cual incluye a los fabricantes de equipos de telecomunicaciones de transmisión, así como a otros proveedores externos. Seguidamente el artículo 4 contempla los escenarios de riesgo nacionales para redes 5G y superiores vinculados con la cadena de suministro, algunos de los que se vinculan de forma directa son los siguientes: II Escenarios de riesgo relacionados con la cadena de suministro de la 5G:• R3: Productos de baja calidad. • R4: Dependencia de un único suministrador en determinadas redes o falta de diversidad a nivel nacional, cuando este se encarga de configurar e integrar todos los equipos activos y software de la solución, o si la red está compuesta por equipos activos y software de un único fabricante. III. Escenarios de riesgo relacionados con el modus operandi de los principales agentes de riesgo: •R5: Intromisiones por parte de Estados a través de la cadena de suministro de la 5G, cuando esto pueda comprometer la seguridad, disponibilidad, integridad y privacidad de la información. • R6: Aprovechamiento de las redes 5G por parte de grupos de delincuentes organizados para atacar a usuarios finales. • R7: Daños significativos a infraestructuras o servicios críticos Asimismo, el artículo 6 establece que los operadores regulados por su ámbito de aplìcacion deberán adoptar, implementar, y mantener estándares de referencia, dentro de los cuales se encuentra el estándar SCS 9001 denominado “Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad”; y el artículo 7 del Reglamento determina como un elemento a contemplar por Operadores sujetos al régimen jurídico de contratación pública, en su análisis de riesgos de las redes 5G y superiores, lo siguiente:“d) Dependencias de determinados suministradores en elementos críticos de la red 5G y superiores.” El artículo 8 por su parte establece el deber de adoptar las medidas adecuadas para gestionar los riesgos identificados de conformidad con el artículo 7, en lo que interesa las siguientes: “(...) e) Cumplir con la implementación de los estándares señalados en el artículo 6 del presente Reglamento. (...) g) Exigir a sus suministradores de hardware y software involucrados en las redes 5G y superiores el cumplimiento de estándares de ciberseguridad, desde el diseño de los productos y servicios hasta su puesta en funcionamiento. h) Controlar su propia cadena de suministro para garantizar una operación y explotación segura de las redes de telecomunicaciones móviles y sus servicios. i) Diseñar una estrategia de diversificación en la cadena de suministro de los equipos de telecomunicación, sistemas de transmisión, equipos de conmutación o encaminamiento y demás recursos que permitan el transporte de señales en una red 5G o superior, de forma tal que dichos equipos, sistemas o recursos sean proporcionados, como mínimo, por dos suministradores de hardware y software diferentes. También el numeral 9 en su último párrafo reitera la necesidad de considerar en dichos procedimientos de contratación pública el estándar SCS 9001 (cadena de suministro). Ahora bien, el artículo 10 inciso e) del Reglamento objeto de análisis define como parámetro de riesgo alto que los Operadores utilicen suministradores de hardware y software que tengan su sede en un país que no ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Debiendo comprenderse su “sede” como el núcleo principal del suministrador de hardware y software, o la sede principal de su organización empresarial, debiendo recordarse que el artículo 3 en su inciso o) comprende como suministradores a los fabricantes de equipos de telecomunicaciones o de transmisión, así como a otros proveedores externos. Por lo tanto es un deber jurídico de los Operadores sujetos al ámbito de aplicación del “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, que promuevan procedimientos de contratación pública que comprenda dentro de su objeto el equipamiento para el uso y explotación del espectro radioeléctrico que ha sido habilitado mediante título de concesión, verificar que su cadena de suministro (fabricantes/proveedores) cumpla con las disposiciones para la mitigación y gestión de riesgos para garantizar una operación y explotación segura de las redes de telecomunicaciones móviles y sus servicios, lo cual implica que sus suministradores tengan su sede en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). En este sentido debe valorarse por este Órgano Colegiado que el accionante no cuenta actualmente con título habilitante de concesión para la prestación de servicios de telecomunicaciones, la operación de redes o la prestación de servicios bajo tecnología de quinta generación o superior 5G, por lo cual no está comprendido dentro del ámbito de aplicación de la normativa reglamentaria; además dado que es un comerciante costarricense no estaría cubierto por dicho parámetro de riesgo, lo cual evidencia la improcedencia de cualquier discrminación (sic) alegada en este particular. Es legítima por cuanto procura garantizar la seguridad nacional y el orden público. Al respecto, el Convenio de Europa sobre Ciberdelincuencia ha sido catalogado por el Consejo de Europa como la norma internacional más completa en esta materia, toda vez que intensifica la cooperación entre países, la evidencia electrónica y la prevención de la ciberdelincuencia. Dicho Convenio surge además en un contexto de necesidad de prevenir los actos dirigidos contra la confidencialidad, la integridad y la disponibilidad de los sistemas informáticos, redes y datos informáticos, estableciendo obligaciones para los países signatarios como lo es el caso de Costa Rica, quien debe adoptar su normativa en apego a la tutela de la máxima jurídica de la dignidad humana. De esta forma el Convenio de Budapest promueve a través de un marco legal para la cooperación internacional cuyo fin es la protección de la persona humana y sus derechos en el ciberespacio. Este Convenio surge en un contexto de necesidad y de instauración para prevenir los actos dirigidos contra la confidencialidad, la integridad y la disponibilidad de los sistemas informáticos, redes y datos informáticos, así como el abuso de dichos sistemas, redes y datos, estableciendo obligaciones para los países signatarios como lo es el caso de Costa Rica quien debe adoptar su normativa en apego a la tutela de la máxima jurídica de la dignidad humana. Ahora bien, es importante precisar que el Decreto en cuestión en relación con la adopción del Convenio de Budapest, definió entre sus parámetros aquellos de menor afectación. Al respecto puede observarse que dentro de las medidas el Reglamento requiere la simple “manifestación de obligarse al cumplimiento del Convenio”, véase que de la literalidad de dicha disposición no se exige la calidad de país signatario per se. El Convenio además se comporta como un instrumento con ventajas adicionales en materia de ciberseguridad a favor de las personas y en esa línea pueden extraerse las siguientes: • El Convenio proporciona un marco legal para la cooperación internacional en materia de ciberdelito y evidencia digital. • Los Estados Parte podrán ser miembros del Comité del Convenio sobre la Ciberdelincuencia que actualmente es el organismo intergubernamental más relevante que se ocupa del ciberdelito. • Los Estados Parte comparten información y experiencias, evalúan la implementación del Convenio o lo interpretan a través de Notas de Orientación. • El Comité del Convenio sobre la Ciberdelincuencia también puede preparar Protocolos adicionales a este tratado. Por lo tanto, incluso si un Estado no participó en la negociación del tratado original, un nuevo Estado Parte podrá participar en la negociación de futuros instrumentos y la futura evolución del Convenio de Budapest. • Los Estados Parte del Convenio se comprometen entre sí para una cooperación confiable y eficiente. • Los Estados Parte que soliciten la adhesión o que se hayan adherido pueden convertirse en países prioritarios para los programas de creación de capacidad. Dicha asistencia técnica es para facilitar la plena aplicación del Convenio y mejorar la capacidad de cooperación internacional. Es así como el Reglamento en estudio introduce elementos objetivos diferenciadores totalmente permisible conforme al derecho local y el internacional comunitario, que no deben ser calificados como discriminatorios, en tanto responden a la necesidad de garantizar un ambiente de respeto del régimen de los derechos humanos de los usuarios finales de telecomunicaciones, lo cual sólo podría ocurrir entre países que hayan manifestado su intención de adherirse al Convenio de Budapest, en aras de no tolerar actos que atenten contra la ciberseguridad y la dignidad humana. F) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este reglamento utilizan suministradores de hardware y software que no cumplen con los estándares de ciberseguridad dispuestos en el artículo 6 de este Reglamento. - EJERCICIO DE RAZONABILIDAD TÉCNICA Los estándares son necesarios porque brindan una guía y buenas prácticas que se deben aplicar o implementar en las plataformas tecnológicas para minimizar los riesgos de seguridad que puedan presentarse. De lo contrario, la falta de cumplimiento de los estándares puede ocasionar o llevar a deficiencias en la protección de la confidencialidad, integridad y disponibilidad de la información, que son los pilares de la ciberseguridad. Se debe tomar en cuenta que los estándares de ciberseguridad, como cualquier otro estándar, es un proceso detallado que involucra múltiples etapas y la participación de expertos del área de varios países y organizaciones con el fin de brindar una guía de buenas prácticas, políticas y procedimientos para disminuir los riesgos de seguridad en plataformas tecnológicas y combatir las amenazas crecientes en el ciberespacio. La idoneidad reside en que los estándares abordan las principales amenazas y riesgos en la prestación de servicios tecnológicos para la mitigación de los mismos y una mejor gestión de los riesgos de seguridad ante las amenazas cibernéticas que puedan comprometer las infraestructuras tecnológicas y con ello afectar los servicios esenciales y críticos del país, la información de los habitantes y la continuidad de los servicios tecnológicos. Dichos estándares abordan todo un ciclo de la ciberseguridad en sus diferentes etapas tanto en la detección, protección, identificación, respuesta y recuperación de los servicios tecnológicos, y con ello se garantiza existan los controles de seguridad para minimizar los riesgos existentes en el ciberespacio. Estas medidas son fundamentales ya que aplican el debido cuidado y la debida diligencia cuando se brindan servicios críticos. En cuanto a la proporcionalidad en sentido estricto se indica que la gravedad y frecuencia de los ataques cibernéticos justifican la necesidad de adherirse a los estándares de ciberseguridad, por lo que la decisión de considerar alto riesgo a los proveedores que no cumplan con los estándares es proporcional a los riesgos potenciales de seguridad que estos proveedores puedan presentar como brechas de datos, ataques de malware y otras amenazas que se hubieran evitado o minimizado cumpliendo los estándares de ciberseguridad. Ya el país ha sufrido dichos ataques que con solo haber aplicado dichos estándares, el impacto que se hubiera tenido tanto en pérdida de información, continuidad de los servicios, filtración de información sensible, no disponibilidad de los servicios, daños y pérdidas económicas, se hubieran minimizado en gran medida. Es por esta razón que diferentes organizaciones empresas y demás, implementen este tipo de estándares, para minimizar estos riesgos y cumplir con normativas internacionales es adecuado y proporcional al beneficio que puede obtener. Asimismo, en cuanto a la legitimidad de la previsión de este riesgo, Implementar estos estándares es una práctica legítima y ampliamente aceptada en la comunidad global. Estos estándares son el resultado de un amplio consenso entre expertos de seguridad, la industria y diferentes organizaciones expertas en el área, para reflejar las mejores prácticas actuales en el campo. Desde el punto de vista técnico los estándares ofrecen guías para fortalecer sistemas y redes. Estos incluyen aspectos como el cifrado, autenticación, gestión de parches, respuesta a incidentes, continuidad del servicio, entre otros. La no conformidad con estos estándares significa que los productos y servicios podrían carecer de medidas de seguridad fundamentales, exponiendo a los usuarios a riesgos significativos y al país a riesgos de seguridad nacional. - EJERCICIO DE RAZONABILIDAD JURÍDICA En relación con el parámetro de análisis, debido a su naturaleza meramente técnica y dado que el presente informe refiere en otros apartados vastamente a la necesidad, idoneidad, proporcionalidad y legitimidad de los estándares requeridos por el artículo 6 del “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, de modo que se reiteran los extremos ya documentados. Particularmente, en lo que respecta a la cadena de suministro se remite a lo ya desarrollado en el apartado del ejercicio de razonabilidad jurídica para el inciso e). L. SOBRE LA PONDERACIÓN DEL INTERÉS GENERAL QUE REVISTE LA SEGURIDAD NACIONAL, LA GARANTÍA DE LOS DERECHOS A LA INTIMIDAD, LA PRIVACIDAD Y LA AUTODETERMINACIÓN INFORMATIVA DE LOS USUARIOS FINALES, SOBRE EL INTERÉS PARTICULAR DE LA EMPRESA ACCIONANTE EN RELACIÓN CON EL DESARROLLO E IMPLEMENTACIÓN DE LAS REDES Y LA PRESTACIÓN DE SERVICIOS BAJO LA TECNOLOGÍA DE QUINTA GENERACIÓN 5G5G Y SUPERIORES. Resulta conveniente iniciar esta sección desde la perspectiva pública en donde hay un elemento que se considera debe analizarse a la luz del Modelo del Estado Social de Derecho y la Constitución Económica contenidos en nuestra Norma Fundamental, como lo es el referente a la obligatoriedad de proteger los derechos humanos y fundamentales derivados del artículo 24 constitucional ampliamente referido en secciones anteriores, puesto que resulta además de interés general. De esta forma nuestro Estado Social de Derecho es el resultado de un Estado que establece garantías sociales y derechos individuales, que mantiene rasgos paternalistas, pero que procura una intervención mínima. En ese sentido la Sala Constitucional, en el Voto N° 311-1997 emitido en fecha 15 de enero de 1997, indicó lo siguiente: (…) La Constitución vigente, en su artículo 50, consagra un criterio importante en esta materia, dando fundamento constitucional a un cierto grado de intervención del Estado en la economía, en el tanto no resulte incompatible con el espíritu y condiciones del modelo de "economía social de mercado" establecido constitucionalmente, es decir, se postula en esa norma, y en su contexto constitucional, la libertad económica pero con un cierto grado, razonable, proporcionado y no discriminatorio de intervención estatal, permitiéndose al Estado, dentro de tales límites, organizar y estimular la producción, así como asegurar un "adecuado" reparto de la riqueza. Esta Sala en su sentencia #1441-92, de las 15:45 horas del 2 de junio de 1992, dispuso: ‘El principio general básico de la Constitución Política está plasmado en el artículo 50, al disponer que "el Estado procurará el mayor bienestar a todos los habitantes del país, organizando y estimulando la producción y el más adecuado reparto de la riqueza" lo que unido a la declaración de adhesión del Estado costarricense al principio cristiano de justicia social, incluido en el artículo 74 ibídem, determina la esencia misma del sistema político y social que hemos escogido para nuestro país y que lo definen como un Estado Social de Derecho’ (El resaltado es propio)” Por ello, como garantía social dentro de este Estado Social de Derecho Costarricense la libertad de empresa se advierte como uno de esos derechos fundamentales que han de ser protegidos no sólo en la normativa legal que se emita por el Legislador ordinario, sino tan también por parte de todas las instituciones del Estado en el desarrollo de su función administrativa a tenor de lo dispuesto en el artículo 46 de nuestra Constitución Política. En ese sentido, Sala Constitucional, en el citado Voto N° 311-1997, indicó: “(…) La Libertad de Empresa: Esta libertad contenida en el artículo 46 en relación con el 28, ambos de la Constitución Política, garantiza a toda persona el derecho a emprender cualquier actividad económica, siempre y cuando ésta no atente contra el orden público, las buenas costumbres o perjudique a terceros. En la medida que la Carta Política consagra esta libertad como derecho constitucional, ello significa que se quiere evitar una política intervencionista por parte del Estado que termine por suprimir aquel derecho. Ello no quiere decir que el Estado no esté facultado para controlar aquella actividad, preservando lógicamente un ámbito suficiente de libertad comercial entre los particulares o de estos con el Estado. En una democracia como la costarricense, en la que se adoptó una economía de mercado, el Estado debe hacer uso de una buena planificación, para inducir a que determinados individuos desarrollen una actividad económica que considere beneficiosa y conveniente para el desarrollo del país. (…)” (El resaltado es propio) Ello es esencial en concordancia con la Constitución Económica, reconocida por esta respetable Sala Constitucional en reiterados pronunciamientos, como el conjunto de valores, principios y preceptos que regulan la economía y el mercado. En ese orden de ideas mediante la Resolución N° 3495-92 del 19 de noviembre de 1992, dicho órgano jurisdiccional dispuso: “En esta materia –la económica– la Constitución es particularmente precisa, al establecer un régimen integrado por las normas que resguardan los vínculos existentes entre las personas y las distintas clases de bienes... Así, la Constitución establece un orden económico de libertad que se traduce básicamente en los derechos de propiedad privada (Artículo 45) y libertad de comercio, agricultura e industria (Artículo 46) –que suponen a su vez, el de libre contratación–... y a ellos se suman otros, como la libertad de trabajo y demás que completan el marco general de la libertad económica (VI, Ibidem).” Es decir, el modelo costarricense propicia la protección de la libertad y particularmente mediante la Constitución Económica la libertad de empresa y la libre concurrencia en el mercado con una intervención estatal mínima, considerando además las disposiciones del artículo 46 de la Constitución Política, que reconoce un principio fundamental de nuestro sistema económico, como es la libertad de comercio y, particularmente, el aseguramiento de la libre competencia como elemento del sistema social de mercado. La Procuraduría General de la República en relación con la libertad de empresa señaló en su opinión jurídica N° OJ-026-2002 de fecha 15 marzo de 2002 lo siguiente: “(...) La Libertad de Empresa: Esta libertad contenida en el artículo 46 en relación con el 28, ambos de la Constitución Política, garantiza a toda persona el derecho a emprender cualquier actividad económica, siempre y cuando ésta no atente contra el orden público, las buenas costumbres o perjudique a terceros. En la medida que la Carta Política consagra esta libertad como derecho constitucional, ello significa que se quiere evitar una política intervencionista por parte del Estado que termine por suprimir aquel derecho. Ello no quiere decir que el Estado no esté facultado para controlar aquella actividad, preservando lógicamente un ámbito suficiente de libertad comercial entre los particulares o de estos con el Estado. En una democracia como la costarricense, en la que se adoptó una economía de mercado, el Estado debe hacer uso de una buena planificación, para inducir a que determinados individuos desarrollen una actividad económica que considere beneficiosa y conveniente para el desarrollo del país. Sin embargo, una orientación creciente en la política económica del Estado, ha ido produciendo paulatinamente limitaciones a la libertad de comercio, justificadas en el interés social de evitar ciertos peligros en detrimento de la misma sociedad” (...)” No obstante lo anterior, la Sala Constitucional y a su vez la Procuraduría General de la República han resaltado que la libertad de comercio posee el carácter de libertad relativa y no absoluta, por cuanto no es posible su ejercicio irrestricto cuando se trata de un bien finito, sujeto a los límites constitucionales. Al respecto puede verse el Dictamen C-149-2001 del 24 de mayo de 2001, en donde la Procuraduría indicó: “(...) situación que regula la Ley N. 2726, particularmente en orden a la protección al productor nacional, agrega la Sala: "(...) el Estado interviene regulando uno de los elementos de esa actividad, por estricto interés público de protección al sector productivo (...) que de lo contrario se vería afectado, generándose también un perjuicio para todo el sistema económico. En virtud de lo anterior, la Sala entiende que en cuanto a la autorización que la ley otorga al Poder Ejecutivo para que fije el precio mínimo del banano, se está en uno de los casos de excepción del artículo 28, párrafo segundo, de la Constitución, toda vez que con esa medida se pretende la protección efectiva de la libertad de empresa y el cumplimiento de las obligaciones que corresponden al Estado en la distribución equitativa de los beneficios que produce la explotación de esa actividad, conforme con la protección del interés público existente en el mantenimiento y mejoramiento del sistema productivo y de la economía nacional. (Ibid.). Si la libertad de comercio fuera una libertad absoluta, habría que concluir en sentido contrario a lo expuesto por la Sala, sea que dicha fijación es una negación del principio de libre competencia como mecanismo adecuado para la asignación de recursos escasos en la sociedad. Empero, precisamente porque es una libertad relativa, porque su contenido se delimita por el resto del ordenamiento constitucional, se sigue que esas limitaciones son constitucionalmente válidas”. Siendo así, el artículo 15 de la Ley No. 2762, que prohibe a los beneficiadores recibir café de quienes no sean productores, no es más que otra de las medidas necesarias del Estado para brindar protección y resguardo a un sector que así lo requiere: el productor nacional. Y con ello no sólo se establece una medida que resulta necesaria para la parte débil de la actividad cafetalera, sino que se garantiza un beneficio para la economía en su conjunto en tanto se mantiene una actividad que tradicionalmente ha constituido una importante fuente de trabajo y remuneración para la población nacional. Se trata, simplemente, de una concreción más del Estado Social de Derecho en su función de procurar el mayor bienestar de sus habitantes”. En forma análoga al antecedente antes transcrito, se aprecia el límite de la libertad de comercio frente al uso y explotación del espectro radioeléctrico, y la correlativa obligación del Poder Ejecutivo de garantizar el resguardo en las redes 5G y superiores de los derechos fundamentales a la intimidad, la privacidad y el secreto de las comunicaciones, y el derecho de autodeterminación informativa en los cuales se sustentan en la dignidad de la persona y la autodeterminación consciente y responsable de la propia vida, lo cual conlleva la necesidad de garantizar el libre ejercicio de estos derechos humanos y derechos fundamentales con el ejercicio de la libertad de empresa. De esta manera, las medidas adoptadas por el Poder Ejecutivo se orientan precisamente a regular el ejercicio de la libertad de empresa en un bien finito demanial como lo es el espectro radioeléctrico frente al eslabón más débil de la cadena del servicio de telecomunicaciones, es decir, el usuario final, quien a fin de cuentas aprovechará el servicio y ante un riesgo inminente es (sic) puede ver menoscabado del régimen de los derechos fundamentales ya citados y que son garantizados por el régimen jurídico de las telecomunicaciones, a través no solo del reconocimiento de dichos derechos sino de la delegación para el Poder Ejecutivo de establecer reglamentariamente las medidas técnicas y administrativas idóneas para asegurar su resguardo y libre ejercicio. Esta posición a su vez la dimensiona la Procuraduría General de la República, en el Dictamen C-151-2011 del 05 de julio de 2011, en los siguientes términos: “ (...) la consagración constitucional del espectro como demanio público determina que la explotación del bien no sea libre. Los particulares no pueden fundarse en la libertad de empresa o la autonomía de la voluntad para pretender explotar tales bienes (Sala Constitucional, 3067-95 de las 15:42 hrs. de 13 de junio de 1995 y cinco. y 6053-2002 de 14:38 hrs. de 19 de junio del 2002). Como es sabido, dicha explotación privada requiere de un acto de naturaleza pública que la funde y la permita. La consecuencia inmediata del artículo 121, inciso 14, de la Constitución reside en que no está permitido un uso privativo de este bien y, por ende, el particular no puede obtener una utilidad privada en ausencia de una habilitación legal. La cual deriva de una concesión especial otorgada por la Asamblea Legislativa o de un acto administrativo emitido de acuerdo con la ley que establezca las condiciones y estipulaciones correspondientes. El Texto Constitucional no ha sufrido variación alguna, por lo que continúa siendo inválida la explotación privada de este bien sin una concesión que la funde, como estableció la Sala Constitucional en su resolución N. 5386-93 de 16:00 hrs. de 26 de octubre de 1993. Lo anterior por cuanto: "... es la propia norma constitucional la que califica de bienes de la Nación el espectro electromagnético, afectándolo a ciertos servicios públicos -que corresponden específicamente al Instituto Costarricense de Electricidad y a la empresa RACSA- pero no autoriza a un uso público de éste, por lo cual se trata de un bien que no puede salir bajo ninguna circunstancia del dominio del control del Estado, razón por la que tales servicios inalámbricos únicamente pueden ser explotados por particulares en los términos previstos por la Constitución, ya que están en juego bienes propios de la Nación. En este sentido, puede afirmarse que existe una propiedad pública o demanial sobre el uso y explotación de este bien, que se afirma por la necesidad de una explotación pública de la utilidad que puede comportar el bien para la sociedad, en tanto que se trata de una riqueza colectiva. Así, tanto el bien -ondas electromagnéticas, como su uso y explotación están fuera del comercio de los hombres, por lo que no es cualquier persona la que puede explotarlos fundamentándose en su voluntad y libertad de comercio, como pretende el accionante, por lo cual no existe infracción alguna a los artículos 28 y 46 de la Constitución Política. ..", Sala Constitucional, N. 3067-95 de las 15:42 hrs. del 13 de junio de 1995. “Los servicios inalámbricos no constituyen un bien que el particular tenga el derecho innato a usarlo o que ejerza sobre el mismo algún tipo de derechos o que el Estado tenga la obligación que ponerlo a disposición del particular, lo que ocurrse es que si el Estado a bien lo tiene y estima que puede disponer de ese bien para que sea explotado por el particular o bien por la misma Administración lo realice mediante la correspondiente concesión administrativa o legislativa otorgada en forma temporal, según el caso, en virtud que las ondas etéreas forman parte del espectro el cual es un bien demanial perteneciente a la Nación". Sala Constitucional, resolución 6053-2002 de 14:38 hrs. de 19 de junio de 2002”. (...)” En este sentido, la Sala Constitucional ya se ha enfrentado a la necesidad realizar esa ponderación de intereses, así, por ejemplo en la Resolución Nº 07044-1996 de las 10 horas 09 minutos de fecha 24 de diciembre del 1996, contempló que cuando se trata del órden (sic) público y la seguridad nacional, debe el Poder Ejecutivo tener especial sensibilidad para optar por lo que sea más beneficioso para la colectividad, así se extrae que: V.- Por otra parte, al confrontar las normas cuestionadas con la noción de orden público que habilita al legislador para restringir, entre otras, la libertad de comercio, supuestamente amenazada por la creación del monopolio de combustibles, la Sala hace suyos los razonamientos expuestos tanto por la Procuraduría como por el Representante de RECOPE, en cuanto hace notar la enorme importancia que los derivados del petróleo tienen en el desenvolvimiento de la vida del país, no sólo (sic) en sus aspectos económicos en donde son prácticamente parte fundamental e indispensable para el desarrollo de las actividades productivas, sino en lo relacionado con la seguridad pública, que implica el manejo y control de un recurso peligroso para la salud y la vida de los ciudadanos, amén de que por neurálgico y valioso, resulta blanco idóneo para lograr -mediante su manejo y control malintencionados- la postración del país en beneficio de cualquier tipo de intereses. Así pues, no es siquiera necesario profundizar mayormente en el concepto de orden público para concluir que éste se haya indudablemente involucrado en la importación, refinación y distribución al por mayor de derivados del petróleo; basta únicamente imaginarse lo que ocurriría si se presentaran problemas -provocados o no- en alguna de las facetas monopolizadas y percatarse de lo desastroso que ello resultaría para el país. Por lo dicho, concluye la Sala que no existe transgresión al límite constitucional establecido al legislador mediante el concepto de orden público, porque es indiscutible que los combustibles derivados del petróleo -en tanto que bienes económicos- tienen una particular característica, cual es la de ser recurso escaso y vital según se explicó, por lo cual resultan de orden público y deben ser controlados estrictamente por el Estado, y en algún caso, ser objeto de monopolio, si se considera necesario y oportuno para el país” Debido a todo lo anterior, es posible afirmar que el contenido esencial de la libertad de empresa corresponde a garantizar el derecho de toda persona a emprender cualquier actividad económica, siempre que ésta no atente contra el orden público. Este Ministerio estima de mérito acudir ante esta honorable Sala Constitucional, para que se valore la línea argumentativa aquí resaltada, en la medida que la empresa [Nombre 002]. dentro de sus pretensiones impugna el contenido del “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, a efecto de que se eliminen disposiciones que a su criterio resultan discriminatorias y lesionan en forma injustificada su participación en diferentes concursos. En concreto, consta en autos del expediente del recurso de amparo, que la empresa recurrente requirió: “(...) suspender la publicación de cualquier pliego de condiciones o en caso de que ya esté publicado, la suspensión de cualquier proceso licitatorio por parte del ICE en que deba aplicarse el Reglamento (...)”. Particularmente el presente Ministerio aprecia que en el marco de los expedientes conexos, la empresa accionante intenta dilucidar la existencia de graves daños y perjuicios contra su patrimonio de continuar con cualquier procedimiento de contratación, ya que las pérdidas a su empresa guardan estrecha relación con el negocio que actualmente sostiene con el Instituto Costarricense de Electricidad, para lo cual de sus propias manifestaciones: “el ICE representa el 60% del negocio de Huawei en Costa Rica, si Huawei se ve impedido de participar en el concurso, se estarían afectando de forma directa a cerca de 80 empleados en Costa Rica, además de las pérdidas financieras para la empresa”. Llama poderosamente la atención el presente argumento, toda vez que en materia de contratación administrativa los potenciales oferentes pueden participar en un esquema de igualdad de condiciones, y una vez demostrada su idoneidad, es que pueden resultar beneficiados de una adjudicación. Tal y como ha sido desarrollado en este informe, el principio de igualdad que deriva del régimen de protección de los Derechos Humanos no admite formas discriminatorias, solo elementos diferenciadores cuya distinción radica en la existencia de una justificación objetiva. Esta misma interpretación jurídica aplica al principio de igualdad y libre concurrencia en materia de contratación administrativa, donde el principio posee dos vertientes. Debe garantizarse la más amplia participación en igualdad de condiciones, en ausencia de restricciones injustificadas. A contrario sensu, también pueden participar oferentes bajo una serie de restricciones que hayan sido debidamente motivadas, ergo, justificadas, cuando el objeto de la contratación así lo requiera por la especialidad técnica que le caracteriza. “(...) si bien es claro que la Administración es quien mejor conoce la necesidad que pretende satisfacer mediante la promoción de un concurso público, y por ello es a ésta a quien le corresponde definirla en forma discrecional, evidentemente en el ejercicio de dicha discrecionalidad, la Administración debe respetar las reglas unívocas de la ciencia y la técnica, así como los principios elementales de la justicia, la lógica y la conveniencia, en aplicación de lo dispuesto por el artículo 16 de la Ley General de la Administración Pública, y el principio de eficiencia, en el sentido de que el procedimiento tienda a la selección de la oferta más conveniente al interés público. De forma tal que la estructuración de la necesidad pública a satisfacer mediante la realización del concurso debe responder a un análisis razonado y sustentado desde el punto de vista técnico y jurídico que permita respaldar adecuadamente las características, funcionalidades y requerimientos técnicos que deben satisfacer las adquisiciones que pretenda realizar. No debe perderse de vista que incluso resulta posible que la definición de requerimientos técnicos pueda entrañar, una limitación a la libre participación en la medida en que ello se encuentre adecuadamente fundamentado” (El resaltado es propio) De allí que, las limitaciones a la participación son totalmente legítimas siempre y cuando se ajusten a los principios de convencionalidad, razonabilidad, proporcionalidad, bloque de legalidad, y a las reglas de la ciencia y de la técnica y la lógica jurídica, parámetros que según se ha demostrado, fueron observados a la hora de emitir dicho Reglamento y que en consecuencia deben observarse por cualquier Administración contratante a la hora de licitar mediante fondos públicos. Por lo anterior, cualquier empresa con interés en licitar, lo que posee es una expectativa de derecho, por lo que no se puede pretender que la Administración adecúe sus actuaciones y pliegos a sus intereses. De tal manera, no es posible entender que las condiciones de negocio actuales de Huawei le confieran la suerte de derecho preconstituido como lo quiere hacer ver la accionante, que pareciera llevar a la convicción de que su giro de negocio debe mantenerse en forma perpetua en tales condiciones para garantizar la sostenibilidad financiera de la empresa. Incluso véase que si el 60% es dedicado a operaciones de esta naturaleza, posee otra alternativa de un 40% como posibilidad de ingreso a explotar. Es en virtud de lo anterior y de los intereses en juego que aquí se ha vertido extensamente, que el Poder Ejecutivo tiene las potestades legales y constitucionales de regular las condiciones y obligaciones para la asignación del espectro en el país en cuanto a su uso y explotación posterior, por lo que su conducta administrativa de dmoraestablecer medidas objetivas de carácter técnico y administrativo, se encuentra amparada a un interés público superior de mantener el orden en materia de telecomunicaciones, el resguardo de la seguridad nacional, y la efectiva tutela de los derechos a la intimidad, la privacidad y la autodeterminación informativa de los usuarios finales de los servicios de telecomunicaciones. En consecuencia, se solicita respetuosamente a la Sala ponderar este interés particular y sin la existencia de daños y perjuicios graves, con los intereses públicos que protege el Poder Ejecutivo mediante el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT. En este sentido debe valorarse por este Órgano Colegiado la información de seguridad nacional que es aportada a los efectos de ponderar realmente los intereses nacionales que están en riesgo. M. SOBRE OTRAS CONSIDERACIONES OFICIOSAS EN CUANTO A LAS ARGUMENTACIONES E INSUMOS APORTADOS POR [Nombre 002]. a. La empresa accionante no cuenta con título habilitante para la operación de redes y prestación de servicios de telecomunicaciones en tecnología 5G y superiores conforme a la normativa sectorial costarricense. Sobre el particular se debe contextualizar que de conformidad con el artículo 1 de la Ley N°8642, están sometidas a la normativa sectorial, las personas, físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones que se originen, terminen o transiten por el territorio nacional. En concreto dispone: “ARTÍCULO 1.- Objeto y ámbito de aplicación El objeto de esta Ley es establecer el ámbito y los mecanismos de regulación de las telecomunicaciones, que comprende el uso y la explotación de las redes y la prestación de los servicios de telecomunicaciones. Están sometidas a la presente Ley y a la jurisdicción costarricense, las personas, físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones que se originen, terminen o transiten por el territorio nacional.” En ese sentido, el Reglamento en referencia surge como parte de las potestades reglamentarias del Poder Ejecutivo para regular la actividad que requiere precisamente del uso o explotación del espectro radioeléctrico y que solo puede ser realizada por aquellos operadores que al efecto cuente con un título habilitante. En ese sentido, las disposiciones reglamentarias que aquí se discuten refieren a obligaciones de los Operadores y Proveedores sujetos a la regulación, en cuanto a la gestión y mitigación de sus riesgos atendiendo a los escenarios definidos para la operación de las redes y la prestación de sus servicios. Como bien se ha indicado, es el operador quien tiene la obligación de velar por que su cadena de suministro se ajuste al cumplimiento de los parámetros y estándares establecidos para estos propósitos. Para efectos informativos, se aclara que la empresa [Nombre 002]. actualmente no posee título habilitante registrado y vigente ante el Registro Nacional de Telecomunicaciones, para lo cual se aporta la certificación registral N° 178-SUTEL-2023 para los efectos declarativos que corresponda. Por lo anterior, deberá tomar en cuenta la Sala Constitucional, que dicha empresa no se encontraría sujeta por el ámbito de aplicación establecido en el artículo 2 del “Reglamento Sobre Medidas de Ciberseguridad Aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores”, Decreto Ejecutivo N.º 44196-MSP-MICITT. Nótese en este sentido que en su artículo 2 el Decreto Ejecutivo N.º 44196-MSPMICITT dispone que “Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones.”; es por ello que se adolece de legitimación activa, al pretender una afectación normativa que no le alcanza. b. Sobre el estudio denominado “Evaluación del impacto económico de la exclusión de proveedores en las inversiones de la red 5G en Costa Rica” emitido por el Centro Internacional de Política Económica para el Desarrollo Sostenible-UNA (CINPE) en octubre de 2023. Se conoce en autos de los expedientes N°23-023887-0007-CO (Recurso de amparo) y N°23-025158-0007-CO (Acción de inconstitucionalidad) el estudio aportado como prueba por la empresa Huawei titulado “Evaluación del Impacto Económico de la Exclusión de Proveedores de la Red 5G”, elaborado por el Centro Internacional de Política Económica para el Desarrollo Sostenible (CINPE) de la Universidad Nacional. En este sentido, se emiten las siguientes observaciones con finalidad de que sean consideradas por los señores Magistrados a efectos de mejor proveer, de la siguiente forma: i. Aspectos generales del estudio •El estudio fue elaborado por cinco profesionales en la rama de la economía, todos con maestría en esta ciencia social. En este sentido, no se observa quién o qué organismo o entidad de índole técnica de ingeniería asesoró en el desarrollo de los escenarios técnicos empleados como base del estudio de marras. •El CINPE indica que: “La investigación fue solicitada por la empresa [Nombre 002]. ante la inminente exclusión de esa empresa para proveer el servicio de 5G en Costa Rica; sin embargo, es fundamental enfatizar que los investigadores trabajamos con total independencia y sin presión de ningún tipo.” A pesar de lo señalado por los investigadores, en relación con la imparcialidad, transparencia y objetividad del estudio realizado argumentado por los autores, no se observa que el estudio haya sido validado por expertos externos al CINPE, que pueda abonar a la visión de independencia de criterio señalado, así como tampoco se observa el origen de la información que se empleó en el desarrollo de los escenarios técnicos de ingeniería que se utilizaron como origen de análisis del estudio. La ausencia de elementos como los señalados anteriormente, desde el punto de vista de metodología, no permite descartar ad portas la posibilidad de cualquier conflicto de intereses del auspiciante en relación con el resultado del estudio bajo análisis. •El nombre y números de las tablas descritas en el índice de tablas del estudio, no coinciden con la información consignada en el estudio. • Rigurosidad técnica de una evaluación de impacto: a lo largo del documento se utiliza el término impacto en múltiples ocasiones, incluso en capítulos de naturaleza descriptiva. Sin embargo, en el cuerpo del documento no se hace mención sobre la conceptualización de impacto que se está utilizando como base en el estudio, ni tampoco a cuáles metodologías de evaluación responden. •Es importante recalcar que por lo descrito en el documento, pareciera que la intención de la investigación responde a una evaluación de impacto ex ante, sin embargo esto tampoco se explica en el cuerpo del documento, lo cual se considera importante porque ex ante se nutre de otras evaluaciones, especialmente aquellas que aborden temas o áreas similares y que ya hubiesen culminado o realizado la evaluación final y se les dio continuidad (Gertler et al., 2016; OECD, 2001; Solano & Alonso, 2020). •En esta misma línea de pensamiento, se resalta que a pesar de que el estudio se presenta como una evaluación de impacto, el desarrollo del documento pareciera responder más a un análisis de proyecciones, especialmente en tanto las evaluaciones de impacto son instrumentos de largo plazo, pues se requiere de una recolección de resultados lo suficientemente significativa para precisamente poder determinar la existencia de un impacto o no en términos científicamente estrictos (Gertler et al., 2016; OECD, 2001; Baker, 2000; Asian Development Bank, 2006). • La mayoría de las tablas que se presentan en el informe, no indican sus fuentes, sino que mencionan que son “datos promedio de la industria”, “elaboración propia” o simplemente no indican. Dado lo anterior, esta Rectoría procedió a solicitar información sobre las fuentes de información utilizadas, mediante oficio MICITT-DVT-OF-841-2023 de fecha 1° de noviembre del 2023. En ese orden de ideas, el CINPE, mediante oficio UNA-CINPE-OFIC-3442023 de fecha 6 noviembre de 2023, remitió los resultados del estudio supra citado; no obstante, omitió remitir las fuentes de información solicitadas. Dado lo anterior, MICITT reiteró la solicitud planteada, esta vez mediante oficio MICITT-DVT-OF-850-2023 de fecha 17 de noviembre del 2023. Posteriormente, el CINPE, mediante oficio UNA-CINPE-OFIC-358-2023 de fecha 22 de noviembre de 2023, remitió parcialmente la información solicitada. Resulta importante aclarar que, si bien el CINPE envió cuatro fuentes de información y enlaces web para solventar la solicitud de MICITT en el oficio MICITT-DVT-OF-850-2023, no fue posible corroborar los datos del estudio del CINPE con estas fuentes, ya que no se detalló el procedimiento metodológico para la extracción de esos datos. • Existen al menos dos versiones del estudio del CINPE, el que consta en los expedientes N° 23-025158-0007-CO y 23-025158-0007-CO (sujetos a estudio por esta Rectoría) y el que está disponible en: https://www.cinpe.una.ac.cr/index.php/investigacion/nucleos-deinvestigacion/exclusio-n-de-proveedores-para-5g que según aclaración del CINPE, es el documento final y oficial; dicho de otra manera, pareciera ser que el documento que consta en los expedientes en mención y que es utilizado como prueba en el Recurso de Amparo y en la Acción de inconstitucional presentada por la empresa [Nombre 002] es considerado por el CINPE como una versión preliminar, y no la final y oficial. ii.- En relación con el Capítulo I sobre la evolución de las generaciones de teléfonos celulares y el impacto de la tecnología 5g en la economía costarricense El estudio inicia con un primer capítulo donde se aborda la evolución de la generación de teléfonos celulares y el impacto de la tecnología 5G en la economía costarricense. Este capítulo presenta una descripción del desarrollo de las telecomunicaciones a nivel general, no necesariamente solo a nivel costarricense. Sin embargo, lo que llama la atención es que las afirmaciones que se presentan en este capítulo, si bien pareciera ser una sección construida con base en información secundaria, no cuentan con referencias bibliográficas que sustenten dichas afirmaciones, esto según los principios de rigurosidad técnica y científica que se espera de una investigación de carácter académico. Asimismo, en esta sección se dan criterios y recomendaciones para las cuáles no se indica bajo cuál marco metodológico se fundamentan, lo que pareciera responder a juicios de valor y no a valoraciones que necesariamente cuenten con un respaldo evidente. Se hace una insistente mención a impactos generados por la implementación de políticas en el sector de telecomunicaciones (especialmente enfocadas a regulaciones de ciberseguridad), no obstante, tampoco se menciona: i) cuál es la definición de impacto que está utilizándose cómo base en el estudio, lo que a su vez incide directamente en el segundo elemento faltante que es ii) cuál es el marco metodológico que se utiliza para determinar la afirmación de los impactos que se mencionan en este capítulo. iii.- En relación con el apartado 2.1 costo financiero para los operadores de telefonía móvil Al respecto, el CINPE menciona que: “(…) el estimado de inversión tiene tres componentes, i) el gasto en capital de infraestructura que acá, Huawei al tener una base instalada por los proyectos de 2G, 3G y 4G tiene una ventaja comparativa sobre los competidores; ii) el gasto en capital de servicios que incluye el diseño, la instalación, configuración, integración y mantenimiento para la red 5G. Esto último es fundamental ya que las redes están conectadas entre ellas de modo que la llegada de un nuevo competidor implicaría inversiones adicionales por rupturas en las economías de escala que ha generado Huawei.” (El resaltado es propio) No obstante, como se puede observar, solo se presentan dos componentes; por lo tanto, no es posible conocer cuál es el tercer componente que afirma el CINPE. En este apartado además, se habla como si las torres y sitios donde se ha desplegado infraestructura celular pertenecen al proveedor HUAWEI o por lo menos eso da a entender, cuando en realidad los sitios donde se ha instalado infraestructura son de los operadores directamente, o las rentas de terceros. Por tal, indiferentemente del proveedor o de la tecnología, el operador tiene ya sus sitios o deberá buscar otros nuevos para los despliegues según sea las necesidades de cobertura y esto no tiene relación con los sitios que actualmente tiene instalados equipos de la marca Huawei para los tres (3) operadores móviles (celulares) en Costa Rica. También, en este mismo apartado del informe el CINPE menciona que “(...) en promedio Huawei ofrece un precio 3,47 veces menor que el resto de los distribuidores, llevando esto a un impacto importante en términos de planificación financiera para los operadores locales”. Cabe recalcar que, en términos metodológicos, basarse en la estimación de un promedio, no es necesariamente suficiente para afirmar la posibilidad de un impacto, sin que exista un respaldo metodológico. Asimismo, esto puede ser contrastado con lo presentado en el subapartado b de esta sección, donde se señala verbigracia que existen ofertas más bajas que la presentada por la empresa Huawei. Por otra parte, es importante mencionar desde la perspectiva ingenieril que, si bien es cierto que los equipos de cualquier suministrador de hardware y software que no cumpla con lo requerido en el decreto ejecutivo de referencia, como pueden ser componentes de las radiobases y del Core Network, en algunos casos, podrían resultar más baratos, con la aplicación del decreto no significa que se deben desechar, por tal, estos equipos pueden continuar operando como parte de la solución 4G o anterior hasta que naturalmente se degraden y requieren una sustitución del componente, el cual en su momento deberá considerar normalmente las cotizaciones del caso y la aplicación de las reglas del decreto. La decisión de cómo, cuándo y dónde se desplegará la red 5G y cómo se pueden aprovechar o no los recursos de generaciones previas depende de cada operador, del desarrollo previamente realizado a la fecha, de su modelo de negocios para 5G, de su estrategia comercial, de sus planes de desarrollo, de su topología de red 5G elegida, de las características de sus redes de generaciones previas, entre otros, por lo que solamente el operador podrá determinar lo que desea realizar con sus inversiones en soluciones 4G y anteriores. iv. En relación con el apartado 2.2 costo económico para el país de restringir proveedores en las inversiones de tecnología 5G En este apartado el CINPE menciona que: “(…) Esa estimación se realizó para el horizonte de 5 años y se calculó el valor presente utilizando una tasa de descuento de 11,57% que corresponde a la dictada por la Superintendencia de Telecomunicaciones” (El resaltado es propio). No obstante, en el apartado 3.2 Enfoque tarifario basado en “Cost-Plus análisis", se indica que “(…) Para el caso de la tasa de retorno para este ejercicio, se asume una tasa de rédito del 12,82% pre impuestos. Esta es la tasa de retorno de capital de la industria de telecomunicaciones indicada en el Expediente GCOTMA-00252-2021”. De igual forma, es insoslayable resaltar que la Superintendencia de Telecomunicaciones, mediante resolución de su Consejo directivo RCS-223-2022 “ACTUALIZACIÓN DE LA TASA DE RETORNO DE CAPITAL DE LA INDUSTRIA DE TELECOMUNICACIONES (CPPC)” expediente GCO-TMA-01367-2022, actualizó para el periodo 2020 las tasas citadas en el párrafo anterior, por lo que se establecieron de la siguiente forma: tasa post impuestos en 10,94% y la pre impuestos en 11,61%. Posteriormente, la Superintendencia de Telecomunicaciones actualizó nuevamente el CPPC para el periodo 2021 mediante resolución de su Consejo RCS-120-2023, estableciendo las tasas en 11,98% post impuestos y en 13,46% la pre-impuestos. Finalmente, para el periodo 2022 la Superintendencia mediante resolución RCS-2522023 actualizó las tasas en 13,91% post impuestos y en 15,26% pre impuestos. Lo anterior llama la atención dado que, aunque el estudio en análisis fue elaborado en el año 2023, se utilizaron datos del periodo 2019, estando disponibles datos recientes que se ajustan a la realidad nacional y al mercado de telecomunicaciones del país, máxime que según el CINPE “el modelo tarifario utilizado en el estudio corresponde al modelo de regulación por Tasa Interna de Retorno (TIR)”. Desde la perspectiva de ingeniería se aclara que, a pesar de los avances tecnológicos que presenta la empresa Huawei a hoy, quien realizó, evaluó y desplegó las primeras redes 5G a nivel mundial fueron las empresas Ericsson y Nokia en Europa. Aunado a lo anterior, es menester mencionar que firmas consultoras internacionales como lo es Gartner, anualmente publican sus hallazgos y análisis respecto al ecosistema 5G y el comportamiento de las compañías proveedoras de soluciones en este ámbito, y para el año 2023 se observa, tal como sucedió para años anteriores, un “liderazgo” compartido entre las empresas Ericsson, Nokia y Huawei, mismas que se catalogan como “Líderes” del 5G en dicho análisis de mercado. Sin embargo, también se observa que la empresa Ericsson con el paso del tiempo ha crecido en su “habilidad de ejecución”, liderando en este aspecto, entendiendo esa habilidad como la evaluación que realiza la empresa Gartner de los productos de los proveedores, servicios, su salud financiera, su respuesta hacia el mercado, y la experiencia de sus clientes en el ámbito de las redes 5G. (…) El estudio CINPE-UNA menciona además que, la tecnología 5G no sustituye “de forma abrupta” las tecnologías y redes anteriores, con lo cual técnicamente se coincide por parte de este Ministerio. No obstante, en el estudio se señala al respecto que al utilizar otro proveedor diferente a Huawei, hablando específicamente del caso del ICE, que tiene sus redes 2G, 3G y 4G con dicho proveedor, deberán prácticamente hacer un “arranque nuevo”, de acuerdo con lo señalado en el estudio en referencia, lo cual a criterio de los autores de dicho estudio implicaría desconocer o descartar las inversiones ya realizadas por el ICE al introducir eventualmente equipamiento de otros vendors distintos, lo cual no resulta preciso desde la perspectiva técnica de ingeniería. En primera instancia, es importante anotar técnicamente que el paso de redes 2G, a 3G, y posteriormente hacia 4G y su evolución 4.5G es precisamente eso, la evolución tecnológica de las redes móviles, las cuales basan su funcionamiento en estándares bien definidos para la industria y el sector de las telecomunicaciones. Históricamente la modernización de las tecnologías celulares, han venido desarrollándose con el único sentido de mejorar y aumentar sus cualidades; por tal, cada una de las generaciones efectivamente se creó para sustituir paulatinamente a las anteriores, lo cual es técnicamente normal y continuará de esta forma no solo con las tecnologías celulares sino con el resto de las tecnologías que el ser humano utiliza. Lo que sí está estipulado en las reglas dictadas por la Unión Internacional de Telecomunicaciones (UIT), y en los estándares de la 3GPP, es la compatibilidad multi vendor, de tal forma que no es necesario comprar la red de inicio a fin de una sola marca. Esto significa que es posible tener redes, ya sea de una misma generación o de distinta generación, conviviendo y operando de forma transparente hacia el usuario final. Para el caso particular de las redes 5G, es posible contar con una red en una arquitectura del tipo “Non Stand Alone” por su denominación en idioma inglés del hipotético proveedor de equipo “A”, pero que por su arquitectura de red deba hacer uso de la red de core existente de la red 4G, misma que puede ser del hipotético proveedor de equipo “B”. En este sentido, retomando lo señalado en el estudio, se observa desde la perspectiva técnica de ingeniería que, al existir una estandarización general en la operación de las distintas generaciones de redes móviles, y en lo particular de las distintas arquitecturas de red 5G, no es preciso señalar que implementar una red o distintas redes interconectadas de distinto vendor significa directa o necesariamente despliegues con un “arranque en cero”, o que resulte financieramente no rentable para un operador. En la siguiente figura se observa que la convivencia de redes de ambas generaciones (4G y 5G), y de diferentes vendors es técnicamente factible, incluso ante escenarios donde se cuenten con equipos core del tipo 5G directamente. (…) De esta forma, se observa que lo aseverado técnicamente, desde el punto de vista de ingeniería por parte de los economistas que formulan el estudio bajo análisis, no resulta preciso, y hace que el estudio, a partir de este punto no cuente con bases técnicas sólidas para llegar a conclusiones que puedan considerarse técnicamente válidas, dado que, como se indicó párrafos arriba, es posible técnicamente, hasta desde un punto de vista de rentabilidad de las inversiones, la coexistencia de redes de distinta generación y/o incluso provistas por distintos vendors o suministradores, sin que ello necesariamente represente una desventaja desde la óptica financiera de un operador, en este caso el ICE. Eventualmente se apagarán las redes de 2G, 3G y 4G por obsolescencia y desuso por una migración natural de los usuarios a las nuevas redes con mejores prestaciones, situación que se ha presentado ya en varios países del mundo, incluso llegándose a apagar en algunos países totalmente las redes del tipo 3G, al tiempo que otros operadores aún conservan, y fortalecen sus redes del tipo 2G para brindar conectividad a dispositivos del tipo IoT, lo cual hace que los operadores en vez de buscar sustituir redes, como sugiere el estudio en su línea de análisis, es posible para los operadores complementar la operación de distintas redes de telecomunicaciones, de distinta generación, para distintos casos de uso. Contrario sentido tendría la visión, como contrapeso a lo señalado por el estudio, el hecho de que se emplee un mismo vendor para el equipamiento de toda la red o de las redes de distinta generación bajo el argumento del tema de costos, siendo que más bien, desde una perspectiva de mercado, este mismo argumento podría abrir un camino de ventaja competitiva a un proveedor incumbente y crear un ambiente que no permita, ad portas, valorar ofertas por equipamiento por parte de distintos vendors al tener una idea de que emplear un proveedor incumbente será siempre la solución financieramente más rentable, cuando no necesariamente así lo sea, como ha sucedido para otros segmentos y tipos de red del mismo ICE. Si bien es cierto que la compatibilidad de los equipos 3G y 4G es muy alta por sus cambios muy sutiles a nivel de red de core y red de acceso inalámbrico, las nuevas redes 5G tienen anchos de banda muy por encima de los máximos que podría alcanzar con los equipos de red core anteriores, limitando estos equipos. A pesar de que, por ejemplo, la gran mayoría de bandas de frecuencias empleadas para redes del tipo 4G pueden ser empleadas para despliegues en 5G, para estas últimas se tiene la posibilidad de emplear bandas milimétricas por arriba de los 24 GHz, lo que hace que los sistemas radiantes que se utilizan en la actualidad para 3G y 4G, deberán ser sustituidos en muchos casos. Por tal razón, la red nueva de 5G podrá reutilizar sitios en los que están actualmente instalados otros equipos, pero por las cualidades de uso de las frecuencias de 5G se necesitará instalar más sitios. De ahí que, desde el punto de vista de infraestructura, el caso de despliegue de una red del tipo 5G per se resulta en una inversión alta para los operadores, en vista de la necesidad de densificación de los sitios de ubicación de la nueva infraestructura y las modificaciones de hardware que implica estas redes. Los equipos en referencia que actualmente se encuentran instalados del vendedor Huawei, necesariamente no solamente ocuparán de una actualización, cambiar o instalar nuevos equipos, sino también deberá preverse su coexistencia con equipamiento de redes de nueva generación como lo es del tipo 5G, que, en caso de tratarse de proveedores distintos, no implica de forma directa o unívoca que se trata de una inversión más elevada, máxime pensando que existen vendors distintos a Huawei que cuentan con iguales economías de escala y comportamiento y liderazgo desde el punto de vista de mercado. Esta situación también se ha presentado en otros países, como Canada. Por otro lado, si la experiencia en despliegue en nuestro país es una gran ventaja por la complejidad que tiene el relieve y nuestro urbanismo, la experiencia de otros proveedores a nivel mundial no es para nada despreciable, con instalaciones en otros países con condiciones de terreno muy similares o peores a las nuestras, tal como la experiencia del operador Swisscomm en la escarpada topografía de los Alpes Suizos, Nepal Telecom en las zonas de Kathmandú y Pokhara, o los despliegues del operador Telenor en la remota zona de Svartnes y de Telia en algunos fiordos Noruegos. v. En cuanto al apartado 3.2 Enfoque tarifario basado en “Cost Plus” análisis El estudio CINPE-UNA indica que “El enfoque tarifario está basado en una metodología “cost plus” que considera variables como la inversión, costos de operación y tasa de retorno. Esta metodología pretende estimar los ingresos necesarios para cubrir los costos de la operación y de esta manera establecer la variación porcentual de la tarifa. Exp N° 19.615 Alcance digital número 63, Gaceta número 154”. (resaltado intencional); no obstante, al revisar el proyecto de ley en mención, pareciera ser que se trata de la aprobación del Convenio de cooperación entre el gobierno de la República de Costa Rica y el gobierno de la República del Ecuador para la protección, conservación, recuperación y restitución de bienes del patrimonio cultural, que hayan sido materia de robo, hurto, saqueo, transporte, tráfico y/o comercialización ilícitos. Dado lo anterior, se desconoce la relación que existe entre el expediente en mención y la metodología indicada. vi.- En relación con el apartado 3.3.3 Análisis de Escenarios de Aplicación o no del Decreto. En cuanto a la tabla 11 el estudio CINPE-UNA menciona: “En cuanto a los costos operativos se presenta en la siguiente tabla. Se observa que los gastos de operación y mantenimiento representan una proporción representativa de los gastos. Estos representan el 97% del total de gastos, tabla 11”. (Resaltado intencional) No obstante, al constatar la información de la tabla supra citada, se aprecia que los gastos de operación y mantenimiento ascienden a $15,80 millones y el opex total es de $462 millones, por lo tanto, pareciera ser que dichos gastos representan solo el 3% (15,80 / 462) y no el 97% que afirma el CINPE. De igual forma, se aprecia que la relación de gastos e ingresos es 0,00 empero pareciera que la relación es de 86,81% (462 / 532,20). A continuación, se muestra la tabla en mención: (…) Fuente: CINPE, 2023 Al respecto, cabe subrayar que con la información de dicha tabla el CINPE procedió a construir un estado de resultados financieros para estimar el efecto sobre la tarifa que tendría la aplicación o no del decreto. Adicionalmente, desde el punto de vista ingenieril, cabe destacar que las redes 5G los CORE Network, son diferentes en proporciones físicas y de requerimientos de climatización, ya que los tamaños han disminuido significativamente en comparación a sus generaciones antecesoras. De Igual forma la Operación y Mantenimiento (OYM) al ser equipos mucho más pequeños, con una tendencia al reemplazo simple de piezas, y desarrollados para intemperie y condiciones climáticas que actualmente se viven en el planeta, el rubro destinado va a variar y tenderá a la disminución, ahora bien la tabla 11 da costos estimados de referencias a nivel mundial, lo cual se puede tomar como referencia únicamente y no se puede puntualizar para una zona, ya que dependerá de múltiples factores de cada región en específico, siendo tan variante con solo desplazarse un par de decenas de kilómetros como lo es para el caso de nuestro país. Por otra parte, en la tabla 14 denominada Análisis de Sensibilización del Valor Remanente de la Inversión, USD $, el CINPE presenta los resultados del análisis de dos escenarios, el primero presenta un planteamiento sin el decreto y el segundo con el decreto. No obstante, se identificaron inconsistencias en la información presentada, que imposibilitan determinar con exactitud el aumento del costo financiero que argumenta el CINPE en el escenario con decreto. A continuación, se muestra la tabla en mención: (…) Fuente: CINPE, 2023. Adicionalmente, la forma en que se presenta la información no es clara, dado que los datos están superpuestos. En cuanto a los datos del escenario sin decreto se aprecia lo siguiente: En la fila del valor de la inversión en la columna quinquenio se indica que el monto es de $1 293 328 911; no obstante, al realizar la sumatoria de los cinco años pareciera que el monto corresponde a $864 065 567. De igual forma, en la fila de Gastos operación en la columna Quinquenio se menciona que el monto es de $261 000 000; no obstante, al realizar la sumatoria el monto corresponde a $87 000 000. Lo mismo ocurre en la fila de Rentabilidad en la columna Quinquenio que se observa que el monto es de $692 332 536; empero al revisar los datos, pareciera ser que el monto es de $230 777 510. A su vez, en la fila de ingresos requeridos, en la columna Quinquenio se observa que el monto es de $1 313 359 856; sin embargo, pareciera ser que el monto es de $677 804 832. Dicho de otra manera, de la información consignada en las cinco filas del escenario sin Decreto, cuatro presentan presuntas inconsistencias. Algo semejante ocurre en el escenario con decreto, en la fila de Gastos de operación se aprecia que para todos los años es de $17 400 000 y el total en la columna quinquenio es de $261 000 000 (igual que en el escenario sin decreto); no obstante, al realizar la sumatoria el monto corresponde a $87 000 000. Adicionalmente, cabe señalar que, en la tabla 12 el CINPE definió que para el año 1 el monto es de $19 140 000, siendo el supuesto que el valor se mantiene constante durante los cinco años, el monto debería ser de $19 140 000 para cada año, por consiguiente, la suma del quinquenio ascendería a $95 700 000. Lo mismo sucede en la columna de Quinquenio en la fila de Rentabilidad que indica que el monto corresponde a $996 95 852 (sic), empero pareciera ser que el monto asciende a los $332 319 615. A su vez, en la fila de ingresos requeridos para el año 1, se observa el monto de $213 473 759; sin embargo, en la tabla 12 denominada “Estado de Resultado: Resultados de la 5G, año 1, USD $ (escenario)” se menciona que para el escenario con decreto se requieren ingresos para el primer año de $215 213 759. Por consiguiente, no es posible conocer cuál es el monto respectivo. En otras palabras, de cinco filas de información correspondientes al escenario con decreto, al menos tres presentan presuntas inconsistencias. En aras de ilustrar los datos descritos anteriormente, a continuación, se muestra una tabla con mayor detalle, en la que se consigna en la columna Quinquenio el resultado de la suma de cada uno de los cinco años: (…) Fuente: elaboración propia con datos CINPE, 2023. Adicionalmente, el estudio CINPE-UNA destaca que “el costo económico financiero de continuar con la implementación del Decreto Ejecutivo N° 44196-MSP-MICIT, es de USD $463 millones” los cuales pareciera que provienen de la diferencia de los ingresos requeridos del escenario con decreto ($1 776 398 193) menos los ingresos requeridos sin decreto ($1 313 359.856) indicados en la tabla 14 supra citada. Sin embargo, como se logra apreciar en la tabla anterior, el monto sería de $268 654 123 ($946 458 955 - $677 804 832), utilizando los valores y supuestos planteados por el mismo Centro. En otro orden de ideas, cabe mencionar que el estudio emplea, a criterio de los autores, el modelo cost-plus para análisis y proyección tarifaria de los servicios de telecomunicaciones. Este modelo considera, efectivamente, el tema de costos de inversión, los gastos operativos y de retorno de inversión. Como se ha señalado, el estudio emplea el tema de costos de inversión, bajo ciertos modelos técnicos cuestionables, pero no aborda la problemática que desde el OPEX implica el no dimensionar correctamente los escenarios de uso y la densificación de sistemas radiantes, así como tampoco aborda el retorno de inversión que implica el desarrollo de los distintos casos de las redes 5G, que no se encuentran presentes como modelos de monetización de redes de generaciones anteriores, tal como lo es la virtualización de parte de las redes móviles o la provisión de servicios de tipo cloud, lo cual hace que la estimación de tarifas tradicionalmente empleadas pueda no resultar de aplicación tan directa como lo determina el estudio. Desde la perspectiva técnica de ingeniería, se recalca que la implementación de cualquier red nueva implica necesariamente una inversión por parte de los operadores, la cual está ligada directamente al presupuesto y a la necesidad a cubrir, por tal la red será tan cara como tan grande y compleja se quiera hacer. Por lo tanto, cualquier aseveración que en el citado informe del CINPE se ligue a un escenario “con decreto” induce al lector al error, ya que dicho escenario evalúa y contempla condiciones que técnicamente no se pueden ligar a la aplicación del decreto ejecutivo en análisis. En el estudio, por otra parte, no se muestran evidencias del eventual impacto negativo en temas de presupuestos de inversión, rentabilidad y CAPEX, para aquellos operadores que a nivel mundial ya hayan decidido el despliegue de redes móviles del tipo 5G con proveedores de equipamiento distintos a Huawei, lo cual no permite tampoco contrastar el ejercicio numérico y las proyecciones realizadas para el caso de estudio del operador costarricense. Existen evidencias de que las afectaciones actuales al CAPEX y niveles de inversión a nivel global para los operadores de telecomunicaciones tiene más relación con la situación económica mundial y la desaceleración de algunas de las grandes economías, lo cual tiene impactos en precios de bienes y servicios, que en la escogencia de un proveedor de equipamiento de red. En términos del modelo de negocio de las redes móviles, es sabido que el costo total de propiedad (TCO) de una red móvil, y principalmente para aquellas que incorporan nuevas tecnologías, se compone de la suma de gastos de capital y de operación de la red de acceso, transporte (backhaul) y de core. Lo señalado por los autores del estudio bajo análisis se refiere a parte de los gastos de capital que, a su criterio, implicaría emplear equipamiento de un proveedor sobre otra oferta de equipamiento. Sin embargo, el estudio no aborda u omite analizar los aspectos asociados al OPEX de una solución móvil, que de manera directa tiene asociado un alto porcentaje al costo por consumo energético del equipamiento de red y de transmisión, así como de enfriamiento de éste. En este sentido, una solución del tipo 5G que emplee equipamiento de densificación de sistemas radiantes (tipo Massive MIMO) resultará en costos más elevados desde el punto de vista de OPEX respecto a sistemas radiantes menos complejos o densos. Por otro lado, el uso o no de esquemas densos o menos densos en el sistema radiante de una solución del tipo 5G tiene relación directa con el objetivo de cobertura del operador, y del dimensionamiento de tráfico que se realice en virtud de la cantidad de usuarios o conexiones de datos que se pretendan en cada estación base de la red. De ahí que, se observa que el estudio (elaborado únicamente por profesionales en ciencias económicas) parte de la premisa del uso de una solución del tipo 32T32R, por ejemplo, para el caso “urbano”, y detalla que dicha solución puede ser provista únicamente por el proveedor Huawei, siendo que efectivamente otros proveedores cuentan con soluciones de este tipo. Este escenario de 32T32R efectivamente podría ser empleado en casos de uso urbanos; no obstante, se observa que por temas de OPEX y algunas componentes de CAPEX asociadas al despliegue de esas soluciones, parece tener un impacto positivo en tema de rendimientos de inversión únicamente en casos particulares donde exista una demanda intensiva de datos por parte de usuarios que justifique el elevado consumo eléctrico de una solución de esta índole. En este sentido, los escenarios también planteados para los casos “nacionales” y “rurales” en dicho estudio, realizados sin la participación de un responsable de asesorar en aspectos técnicos ingenieriles, no parecen contemplar detalles como los señalados anteriormente, ni el dimensionamiento técnico en temas de tráfico y cobertura de las soluciones empleadas, así como el impacto en el CAPEX y OPEX de los operadores móviles en el desarrollo de éstas. Desde la perspectiva técnica de ingeniería, es conocido que los distintos escenarios se desarrollan por parte de los distintos operadores de telecomunicaciones de la mano de los proveedores de equipamiento que consideren, como se señaló párrafos arriba, elementos como objetivos de cobertura, tráfico, cantidad de usuarios, entre muchos otros, más allá de la disponibilidad o no de cierto tipo de solución por parte los proveedores de equipamiento de red. Se reitera en este punto que llamar al escenario desarrollado por los autores del estudio como el escenario “con decreto” por parte de los autores induce a errores graves desde la perspectiva técnica. En relación con el capítulo IV: conclusiones y Recomendaciones En relación con las conclusiones, el estudio CINPE-UNA menciona que: “La implementación del decreto podría traducirse en la necesidad de un incremento de inversión de aproximadamente USD 196,69 millones en un periodo de 5 años.” (el resaltado pertenece al original).No obstante, en la página 19 del estudio menciona que: “(...) la implementación del decreto podría traducirse en un incremento de inversión de aproximadamente USD 1.474,68 millones(...)”. Dado lo anterior, se sugiere al CINPE que aclare cuál es el monto respectivo. A su vez, el CINPE indica que: “(...) De acuerdo con nuestra investigación y los datos presentados en tabla 2.3, si se lleva a cabo el despliegue 5G sin restricciones, su inversión contribuiría con USD 748,4 millones al Producto Interno Bruto (PIB) de Costa Rica en un lapso de 5 años. Esto representa un significativo 3,19% del PIB. (...) esta contribución se desploma a apenas USD 419,1 millones. Estamos hablando de una reducción de USD 329,3 millones en tan solo cinco años (...)”. Al respecto, es menester indicar que el estudio del CINPE no cuenta con una tabla 2.3, por lo que no es posible analizar los datos que mencionan. Ahora bien, en la tabla 5 del estudio en análisis, se indica que la contribución de la inversión 5G al PIB asciende a USD 1 550,8 millones. Dado lo anterior, no se tiene certeza de cuál es la contribución al PIB que menciona el CINPE. Por otra parte, según la perspectiva técnica de ingeniería, este punto dista de la realidad vivida en implementaciones anteriores de las redes 2G, 3G y 4G, esto porque el despliegue inicial es donde se tiene la parte más fuerte de la inversión, y claro también se paga el costo de obtener tecnologías nuevas. Conforme avanza el tiempo el costo de los equipos tecnológicos disminuye y el crecimiento de la red llega a tender a disminuir no aumentar ya que se llega a un punto en el cual es solo operación y mantenimiento y no más expansión; si se ve la historia las redes celulares de una tecnología en específico crecen relativamente poco luego del quinto año de su implementación y esto es porque el objetivo meta ya está cubierto y además se comienza con los estudios para el despliegue de la nueva generación. No obstante, es importante considerar que, contrario a lo que se señala en el estudio, la “ventaja comparativa” de Huawei sobre otros vendors podría no resultar tal, en virtud de que el estudio parece partir de la premisa que los costos por operación y mantenimiento serán menores ante un escenario de utilización del proveedor incumbente, lo cual, en todo caso, no es una verdad demostrada o evidenciada. Asimismo, para este punto debe considerarse lo mencionado respecto al TCO de una red móvil detallado anteriormente. Por otra parte, el CINPE hace alusión al concepto o principio técnico de “neutralidad tecnológica” para argumentar las supuestas “repercusiones tan profundas en la economía y bienestar del país” de la puesta en marcha de los lineamientos reglamentarios sobre seguridad en redes móviles IMT-2020, incluyendo 5G, y superiores. No obstante, en una cuidadosa, y técnicamente rigurosa, revisión de la definición que provee la Ley General de Telecomunicaciones, Ley Nº 8642, sobre la neutralidad tecnológica, se observa que ésta no se incumple en los términos que se señalan en el Decreto en referencia, dado que dicha neutralidad debe entenderse como la libertad que tienen operadores de redes de telecomunicaciones, o de los mismos proveedores de servicios, de escoger las tecnologías más apropiadas para la prestación de esos servicios de usuario final, que permitan trasladar el mayor beneficio social y tecnológico a la población del país, sin que para ello sea requerido o mandatorio que el Estado imponga una visión de despliegue de una tecnología en particular. En el ámbito de redes inalámbricas, esto se traduce en la posibilidad que tienen operadores y proveedores de emplear las tecnologías más novedosas, dentro de los servicios radioeléctricos habilitados reglamentariamente. Esto es, en temas de redes móviles, los operadores podrán desplegar redes comerciales/privadas del tipo 2G, 3G, 4G y 5G, sin que el Estado exija el despliegue de alguna de ellas en particular. Sin embargo, como se explicó en secciones anteriores del presente escrito, la misma ley señala que esta libertad debe encontrarse delimitada dentro del marco de referencia que demarca la estandarización de las redes de telecomunicaciones, para con ello asegurar, a través de los despliegues que se realicen por parte de actores del sector, el mayor beneficio social a la población, y que también permite disfrutar de los beneficios que permiten las economías de escala. Esto, a su vez, en vista de los preceptos constitucionales, también debe realizarse, no solo de una forma estandarizada por parte de operadores y proveedores de servicios, sino también de una forma segura hacia la población, de tal forma que los usuarios finales puedan disfrutar de los servicios de telecomunicaciones con el menor riesgo posible, en un entorno tecnológico que permita dar cumplimiento a esto sin detrimento del libre comercio del país, pero que asegure la privacidad de las comunicaciones individuales. De ahí que, la discusión del tema de neutralidad tecnológica no se aborda adecuadamente en el estudio de ese centro académico, sino que parece emplearse para erróneamente tratar de desacreditar las disposiciones de seguridad del Decreto en referencia, relacionando la neutralidad tecnológica con la escogencia de proveedores de equipamiento; sin embargo, como se señaló anteriormente, la neutralidad tecnológica tiene asociado por definición la necesidad de desplegar tecnologías estandarizadas, para asegurar el máximo beneficio social y tecnológico del país, pero esto, en vista de las disposiciones legales del país, debe hacerse de una forma que propicie un ambiente de seguridad para los usuarios finales de los servicios de telecomunicaciones. Importancia de la incorporación de la Ciberseguridad en análisis de tecnologías 5G El CINPE menciona que, para el planteamiento de los escenarios utilizados en su estudio, se utiliza el supuesto de estar operando con y sin el Decreto Ejecutivo No. 44196-MSP-MICITT, titulado Reglamento sobre Medidas de Ciberseguridad Aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores. En esta misma línea, el CINPE es enfático en mencionar que este tipo de medidas en temas de ciberseguridad, “(...) pueden limitar la competencia del despliegue de tecnologías 5G” (CINPE, 2023), lo cual se toma como punto de partida para su argumentación. No obstante, a pesar de que el estudio por parte de CINPE se basa en análisis macroeconómicos y microeconómicos, no considera en ningún momento los costos en los que se incurriría en caso de operar en un entorno donde no se considere la ciberseguridad como un pilar para la protección de los datos y la privacidad de los usuarios de servicios de telecomunicaciones, siendo este un foco central en la discusión global alrededor de este tema. La consideración de la ciberseguridad y la protección de datos en un análisis de tecnologías 5G es imperativa debido a los riesgos inherentes a la conectividad avanzada que esta tecnología proporciona. La implementación de redes 5G no sólo acelera la velocidad de transmisión de datos, sino que también amplía la superficie de ataque potencial para amenazas cibernéticas, lo que hace que la seguridad sea una prioridad crítica (Fonyi, 2020; Park et al., 2021; Stuchtey et al., 2020). Las amenazas a la ciberseguridad en un entorno 5G pueden incluir desde ataques tradicionales como el malware hasta amenazas más sofisticadas como el robo de identidad y la interrupción de servicios críticos (Stuchtey et al., 2020; Park et al., 2021). Además, la mayor cantidad de dispositivos conectados y la transferencia de grandes volúmenes de datos aumentan la probabilidad de violaciones de la privacidad y pérdida de información confidencial. La rápida velocidad y la baja latencia de las redes 5G ofrecen oportunidades significativas, pero también aumentan la exposición a posibles vulnerabilidades, por lo que la falta de medidas de ciberseguridad adecuadas podría permitir ataques más sofisticados, como intrusiones en la red, robo de datos sensibles o interrupciones del servicio (Fonyi, 2020). Asimismo, la protección de datos se vuelve aún más crucial con el aumento de la cantidad de información transmitida a través de estas redes de alta velocidad. El 5G facilita la comunicación entre una variedad de dispositivos, desde vehículos autónomos hasta dispositivos médicos conectados, lo que significa que la información personal y confidencial circula a una escala sin precedentes. La pérdida o compromiso de estos datos podría tener consecuencias graves, incluida la violación de la privacidad, el robo de identidad y el acceso no autorizado a información sensible (Fonyi, 2020; Stuchtey et al., 2020) Los costos asociados por la no inclusión de medidas de ciberseguridad en un análisis de tecnologías 5G puede ser significativo. Los posibles efectos financieros directos, como la pérdida de ingresos debido a la interrupción del servicio, las sanciones regulatorias por violaciones de datos y privacidad que pueden enfrentar las organizaciones (como por ejemplo las contenidas en el Reglamento General de Protección de Datos de la Unión Europea), así como la reparación de la reputación y la pérdida de confianza del cliente también son consecuencias graves que pueden afectar a largo plazo (Fonyi, 2020; Park et al., 2021; Stuchtey et al., 2020). Siguiendo la línea de Stuchtey et al. (2021), pueden existir además costos ocultos que son importantes de considerar ante cualquier análisis de implementación de tecnologías 5G. El análisis de Stuchtey et al. (2021), revela la complejidad de la seguridad en la implementación de redes 5G, especialmente en relación con la elección de proveedores. Los autores señalan que estos costos están ocultos porque ocurren ya sea mucho después de la implementación de la tecnología, o porque son asumidos por personas o agentes distintos a aquellos que deciden sobre la forma de implementación de las tecnologías 5G. Los autores además señalan que, para la sociedad en su conjunto, estos costos son altamente relevantes y deben ser considerados al decidir a quién confiar en la construcción de la próxima generación de infraestructura de red. Es por esta razón que, ante una eventual negativa por parte del estado y de los proveedores a optar por fuentes confiables, esto podría desplazar los costos de protección hacia las empresas y ciudadanos; por lo que se recalca la importancia de que el estado interviene preventivamente, convirtiendo incluso la protección en un bien público. En Stuchtey et al (2021), se menciona que cuando se trata de políticas para la implementación de tecnologías 5G, el enfoque debe darse con una “seguridad desde el diseño” (security by design), pues esto permitiría resguardar desde un inicio incluso, a aquellos agentes económicos más vulnerables. En este sentido, se resalta la importancia de que este tipo de análisis incorpore todos los costos posibles para los agentes económicos involucrados, pues una decisión de mercado para un bien tan particular como las telecomunicaciones no debería ser determinado únicamente por el precio de mercado de dicho servicio, o por el costo de implementación de la infraestructura. Por el contrario, se resalta el valor que tiene la consideración de todas las variables que puedan afectar el bienestar tanto de los consumidores como de los operadores. Consideraciones finales desde la perspectiva económica Luego de la revisión de los documentos referentes a la contratación Aprovisionamiento e Implementación de redes 5G NR por parte de RACSA, y el estudio sobre Evaluación del Impacto Económico de la Exclusión de Proveedores de la Red 5G en Costa Rica por parte del CINPE, se procede a hacer una serie de señalamientos que buscan comprender lo que cada uno de estos documentos presenta. Con respecto a la revisión y análisis desde la perspectiva económica de la contratación por parte de Racsa, se logra visualizar que, DATASYS GROUP VINET (Datasys-Nokia) fue el oferente que presentó la oferta con el precio más bajo por un monto de $2 455 798,27 el cual es un 76% más bajo que el Consorcio ITS CR-ITS PA (ITS Huawei); siendo así que se cuenta con información que señala, con datos reales, que existen opciones incluso más baratas a ITS Huawei, en contraposición a lo que se señala en el estudio del CINPE con base en proyecciones. Además, en relación precisamente al estudio del CINPE, se encuentran inconsistencias en la información presentada; se detectan cálculos que al parecer contienen errores, existe confusión sobre la fuente de información de algunos de los datos que allí se presentan y además, existen dudas sobre el marco teórico y metodológico que sustenta la rigurosidad técnica y científica de la evaluación de impacto que el estudio alega realizar. Lo anterior, no permite constatar las afirmaciones y estimaciones realizadas por el CINPE, a lo largo del estudio. Existen al menos dos versiones del estudio del CINPE, el que consta en los expedientes N° 23-023887-0007-CO y N°23-025158-0007-CO (sujeto a estudio por esta Rectoría) y el que está disponible en el sitio web del Centro de estudio, que según aclaración del CINPE, es el documento final y oficial; dicho de otra manera, pareciera ser que el documento que consta en los expedientes en mención y que es utilizado como prueba en el Recurso de Amparo y en la Acción de Inconstitucional presentada por la empresa [Nombre 002], es un documento preliminar y no oficial del CINPE. Adicionalmente, cabe señalar que los documentos presentan diferencias entre sí. Además, se resalta que aunque el estudio del CINPE se basa en análisis macroeconómicos y microeconómicos, se destaca la omisión de considerar los costos asociados con la falta de ciberseguridad. Las amenazas a la ciberseguridad en redes 5G, desde ataques tradicionales hasta riesgos más sofisticados, subrayan la importancia de medidas preventivas. La falta de seguridad no solo implica riesgos para la privacidad y la pérdida de datos, sino también costos financieros directos, sanciones regulatorias y pérdida de confianza del cliente, por lo que se insta a que este tipo de análisis pueda incorporar todas aquellas variables que puedan afectar el bienestar del consumidor y de los operadores, más allá del precio de mercado y el costo de infraestructura. Es importante recalcar que, a pesar de que el CINPE proporcionó cuatro fuentes de información y enlaces web para abordar la solicitud del MICITT en el oficio MICITTDVT-OF-850-2023, resultando que no fue posible verificar los datos del estudio del CINPE mediante estas fuentes. Este inconveniente surgió debido a la falta de especificación del procedimiento metodológico utilizado para la extracción de dichos datos. Esta omisión resalta la importancia de una transparencia metodológica completa para asegurar la fiabilidad y verificabilidad de los resultados presentados. N. ELEMENTOS ANEXOS 1.Expediente administrativo certificado N°MICITT-DGDCFD-EXP-003 2023, titulado: REGLAMENTO SOBRE MEDIDAS DE CIBERSEGURIDAD APLICABLES A LOS SERVICIOS DE TELECOMUNICACIONES BASADOS EN LA TECNOLOGÍA DE QUINTA GENERACIÓN MÓVIL (5G) Y SUPERIORES. 2. CERTIFICACIÓN N° MICITT-DGDCFD-CER-006-2023, de fecha 12 de diciembre de 2023, emitida por el Director de la Dirección de Gobernanza Digital y Certificadores de firma digital del Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones. 3. Plan General de Emergencia Ciberataques, de la Comisión Nacional de Emergencias de junio de 2022. Documento recuperado del sitio web: https://www.cne.go.cr/recuperacion/declaratoria/planes/Plan%20General%2 0de%20la%20Emergencia%20por%20Ciberataques.pdf. 4. Oficio de la Contraloría General de la República N°DFOE-CAP-OS-00001-2023 de fecha 01 de mayo de 2023, denominado “Opiniones y sugestiones: “Emergencia cibernética: Obstáculo para la transformación digital y el bienestar social; retrocesos para la transparencia y rendición de cuentas. Documento recuperado del sitio web: https://cgrweb.cgr.go.cr/apex/f?p=164:7:::NO. 5.Informe del Programa de Información y el Conocimiento de la Universidad de Costa Rica denominado “Hacia la Sociedad de la Información y el Conocimiento” diciembre de 2022, documento recuperado del sitio web: http://www.prosic.ucr.ac.cr/sites/default/files/recursos/informe_2022_compl eto.pdf. 6. Comunicación digital de la Promotora de Comercio Exterior denominada “SECTOR TIC DE COSTA RICA MUESTRA SU OFERTA DE VALOR EN MIDSIZE ENTERPRISE SUMMIT 2023”, dato recuperado del sitio web: https://www.procomer.com/noticia/sector-tic-de-costa-rica-muestra-suoferta-de-valor-en-midsize-enterprise-summit-2023/. 7.Documento denominado “Caja de herramientas de la UE para la seguridad en redes 5G”. https://op.europa.eu/en/publication-detail/-/publication/7def1c03-da16-11eb-895a-01aa75ed71a1/language-es 8.Documento denominado 5G en América Latina: Liberando el Potencial. https://www.gsma.com/latinamerica/wp-content/uploads/2023/06/2906235G-in-Latam-ESP.pdf . 9. Plan Nacional de Desarrollo de las Telecomunicaciones 2022-2027 “Costa Rica: Hacia la disrupción digital inclusiva”, el cual fue aprobado por el Poder Ejecutivo mediante Decreto Ejecutivo N° 43843-MICITT publicado en el Diario Oficial La Gaceta N°5 de fecha 13 de enero de 2023. 10.Acuerdo Ejecutivo Nº 031-2023-TEL-MICITT 11.Informe de Opinión Nº 4225-SUTEL-OTC-2021 de fecha 19 de mayo del 2021, “Informe sobre Asignación de Espectro para Despliegue Futuro de Redes 5G desde la Perspectiva de la Competencia” 12. Dictamen Técnico N° 05071-SUTEL-DGC-2020 de fecha 09 de junio de 2020 13. Dictamen Técnico N° 02823-SUTEL-DGC-2021 de fecha 8 de abril de 2021 14. Informe de Opinión N°09228-SUTEL-OTC-2022 de fecha 20 de octubre de 2022”. 15.Asian Development Bank (2006). Impact Evaluation: methodological and operational issues. Economic Analysis and Operations Support Division Economics and Research Department. Disponible en: https://www.adb.org/sites/default/files/institutionaldocument/33014/impactanalysis-handbook_0.pdf 16. Baker, Judy L. (2000). Evaluating the Impact of Development Projects on Poverty: A Handbook for Practitioners. Directions in development. Washington, DC: World Bank. Disponible en http://hdl.handle.net/10986/13949 17. Fonyi, S. (2020). Overview of 5G Security and Vulnerabilities. The Cyber Defense Review, 5(1), 117–134. Disponible en: https://www.jstor.org/stable/26902666 18. La Gaceta (2015) N°154. Alcance Digital N° 63. Expediente legislativo N° 19.615. Disponible en https://www.imprentanacional.go.cr/pub/2015/08/10/alca63_10_08_2015. pd f 19. Gertler, Paul J.; Martinez, Sebastian; Premand, Patrick; Rawlings, Laura B. and Vermeersch, Christel M. J. (2016). Impact Evaluation in Practice. International Bank for Reconstruction and Development / The World Bank. Disponible en: https://openknowledge.worldbank.org/server/api/core/bitstreams/4659ef23-61ff-5df7-9b4e-89fda12b074d/content 20. OECD (2001). Evaluation Network report, Evaluation Feedback for Effective Learning and Accountability. Report No 5, OECD Evaluation and Effectiveness Series. Disponible en: https://www.oecd.org/development/evaluation/2667326.pdf 21. Park, J., Rathore, S., Kumar, S., Salim, M., Azzaoui, A., Kim, T., Pan, Y. & Park, J. (2021). A Comprehensive Survey on Core Technologies and Services for 5G Security: Taxonomies, Issues, and Solutions. Human-Centric Computing and Information Sciences,Vol. 11, Jan-21. Disponible en: http://hcisj.com/data/file/article/202101282/11-03.pdf 22. Solano Ruiz, J. & Alonso Ubieta, S. (2020). Evaluación de impacto expost de acuerdos comerciales: síntesis de algunas aproximaciones teóricas y metodológicas. Cuaderno de Trabajo, CINPE-UNA, Heredia, Costa Rica. Disponible en: https://repositorio.una.ac.cr/bitstream/handle/11056/18286/Cuaderno%20004%202020%20Solano%20%26%20Alonso%20M%c3%a9todo.pdf?sequence=4 &isAllowed=y 23. Stuchtey, T., Dörr, C., Frumento, E., Oliveira, C., Panza, G., Rausch, S., Rieckmann, J. & Yaich, R. (2020). The Hidden Costs of Untrusted Vendors in 5G Networks. Brandenburg Institute for Society and Security, Policy Paper No.8, Dec-20. 24. SUTEL (2023). INFORME TÉCNICO PARA EL CÁLCULO DE LA TASA REQUERIDA DE RETORNO DEL CAPITAL O COSTO PROMEDIO PONDERADO DEL CAPITAL (CPPC) PARA EL PERÍODO 2022, Expediente: GCO-DGM-IFR-00487-2023 PETITORIA Con fundamento en los hechos y fundamentos expuestos se solicita a esta Honorable Sala Constitucional de la Corte Suprema de Justicia: 1.- Revisado de oficio el expediente electrónico N° 23-023887-0007-CO, se conoce recurso de amparo interpuesto por [Nombre 002]. en contra del Instituto Costarricense de Electricidad, donde se ha dado audiencia a distintas entidades y órganos a efecto de que se pronuncien de los alcances del amparo interpuesto, por lo cual en calidad de jerarca del Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones y como parte suscribiente del Decreto Ejecutivo Nº44196-MSP-MICITT, me apersono en aras de la verdad objetiva, la justicia pronta y cumplida y la rigurosidad técnica, lógica y científica que debe privar en el presente proceso, lo cual justifica sobradamente la participación informativa del Ministerio Rector a mi cargo, brindando así una visión técnica complementaria para los objetivos señalados. 2.-Solicitar, con base en el principio de igualdad procesal establecido conforme a los artículos 33, 39 y 41 de la Constitución Política, que se confiera audiencia formal al Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones en la presente acción de amparo para referirse a todos y cada uno de los hechos, a la fundamentación jurídica y las pretensiones correspondientes, en el ejercicio de la transparencia, rendición de cuentas, justicia y seguridad jurídica”.

23.- Mediante resolución de las 14:39 horas de 24 de noviembre de 2023, la magistrada instructora, confirió audiencia a la ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones.

24.- Por escrito incorporado al expediente digital el 9 de enero de 2024, se apersona Paula Bogantes Zamora, ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones. Expone lo siguiente: “De forma previa indicar a esta Sala Constitucional que la presente audiencia se atiende desde el ámbito de funciones del Ente Rector de las Telecomunicaciones, por lo cual procedo a referirme a los hechos planteados por el accionante en el recurso de amparo interpuesto contra el Instituto Costarricense de Electricidad, como Operador habilitado para la operación de redes y la prestación de telecomunicaciones, en aras de la defensa objetiva y técnica, en relación con las disposiciones de carácter general emitidas por el Poder Ejecutivo mediante Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, publicado en Alcance Nº 166 a La Gaceta Nº159 del 31 de agosto de 2023, y demás normas que conforman el bloque de juridicidad y legalidad de las telecomunicaciones. HECHOS Sobre los hechos y alegatos planteados en el escrito del RECURSO DE AMPARO, recibido en la Secretaría de la Sala el día 28 de septiembre de 2023, procedemos a indicar lo siguiente: 1.- Mi representada está preparada para participar en la licitación pública que abrirá el ICE para implementar y operar la tecnología 5G IMT en sus redes, dado que somos uno de los principales proveedores de esa tecnología en Costa Rica. Respuesta. No me consta si la empresa está o no preparada para participar en la licitación que refiere, sin embargo es de conocimiento público que la empresa [Nombre 002]. ha manifestado su interés y ha presentado formal oferta dentro del procedimiento especial de servicios en competencia, con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (en adelante, SICOP) y registrado con el expediente electrónico número 2023XE000023-0000400001. Este Ministerio es respetuoso de las etapas parte del ciclo de la contratación, y por lo tanto deberá estarse a lo que el Operador contratante resuelva en la etapa de análisis de ofertas y adjudicación como corresponda en su esfera de actuación, para esta y otras empresas que también participaron en dicho concurso. En ese sentido no me corresponde emitir ningún criterio calificativo que pueda interferir en la posición del operador, en total respeto al principio de legalidad, imparcialidad, competencia y del debido proceso administrativo. Sobre lo que sí puedo referirme y se precisará infra en el presente informe, es sobre el hecho de que la empresa [Nombre 002]. documentó en dos oportunidades diferentes que su oferta se ajusta a los requerimientos de la contratación, lo cual deberá verificar el Operador recurrido en la etapa del procedimiento especial de servicios en competencia correspondiente, siendo que esta oferta está sujeta, como cualquier otra oferta, al escrutinio durante la etapa de análisis de ofertas, para determinar su idoneidad, de forma que el criterio de si en efecto se encuentra preparada o no para asumir el objeto de la contratación, será una conclusión a la que tenga llegar el operador en su proceso concursal, para lo cual debe respetarse el debido proceso y el ejercicio de verificación que el ICE realice a efecto de determinar si la empresa cumple con las condiciones que así haya dispuesto en el propio pliego de condiciones. 2.- El 31 de agosto pasado, el Poder Ejecutivo promulgó y publicó en La Gaceta el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic), el cual contiene disposiciones que expresamente impiden la participación de mi representada en ese concurso público. Respuesta. Es falso, que dicha normativa contiene disposiciones que impidan a la empresa [Nombre 002]., toda vez que como se indicó, ha manifestado su interés y ha presentado formal oferta dentro del procedimiento especial de servicios en competencia, con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (en adelante, SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001. Sin embargo, lo cierto es que el Poder Ejecutivo emitió y publicó el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” en la fecha y medio indicado, con el objeto de establecer disposiciones generales aplicables a los Operadores debidamente habilitados para la para la operación de redes y prestación de servicios basados en tecnologías de quinta generación o superior, quienes están sujetos a la aplicación de medidas de ciberseguridad para garantizar el uso y la explotación segura y con resguardo de la privacidad de las personas, de las redes y los servicios de telecomunicaciones, tal cual se estableció en el artículo 1 de dicho cuerpo reglamentario. Dichas medidas de ciberseguridad surgen como parte de los esfuerzos de fortalecer y adaptar el marco regulatorio sectorial -por razones de seguridad nacional para la defensa de la soberanía cibernética-, en virtud de los ciberataques sufridos por nuestro país en el año 2022 y de forma más reciente en fecha 18 enero 2023 al Ministerio de Obras Públicas y Transporte (MOPT). Dada la magnitud y las consecuencias del ataque, el Poder Ejecutivo mediante Decreto N° 43542-MP-MICITT, “Declara estado de emergencia nacional en todo el sector público del Estado costarricense, debido a los cibercrímenes que han afectado la estructura de los sistemas de información”, declaratoria que se fundamentó precisamente en el impacto inmediato en los sistemas informáticos vinculados al funcionamiento de servicios críticos del Estado. No debe perderse de vista que el ataque sufrido a inicios del año 2022 tuvo importantes repercusiones en la confidencialidad, integridad y disponibilidad de los sistemas informáticos, así como en la información que residía en estos sistemas informáticos públicos, interfiriendo así en el normal ejercicio de la función pública de las instituciones afectadas. Además, el ataque perpetrado por el grupo cibercriminal CONTI tuvo efecto en el recaudo de información pública financiera y fiscal de carácter trascendental para la toma de decisiones del país. Por último y no menos importante, debe recordarse que dicho ataque generó lesiones importantes a la ciudadanía, pues uno de los sectores afectados fue precisamente la seguridad social y la salud pública, al haber interferido sustancialmente en la prestación de los servicios de salud administrados por la Caja Costarricense del Seguro Social. Las consecuencias más críticas del ataque fueron la afectación en los servicios de salud, la vulneración de los datos confidenciales de salud de la población costarricense, y la dilación en la atención del bienestar de las personas. Este impacto se debió principalmente a la reprogramación de sistemas y servicios, lo cual afectó negativamente el acceso a los servicios esenciales de salud. Estos servicios requieren, para su efectiva prestación, el acceso a bases de datos con información clínica relevante de los usuarios, las cuales fueron objeto de los ciberataques ocurridos. A mayor abundamiento, puede consultarse el apartado -D- del informe técnico No. MICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023, aportado a esta Sala Constitucional de manera oficiosa por este Ene Rector, en el cual se profundiza el recuento de los daños que motivan la necesidad de adaptar el marco regulatorio sectorial en vista del ciberataque del año 2022 e inicios del año 2023, junto a otros aspectos de carácter técnico que se desarrollan en torno a la emisión del Decreto Ejecutivo Nº44196-MSPMICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”. Se remite a dicho informe y a los aspectos allí vertidos que en forma complementaria sirven como insumo para mejor resolver el presente asunto, escrito que fue aportado al expediente del presente recurso de amparo el pasado 13 de diciembre de 2023. A partir de la afectación a los sistemas, la vulneración de la información sensible de los ciudadanos, el acceso a los servicios esenciales de los habitantes y los daños graves ocasionados a las personas por la interrupción en dicho acceso, se decide adoptar a nivel nacional, entre otras acciones que se suman a la declaratoria de emergencia, el referido Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” que reúne los estándares más altos y mejores prácticas internacionales en esta materia e incorpora la seguridad por diseño desde las etapas iniciales, de cara al proceso concursal para servicios de telecomunicaciones mediante sistemas IMT incluido 5G. Desde luego que el alcance del Reglamento lo es para el desarrollo de redes IMT2020 (5G) y superiores, segmento en el cual se hace más crítica la implementación de medidas enfocadas en reducir los riesgos y el impacto en materia de ciberseguridad en razón de sus características técnicas destacadas, como por ejemplo:•Una mayor tasa de transferencia de datos experimentada por el usuario (10 veces mayor que 4G). • Una menor latencia (10 veces menor que 4G). • Una mayor densificación de conexiones (10 veces más que 4G, hasta 1M de dispositivos por kilómetro cuadrado). • Escenarios de movilidad (hasta 500 km/h). • Mayor eficiencia espectral (3 veces mayor). • “Network slicing” (capacidad de segmentar redes). Es así como las bondades de la tecnología 5G por sobre otras generaciones de redes móviles, permiten habilitar una serie de escenarios de uso, como lo son la atención de salud (telemedicina), gestión de infraestructuras críticas (como generación y distribución de energía eléctrica, gas o agua potable; estas últimas con impacto normalmente nacional y de gran relevancia en distintos sectores productivos), la industria en general, la agricultura, ciudades inteligentes, Internet de las cosas masivo, Inteligencia Artificial, vehículos autónomos, metaverso, aplicaciones de realidad virtual y aumentada (usos industriales y en educación), por ejemplo. Todas estas particularidades que separan 5G de otras tecnologías se desarrollan también en el apartado -E- del informe técnico Nº MICITT-DMOF-1099-2023 de fecha 12 de diciembre de 2023. Sobre el particular, resulta poner en conocimiento a los señores y señoras Magistrados de la Sala, que aún y cuando el ataque del grupo criminal CONTI (2022) tuvo por objeto la infiltración en los sistemas informáticos públicos y no a las redes de telecomunicaciones, debe tenerse presente que la implementación de redes IMT-2020 (5G) poseen una capacidad de conexión y vinculación a sectores de alta sensibilidad y criticidad que aumentan la superficie de ataque a las redes y sistemas informáticos, por lo cual guardan una vinculación directa con la seguridad del país. Es en virtud de la evolución de la conectividad móvil y su profunda integración con el quehacer de la sociedad y la industria, es que precisamente las redes IMT-2020 (5G) generan una mayor superficie de ataques cibernéticos, por lo que adquieren relevancia las medidas de ciberseguridad como parte de los mecanismos regulatorios en materia de telecomunicaciones para resguardar el uso y explotación segura de las redes por parte de los operadores. Por lo cual resulta consustancial el papel del Poder Ejecutivo, en ejercicio de las potestades delegadas por el Legislador en lo que respecta al uso y explotación del espectro radioeléctrico, a su vez derivadas por las normas del derecho internacional público (Ley Nº 8622, CAFTA-DR) y el bloque de legalidad sectorial (Ley Nº 8642, Ley General de Telecomunicaciones), que le habilitan a fijar las condiciones y obligaciones necesarias para garantizar la explotación segura de las redes que utilizan el espectro radioeléctrico como bien finito demanial a través del cual se implementan las denominadas redes públicas de telecomunicaciones, que desde luego alcanzan a las redes 5G. Y, como parte de éstas condiciones, el Poder Ejecutivo posee potestad reglamentaria para adoptar las medidas técnicas y administrativas necesarias, para garantizar la explotación segura de las redes de telecomunicaciones con el objetivo de resguardar el régimen jurídico de protección de los derechos humanos de los usuarios finales de redes de telecomunicaciones, en aras de garantizar la privacidad, el secreto de las comunicaciones, y la autodeterminación informativa de los usuarios (véase artículo 42, de la Ley Nº8642). Este desarrollo normativo también puede consultarse en los apartados -A-, -B- y -C- del informe técnico No. MICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023, y a su vez lo que será señalado infra en el presente escrito. Cabe destacar también a los señores y señoras Magistrados de la Sala Constitucional, que aún (sic) y cuando Costa Rica es una república cuya política de seguridad nacional y defensa se basa en los pilares de neutralidad permanente y desmilitarización ante conflictos internacionales, -inspirados en la paz como valor que informa el Ordenamiento Jurídico costarricense-, esta situación jurídica no impide que el Poder Ejecutivo llamado constitucionalmente a mantener el orden público y la tranquilidad de la Nación por disposición del artículo 140 inciso 6) de la misma Constitución Política, adopte las medidas preventivas razonables ante situaciones que menoscaben o atenten contra la seguridad nacional como sucedió con el antecedente del ciberataque del 2022, por parte de un grupo criminal organizado de origen ruso. Así lo ha señalado la Procuraduría General de la República en Dictamen N° C-94-86 del 29 de abril de 1986: “El señor Presidente de la República proclamó perpetuamente neutral a Costa Rica el día 17 de noviembre de 1983. La neutralidad perpetua se define como “una situación jurídica libremente aceptada que compromete al Estado a no declarar jamás la guerra a otro Estado. Esta disposición jurídica no inhibe al Estado para ejercer la legítima defensa en caso de agresión. Conforme a los principios del Derecho Internacional Publico (sic), el Estado permanentemente neutral debe permanecer al margen de todas las guerras que si susciten entre terceros Estados”. En esta misma línea, consta la Opinión Jurídica de la Procuraduría General de la República N° O.J.-228-2003 del 12 de noviembre del 2003 en donde señaló: “(...) la existencia de una ‘conciencia nacional’ que favorece la preservación de la paz. Consecuencia de ello, se afirma, se han tomado acciones concretas que reconoce ese sentimiento colectivo, como lo son la abolición del ejército en la Constituyente de 1949; la Proclama de Neutralidad, adoptada durante la Administración Monge Alvarez (sic) (...) en vista de que el Derecho de la Constitución le impone al Poder Ejecutivo el deber constitucional de asumir una posición neutral frente al flagelo de la guerra, salvo en los casos de legítima defensa (...) aun la noción de neutralidad clásica concebía posible la legítima defensa individual y es posible que un Estado perpetuamente neutral ejerza su legítima defensa individual”. Es con fundamento en lo anterior, que esta cartera Ministerial emite junto con el Ministerio de Seguridad Pública el Decreto Ejecutivo N°. 44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, puesto que ante la evolución tecnológica, el ciberespacio no es un tema ajeno a la seguridad nacional, pese a su condición intangible adquiere un carácter especial a proteger tal cual sucede con el espacio aéreo, marítimo, terrestre y exterior, del cual pueden surgir daños importantes a la soberanía nacional (soberanía cibernética) y por tanto la doctrina le ha reconocido como el “quinto dominio de la guerra”. Esta precisión conceptual puede consultarse en el apartado -F- del informe técnico No. MICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023. Es con este alcance de prevención de actos de crimen en el ciberespacio ligado a las redes 5G, que la emisión del Reglamento de Ciberseguridad para redes 5G y superiores, se remonta al resguardo de un claro interés público. La inactividad y omisión de medidas por parte del Poder Ejecutivo en este sentido, podría generar daños de una magnitud que supere con grandes creces el ataque ocurrido en el año 2022. En relación con lo anterior, desde la óptica de la Rectoría de las Telecomunicaciones, debe tenerse en consideración que, mediante el Decreto Ejecutivo N°37052-MICIT se establece en Costa Rica el denominado Centro de Respuesta de Incidentes de Seguridad Informática (CSIRT-CR), con sede en el Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones (establecido desde el año 2012). Este Centro de Respuesta de Incidentes de Seguridad Informática (CSIRT-CR) tiene facultades suficientes para coordinar con los poderes del Estado, instituciones autónomas, empresas y bancos del Estado todo lo relacionado con la materia de seguridad informática y cibernética y concretar el equipo de expertos en seguridad de las Tecnologías de la Información que trabajará para prevenir y responder ante los incidentes de seguridad cibernética e informática que afecten a las instituciones gubernamentales. Es como parte de esta articulación de esfuerzos entre carteras ministeriales, que se emite el Decreto de marras. Luego de esta necesaria explicación sobre la génesis del reglamento, resulta de especial relevancia contextualizar además, cuál es el ámbito de aplicación del citado cuerpo reglamentario. Es así como el artículo 2 establece: “Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones. En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas (sic), para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores”. Como punto inicial, el artículo advierte en su primer párrafo que las medidas de seguridad contempladas en dicha normativa y todas las actuaciones aplicables para el manejo de gestión de riesgos resultan de carácter obligatorio y vinculante para todas aquellas personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras que posean un título habilitante para la operación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores. Ahora bien, el supuesto que regula el párrafo segundo resulta de aplicación para una primera etapa del ciclo de la contratación pública, que es precisamente ante el concurso donde los potenciales oferentes deben de construir su oferta técnica tomando en consideración las medidas de seguridad y gestión de riesgos que les serán de carácter vinculante y obligatorio en caso de resultar beneficiados con una adjudicación de los segmentos de frecuencia del espectro radioeléctrico para la explotación de redes y la prestación de servicios basados en tecnología de quinta generación móvil o superior; o de aquellos operadores de telecomunicaciones que cuenten actualmente con títulos habilitantes de concesión que les permitan el desarrollo e implementación de estas redes y la prestación de sus servicios. Es por ello que en la normativa se reserva bajo responsabilidad del Operador promovente del procedimiento especial de servicios en competencia, adecuar bajo su potestad discrecional el requisito a consignar en el pliego de condiciones, mediante el cual verificará en su esfera comercial que dichos oferentes conocen los alcances de esta normativa a fin de planificar, diseñar e implementar su oferta técnica. En este sentido bajo el principio sectorial de no discriminación debe entenderse que cualquier operador de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores está obligado a respetar las medidas técnicas reglamentarias fijadas por el Poder Ejecutivo en esta materia, considerando el debido resguardo de los bienes jurídicos tutelados superiores como lo son la dignidad humana, la intimidad, la privacidad, la seguridad y autodeterminación de sus usuarios. Por lo antes examinado, el artículo de cita debe de interpretarse en su integralidad, en el sentido de que es el operador de redes y servicios mediante tecnología 5G quien estará obligado en sentido estricto a cumplir con la adopción de estándares y análisis de riesgos toda vez que se trata regular la operación activa de redes de telecomunicaciones y en consecuencia es el llamado a garantizar la seguridad de sus propias redes. De lo anterior, se extrae que la sujeción especial la posee el Operador con concesión que lo habilita para estos efectos, que en este caso concreto sería el Instituto Costarricense de Electricidad, el llamado a cumplir las disposiciones del reglamento, mientras que en el caso de la empresa recurrente, participa eventualmente en la cadena de suministro, de resultar beneficiado de una eventual adjudicación dentro del procedimiento especial de servicios en competencia. Tomando en cuenta las consideraciones anteriores, obsérvese tal y como consta en autos, concretamente en la Certificación No. 178-SUTEL-2023 emitida por el Registro Nacional de Telecomunicaciones de la Superintendencia de Telecomunicaciones (PRUEBA No. 1), que la empresa [Nombre 002]. en la actualidad no posee título habilitante de concesión para la la (sic) operación de redes públicas o la prestación de servicios bajo tecnología de quinta generación móvil o superior 5G que conlleve la explotación y uso del espectro radioeléctrico, por lo cual no está comprendido dentro del ámbito de aplicación de la normativa reglamentaria referida por dicha empresa. 3.- Tanto el Presidente de la República, la Ministra del MICITT así como el Presidente Ejecutivo del ICE han manifestado públicamente que la promulgación del citado Reglamento se hizo con el motivo específico de impedir la participación de empresas de diversas nacionalidades, especialmente las de origen chino, en los procesos licitatorios tendentes a la obtención y operación de la tecnología en telecomunicaciones 5G IMT y Superiores de las redes de aquella institución. Respuesta. No es cierto. Como bien se aprecia de la respuesta al punto anterior, la emisión del Decreto Ejecutivo N°. 44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, se sustenta en la necesidad de contar dentro del Ordenamiento sectorial de las telecomunicaciones de una norma técnica para resguardar bienes jurídicos superiores el régimen jurídico de protección a la intimidad, la privacidad y autodeterminación informativa de los usuarios finales, la protección del orden público y la seguridad nacional desde la óptica del ciberespacio para el desarrollo de redes y prestación de servicios basados en tecnología 5G y superiores, por lo cual no refiere a una nacionalidad en particular, sino a medidas objetivas de carácter técnico y administrativo basados en los más altos estándares aplicables en esta materia; lo anterior sin perjuicio de la indebida circunstanciación (sic) de este hecho, que deriva en una mera apreciación subjetiva del recurrente. 4.- El Presidente del ICE manifestó por medio del periódico El Mundo CR el pasado 16 de setiembre que el respectivo concurso público será publicado antes de finales de setiembre del año en curso. Respuesta. No me corresponde referirme a aparentes manifestaciones realizadas por el Presidente del Instituto Costarricense de Electricidad. En todo caso, resulta de conocimiento y acceso público que, dicho Instituto publicó en fecha del 9 de noviembre de 2023, la invitación a participar en el procedimiento especial de servicios en competencia, con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001. Como parte de la consulta realizada a dicho expediente, se aprecia que en el contexto de dicho procedimiento especial de servicios en competencia, la apertura de ofertas se realizó el día 19 de diciembre de 2023, en donde consta la participación de 5 a 6 oferentes, distribuidos en 6 partidas, entre los cuales se observa la oferta de la empresa [Nombre 002]. para las partidas 1, 2, 3, 4 y 5. 5.- Adicionalmente, y como prueba fehaciente y absoluta del riesgo que existe para mi representada, el día 5 de setiembre de 2023 a las 4:20 p.m. se recibió de parte del señor Huberth Valverde Batista, Administrador del Contratos del ICE, un correo en el que envían un cuestionario consultando sobre el cumplimiento del Reglamento de Ciberseguridad No.44196-MSP-MICITT. El propio correo se indica la necesidad de obtener esa información en 4 días hábiles. Respuesta. No me consta. Corresponde a diligencias propias del Operador recurrido con la empresa [Nombre 002]. 6.- Dicho cuestionario, como se puede apreciar de la certificación notarial que se aporta, es una copia exacta de los requerimientos del Reglamento. Respuesta. No me consta. Corresponde a diligencias propias del Operador recurrido con la empresa [Nombre 002]. 7.- Lo anterior es prueba directa que, ante la publicación inminente de la licitación, mi representada se verá afectada e imposibilidad (sic) de participar en ella. Respuesta. Lo cierto es que en fecha del 9 de noviembre de 2023, el ICE cursó la invitación a participar en el procedimiento especial de servicios en competencia, con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001, resultando que la apertura de ofertas en dicho concurso se realizó el día 19 de diciembre de 2023, en la cual se observa la oferta de la empresa [Nombre 002]. para las partidas 1, 2, 3, 4 y 5. Por lo cual a pesar de lo manifestado la empresa sí participó en el procedimiento de interés, presentando una plica en la que incluso manifestó su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal. En este sentido resulta de relevancia considerar lo señalado por el propio Operador recurrido en su Informe No. 0060-456-2023, rendido para los efectos del presente recurso de amparo, en fecha 06 de octubre de 2023, en el cual manifestó en lo que interesa: “El 11 de setiembre de 2023, el señor Marcel Aguilar Sandoval de la empresa Huawei Tecnologies (sic) Costa Rica, responde a las consultas realizadas, según se demuestra en el Anexo N.o 7 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 9. En lo que concierne a las respuestas de Huawei Tecnologies Costa Rica, según podrá constatar el Honorable Tribunal Constitucional, no se evidencia que dicha empresa haya tenido algún tipo de disconformidad con lo consultado. (Ver Anexo N.o 7 del Informe Técnico)”. (El resaltado es propio y no del original) Se destaca ante esta estimable Sala Constitucional, la inconsistencia en las manifestaciones de la empresa, donde en una etapa previa a la publicación del concurso no puso en conocimiento al Operador de las inconformidades que debieron exponerse en un ámbito administrativo, y que ahora revela en esta sede jurisdiccional. Debe entonces valorarse la buena fe de sus actuaciones, dada la omisión de alertar dicha situación desde un primer momento, frente a la consulta del Operador, y no de forma posterior a la verificación de mercado cursada por dicho Instituto, que ahora se encuentra licitando y ante quien se solicita la suspensión de dicho procedimiento especial. Esto lo que refleja es una inconsistencia entre las manifestaciones del recurso de amparo y lo que documenta en su propia oferta, misma que se adjunta como PRUEBAS No. 3 y 4 al presente informe, a los efectos de que la Sala Constitucional constate la ambivalencia entre lo manifestado de previo al concurso, y la aceptación de cumplimiento al pliego de condiciones del concurso licitatorio referido ut supra. 8.-Ante esta situación resulta más que claro, evidente y manifiesto el riesgo directo, indudable, actual, inminente y real al que se enfrenta la empresa que represento”. Describe amenazas en los siguientes términos: “1.- El Presidente Ejecutivo del ICE ha dicho claramente que a finales de setiembre esa institución sacará a concurso público la adquisición de la tecnología en telecomunicaciones 5G Móvil y que, en ese concurso público, aplicarán los requisitos exigidos en el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” (sic). 2.- Como lo cita el medio noticiero digital "El Mundo.CR" el 15 de setiembre del año en curso, el presidente Ejecutivo del ICE expresamente señaló lo siguiente: "el decreto ya lo tienen los equipos y lo están revisando para ver de qué manera se incluye en el cartel. Además, tenemos algunas aclaraciones que tenemos que hacer. Sin embargo, la respuesta es que sí, vamos a tener que incluir lo que ahí se dispone, puesto que es política pública aplicable" (https:elmundo.cr/costa-rica/licitaciónpara-5g-saldra-a-finales-desetiembrevetando-empresas-chinas/). 3.- El presidente de la República, don Rodrigo Chaves Robles, había declarado ante la prensa cuando se encontraba en los Estados Unidos, luego de haber firmado poco antes de su partida el citado Reglamento, que su promulgación tenía como objetivo impedir la participación de empresas de diverso origen, en los próximos concursos públicos que abrirían el ICE y la SUTEL para la adquisición de la tecnología en telecomunicaciones 5G Móvil lo cual se puede verificar en el siguiente link https://dplnews.com/rodrigo-chaves-prohibeempresas-chinasen-el-desarrollo-de-5g-encosta-rica/ 4.- Este criterio fue ratificado por la ministra del MICITT en el programa radial de Amelia Rueda el lunes 4 de setiembre pasado conforme se puede verificar en el siguiente link https://ameliarueda.com/noticia/huawei-china-5g-micitt-subastacosta-ricanoticas Respuesta. Sobre las presuntas amenazas descritas, me referiré en el orden en que son señaladas: Sobre lo que se indica en puntos 1 y 2 con respecto al Presidente Ejecutivo del ICE, reitero que no me constan las manifestaciones que haya realizado en medios públicos o en actuaciones que no consten precisamente por escrito dirigidas a esta cartera ministerial o bien no incorporadas al expediente de la contratación del procedimiento especial de servicios en competencia aludido. Pese a que no me consta la veracidad de las manifestaciones, lo que en apariencia fue manifestado no constituye violación a algún derecho fundamental del recurrente, por cuanto el Operador se limitaría a cumplir con el derecho objetivo que regula las condiciones reglamentarias para la implementación de redes 5G y superiores. Lo anterior sin perjuicio de la oferta presentada por el recurrente en el proceso de contratación en curso. Sobre lo referido en el punto 3, aparentemente por el Presidente de la República, no consta a este Ministerio la existencia de dichas manifestaciones, aun cuando se alegue la presencia de publicaciones en diferentes medios de comunicación. El Decreto Ejecutivo Nº44196-MSP MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, como bien se ha desarrollado en apartados anteriores y en forma abundante en el informe técnico Nº MICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023 presentado de forma oficiosa ante la Sala Constitucional en fecha 13 de diciembre de 2023, se trata de una norma técnica que no encuentra en su parte considerativa o dispositiva, expresión alguna en detrimento de una nacionalidad en particular como lo pretende hacer ver la empresa recurrente. Sobre lo alegado en el punto 4, debe considerar este Órgano colegiado que el enlace suministrado no conduce a una publicación en la que se pueda verificar lo señalado por el recurrente, sin perjuicio de que como se ha indicado la normativa reglamentaria responde a medidas técnicas y administrativas tendientes a garantizar el régimen jurídico de protección de los usuarios finales de los servicios de telecomunicaciones. 5.- En consonancia con todo lo anterior, mi representada recibió un cuestionario del ICE, solicitando confirmación del cumplimiento del Decreto, el cual se refiere específicamente a la tecnología 5G o superior, esto como una evidencia clara y directa de la intención del ICE de promover este concurso a la mayor brevedad. Respuesta. No me consta. Corresponde a diligencias propias del Operador recurrido con la empresa [Nombre 002]. 6.-Es evidente que el cuestionario enviado por el ICE tiene directa relación con el Pliego de Condiciones que será utilizado para el proceso de licitación que tenga como objetivo la tecnología 5G. De conformidad con la Ley General de la Contratación Pública, la Administración, previo a publicar el Pliego de Condiciones de cualquier naturaleza, debe realizar un estudio de mercado para verificar cuáles son los posibles oferentes. En este caso es evidente que el ICE está cumpliendo con el estudio de mercado establecido en artículo 34 de la Ley de Contratación Pública, al hacer las preguntas sustentadas en el Reglamento, dejando así claro que van a incorporar dichas disposiciones al proceso licitatorio de 5G, en razón de que el Reglamento es una norma vigente el ICE no tiene potestad para desaplicarlo. Respuesta. No me consta. Corresponde a diligencias propias del Operador recurrido con la empresa [Nombre 002]. Lo único que me es posible afirmar en mi condición de Ministerio Rector de las telecomunicaciones, y como parte del Poder Ejecutivo a cargo de definir las condiciones y obligaciones para el uso y explotación del espectro radioeléctrico es, que el ICE sí es un operador concesionario de frecuencias en la actualidad (v.gr. Acuerdo Ejecutivo No. RT010-2010-MINAET y Acuerdo Ejecutivo RT-024-2009- MINAET, adecuación). Por lo tanto, dicho operador, así como cualquier otro Operador con título habilitante de concesión sujeto a dicha norma reglamentaria, deberá adecuar sus actuaciones al Ordenamiento Jurídico sectorial, y sobre esto a las medidas de gestión y mitigación de riesgo integradas en el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”. 7.- Por tanto, estamos en presencia de una amenaza cierta, real, efectiva e inminente, casi en etapa de ejecución, de un acto lesivo de los derechos fundamentales de mi representada. Respuesta. Lo cierto, es que el Instituto Costarricense de Electricidad publicó en fecha del 9 de noviembre de 2023, la invitación a participar en el procedimiento especial de servicios en competencia, con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001. A partir de la consulta realizada a dicho expediente, se aprecia que en el contexto de dicho procedimiento especial de servicios en competencia, la apertura de ofertas se realizó el día 19 de diciembre de 2023, en donde consta la oferta de la empresa [Nombre 002]. para las partidas 1, 2, 3, 4 y 5 de dicho proceso de contratación, por lo cual no se configura materializado el riesgo argüido y por consecuencia las violaciones a los derechos fundamentales del recurrente como parte del proceso de contratación pública. Llama poderosamente la atención como ya se ha indicado, que la empresa no solo presentó oferta; sino que desde un primer momento previo a la publicación del pliego de condiciones, ante una supuesta consulta efectuada por el Operador, la empresa recurrente no refirió ningún impedimento, imposibilidad o circunstancia que dicho Instituto tuviera que valorar de previo. Dado que en la actualidad el proceso de contratación se encuentra en curso y que en el caso concreto el recurrente ha presentado una oferta formal sujeta a valoración por parte de la Administración contratante, es necesario respetar bajo los principios de legalidad, imparcialidad, competencia y el debido proceso administrativo, el criterio que dicho Operador efectúe en igualdad de condiciones para esta y las restantes ofertas que se presentaron al concurso. Sin embargo, note esta honorable Sala Constitucional como en forma posterior al supuesto intercambio de comunicación con el Operador contratante, es que la empresa modifica su discurso, el cual no se mantiene congruente en el tiempo, pues en el documento de oferta, afirma que “entiende, acepta y cumple” las condiciones del propio concurso registrado con el expediente electrónico número 2023XE-000023-0000400001, mientras que con su recurso de amparo intenta llevar a la convicción de una limitación que no le evidenció al Operador. 8.- En efecto, el concurso público que abrirá el ICE antes de finales de este mes, según lo han anunciado sus propios personeros, impedirá que mi representada pueda participar en él, por el simple hecho de ser una compañía de origen chino. Respuesta. Lo cierto, es que deben valorarse de forma objetiva por este Órgano colegiado, los elementos que conforman el expediente electrónico número 2023XE-0000230000400001, por cuanto en primer orden, ya se ha apuntado que el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” le aplica al operador de redes y prestador de servicios basados en tecnología 5G o superiores, quien estará obligado en sentido estricto a cumplir con la adopción de estándares y análisis de riesgos toda vez que se trata regular la operación activa de redes de telecomunicaciones y en consecuencia es el llamado a velar por su cadena de suministro. Por lo tanto, para estar sujeto a su ámbito de aplicación debe contar con un título de concesión para estos fines, del cual adolece la empresa recurrente (ver PRUEBA N°1). Segundo, aún (sic) y cuando la empresa recurrente sostiene que su origen constituye un impedimento para participar, no hace ninguna relación a las disposiciones concretas del Decreto Ejecutivo Nº44196-MSP-MICITT aplicables a dicha circunstancia, para aseverar que en el caso concreto podría materializarse una lesión a su esfera de derechos fundamentales, y esto es así por cuanto dicha normativa reglamentaria no establece discriminación alguna en relación con el origen o nacionalidad de alguna empresa. Sobre el particular cabe resaltar que la debida fundamentación y la carga de la prueba (onus probandi) recae sobre quien alega en este caso concreto la transgresión de derechos protegidos constitucionalmente. No obstante lo anterior, observe esta Sala Constitucional a los efectos de mejor resolver lo que corresponda para el presente recurso de amparo, que pese a que la empresa sostiene que se trata de una empresa de origen chino, se aprecia en autos, dentro de los elementos probatorios del recurso de amparo, la certificación literal número RNPDIGITAL-1458528-2023 de fecha 28 de setiembre de 2023, en la que consta que [Nombre 002]. se encuentra registrada y domiciliada según la información que consta en los tomos y asientos mecanizados que al efecto dispone la Sección de Personas Jurídicas del Registro Nacional de Costa Rica, de carácter constitutivo, bajo la cédula jurídica [Valor 001]. A partir de este supuesto fáctico, puede determinarse del código o clase “3-101”, que dicha persona jurídica es una sociedad anónima constituida en Costa Rica, según la inscripción practicada. Además, la inscripción de dicha persona jurídica se visualiza como “sociedad anónima” al tenor de las disposiciones del ordenamiento jurídico. De tratarse de una sociedad extranjera, note la Sala que la nomenclatura no sólo (sic) sería otra, esto es “3012”, sino que así se haría constar en la certificación literal bajo el principio de publicidad que permea la debida inscripción de los documentos públicos según artículo 32 de la Ley de Inscripción de Documentos en el Registro Público N.º 3883, lo cual no ocurre en el caso concreto, por lo que la condición de que se trata de una sociedad extranjera no se encuentra documentado y por lo tanto no posee efectos oponibles para terceros en ese sentido. Agréguese a lo anterior, que según se lee del escrito del recurso de objeción interpuesto por esta misma empresa contra el pliego de condiciones del procedimiento especial número 2023XE-000023-0000400001 (ver PRUEBA ADJUNTA No. 2), la siguiente introducción: “El suscrito, [Nombre 001], de un sólo (sic) apellido en razón de mi nacionalidad china, mayor de edad, casado, ingeniero, vecino de San José, Rohrmoser, portador de la cédula de residencia costarricense 115601034602 y, del pasaporte de mi país número EE1392531, en mi condición de Gerente General con facultades de apoderado generalísimo sin límite de suma de [Nombre 002]., sociedad costarricense con cédula jurídica número [Valor 001], domiciliada en San José, Pavas, Rohrmoser, Oficentro Torre Cordillera, piso 16, me apersono respetuosamente en nombre de mi representada a interponer formal Recurso de Objeción en contra de las cláusulas y condiciones que se dirán, del pliego de condiciones que regula el procedimiento de contratación pública de referencia (...) (...) En este caso, debemos indicar que [Nombre 002]. es una sociedad constituida y que funciona de conformidad con las leyes y el ordenamiento jurídico costarricense, que opera en el mercado de venta y de suministro de equipos, hardware y software a los operadores de redes y prestadores de servicios de telecomunicaciones, desde el año 2007. Tal y como consta en el referido expediente en SICOP, la participación dentro del concurso que promueve el ICE, donde se desprende formal oferta por parte de [Nombre 002]. en la que consta una manifestación totalmente distinta a lo que aquí se alega en cuanto a su origen. En este sentido ya la Sala Constitucional ha precisado en pronunciamientos anteriores, como lo hizo en la Sentencia N° 2014-007274 de las 15:15 horas del 27 de mayo del 2014, reiterada recientemente en la N° 2023-002894, de las 10:40 horas del 07 de febrero de 2023, que: “(...), en ésta (sic) sede de tutela constitucional y en tal sentido, la regla según la cual corresponde al accionante probar todos los hechos en que fundamenta su acción de amparo, debe aplicarse de manera flexible porque en la situación de vulnerabilidad en que se encuentra, éste sólo debe probar aquellos hechos que le sea posible demostrar desde su situación particular (...) Estas circunstancias demuestran que estamos en este caso frente a un claro desequilibrio de las posiciones procesales, que debe corregirse desplazando la carga de la prueba, con el fin de no impedir el equitativo ejercicio y acceso a la justicia y el descubrimiento de la verdad”. VII.- Los criterios de la Sala señalados en la sentencia parcialmente transcrita, se sustentan, como se dijo, en el principio de la carga dinámica de la prueba que, doctrinariamente, es conocida como la posibilidad de trasladar esta carga de probar los hechos a la parte que está en mejores condiciones para hacerlo, de modo tal que la inversión de la prueba pretende “determinar sobre quien pesan los esfuerzos de probar en función de las posibilidades de producir la prueba”, es decir, que se parte del interrogante de quién es la persona que está en mejores y peores condiciones para probar los hechos; implica un reconocimiento de la desigualdad en que se hallan las partes respecto del hecho a probar y constituye una compensación a favor de la parte a la que le es más difícil acreditarlo” A partir del principio dinámico de la carga de la prueba, ésta (sic) recae sobre quien alega en este caso demostrar cual es el origen de su empresa, y cómo en el caso concreto dicho origen puede generarle una afectación a la luz de las disposiciones del Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, lo cual no se desarrolla en el presente alegato sino que presume que dicho ejercicio debe construirlo la Sala Constitucional, ello a pesar de la información registral a la que tiene acceso el recurrente para informar a este Órgano colegiado sobre la veracidad de su origen, y así evitar conductas que tiendan a la confusión contrario al principio de buena fe que debe orientar los procesos de contratación pública y estos procesos jurisdiccionales. En esta línea considérese que como parte de los documentos de oferta y que constan públicamente en el expediente de la contratación en curso, se extrae la Declaración Jurada rendida por el representante [Nombre 001], quien bajo la fe de Juramento declara entre otros aspectos que: “[Nombre 002]., sociedad costarricense con cédula jurídica número tres-ciento uno- cuatrocientos noventa y nueve mil quinientos ochenta y ocho, con domicilio social en San José, Pavas, Rohrmoser, Oficentro Torre Cordillera, piso dieciséis” (ver PRUEBA ADJUNTA No. 4). De esta manera, lo que se reafirma es el aspecto de la sociedad constituida en nuestro país. Escapa al Ministerio comprobar un aspecto privado como el que atañe al giro propio, o estructura de negocio de la empresa, cuyo fuero probatorio le corresponde directamente a ella para demostrar si en efecto su empresa posea un origen distinto al que ha sido registrado y publicitado, y en relación a este extremo concreto, cómo su origen le genera alguna afectación derivada precisamente del Reglamento; cuando de hechos públicos y notorios lo que ha documentado es que se trata de una sociedad conformada al amparo del ordenamiento nacional, registrada en calidad de sociedad anónima en la Sección de Personas Jurídicas del Registro Nacional. Agréguese a lo anterior la posición tan cambiante que ha sostenido la empresa a la hora de comunicarse con las diferentes instancias. Si en el caso identificaba una circunstancia en apariencia lesiva a sus intereses particulares, debió demostrarlo así al Operador desde antes de la concepción del pliego de condiciones, cuando se le consultó en apariencia mediante la supuesta herramienta “cuestionario” y no en un momento posterior, incluso precluido, actitud temeraria que lo que podría hacer es dilatar el proceso a su conveniencia, y con ello una afectación sustancial al interés público de implementar en el país redes de telecomunicaciones basadas en tecnologías 5G y superiores. 9.- Es importante indicar que no puede ser imputable a mi representada que el Gobierno de la República Popular China, dentro de sus potestades soberanas, no haya firmado al día de hoy el Convenio de Budapest. Respuesta. Lo cierto, es que conforme a lo indicado ut supra, el recurrente es una empresa costarricense, constituida bajo el Ordenamiento Jurídico nacional, y regida por sus disposiciones. De ahí que no se identifica el nexo lógico de la imputación argumentada en relación con el Gobierno de la República Popular China. Tampoco consta a este Ministerio que a la empresa recurrente se le haya imputado dicha responsabilidad por parte del Operador conforme al expediente del procedimiento especial número 2023XE-0000230000400001. Añádase a lo anterior, que no es posible comprender cuál es la verdadera afectación de la empresa derivada de los términos del Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”. Lo anterior por cuanto consta en autos, no se le mencionó al ICE sobre ninguna limitación para participar o de imposible cumplimiento en concurso público, cuando en paralelo planteó la acción recursiva en contra de la actuación del propio Operador. Aunado a lo cual, de forma posterior se observa la oferta de la empresa [Nombre 002]., con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001, en el cual a pesar de lo manifestado la empresa sí participó y manifestó su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal. Además, alega mediante escrito del recurso de amparo que se trata de una compañía de “origen chino”, cuando en la oferta deja de manifiesto que se trata de una empresa constituida en Costa Rica. Por último, no entiende este Ministerio cuál es la verdadera afectación en el caso concreto, pues según lo acontecido en un intercambio de comunicaciones aparentemente con el operador ICE previo a la publicación del concurso, y lo que se documenta en el expediente en SICOP, ha mantenido una posición conforme ante las diferentes instancias en relación con las condiciones referidas al Reglamento, lo que no ocurre ante la Sala en donde manifiesta en forma laxa una vulneración a sus derechos, discurso que no ha reflejado en las diferentes oportunidades procesales del caso. Esto lejos de reflejar una apariencia de buen derecho lo que conduce más bien es a manifestaciones temerarias alejadas del principio de buena fe procesal de la empresa con el afán de interrumpir el curso normal del procedimiento de contratación en curso. A manera de ejemplo, véase el documento de oferta (PRUEBA No. 3) en el cual la empresa refirió sobre el citado Convenio lo siguiente: “3.4. El oferente deberá presentar una declaración jurada en donde se indique su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Para lo cual deberá adjuntar la documentación de respaldo. El ICE se reserva el derecho de verificar la valides (sic) de la información aportada. Respuesta: Entendemos. Huawei cumple totalmente con los estándares de ciberseguridad y mejores practicas (sic) de la industria para el resguardo e integridad de la información. El Convenio de Budapest no se refiere a un estándar de ciberseguridad para redes móviles 5G o similares”. (El resaltado es propio) En total respeto a los principios de legalidad, de competencia, debido proceso administrativo y al procedimiento concursal que a la fecha mantiene su curso, así como a las funciones administrativas que ostenta este Ministerio, no podría generar ningún criterio en torno al fondo de la oferta de la empresa. Lo que sí me permito hacerle ver a la Sala, -sin perjuicio del análisis que el operador deba efectuar en cuanto a las manifestaciones y documentos aportados propiamente con la oferta-, es que al momento de formular dicha plica tampoco hizo referencia a las razones por las cuales su compañía, que se estima constituida en Costa Rica, se le atribuye dificultad alguna en cuanto al Convenio de Budapest, cuyo requisito además ha manifestado “entiende”. Este ejercicio de argumentación le corresponde efectuarlo a la empresa a la hora de plasmar una eventual afectación en el escrito de amparo. Lo que se desprende de la prueba aportada, la oferta y los escritos recursivos, son evidentes inconsistencias e incongruencias en las manifestaciones esbozadas. Empero, sí puedo precisar a esta honorable Sala Constitucional, cuál es el contexto y las razones de índole técnico y jurídico por las cuales el Decreto Ejecutivo Nº44196-MSPMICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” incorporó el Convenio de Budapest como parte de las medidas de gestión y mitigación de riesgos. En ese sentido puede apreciarse por este Honorable Tribunal el apartado -K- del informe técnico NºMICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023, que ahonda en la decisión por la cual se ha incluido la referencia a dicho Convenio como parte de los parámetros de riesgo alto, regulados en el Reglamento (artículo 10 inciso E). A su vez, remite al desarrollo que sobre este mismo tema se realiza en la presente respuesta, concretamente en el siguiente extremo. Por el momento nos limitamos a mencionar su incorporación al Ordenamiento Jurídico costarricense mediante Ley N° 9452 “Convenio de Europa sobre Ciberdelincuencia (Budapest, 2001)”. 10.- El Convenio de Budapest fue publicado 18 años antes que la tecnología 5G fuera lanzada al mercado, por lo que es imposible que alguna de sus consideraciones estuviera relacionada con esa tecnología. Se está usando un factor de evaluación que está desfasado y no relacionado directamente con la ciberseguridad, además de que se viola el principio de imparcialidad tecnológica recogido en el Capítulo XIII del CAFTA. Respuesta. Lo único cierto en cuanto a este argumento, es que el Convenio de Europa sobre Ciberdelincuencia suscrito en Budapest en el año 2001, fue ratificado por la Asamblea Legislativa según Ley N° 9452 “Aprobación de la Adhesión al Convenio sobre la Ciberdelincuencia”, emitida en fecha 26 de mayo de 2017 y publicada en el Alcance N°161 al Diario Oficial La Gaceta N°125 de fecha 03 de julio de 2017. Es importante destacar a la Sala, que los argumentos de la empresa carecen de la debida fundamentación, toda vez que la empresa recurrente no desarrolla ni explica de forma clara y precisa las razones por las que considera que: 1. El Convenio de referencia se encuentra desfasado, toda vez que sus disposiciones normativas siguen vigentes y aplicables con autoridad superior a la ley en nuestro Ordenamiento Jurídico; 2. El Convenio no guarda relación a la ciberseguridad, cuando procura dotar de un marco normativa en la lucha contra la ciberdelincuencia, lo cual resulta improcedente por las razones técnicas desde el ámbito de las telecomunicaciones y la ciberseguridad aplicada a sus redes y servicios; 3. El Convenio vulnera el principio de imparcialidad tecnológica recogido en el Capítulo XIII del CAFTA, cuando dicho contenido en el CAFTA es el de “flexibilidad en las opciones tecnológicas, que en un ámbito deriva en el principio de neutralidad tecnológica, ambos, sujetos a los intereses legítimos de la política pública en materia de ciberseguridad y estándares garantizados que permiten el disfrute pleno y seguro por parte de los usuarios finales. Pesa sobre la empresa como parte del ejercicio de fundamentación demostrar la premisa concreta que alega, desde la óptica y la experiencia del giro comercial de la empresa aunado a las particularidades del sector telecomunicaciones, sobre el cual aplica precisamente el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, sobre cual resulta omisa la argumentación. Además, no basta con afirmar en tres líneas una serie de vulneraciones, cuando tampoco se refiere al texto del Convenio y los extractos con los que sustente de forma clara, precisa e inequívoca, por qué dicho instrumento jurídico es inaplicable a la materia como pretende hacerlo ver y por qué infringe determinados principios, lo cual no sólo (sic) es ayuno de pruebas y fundamentación, sino que se trata de alegatos que no poseen asidero jurídico ni técnico, por lo que a continuación se precisará. Ahora bien, dado que el argumento de la empresa se refiere a dos temas totalmente distintos, sobre el Convenio como “factor de evaluación” y sobre la vulneración del principio de imparcialidad tecnológica con la inserción del Convenio, se procederá a explicar lo necesario a estos dos temas, según se indica. a. Sobre el Convenio de Budapest, como parámetro de riesgo. En primer orden, conviene explicar a la Sala Constitucional como bien se ha venido precisando en el presente escrito y en los diferentes insumos que se han suministrado de forma oficiosa al expediente de trámite del presente recurso de amparo, que el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” incorpora los estándares más altos y mejores prácticas internacionales en materia de ciberseguridad, de cara al proceso concursal para servicios de telecomunicaciones mediante sistemas de Telecomunicaciones Móviles Internacionales (IMT, por sus siglas en inglés), incluida la tecnología de quinta generación 5G y superiores. Dichos elementos constituyen parámetros objetivos para afianzar la prevención contra la ciberdelincuencia, que como bien se ha explicado, ha generado importantes repercusiones a los sistemas públicos, las finanzas públicas y a las personas usuarias de estos servicios esenciales en el país. Como bien lo explica el apartado -I- del informe técnico No. MICITT-DM-OF-10992023 de fecha 12 de diciembre de 2023, las medidas de seguridad contempladas en dicha normativa y todas las actuaciones aplicables para el manejo de gestión de riesgos resultan de carácter obligatorio y vinculante para todas aquellas personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras que posean un título habilitante para la operación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores. Desde luego que esta consideración a quien obliga en este caso es al Operador de servicio, es decir -el ICE-, a cumplir con la adopción de los estándares y análisis de riesgos dispuestos en la normativa, por tratarse de la operación activa de redes para estos fines. Ahora bien, se aprecia en el Capítulo II, artículo 4 denominado “Riesgos Nacionales de Ciberseguridad en Redes 5G y Superiores”, los escenarios de riesgo en materia de ciberseguridad y que han sido identificados y agrupados según las recomendaciones y experiencia de la comunidad internacional, en concreto la Unión Europea:

(Al respecto puede consultarse el Informe N° MICITT-DGDCFD-INF-011-2023/ MICITT-DERRT-INF-007- 2023/ MICITT-DCNT-INF-011-2023 aportado como Anexo el pasado 14 de diciembre de 2023, como parte del informe MICITT-DM-OF-1099-2023.) En este orden de ideas, continúa indicando el Reglamento de marras en sus artículos 6 y 7 la necesidad de que los sujetos cubiertos por el ámbito de aplicación de la norma, ergo -los operadores-, adopten una serie de estándares y un análisis de riesgos de las redes que operan, para determinar si alguno de los elementos de la red califica bajo los parámetros de riesgo alto, dimensionados en el numeral 10, que en lo literal señala: “Artículo 10º- Parámetros de riesgo alto. Los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento, deberán considerar los siguientes parámetros de riesgo alto para la operación de redes de telecomunicaciones 5G o superiores y la prestación de sus servicios: a) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento cuenten con un único suministrador de hardware y software en su cadena de suministro, cuando este se encarga de configurar e integrar todos los equipos activos y software de la solución, o si la red está compuesta por equipos activos y software de un único fabricante. b) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento o sus suministradores de hardware y software tengan algún informe de incidente publicado por el CSIRT-CR sobre brechas en la ciberseguridad de sus sistemas que no han sido atendidas y por ende implican un riesgo para la seguridad, disponibilidad, integridad o privacidad de la información de los usuarios finales. c) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento o sus suministradores de hardware y software sean susceptibles de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. d) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento o sus suministradores de hardware y software tienen su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses. e) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento utilizan suministradores de hardware y software que tengan su sede en un país que no ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). f) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este reglamento utilizan suministradores de hardware y software que no cumplen con los estándares de ciberseguridad dispuestos en el artículo 6 de este Reglamento” Como puede ver la Sala, es en el presente artículo en el cual se desprende la regulación asociada al Convenio de Budapest, como parámetro de riesgo dentro de la operación de redes de telecomunicaciones basados en tecnología 5G o superiores, delimitado en el inciso e) que en lo conducente señala: “Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento utilizan suministradores de hardware y software que tengan su sede en un país que no ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest)”. Para una mejor comprensión de este Honorable Tribunal conviene analizar este inciso desde el espíritu que se le ha conferido precisamente a los elementos de: • suministrador de hardware y software, • sede, • manifestación o consentimiento de obligarse. En primer orden, el artículo 3 en su inciso o) del Decreto Ejecutivo N.º 44196-MSPMICITT “Reglamento Sobre Medidas de Ciberseguridad Aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” establece el concepto de suministrador de software y hardware en los siguientes términos: “(...) o) Suministradores de hardware y software: Entidades que brindan servicios o equipo activo a los sujetos comprendidos en el artículo 2 del presente reglamento. Esta categoría incluye: i) fabricantes de equipos de telecomunicaciones; y ii) otros proveedores externos, como proveedores de infraestructura en la nube, integradores de sistemas, contratistas de seguridad y mantenimiento, y fabricantes de equipos de transmisión, cuando estos se encargan de configurar e integrar los equipos activos y software de la solución”. El concepto anterior debe integrarse desde la óptica del cumplimiento del parámetro de riesgo del Convenio de Budapest, siendo entonces que los fabricantes y proveedores del operador deben tener sede en un país que haya manifestado su consentimiento de obligarse al cumplimiento del Convenio, como por ejemplo Costa Rica, país de origen en el que se constituyó el recurrente como un comerciante costarricense. En esta línea, la definición de sede fue prevista como el núcleo o la sede principal de la organización empresarial, de sus suministradores, esto es, fabricantes y proveedores. Ahora bien, en cuanto a la manifestación del consentimiento, en este inciso e) del artículo 10 no se exige expresamente la calidad de Estado que haya ratificado e incorporado dicho instrumento en su ordenamiento nacional conforme a los procedimientos internos de cada país; sino que, considera el proceso de “Adhesión” establecido para acceder a este Convenio. En relación con este tema, conviene indicar que, el proceso de “Adhesión” a la Ley N° 9452 “Convenio de Europa sobre Ciberdelincuencia (Budapest, 2001)”, implica 3 pasos que son los siguientes: 1. Una vez que esté disponible un proyecto de ley que indique que un Estado ya ha implementado o es posible que pueda implementar las disposiciones del Convenio de Budapest en su legislación nacional, el Ministro de Relaciones Exteriores (u otro representante autorizado) deberá enviar una carta dirigida al Secretario General del Consejo de Europa en la que manifieste el interés de su Estado en adherirse al Convenio de Budapest. 2. Una vez que exista consenso entre los actuales Estados Parte del Convenio, se invita al Estado a adherirse. 3. Las autoridades de ese Estado deberán formalizar sus procedimientos internos similares a la ratificación de cualquier tratado internacional antes de depositar el instrumento de adhesión ante el Consejo de Europa. Según se desprende de las tratativas anteriores el Reglamento únicamente requiere la acreditación del primer nivel, distinto a exigir formal ratificación conforme al derecho interno, desde luego que se seleccionó este primer peldaño siendo que se comprueba el interés de otras naciones de tutelar los mismos valores jurídicos protegidos por nuestro país y la Comunidad. En ese sentido, es importante recalcar que el citado Reglamento únicamente contempla parámetros de riesgo alto por cuanto se ha procurado que la intervención estatal sea mínima, de modo tal que la valoración y gestión de riesgos de impacto medio y bajo sea llevada a cabo por los operadores de redes o proveedores de servicios de telecomunicaciones que cuenten con título habilitante para estos propósitos. Realizada esta precisión, procede aclarar entonces las razones por las cuales existe una especial vinculación del Convenio de Budapest como parte de las medidas de ciberseguridad para redes y servicios basados en tecnología 5G y superiores. Estas razones pueden consultarse en el desarrollo realizado en el apartado -K- del informe técnico No. MICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023, en lo referido al presente inciso e del numeral de análisis). Dicho parámetro fue considerado fundamental en un mundo donde las amenazas cibernéticas no reconocen fronteras geográficas y la naturaleza descentralizada y a menudo anónima del ciberespacio ha permitido que actores maliciosos realizan ataques desde cualquier lugar del mundo, complicando enormemente los esfuerzos de persecución, respuesta y sanción. Es menester reiterar el punto medular del Reglamento, la tecnología 5G y superiores que prometen revolucionar numerosos sectores con su alta velocidad y capacidad de conexión masiva, lo que amplifica los riesgos asociados con la ciberseguridad. La infraestructura 5G es crítica y sensible, dada su implicación en la conectividad de dispositivos esenciales en sectores como la salud, la industria y los servicios públicos esenciales. Un ataque a estas redes no solo podría tener consecuencias devastadoras en términos de interrupción de servicios esenciales, sino que también podría comprometer la seguridad y privacidad de enormes volúmenes de datos e infraestructuras críticas. Cierto es que el Convenio de Europa sobre Ciberdelincuencia (Budapest, 2001), aprobado mediante Ley N° 9452, es anterior al Reglamento en cuestión, por tanto deviene en una norma necesaria para combatir el cibercrimen y la delincuencia organizada, con autoridad superior a la ley conforme al ordinal 7 de nuestra Constitución Política. Así las cosas, Costa Rica debe poner en práctica las disposiciones de los instrumentos internacionales en materia de Derechos Humanos, los cuales en armonía con los mandatos de la Constitución Política visualizan a la persona como el centro de la jurisdicción y en consecuencia debe garantizarse el régimen de protección de sus derechos y libertades fundamentales ex officio por las autoridades públicas. Desde esta óptica jurídica, dicho Convenio forma parte de la normativa internacional incorporada al Ordenamiento Jurídico costarricense y tiene por objeto, en conjunto con el Reglamento de cita, garantizar bajo el principio de progresividad el respeto de los Derechos Humanos y Fundamentales consagrados en la Constitución Política de Costa Rica y en otros instrumentos como el Convenio del Consejo de Europa para la Protección de los Derechos Humanos y de las Libertades Fundamentales (1950), el Pacto Internacional de Derechos Civiles y Políticos de las Naciones Unidas (1966), la Convención Americana sobre Derechos Humanos (Pacto de San José) (1970), entre otros. Desde luego que esto concilia con la verdadera necesidad de la emisión Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, ya que tutela la protección de los citados derechos desde un ámbito que es sumamente vulnerable como lo es el establecimiento de la propia red de telecomunicaciones y sus servicios por los Operadores de tecnologías 5G y superiores. Dicho cuerpo reglamentario pretende entonces resguardar los referidos derechos de los usuarios finales de telecomunicaciones que derivan del artículo 24 constitucional (ya citado) como lo son la intimidad, inviolabilidad de los documentos privados, privacidad de las comunicaciones, la autodeterminación informativa y por ende la calidad de los servicios que reciben los usuarios finales, al establecer medidas técnicas y objetivas en el despliegue de las redes 5G y superiores, ya que estos derechos encuentran su fundamento en la dignidad de la persona y su ejercicio supone la autodeterminación consciente y responsable de la propia vida. Por lo anterior, es correcto apuntar que la tutela de la dignidad humana y el goce de los derechos que de este valor emanan, prevalece sobre cualquier otra materia, y en consecuencia, son superiores, así lo ha apuntado la Sala Constitucional en el voto N°034212020, de las 12 horas 10 minutos, de fecha 19 de febrero de 2020, al reseñar que: “(...) es importante recordar una cuestión elemental del Derecho Internacional Público. Los Tratados sobre Derechos Humanos tienen, por su materia, un objeto y fin muy distinto a los tratados internacionales bilaterales o multilaterales en temas comerciales, de relaciones de cooperación técnica, científica, cultural, etc. En estos tratados, los sujetos de derecho internacional acuerdan obligaciones mutuas entre sí en los respectivos temas pactados; sin embargo, en los relacionados con los derechos humanos, los Estados ponen como objeto y fin a la persona humana que se encuentre dentro de su jurisdicción. En este sentido, los Estados conceden de conformidad con la regla de oro del derecho internacional, obligaciones internacionales a favor de la persona humana, que deben ser cumplidas de buena fe (de conformidad con el artículo 26. Pacta sunt servanda del Convenio de Viena sobre el Derechos de los Tratados)”. De lo anterior, prevalece la regla del derecho internacional pacta sunt servanda conforme al artículo 26 de la Convención de Viena sobre el Derecho de los Tratados, Ley N°7615, de cumplir las obligaciones internacionales de buena, y en el caso concreto a favor de la persona humana, que es precisamente lo que el Estado costarricense ha procurado con la implementación del Reglamento de análisis. Todo ello entendiendo que, el ser humano es la piedra angular en la Sociedad de la Información y el Conocimiento, y por tanto debe de dotarse de toda protección, máxime cuando se trata de entornos digitales complejos con una mayor exposición para los usuarios finales y la institucionalidad pública con la implementación de la tecnología de quinta generación (5G) y superiores. Como bien se ha indicado en el informe técnico No. MICITT-DM-OF-1099 2023 de fecha 12 de diciembre de 2023 (apartado -B-), en la incorporación del derecho supranacional al local no basta el proceso de adhesión a los instrumentos internacionales, sino que debe aplicarse una lectura progresiva, de esta manera la puesta en ejecución de los instrumentos internacionales, el control de convencionalidad ex officio, entre las normas internas y los instrumentos internacionales en el marco de las respectivas competencias de los órganos públicos que permite la adaptabilidad en el tiempo del marco normativo a las nuevas exigencias tecnológicas y necesidades que se satisfacen. Este control de convencionalidad se materializa en el caso concreto, en el ejercicio de las potestades reglamentarias del Poder Ejecutivo de establecer vía en materia de telecomunicaciones medidas técnicas y administrativas de protección incorporadas al Reglamento de Ciberseguridad para 5G, a favor del régimen jurídico de protección a los usuarios finales en el acceso y disfrute efectivo de los servicios de telecomunicaciones, entre las cuales se encuentran precisamente la manifestación referida a la Ley N° 9452 “Convenio de Europa sobre Ciberdelincuencia (Budapest, 2001)”. Máxime que la Ley N° 9452 “Convenio de Europa sobre Ciberdelincuencia (Budapest, 2001)”, ha sido catalogada el Consejo de Europa, como la norma internacional más completa hasta la fecha, ya que proporciona un marco integral y coherente en contra del ciberdelito y la evidencia electrónica. Sirve como una guía para cualquier país que desee desarrollar una legislación nacional integral sobre ciberdelitos y como un marco para la cooperación internacional entre los Estados Parte de este Tratado. Es así como la Ley N° 9452 “Convenio de Europa sobre Ciberdelincuencia (Budapest, 2001)”, desde el plano técnico y jurídico, actúa como un control disuasorio, preventivo y punitivo en la persecución de delitos que atentan contra la tríada de la seguridad de la información: confidencialidad, integridad y disponibilidad de los sistemas, redes y datos informáticos. La disciplina de la ciberseguridad no solo se enfoca en aspectos como el monitoreo, la detección y la protección, sino que también aborda campos cruciales como la respuesta a incidentes de ciberseguridad y el análisis forense. Estos últimos son de vital importancia para obtener evidencia digital, como los registros (logs) de los sistemas, que resulta esencial para determinar la causa raíz de los incidentes. Dada la naturaleza transfronteriza de los ataques cibernéticos, muchas veces se requiere de cooperación internacional para obtener estas evidencias, no solo para la persecución del ciberdelincuente sino también para identificar cuáles fueron las vulnerabilidades explotadas y así solucionar la brecha de seguridad. Es así como señala la Ley N° 9452 “Convenio de Europa sobre Ciberdelincuencia (Budapest, 2001)”, en su preámbulo: “(...) Convencidos de que el presente Convenio es necesario para prevenir los actos que pongan en peligro la confidencialidad, la integridad y la disponibilidad de los sistemas, redes y datos informáticos, así como el abuso de dichos sistemas, redes y datos, garantizando la tipificación como delito de dichos actos, tal como se definen en el presente Convenio, y la asunción de poderes suficientes para luchar eficazmente contra dichos delitos, facilitando su detección, investigación y sanción, tanto a nivel nacional como; internacional, y estableciendo disposiciones materiales que permitan una cooperación internacional rápida y fiable (...)” (El resaltado es propio) Por lo anterior, resulta de vital importancia recalcar que la Ley N° 9452 “Convenio de Europa sobre Ciberdelincuencia (Budapest, 2001)”, aborda los pilares de la ciberseguridad (tríada de la seguridad de la información: confidencialidad, integridad y disponibilidad) en plataformas tecnológicas entre ellas las redes. Al respecto es posible analizar el contenido del artículo 3 que se relaciona con la interceptación ilícita; el 4 con la integridad de los datos; el artículo 5 relacionado con la integridad del sistema; todo lo anterior, además del contenido del capítulo 3 mecanismos de cooperación internacional, asistencia mutua y la creación de una red de contactos que funciona 24/7) en plataformas tecnológicas entre ellas las redes (definición que se usa a lo largo de todo el convenio con medidas que pueden identificarse como "datos relativos al tráfico). Además, al referirse a "redes" en general, dicho marco normativo en efecto aplica para una gama más amplia de tecnologías, incluyendo aquellas que existen actualmente y las que puedan surgir en el futuro. La tecnología evoluciona rápidamente y mencionar en el seno del Convenio una tecnología específica, como 5G, provocaría que la norma no se adapte en el tiempo cuando en realidad se procura su estabilidad, sobre todo ponderando la jerarquía supra legal de la misma. En cambio, referir a "redes" en términos generales mantiene de forma abstracta la aplicabilidad y vigencia de la norma, a medida que surjan nuevas tecnologías. A razón de lo anterior, se ha desarrollado un esfuerzo colectivo en la comunidad internacional para incluir el Convenio dentro de los diferentes planes estratégicos de ciberseguridad nacional, en aras de fortalecer la resiliencia cibernética. Ejemplo de ello, se encuentran República Dominicana, Ecuador, Panamá, Belice, Colombia y Costa Rica.

País y año Parte de la Estrategia Nacional de Ciberseguridad Mención República Dominicana (2022) En los considerandos y las vistas del Decreto No. 313-22 (Ver página 2) VISTA: La resolución del Congreso Nacional núm. 158-12, del 11 de junio de 2012, que aprueba el Convenio sobre la Cibercriminalidad, suscrito el 23 de noviembre de 2001, en Budapest.

Ecuador (2022) En el capítulo de contexto (ver páginas 8 y 10), en la descripción del Pilar Prevención y Combate a la Ciberdelincuencia (Ver página 4) y en acciones para alcanzar el Objetivo 3.1: Actualizar el marco legal y regulatorio de Ecuador en materia de ciberdelincuencia para garantizar la seguridad ciudadana y la protección de los derechos y libertades en el ciberespacio (Ver página 48) Acciones para alcanzar el Objetivo 3.1:

● Revisar el derecho penal existente y adoptar las medidas legislativas necesarias para definir claramente qué constituye delito cibernético y delitos relacionados (delitos contra o a través de sistemas o datos informáticos), considerando la armonización con los instrumentos legales internacionales y regionales existentes, en particular el Convenio de Budapest sobre la Ciberdelincuencia.

● Revisar y alinear los poderes y procedimientos apropiados para la aplicación de la ley, el enjuiciamiento y la judicialización para la investigación y el enjuiciamiento del delito cibernético, incluida la recopilación y el procesamiento de pruebas e instrumentos electrónicos para una cooperación internacional rápida y eficaz, considerando la armonización con el Convenio de Budapest sobre la Ciberdelincuencia y otros instrumentos internacionales.

Panamá (2021) En las acciones para lograr el objetivo establecido en el Pilar II. Disuadir y castigar el comportamiento criminal en el ciberespacio (Ver página 44) 2.4 Continuar el involucramiento con entidades regionales e internacionales En 2014, Panamá exitosamente ratificó la Convención de Budapest5 , el primer tratado internacional que busca abordar el cibercrimen armonizando las leyes nacionales, mejorando las técnicas de investigación y aumentando la cooperación entre las naciones. Panamá también firmó acuerdos en el marco de la Convención de las Naciones Unidas contra la Delincuencia Organizada Transnacional. Si bien representan pasos iniciales importantes, es necesario mejorar la coordinación y la cooperación internacional. Además es necesario incorporar al ordenamiento jurídico leyes que estén alineadas con los convenios o acuerdos internacionales, de los cuales Panamá es signataria.

Belize (2020) En una actividad para cumplir el objetivo estratégico 5 del Área Prioritaria 1 (Ver página 26) Area of Priority 1: Develop the National Legal Framework to adequately address cybersecurity threats Objective 5. Ministry of Foreign Affairs National Security & Attorney General’s Office participate in bilateral and multilateral international cybersecurity agreements Activity 5.1. Government to review the process for acceding to the Convention on Cybercrime (Budapest Convention) Costa Rica (2017) En el capítulo 3 de contexto actual (Ver páginas 23 y 34) En busca de mejorar aún más el marco normativo costarricense y lograr un mejor accionar ante la delincuencia informática, Costa Rica concretó el proceso de adhesión a la “Convención sobre el Cibercrimen” conocida como el “Convenio de Budapest” mediante la firma del Decreto Ejecutivo N° 40546-RREE el 3 de julio del 2017 el cual coadyuva en la lucha frente a los delitos Informáticos.

(…) La legislación sobre delincuencia cibernética debe tener en cuenta el contexto nacional, los convenios internacionales, los mecanismos para facilitar la investigación interinstitucional y multi-jurisdiccional y la mayor complejidad de avances tecnológicos. Costa Rica cuenta con legislación relacionada con delitos informáticos, no obstante, a medida que cambia la sofisticación de estos crímenes, debe haber un proceso dedicado para su revisión y actualización para asegurar que existe la autoridad necesaria para investigar y procesar eficazmente. La adhesión al Convenio sobre Delincuencia Cibernética (también conocido como Convenio de Budapest) es un hecho y las discusiones están en curso dentro del Poder Judicial para la formación de jueces y fiscales en materia de delincuencia cibernética.

Colombia (2016) En el contexto, en el marco normativo, en las estrategias para el Plan de Acción y en el

Anexo con

instrumentos internacionales (Ver páginas 15, 22, 63 y 79) Cooperación y posicionamiento internacional En 2013, a través del Ministerio de Relaciones Exteriores, el país solicitó formalmente la adhesión a la Convención de Europa sobre cibercriminalidad, también conocido como Convenio de Budapest.

(…) 2.3.2. Normativa internacional Entre los instrumentos internacionales que tienen relación con la seguridad digital se encuentran el Convenio sobre Ciberdelincuencia del Consejo de Europa (conocido como el convenio sobre Cibercriminalidad de Budapest) mediante el cual se adopta una legislación que facilita la prevención de las conductas delictivas y contribuye con herramientas eficientes en materia penal que permitan detectar, investigar y sancionar las conductas antijurídicas.

(…) E5.1. Generar mecanismos para impulsar la cooperación, colaboración y asistencia a nivel internacional, en materia de seguridad digital (DE1) Bajo esta estrategia, se busca la adhesión de Colombia a convenios internacionales en torno a la seguridad digital, tales como la Convención de Budapest (…)

Anexo D: Normativa internacional relacionada con asuntos de seguridad digital

Instrumento: Convenio sobre Ciberdelincuencia del Consejo de Europa CCC (conocido como el convenio sobre Cibercriminalidad de Budapest) Adoptado en noviembre de 2001 y entrada en vigor desde el 1° de julio de 2004 En línea con lo anterior procede entonces reiterar a este Órgano Colegiado que en el año 2022, Costa Rica experimentó un episodio devastador en el que un grupo cibercriminal conocido como CONTI, cuyos integrantes residen en países no firmantes del Convenio, no pudieron ser detenidos pese a ser identificados. Además, Costa Rica sufrió en 2022 un ataque informático a los servicios de la Caja Costarricense de Seguro Social (CCSS) perpetrado por el grupo cibercriminal Hive. Las operaciones de este grupo fueron desmanteladas por el Departamento de Justicia de los Estados Unidos en una operación conjunta con las fuerzas del orden de Alemania y los Países Bajos, miembros del Convenio de Budapest. Esta colaboración internacional permitió proporcionar más de 1.300 claves de descifrado a las más de 1.500 víctimas de Hive en más de 80 países alrededor del mundo. De esta forma, la evolución tecnológica debe tener presente este contexto, para efectos de su prevención como un elemento crucial de la rama de la ciberseguridad. En este sentido la prevención de actos que pongan en peligro la confidencialidad, la integridad y la disponibilidad de los sistemas, redes y datos informáticos, juega un rol importante el acondicionar un ambiente en el que sea factible también el aspecto punitivo, esto es, la persecución de los delitos y la aprehensión de los ciberdelincuentes. La ciberseguridad no solo es un elemento técnico sino también controles de diferente naturaleza, tanto administrativos, de gobernanza y normativos que funcionan como controles disuasorios. En caso de un ataque cibernético, se requiere información sobre vulnerabilidades o registros de eventos asociados a equipos de hardware o software, de un proveedor cuyo país de origen debe estar obligado a colaborar bajo la Ley N° 9452 “Convenio de Europa sobre Ciberdelincuencia”, a fin de obtener toda la información necesaria para atender el incidente. El recaudo de evidencia es crucial para generar una adecuada respuesta al incidente de seguridad, y en segundo orden, la persecución y aprehensión de los delincuentes cibernéticos, reduciendo así el riesgo de futuros ataques. De acuerdo con los marcos y estándares internacionales para la respuesta a incidentes, como la NIST 800-61 'Guía de manejo de incidentes de seguridad' o la ISO 27035 'Gestión de incidentes de seguridad de la información', una fase crucial es la erradicación de la amenaza y la corrección de las vulnerabilidades que causaron la brecha. Es por ello que se requiere del examen y manejo de la información en el menor tiempo para remediar la causa raíz y restablecer el servicio. Es desde esta arista, que el Convenio ofrece una herramienta fundamental para garantizar la cooperación para proteger la seguridad digital contra las amenazas transfronterizas, y no depender únicamente de la buena voluntad de la contraparte. Es así como los principios de la Ley N° 9452 “Convenio de Europa sobre Ciberdelincuencia”, instan una activa comunicación con los países firmantes para conseguir evidencia fundamental tanto para subsanar la vulnerabilidad como para perseguir los cibercriminales por el hecho delictivo. Por lo anterior, este Ministerio consideró que la medida es consecuente, proporcional e idónea al beneficio que se pretende generar en beneficio de la seguridad nacional y del régimen jurídico de protección a los intereses y derechos de los usuarios finales. Por lo tanto, las apreciaciones de la empresa recurrente son totalmente incorrectas. Como puede apreciar la Sala, los acuerdos en el marco del Convenio de Budapest sí obedecen al componente de prevención propio de la ciencia de la ciberseguridad, como parte del régimen de protección de los derechos fundamentales de las personas usuarias. Dado que el pilar fundamental de la Sociedad de la Información y el Conocimiento es la persona y la tutela de la dignidad humana como valor superior de raigambre constitucional y supranacional. Según lo refiere el mismo preámbulo de la Ley N° 9452 “Convenio de Europa sobre Ciberdelincuencia (Budapest, 2001)” los Estados Parte son: “Conscientes de los profundos cambios suscitados por la digitalización, la convergencia y la globalización continua de las redes informáticas”; Preocupados por el riesgo de que las redes informáticas y la información electrónica sean utilizadas igualmente para cometer delitos y que las pruebas relativas a dichos delitos sean almacenadas y transmitidas por medio de esas redes”. Por lo cual si bien este Convenio no especifica expresamente tecnologías, como lo es el caso de las redes móviles de Quinta generación (5G) o superiores, de esta circunstancia no deviene que el instrumento sea inaplicable, por el contrario, se entiende que la técnica jurídica fue suscribir el instrumento con miras al futuro y evitar su obsolescencia al restringirlo para ciertos casos, ante la evolución tecnológica que precisamente se ha incorporado en su expresión de motivos. Por ello, tampoco lleva razón la empresa recurrente al sugerir que el Convenio se encuentra desfasado, por cuanto se encuentra vigente y es de acatamiento obligatorio para el Estado costarricense conforme a las reglas del Derecho Internacional de los Tratados. Tampoco resulta cierto, como lo afirma la empresa, que el Convenio de Budapest figure como “factor de evaluación”. Pues la expresión semántica de “evaluación” se utiliza en contratación pública para aquellos aspectos sujetos a calificación y otorgan valor agregado a las ofertas que satisfacen precisamente el perfil mínimo del oferente, como bien lo regula el artículo 40 de la Ley General de Contratación Pública, Ley Nº 9986, de la siguiente forma: “El pliego de condiciones deberá establecer los requisitos de admisibilidad, los parámetros para verificar la calidad y contener un sistema de calificación de ofertas, siendo posible incorporar factores de evaluación distintos del precio, tales como plazo y calidad que, en principio, deben regularse como requisitos de cumplimiento obligatorio (...)”. Como bien se ha dejado en claro en líneas anteriores, los parámetros, medidas y análisis de gestión de riesgo contempladas en el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, que nos ocupa no constituyen meros aspectos sujetos a “evaluación” para un proceso de contratación pública, sino que se configuran en disposiciones normativas a las que se encuentran sujetos los Operadores de redes con esta tecnología, y forman parte de las condiciones y obligaciones mínimas a las que se encuentran sujetos conforme al derecho objetivo sectorial de las telecomunicaciones en relación el uso y explotación del espectro radioeléctrico como bien demanial constitucional. Como ha quedado de manifiesto, la incorporación de este parámetro posee una justificación técnica y jurídica y no a un criterio arbitrario o antojadizo como pretende hacer ver la empresa recurrente. b. Sobre el cumplimiento del principio de neutralidad tecnológica. Tal y como ha sido desarrollado en el apartado -H- del informe técnico No. MICITTDM-OF-1099-2023 de fecha 12 de diciembre de 2023, el Decreto Ejecutivo Nº44196-MSPMICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” guarda una especial sujeción al principio de flexibilidad en las opciones tecnológicas, así como el principio sectorial de neutralidad tecnológica. De esta forma el principio de flexibilidad en las opciones tecnológicas (neutralidad tecnológica) surge en el marco del proceso de apertura comercial del sector telecomunicaciones, como parte de los “IV. Principios Regulatorios aprobados en el Anexo 13 de los “Compromisos Específicos de Costa Rica en Materia de Servicios de Telecomunicaciones” del Tratado de Libre Comercio República Dominicana- Centroamérica - Estados Unidos (TLC) Ley N° 8622, el cual en lo conducente dispone: “10. Flexibilidad en las Opciones Tecnológicas Costa Rica no impedirá que los proveedores de servicios públicos de telecomunicaciones tengan la flexibilidad de escoger las tecnologías que ellos usen para suministrar sus servicios, sujeto a los requerimientos necesarios para satisfacer los intereses legítimos de política pública.” (El resaltado es propio) A partir de este principio regulatorio se desprende que en materia de telecomunicaciones los operadores y proveedores de servicios disponibles al público, gozan efectivamente de la flexibilidad para escoger las tecnologías que prefieran para operar las redes públicas y suministrar sus servicios, por ejemplo para prestar servicios de Telecomunicaciones Móviles Internacionales conocidas como IMT por sus siglas en inglés (en cualquiera de sus generaciones técnicamente disponibles), siempre y cuando, se satisfagan los intereses legítimos de política pública. En este ámbito es importante señalar que la política pública en materia de telecomunicaciones se define a través del Plan Nacional de Desarrollo de las Telecomunicaciones (PNDT) 2022-2027 “Costa Rica: Hacia la disrupción digital inclusiva”, el cual fue aprobado por el Poder Ejecutivo mediante Decreto Ejecutivo N° 43843-MICITT publicado en el Diario Oficial La Gaceta N°5 de fecha 13 de enero de 2023, previa celebración durante el año 2022 de un proceso participativo mediante la realización de talleres y sesiones de trabajo abiertas en múltiples áreas de las telecomunicaciones, en el que pudieron concurrir libremente representantes de la sociedad civil, los diversos sectores del país, con inclusión de los operadores y proveedores de servicios de telecomunicaciones, proveedores de servicios de información, representantes de redes sociales, entre otros, quienes pudieron expresar y compartir su visión sobre el futuro del Sector telecomunicaciones, hasta el año 2027. Por lo cual, la política pública para la operación de redes y la prestación de servicios de telecomunicaciones está plasmada en Plan Nacional de Desarrollo de las Telecomunicaciones (PNDT) 2022-2027 “Costa Rica: Hacia la disrupción digital inclusiva”, con el objetivo de marcar el desarrollo del sector desde la perspectiva de la política pública sectorial, que permita durante los próximos años atender los retos y desafíos de las telecomunicaciones. Debe de subrayarse que en su sección “3.3.3.3 Estrategia Nacional de Ciberseguridad Costa Rica” el PNDT 2022-2027 señala que “La estrategia en materia de ciberseguridad data de 2017 y procura la búsqueda de acciones conducentes al aseguramiento de datos y la protección en línea en diferentes aspectos, considera a la persona como prioridad, el respeto a los derechos humanos y la privacidad, la coordinación con múltiples partes interesadas y la cooperación internacional.” Además, el PNDT señala que “en materia de seguridad cibernética y los retos que esto representa para las diferentes poblaciones, desde las infraestructuras críticas, los servicios en línea, servicios financieros, las MIPYMES, las poblaciones en condición de vulnerabilidad, entre otros, para las que se debe considerar transversalmente el tema en los ejes de la planificación sectorial con visión al 2027.” En esta línea en su sección “3.3.4 Síntesis de los instrumentos publicados asociados al PNDT” añade que “hay diversos instrumentos en los que Costa Rica ha formulado directrices y líneas de acción para la atención de problemas de interés público en temas relacionados al sector de telecomunicaciones, tales como: infraestructura, espectro radioeléctrico y televisión digital; poblaciones específicas en el área de TIC; ciencia, innovación y tecnología, economía digital, transformación digital y ciberseguridad; (...)”. Se complementa lo anterior precisando que conforme al Índice Global de Ciberseguridad (IGC), que es una iniciativa de la Unión Internacional de Telecomunicaciones establecida con el objetivo de medir el compromiso de los países sobre la ciberseguridad y ayudarles a identificar áreas de mejora, la posición de Costa Rica en relación a los países miembros de la OCDE, es el penúltimo en la lista (posición 37 de 38), únicamente superando a Colombia. A partir de ello, y procurando materializar los objetivos establecidos para nuestro país desde la política pública es que se aprueba el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, el cual forma parte de las medidas técnicas de ciberseguridad para garantizar el uso y la explotación segura de las redes y con resguardo de la privacidad de las personas. Esta normativa se orienta a la satisfacción de un conjunto de derechos fundamentales e intereses legítimos de los usuarios finales de los servicios de telecomunicaciones. Colectividad que está conformada por quienes accedemos diariamente a estos servicios y que tenemos el derecho a que nos garantice una prestación segura en cuanto a la privacidad y confidencialidad de la información, el secreto de las comunicaciones y la protección de los datos personales de toda naturaleza. De este modo, debe existir total claridad de que la ciberseguridad en materia de telecomunicaciones está definida desde la política pública y los instrumentos normativos que la conforman como el “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” Decreto Ejecutivo 44196-MSP-MICITT, así como cualquier otro instrumento normativo, plan o estrategia que se apruebe para la satisfacción de los intereses legítimos y derechos subjetivos protegidos en la privacidad y confidencialidad de los datos personales y las comunicaciones, conforme con el principio regulatorio de Flexibilidad en las opciones tecnológicas (neutralidad tecnológica) establecido en el CAFTA, y es por ende, un asunto que nos interesa a todos como usuarios finales y destinatarios de estos derechos. Por su parte, desde la óptica técnica quisiera dejar establecido con claridad que la emisión del Decreto Ejecutivo 44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”: •No prohíbe ni obliga el uso de ninguna tecnología específica, como pueden ser las tecnologías móviles de quinta generación, sino que establece unos requisitos mínimos de seguridad que deben cumplir todos los Operadores de redes móviles de telecomunicaciones que decidan implementar redes de telecomunicaciones bajo esta tecnología o superiores. • Estos requisitos consideran la Ley N° 9452 “Convenio de Europa sobre Ciberdelincuencia”, y una serie de estándares relativos a la seguridad de la información, de manera que el Reglamento procura garantizar que los Operadores garanticen la operación segura de sus redes y los usuarios puedan confiar en la integridad, disponibilidad y confidencialidad de sus redes y servicios, y disfrutar plenamente de los beneficios de la tecnología 5G sin riesgos para su privacidad, seguridad o derechos humanos. • No limita la competencia ni la innovación en el mercado de las telecomunicaciones bajo tecnología de quinta generación (5G), sino que promueve un entorno en competencia efectiva e igualdad condiciones para todos los Operadores independientemente de su origen o tamaño. Al exigir que los Operadores estén sujetos a un marco legal que respete los principios del Convenio de Budapest, así como los demás estándares destacados en el Reglamento. • Esta igualdad de condiciones y obligaciones para los Operadores procura evitar que se generen ventajas competitivas desleales o distorsiones del mercado por parte de aquellos Operadores que puedan eventualmente operar bajo normativas más laxas o incompatibles con las requeridas por el Decreto de referencia. • El Reglamento también fomenta la diversidad y la interoperabilidad de las tecnologías y plataformas para el despliegue de sistemas IMT-2020, incluyendo 5G y superiores, al permitir que los Operadores puedan elegir entre una variedad de proveedores confiables de equipamiento, que cumplan con los requisitos de seguridad establecidos. • No viola el principio supralegal de flexibilidad en las opciones tecnológicas ni el principio sectorial de neutralidad tecnológica, sino que atiende a su contenido orientador conforme a la política pública del Estado costarricense. • El Reglamento no hace ninguna distinción entre las diferentes tecnologías o plataformas para el despliegue de sistemas IMT- 2020, incluyendo 5G y superiores, sino que se aplica por igual a todas ellas. • El Reglamento tampoco impone ninguna restricción al acceso o uso de esas redes o servicios móviles innovadores por parte de los usuarios, sino que garantiza que estos puedan ejercer su libertad de expresión, información y comunicación a través de redes y medios de comunicación seguros. 11- Es completamente discriminatorio que se le impida a mi representada participar en una licitación por una decisión que no está en sus manos, por ser una decisión completamente del Gobierno chino. Respuesta. No es cierto que la normativa Reglamentaria sea discriminatoria, sobre todo considerando la oferta presentada por la empresa [Nombre 002]., con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001, en el cual a pesar de lo indicado por la recurrente, ésta (sic) sí participó y manifestó su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal. Además, alega que se trata de una compañía de “origen chino”, cuando en la oferta deja de manifiesto que se trata de una empresa constituida en Costa Rica. Sobre ello, estimo oportuno reiterar a este Honorable Tribunal, la inscripción practicada para [Nombre 002]. en el Registro Nacional de Costa Rica, Sección de Personas Jurídicas como sociedad anónima costarricense, de acuerdo con el documento de oferta suministrado al procedimiento especial de servicios en competencia que se encuentra promoviendo el Operador recurrido en la actualidad. En todo caso nótese que la empresa declaró en su oferta (PRUEBA No. 4), lo siguiente: “3.4. El oferente deberá presentar una declaración jurada en donde se indique su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Para lo cual deberá adjuntar la documentación de respaldo. El ICE se reserva el derecho de verificar la validez (sic) de la información aportada. Respuesta: Entendemos. Huawei cumple totalmente con los estándares de ciberseguridad y mejores practicas (sic) de la industria para el resguardo e integridad de la información. El Convenio de Budapest no se refiere a un estándar de ciberseguridad para redes móviles 5G o similares”. (El resaltado es del original) De la transcripción anterior, debe considerarse por esta Sala Constitucional que la empresa manifestó entender el requerimiento, y en forma laxa apunta al final que no se refiere a un estándar de ciberseguridad, sin que se aborden o desarrollen los fundamentos para sustentar dicha afirmación, la cual corresponde una mera apreciación subjetiva sin respaldo técnico o jurídico. Si en la casuística existe alguna base fáctica objetiva que permita brindar una diferencia de trato, se denomina diferenciación de trato y resulta ser un escenario perfectamente factible y válido, con fundamento en el principio de igualdad. Esta precisión conceptual implica que los poderes públicos deben tratar de igual forma a los que se encuentren en iguales condiciones de hecho, de manera motivada. En consecuencia, el principio de igualdad sólo (sic) es vulnerado cuando se trata desigualmente a los iguales en ausencia de justificación, que se traduce en discriminación. Sin embargo, nótese en este sentido que la normativa resulta no discriminatoria por cuanto aplica a todos los Operadores de redes y prestadores de servicios bajo la tecnología de quinta generación o superior, quienes deben velar en igualdad de condiciones por la idoneidad de su cadena de suministro. Por cuanto según lo hemos señalado la normativa reglamentaria procura resguardar los referidos derechos de los usuarios finales de los servicios de telecomunicaciones que derivan del artículo 24 constitucional (ya citado) como lo son la intimidad, inviolabilidad de los documentos privados, privacidad de las comunicaciones y la calidad de los servicios al establecer medidas técnicas y administrativas objetivas para el despliegue de las redes públicas aludidas, a favor de la dignidad de la persona y su ejercicio supone la autodeterminación consciente y responsable de la propia vida. Siendo la dignidad humana el mínimo jurídico que se le debe asegurar a los usuarios finales con el objeto de que se respete su condición y asegure bajo parámetros objetivos la calidad en la prestación del servicio que finalmente redundará en la calidad de vida de esta colectividad. Por lo tanto, siendo que la discriminación, desde el punto de vista jurídico, consiste en el otorgamiento de un trato diferente basado en desigualdades injustas o arbitrarias que son contrarias al principio de igualdad ante la ley y la prohibición de discriminar por cualquier circunstancia personal o social; y en sentido contrario cuando la diferenciación se realiza sobre una justificación objetiva y razonable, el principio de igualdad de trato derivado del régimen fundamental de protección de los Derechos Humanos admite la existencia de elementos diferenciadores. El elemento diferenciador en este caso lo constituye el parámetro del Convenio de Budapest, que responde a la necesidad de garantizar un ambiente seguro para la protección del régimen de los derechos humanos de los usuarios finales que accederán a este tipo de tecnología y sus servicios por la razones técnicas y jurídicas desde la perspectiva de la ciberseguridad que hemos desarrollado anteriormente. Esta tesis también ha sido claramente dimensionada en los apartados -B- y -K- inciso E) del informe técnico No. MICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023. Finalmente, conforme a lo argumentado por la empresa recurrente, se debe señalar que las decisiones soberanas de un Estado internacional ajeno al costarricense, no es materia que competa dilucidar ante este Órgano constitucional. 12- La única forma de evitar una flagrante violación a los derechos constitucionales de libre competencia e igualdad de participación que según la jurisprudencia de esa Sala tienen rango constitucional (Voto 998-1998), así como el derecho a la no discriminación, es mediante la suspensión inmediata del concurso público en cuestión. Respuesta. No es cierto. De acuerdo a (sic) lo señalado ut supra, se observa la oferta de la empresa [Nombre 002]., con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-0000230000400001, en el cual el recurrente participó y manifestó su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal, en la cual se reitera que en su oferta deja de manifiesto también que se trata de una empresa constituida en Costa Rica, sin perjuicio de que como lo hemos señalado anteriormente a este Ministerio no le competen prejuzgar o calificar el contenido de la oferta, lo cual es resorte del ámbito de competencia en esta materia del Operador contratante. De este modo cabe resaltar que en materia de contratación pública los principios de igualdad y libre concurrencia poseen dos vertientes. En la primera debe garantizarse la más amplia participación en igualdad de condiciones, en ausencia de restricciones injustificadas. A contrario sensu, también pueden participar oferentes bajo una serie de restricciones que hayan sido debidamente motivadas, ergo, justificadas, cuando el objeto de la contratación así lo requiera por la especialidad técnica que le caracteriza. En este particular la Contraloría General de la República, ha señalado que: “(...) si bien es claro que la Administración es quien mejor conoce la necesidad que pretende satisfacer mediante la promoción de un concurso público, y por ello es a ésta (sic) a quien le corresponde definirla en forma discrecional, evidentemente en el ejercicio de dicha discrecionalidad, la Administración debe respetar las reglas unívocas de la ciencia y la técnica, así como los principios elementales de la justicia, la lógica y la conveniencia, en aplicación de lo dispuesto por el artículo 16 de la Ley General de la Administración Pública, y el principio de eficiencia, en el sentido de que el procedimiento tienda a la selección de la oferta más conveniente al interés público. De forma tal que la estructuración de la necesidad pública a satisfacer mediante la realización del concurso debe responder a un análisis razonado y sustentado desde el punto de vista técnico y jurídico que permita respaldar adecuadamente las características, funcionalidades y requerimientos técnicos que deben satisfacer las adquisiciones que pretenda realizar. No debe perderse de vista que incluso resulta posible que la definición de requerimientos técnicos pueda entrañar, una limitación a la libre participación en la medida en que ello se encuentre adecuadamente fundamentado” (El resaltado es propio) De allí que, las limitaciones a la participación son totalmente legítimas siempre y cuando se ajusten a los principios de convencionalidad, razonabilidad, proporcionalidad, bloque de legalidad, y a las reglas de la ciencia, de la técnica y la lógica jurídica, parámetros que según se ha demostrado, fueron observados a la hora de emitir el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” y que en consecuencia deben observarse por cualquier Operador de servicios de telecomunicaciones bajo tecnología 5G o superiores. En cuanto a la suspensión inmediata que plantea, remito al desarrollo que se indica en el presente informe y las razones por las cuales estima este Ministerio que no procede la tutela cautelar en favor de la empresa recurrente. 13- Si el citado acto llegare a materializarse el perjuicio para mi representada sería irreversible y de imposible reparación, tales como los daños y perjuicios reputacionales. Por ello, es que estamos procesalmente legitimados para incoar el presente recurso de amparo contra las amenazas inminentes del ICE, consistentes en sacar un concurso público para implementar y operar la tecnología 5G IMT en sus redes, del cual estamos de antemano excluidos”. Respuesta. No es cierto. Reitero lo señalado en cuanto a que se observa la oferta de la empresa [Nombre 002]., con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-0000230000400001, en el cual el recurrente participó y manifestó su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal, en la cual se reitera que en su oferta deja de manifiesto también que se trata de una empresa constituida en Costa Rica. Además, la empresa recurrente afirma que en el caso podría configurarse un daño irreversible, así como daños derivados de su reputación, lo cual no posee asidero en contrataciones públicas por la naturaleza propia del procedimiento. Es menester recordar que los oferentes que reúnen las condiciones técnicas propias del objeto participan y deben ser evaluadas en un plano de igualdad de condiciones, por lo que bien ya se ha indicado que cada una participa con una expectativa, no así con un derecho (subjetivo) preconstituido de resultar favorecidas. Bien se ha señalado ya que en un procedimiento en el cual concurren distintos participantes, el riesgo a no resultar adjudicado es una posibilidad y por tanto no califica de daño grave: “(...) no puede pretenderse hacer derivar un daño grave de la no adjudicación de la licitación, cuando la Administración en uso de su discrecionalidad es la que escoge la oferta que mejor se ajusta en precio y calidad a sus intereses. Recuerde la recurrente que lo que ostenta frente a la licitación es un interés legítimo en resultar adjudicataria no un derecho subjetivo. Por lo que, mal podría pretenderse la causación de un daño grave potencial o actual derivado de la adjudicación a otro de los participantes en la licitación” (ver resolución del Tribunal de Apelación Contencioso Administrativo y Civil de Hacienda Nº 00336 - 2020 del 25 de Junio del 2020 a las 10:00). (El resaltado no es propio) Por otra parte, sólo (sic) en caso de que ocurra una real exclusión de la oferta en el concurso, es que deberá examinarse la fundamentación que el Operador a los efectos desarrolle para validar la causal, y, en caso de motivar la exclusión en razón del incumplimiento de alguna de las medidas o parámetros de riesgo identificados en el Reglamento de cita, es menester indicar que la norma está dirigida a los Operadores de redes debidamente habilitados conforme al ordenamiento sectorial, y en adición lo que regula son medidas técnicas y administrativas, así como estándares técnicos inspirados en las buenas prácticas internacionales, con sustento técnico y jurídico que se encuentra vastamente desarrollado en el informe técnico No. MICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023. De esta manera, lo que el Decreto viene a establecer son medidas diferenciadoras amparadas en una justificación técnica y jurídica, para Operadores interesados en el desarrollo de redes y servicios 5G. Como bien se ha indicado además en el presente informe, la empresa recurrente ha manifestado en reiteradas ocasiones que se trata de un daño irreparable, circunstancia que no ha logrado demostrar con la falta de congruencia entre sus manifestaciones y actuaciones en el procedimiento especial de servicios en competencia, y que en apariencia se han generado en el contexto concursal promovido por el Operador aquí recurrido. Si bien habla de un daño irreparable, dicha circunstancia difícilmente se aprecia en un concurso en el cual la empresa manifestó su sujeción al pliego de condiciones sin ningún problema, entendiendo y aceptando además sus condiciones. Refiere las siguientes violaciones a los derechos fundamentales de su representada: “La amenaza recurrida viola en perjuicio de mi representada al menos los siguientes derechos fundamentales: a) derecho de libre competencia e igualdad de participación en los concursos públicos y b) derecho a no ser discriminado en razón del origen de la empresa. A.-La violación de los derechos fundamentales de libre competencia e igualdad de participación en los concursos públicos. 1.- La jurisprudencia de esa Sala ha establecido que “si el artículo 182 de la Constitución Política establece este principio -el de la licitación-, entonces se encuentran inmersos en el concepto todos los principios propios de la Contratación Administrativa. En virtud de lo anterior, debe entenderse que del artículo 182 de la Constitución Política se derivan todos los principios y parámetros constitucionales que rigen la actividad contractual del Estado. Algunos de estos principios que orientan y regulan la licitación son: 1.- de la libre concurrencia, que tiene por objeto afianzar la posibilidad de oposición y competencia entre los oferentes dentro de las prerrogativas de la libertad de empresa regulado en el artículo 46 de la Constitución Política, destinado a promover y estimular el mercado competitivo, con el fin de que participen el mayor número de oferentes, para que la Administración pueda contar con una amplia y variada gama de ofertas, de modo que pueda seleccionar la que mejores condiciones le ofrece; 2.- de igualdad de trato entre todos los posibles oferentes, principio complementario del anterior y que dentro de la licitación tiene una doble finalidad, la de ser garantía para los administrados en la protección de sus intereses y derechos como contratistas, oferentes y como particulares, que se traduce en la prohibición para el Estado de imponer condiciones restrictivas para el acceso del concurso, sea mediante la promulgación de disposiciones legales o reglamentarias con ese objeto, como en su actuación concreta; y la de constituir garantía para la administración, en tanto acrece la posibilidad de una mejor selección del contratista; todo lo anterior, dentro del marco constitucional dado por el artículo 33 de la Carta Fundamental" (Voto 9981998). Respuesta. No es cierto. Reitero nuevamente lo señalado en cuanto a la oferta de la empresa [Nombre 002]., con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-0000230000400001, en el cual el recurrente participó y manifestó su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal, en la cual se reitera que en su oferta deja de manifiesto también que se trata de una empresa constituida en Costa Rica. Por lo cual la empresa [Nombre 002]., según sus propias manifestaciones ante el Operador, ha confirmado su adecuación a las condiciones y normativa aplicable para el concurso, inclusive bajo fe de juramento. En este sentido la empresa ha hecho ejercicio efectivo de todos y cada uno de los derechos que argumenta transgredidos, lo cual pone en evidencia una incongruencia entre lo aquí manifestado y los hechos reales verificables conforme cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE000023-0000400001. Por otra parte, el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” contiene parámetros objetivos para el despliegue de redes bajo tecnologías de quinta generación o superiores por parte de los Operadores habilitados para explotar el espectro radioeléctrico, y además afianzar la prevención contra la ciberdelincuencia, que como bien se ha explicado, ha generado importantes daños a los sistemas públicos, las finanzas públicas y a las personas usuarias de estos servicios esenciales en el país. 2.- La amenaza del ICE de sacar un concurso público en el que aplicará el artículo 10) incisos c), d), e) y f) y el numeral 11 del Reglamento precitado implica una clara violación, en perjuicio de mi representada, de sus derechos fundamentales a la libre concurrencia en las contrataciones públicas y de igualdad de trato de los oferentes. 3.- En efecto, esas normas establecen requisitos para que compañías de diversas nacionalidades, así como las de origen chino, no puedan participar en ningún concurso público para la adquisición de tecnología de telecomunicaciones 5G Móvil y superiores. 4.- De esa forma se violan de manera grosera y evidente los derechos fundamentales a la libertad de competencia e igualdad de trato que tienen todos los eventuales interesados en participar en concursos públicos para la adquisición de bienes y servicios en nuestro país, entre ellos mi representada. 5.- En el caso de mi representada, el pliego de condiciones impedirá nuestra participación en esa contratación pública al aplicar lo estipulado en los incisos c), d), e) y f) del artículo 10 y numeral 11 del citado Reglamento, que es la finalidad que persigue esa normativa según declaraciones del Presidente Ejecutivo del ICE, de la Ministra del MICITT y del Presidente de la República. A confesión de parte, relevo de prueba. Respuesta. No es cierto. Por cuanto la empresa [Nombre 002]., con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001, participó y manifestó bajo fe de juramento su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal, y confirma que es una sociedad comerciante constituida en Costa Rica y por ende bajos los preceptos del Ordenamiento Jurídico nacional. Además, aún (sic) y cuando esta empresa costarricense sostiene que el origen o nacionalidad de una empresa constituye un impedimento para participar, no hace ninguna relación a las disposiciones concretas del Decreto Ejecutivo Nº44196-MSP-MICITT aplicables a dicha circunstancia, para aseverar que en el caso concreto, podría materializarse una lesión a su esfera de derechos fundamentales, y esto es así por cuanto dicha normativa reglamentaria no establece discriminación alguna en relación del origen o nacionalidad de alguna empresa. Pese a que en reiteradas ocasiones ha señalado que las disposiciones del Reglamento impedirán su participación en los procesos de contratación pública, se aprecian circunstancias totalmente contrarias que desvirtúan groseramente los argumentos expuestos, toda vez que dentro del concurso recientemente promovido por el ICE lo que plasmó por escrito fue una total sujeción y cumplimiento a las reglas del concurso, incluyendo las condiciones derivadas del Decreto Ejecutivo Nº44196-MSPMICITT. En cuanto a las manifestaciones públicas que alega por parte de los diferentes jerarcas, se reitera que derivan en una mera apreciación subjetiva del recurrente. Como bien se aprecia de la respuesta a extremos anteriores, la emisión del Decreto Ejecutivo N°. 44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, se sustenta en la necesidad de contar dentro del Ordenamiento sectorial de las telecomunicaciones con una norma técnica para resguardar bienes jurídicos superiores dentro del régimen jurídico de protección a la intimidad, la privacidad y autodeterminación informativa de los usuarios finales, la protección del orden público y la seguridad nacional en lo que respecta a la soberanía cibernética, desde la óptica del ciberespacio para el desarrollo de redes y prestación de servicios basados en tecnología 5G y superiores, por lo cual no se refiere a impedir la participación de ninguna nacionalidad en particular, sino a medidas objetivas de carácter técnico y administrativo basados en los más altos estándares aplicables en esta materia. B.- La violación del principio constitucional a no ser discriminado por ninguna razón 1.- El artículo 33 de la Constitución consagra el principio cardinal en el Derecho Occidental, de que ninguna persona, física o jurídica, puede ser discriminada por ninguna razón (sexo, creencias religiosas, ideología, nacionalidad, etc.). 2.- En el presente caso a mi representada se le discrimina abiertamente tanto por su supuesta ideología como por su nacionalidad, lo que implica una grosera violación del artículo 33 de la Constitución Política. Respuesta. No es cierto. Por cuanto la empresa [Nombre 002]., ha participado efectivamente en el proceso licitatorio para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001; en el cual además declaró bajo fe de juramento su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal, y confirma que es una sociedad comerciante constituida en Costa Rica, sin que se precise ideología alguna por dicho comerciante societario para su participación, y sobre el cual se identifiquen actos discriminatorios por parte del Operador. Tampoco la empresa recurrente en sus manifestaciones efectúa alguna relación a las disposiciones concretas del Decreto Ejecutivo Nº44196-MSP-MICITT aplicables a dicha circunstancia, para aseverar que en el caso concreto podría materializarse una lesión a su esfera de derechos fundamentales, y esto es así por cuanto dicha normativa reglamentaria no establece discriminación alguna en relación con el origen o nacionalidad de las empresas, prueba de ellos es que el recurrente ha ejercido plenamente sus derechos de ofertar libremente en el citado procedimiento concursal. Lo cual provoca de forma automática que se desvirtúan sus argumentos por cuanto se ha sujetado libremente a las disposiciones del pliego de condiciones en forma igualitaria con otros participantes. 3.- Por ejemplo, admitir que sólo (sic) empresas de países que hayan suscrito el Convenio de Budapest pueden participar en los concursos públicos para adquirir la tecnología 5G es evidentemente discriminatorio, pues tal Convenio no se refiere estrictamente a temas de ciberseguridad sino que más bien esa normativa se enfocan en la pena de crímenes informáticos que incluyen: fraudes, infracciones a la propiedad intelectual, distribución y posesión de pornografía infantil, falsificación informática, entre otros. Aplicando una política penal común entre los Estados inscritos. En este contexto, otra característica del Convenio de Budapest es la cooperación internacional, aspecto que facilita la investigación de infracciones cibernéticas y que es relevante por las características de los delitos informáticos y la posibilidad de que sean cometidos fuera de las fronteras de un país, pero con impacto en un territorio determinado. 4.- Recordemos que la discriminación, desde el punto de vista jurídico, significa otorgamiento de trato diferente basado en desigualdades injustas o arbitrarias que son contrarias al principio de igualdad ante la ley. Respuesta. No es cierto. Resulta falaz que un comerciante costarricense argumente discriminación alguna debido a un cuerpo normativo supra legal que forma parte del Ordenamiento Jurídico costarricense como lo es la Ley N° 9452 “Aprobación de la Adhesión al Convenio sobre la Ciberdelincuencia”, misma que por disposición del artículo 7 Constitucional cuenta con autoridad superior a la ley. Si dicha normativa a su criterio resulta discriminatoria, toda impugnación tendiente a expulsarla del Ordenamiento local debe interponerse en forma directa contra sus disposiciones, y no así de las normas infralegales que procuran su cumplimiento. Aunado a lo anterior, resultan improcedentes sus manifestaciones, en el tanto la norma deviene de obligatorio acatamiento para todos los Operadores de redes que se encuentren cubierto por su ámbito de aplicación, del cual no forman parte aquellas empresas que no cuenten con título habilitante de concesión para tales efectos (v.gr. la empresa [Nombre 002].) 5.- La prohibición de discriminar cobija la interdicción de hacerlo por cualquier circunstancia personal o social; o sea, que toda diferenciación que carezca de justificación objetiva y razonable puede calificarse de discriminatoria. 6.- De esa forma, son contrarias al principio de no discriminación las desigualdades de trato que se funden exclusivamente en razones de sexo, raza, condición social, motivos ideológicos, origen, nacionalidad, etc. 7.- La normativa que el ICE pretende aplicar en el citado concurso público implica una clara violación al principio de no discriminación en perjuicio de mi representada, dado que se la excluye de un concurso público por razones supuestamente ideológicas y de nacionalidad”. Respuesta. No es cierto. Por cuanto la empresa [Nombre 002]., ha participado efectivamente en el proceso licitatorio para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001; en el cual además declaró bajo fe de juramento su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal, y confirma que es una sociedad comerciante constituida en Costa Rica, sin que se precise ideología alguna por dicho comerciante societario para su participación, y sobre el cual se identifiquen actos discriminatorios por parte del Operador. Tampoco la empresa recurrente en sus manifestaciones efectúa alguna relación a las disposiciones concretas del Decreto Ejecutivo Nº44196-MSP-MICITT aplicables a dicha circunstancia, para aseverar que en el caso concreto podría materializarse una lesión a su esfera de derechos fundamentales, y esto es así por cuanto dicha normativa reglamentaria no establece discriminación alguna en relación con el origen o nacionalidad de las empresas, prueba de ello es que el recurrente, comerciante de origen costarricense, ha ejercido a plenitud sus derechos de ofertar libremente en el citado procedimiento concursal. Lo cual provoca de forma automática que se desvirtúan por incongruentes sus argumentos, por cuanto se ha sujetado bajo los principios de libertad de empresa y libre concurrencia a las disposiciones del pliego de condiciones en forma igualitaria con otros participantes; en este sentido lo que establece el Decreto Ejecutivo Nº44196-MSP-MICITT son medidas mínimas de ciberseguridad que deben cumplir todos los operadores, y no es una discriminación por origen o nacionalidad, en tanto cualquier empresa de cualquier país que cumpla con los requerimientos de seguridad establecidos puede ser presentar libremente su oferta dentro del procedimiento de contratación especial en curso. Formula la siguiente solicitud de medida cautelar: “1.- Dado que estamos ante un caso de excepción, pues si no se suspende la ejecución del futuro acto lesivo de nuestros derechos fundamentales y que se encuentra casi en fase de ejecución, el perjuicio para mi representada sería irreparable e irreversible pues no podría participar en el citado concurso público para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil. Para entender esta irreparabilidad e irreversibilidad, se debe considerar que el ICE representa el 60% del negocio de Huawei en Costa Rica. Ante esto, si Huawei se ve impedido de participar en el concurso, se estarían afectando de forma directa a cerca de 80 empleados en Costa Rica, además de las pérdidas financieras para la empresa. 2.- Por tanto, solicitamos que en aplicación del artículo 41 de la Ley de la Jurisdicción Constitucional, se proceda a suspender la publicación de cualquier pliego de condiciones o en caso de que ya esté publicado, la suspensión de cualquier proceso licitatorio por parte del ICE en que deba aplicarse el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) hasta tanto esa Sala Constitucional se haya pronunciado sobre el fondo de este recurso de amparo y, en caso de que fuere convertido en una acción de inconstitucionalidad, hasta que se haya pronunciado sobre el fondo de ésta”. Plantea esta petitoria: “1.- Que mi representada no puede ser impedida de participar en el citado concurso público introduciendo cláusulas de imposible cumplimiento para ella, porque ello viola los derechos fundamentales a la libre competencia, la igualdad de trato y la prohibición de la discriminación exclusivamente por razones ideológicas y de nacionalidad. 2.- Que una vez notificada al ICE la imposibilidad de continuar adelante con el concurso público tantas veces citado, se convierta este amparo en una acción de inconstitucionalidad con el fin de que varias normas del Reglamento impugnado puedan ser eliminadas del ordenamiento jurídico y, por tanto, no puedan ser aplicados en ninguna licitación presente o futura”. Respuesta. No es cierto. Primero que todo, considerando el tiempo transcurrido y los hechos expuestos, es evidente que en este momento no se presenta ninguna situación excepcional como la que pretende alarmarse por parte del recurrente dada la efectiva participación de la empresa [Nombre 002]., en el proceso licitatorio para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE 000023-0000400001. Además, la empresa en dicho proceso ha manifestado que entiende y cumple las condiciones del pliego cartelario por lo cual no se vislumbra el escenario descrito por el recurrente en el cual ha hecho un ejercicio efectivo de sus derechos a la libertad de empresa y libre concurrencia en el proceso de contratación pública en curso. También conforme lo señalamos ut supra, la empresa recurrente afirma que en el caso concreto podría configurarse un daño irreversible, lo cual no posee asidero en contrataciones públicas dada la naturaleza propia del procedimiento licitatorio, en el cual los oferentes que reúnan las condiciones técnicas propias del objeto por el cual participan y deben ser evaluadas en un plano de igualdad de condiciones, es por ello que hemos indicado que cada una participa con una expectativa, no así con un derecho (subjetivo) preconstituido de resultar favorecidas. Pretendiendo además que en caso de no resultar favorecida deba el Estado costarricense asumir de forma resarcitoria los costos de su operación empresarial. Es criterio de este Ministerio que debe valorarse con mucha pericia por esta Honorable Sala Constitucional, las pérdidas potenciales que derivarían para la empresa Operadora de telecomunicaciones con la eventual suspensión de su proceso concursal, sobre todo considerando que se encuentra en un régimen de mercado en competencia, en el cual la inacción de su actividad conlleva implícita una ventaja para sus competidores que por su naturaleza jurídica no son sujetos a los procesos de contratación pública, pero sí a la normativa del Decreto Ejecutivo en materia de ciberseguridad en las redes de telecomunicaciones. Y en un grado superior la afectación de los usuarios finales de dicho Operador en el acceso a las nuevas tecnologías digitales y el pleno disfrute de sus servicios en el marco de la Sociedad de la Información y el Conocimiento. Lo anterior, sin perjuicio del eventual incumplimiento de las condiciones y obligaciones contractuales por parte del Operador frente a la Administración Concedente, en detrimento del interés público para el cual fueron otorgadas sus concesiones especiales, recordando en este punto que el Operador que cuenta con un título de concesión para el uso y explotación del espectro radioeléctrico, es un sujeto calificado para la satisfacción del interés público. Sobre este particular debemos considerar la génesis de la tutela cautelar, precisada por esta Sala Constitucional en su Resolución Nº 12684 del 02 de junio del 2021 a las 09:15, al manifestar en lo que interesa: “IV.- CONTENIDO DEL DERECHO A LA TUTELA CAUTELAR. El derecho a la tutela cautelar, en cuanto incardinado en el contenido esencial del derecho más general a una justicia pronta y cumplida, comprende el derecho de pedir y obtener del órgano jurisdiccional las medidas cautelares necesarias, idóneas y pertinentes para garantizar la eficacia de la sentencia de mérito –función esencial de la tutela cautelar-, si se cumplen los presupuestos de ésta (apariencia de buen derecho -fumus boni iuris- y el peligro en la mora -periculum in mora-). Correlativamente, el órgano jurisdiccional tiene la obligación de ordenar o emitir la medida provisoria si concurren los presupuestos para su adopción. Del núcleo esencial del derecho fundamental a la tutela cautelar, se pueden extraer dos consecuencias, a saber: a) El otorgamiento de una medida cautelar no depende, exclusivamente, del libre y prudente arbitrio o discrecionalidad judicial, y b) el legislador ordinario no puede negar, limitar, restringir o condicionar tal derecho. Los límites extrínsecos de este derecho fundamental están constituidos por los principios de igualdad (artículo 33 de la Constitución Política), para evitar un privilegio injustificado o una distinción objetivamente infundada y el de proporcionalidad, en sus diversas especificaciones de idoneidad, necesidad y proporcionalidad en sentido estricto, así como por el derecho fundamental a la defensa y el contradictorio (artículo 39 ibidem). Bajo esta inteligencia, la tutela cautelar es constitucionalmente obligatoria cuando puedan desaparecer, dañarse o perjudicarse, irremediablemente, las situaciones jurídicas sustanciales de las partes, llámense derechos subjetivos o intereses legítimos, puesto que, el juzgador esta (sic) llamado a protegerlos y repararlos (artículos 41 y 49 de la Constitución Política)” (El resaltado es propio). Se desprende tal cual, que la tutela cautelar por su naturaleza deriva del derecho a una justicia pronta y cumplida, para lo cual la autoridad jurisdiccional puede emitir las medidas que estime necesarias cuando aprecie un riesgo de -desaparecer, dañarse o perjudicarse, irremediablemente, las situaciones jurídicas sustanciales de las partes-. De allí que la tutela cautelar posee características particulares que no deben perderse de vista: “V.- Características de las medidas cautelares: (...) Se dice que son instrumentales en cuanto su función es garantizar la fiel y completa efectividad del fallo en el principal, en beneficio de la parte victoriosa en éste. La medida cautelar no constituye una finalidad en sí misma, sino que, necesariamente, está vinculada a la sentencia que pueda dictarse en el proceso principal (e incluso al proceso mismo), por la función de asegurar su efectividad práctica. (...) se les atribuye también la provisionalidad, lo que significa que son temporales y sujetas a lo que en definitiva se resuelva en el fallo final del proceso, el que las desplaza para todo efecto. Más simple, la medida se mantiene hasta que se dicte sentencia. Es en ella, donde se confirma la adoptada, o por el contrario, se revoca. El pronunciamiento definitivo la sustituye y la extingue (...) la urgencia es otra de las notas distintivas del instituto en comentario, que se traduce en la necesidad de que sean resueltas de manera inmediata, sin “las reposadas formas del proceso” (Calamandrei), lo que impide muchas veces el pleno conocimiento de los supuestos que la justifican. Esa urgencia que se refleja en la sumariedad de la gestión (sumario cognitio), conlleva una gran limitación de los plazos, trámites y elementos probatorios, por lo que existe alguna posibilidad de error, circunstancia que justifica los amplios poderes del Juez para que pueda corregir la dispuesta (si es errónea), o sustituirla en virtud de hechos nuevos que la conviertan en ilegítima. De allí que este remedio provisional sea revocable ante la aparición de nuevas circunstancias fácticas, que lleven al Juzgador al convencimiento de lo contrario, o al menos de lo diverso. Esto no es más que la sujeción a la regla rebus sic standibus, que permite su modificación al ritmo de las circunstancias que la justificaron. (...) en casos especial y excepcionalmente urgentes, en donde el daño es inminente (por lo general debido a la ejecución inmediata del acto administrativo impugnado, o por la denegatoria del mismo), es viable la adopción prima facie, es decir, inaudita parte. Por último, se afirma que la medida cautelar debe adaptarse perfectamente a la naturaleza del derecho que se ejercita y pretende. Es decir, que debe estar en función de la pretensión efectuada, y es a esto lo que denominan funcionalidad de la medida. En tanto más próxima o funcional sea con respecto a la sentencia definitiva, mejor será cumplida su finalidad, lo que en modo alguno permite prejuzgar sobre el asunto principal. Su provisionalidad y funcionalidad, deben ir acompañadas del respeto por la resolución final de fondo, a la que deben plena sumisión, pues lo contrario, sería autorizar la definición total del proceso a través de medidas definitivas e irreversibles, convirtiendo así la justicia cautelar en una indebida y prematura justicia definitiva”. Del desarrollo anterior, la tutela cautelar no constituye un fin en sí mismo, sino que su utilidad es intrínseca a asegurar el respeto por la resolución final en discusión. De allí que el ejercicio de la tutela encuentra ciertos límites, siendo éstos la apariencia de buen derecho -fumus boni iuris- y el peligro en la demora -periculum in mora-. “Periculum in mora: en efecto, esa posibilidad, razonable y objetivamente fundada, de una lesión grave e irreparable a la situación jurídica del gestionante, por el transcurso del tiempo necesario para el dictado de la sentencia principal (periculum in mora), se presenta, no sólo como base imprescindible de la medida cautelar, sino como su presupuesto básico y central, sobre el que realmente gira toda su existencia. (...) b.-) Fumus Boni Iuris: Pero para que la medida cautelar sea procedente, se afirma que además debe existir seriedad en la demanda, es decir, una probabilidad de acogimiento de la cuestión principal. Es este el denominado principio del fumus boni iuris, que para la doctrina no es otra cosa que la probable estimación posterior del derecho material del actor en la sentencia. Esa seriedad y consistencia de las pretensiones invocadas por el accionante, que hacen posible el acogimiento de la demanda en la sentencia definitiva. No obstante, aquí debe tenerse a la vista, que por la necesaria sumariedad del proceso cautelar, es virtualmente imposible para el Juez determinar con certeza la existencia de ese buen derecho, el que por demás, debe definirse normalmente en la sentencia y no antes. Así las cosas, por esa precariedad de los elementos de cognición, tan sólo podrá exigirse al interesado la apariencia de un buen derecho, que dé al Juzgador algún viso de seriedad de la demanda. No se trata entonces, de comprobar el certero fundamento jurídico de la pretensión, ni de prejuzgar sobre el fondo, o de establecer siquiera, como se ha dicho, un “criterio sumario de las expectativas de estimación del recurso”, sino tan sólo que aquélla no sea descabellada ni temeraria, de modo que pueda evitarse la emisión de una medida cautelar en perjuicio de la Administración o de terceros, sin ninguna posibilidad de triunfo en el derecho pretendido. Bastará con esa apariencia inicial de seriedad, para que pueda darse por cumplido el requisito de comentario. Así, el elemento del fumus boni iuris deberá tomarse como criterio para su denegatoria, sólo en aquellos supuestos en los que no exista, de manera evidente y manifiesta, fundamento en la demanda, de modo que en el fuero interno del Juez, exista el convencimiento de que aquella pretensión está dispuesta al fracaso” (ver Resolución Nº 00041 - 2003 del Tribunal Contencioso Administrativo Sección II de fecha 07 de Febrero del 2003 a las 10:35) Por lo tanto, la solicitud de medida cautelar resulta improcedente, por no acreditarse los elementos necesarios para su configuración, toda vez que la misma no puede partir de hechos que no son ciertos, que adolecen de los presupuestos esenciales para su posible otorgamiento toda vez que: • La empresa costarricense [Nombre 002]., ha participado efectivamente en el proceso licitatorio para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001. • Además, declaró bajo fe de juramento su adecuación a los requisitos del pliego de condiciones de dicho proceso concursal. En ese sentido, no se aprecia la consideración de imposible cumplimiento que viene a afirmar. • Tampoco la instrumentalidad de la medida por cuanto pretende suspender un procedimiento de concurso en el cual participa en igualdad de condiciones que otros oferentes, por lo cual su suspensión en este momento implicaría una afectación de los intereses legítimos de todos los oferentes involucrados en el proceso. •La medida no evitaría algún privilegio injustificado o una distinción objetivamente infundada, dada la condición de igualdad del recurrente en el proceso de contratación al cumplir conforme a sus manifestaciones, las condiciones del pliego cartelario, sin ningún tipo de señalamiento en contra o en línea con lo aquí argumentado. • En igual forma no puede acreditarse la apariencia de buen derecho sobre hechos que contradicen los argumentos presentados por la empresa, en el tanto esta declaró bajo fe de juramento su adecuación a los requisitos del pliego de condiciones de dicho proceso concursal. • No sería proporcional suspender el concurso del Operador, causándole una situación de desventaja frente a sus competidores, lo cual es contrario al principio sectorial de competencia efectiva, y sobre todo una afectación a los usuarios del Operador en lo que atiende al disfrute y ejercicio de los derechos humanos y fundamentales que conlleva el disfrute pleno de los servicios de telecomunicaciones (v.gr. Internet basado en tecnologías de quinta generación o superior). • Tampoco sería idóneo favorecer al recurrente con una medida cautelar que no es idónea por cuanto no puede partirse de un derecho subjetivo inexistente a ser favorecido por el resultado del proceso de contratación. • De igual forma no es necesaria la medida haciendo manifestado la empresa recurrente la sujeción y aceptación plena a las condiciones del pliego de la contratación. • Finalmente, el ejercicio del derecho fundamental a la defensa y el contradictorio deberá darse dentro del mismo procedimiento licitatorio, a través del régimen recursivo. Véase entonces que de los presupuestos esenciales para que se materialice la tutela cautelar, procede valorar no solo el peligro en la demora, también la apariencia de buen derecho que debe mantener un componente de seriedad en la pretensión, pues la empresa no ha sido impedida de participar en el citado concurso público, habiendo realizado hasta este momento un ejercicio efectivo y pleno de sus derechos fundamentales a la libre competencia, la libre concurrencia, la igualdad de trato y la prohibición de la discriminación por razones ideológicas y de nacionalidad. Dada la improcedencia de dicha medida cautelar, es que tampoco deviene en procedente convertir el presente recurso de amparo en una acción de inconstitucionalidad, que pretende colocar por encima de los derechos humanos y fundamentales de los usuarios de acceso a las nuevas tecnologías en forma segura, la eficiente y óptima la explotación del espectro radioeléctrico y el desarrollo de redes de telecomunicaciones basadas en tecnología 5G y superiores, para favorecer el interés particular de una empresa que se expone la constitución de un derecho subjetivo a resultar favorecida en un proceso licitatorio de previo a que dicho procedimiento finalice su curso formal para establecer su idoneidad de resultar adjudicataria. En esta línea debe estimarse que la suspensión pretendida ocurre en el marco de un procedimiento especial de contratación pública, donde la tutela cautelar debe ponderar además la satisfacción del interés público, y respetar el plano de igualdad en el cual deben ser analizadas las ofertas: “Debe tenerse en consideración que aquí se está ante un procedimiento de contratación administrativa, donde la empresa actora es una participante más, y como tal, lo que ostenta es un interés legítimo y no un derecho subjetivo en resultar adjudicada con la licitación. La no adjudicación por sí sola, en este caso en concreto, no puede constituirse en un presupuesto de daño grave a fin de obtener una tutela cautelar; (...) pueden ser fundamento para la tutela, no hay nexo de causalidad entre la no adjudicación y los daños que se alegan, véase que se trata de una licitación en donde, todos los oferentes participan en igualdad de condiciones y que, el no resultar favorecido con la decisión de la adjudicación no constituye un daño, es una posibilidad a la que se ven sujetos quienes participan en una licitación. El hecho de que la accionante contara con un contrato previo, no constituye ningún parámetro a valorar y carece de relevancia a efecto de analizar la medida que se pretende, pues se está ante un procedimiento licitatorio nuevo, en el que, la actora entra a participar en igualdad de condiciones con los demás oferentes. (...) en cuanto a la ponderación de los intereses involucrados en el caso, debe indicarse que para la procedencia de una medida cautelar se requiere la verificación simultánea de los tres presupuestos legales establecidos en el artículo 21 del Código Procesal Contencioso Administrativo, siendo que ya se descartó uno de ellos, no hay mérito suficiente para realizar un análisis detallado sobre este último elemento. Sin perjuicio de lo anterior debe indicarse que en el presente asunto debe privar la potestad que posee la Administración para adjudicar un contrato administrativo, previo respeto de los principios y garantías constitucionales y legales a los oferentes para satisfacer sus necesidades de utilidad pública y en resguardo del interés público (...)" (Véase Resolución Nº 00336 - 2020 del Tribunal de Apelación Contencioso Administrativo y Civil de Hacienda Tribunal de Apelación Contencioso Administrativo y Civil de Hacienda del 25 de Junio del 2020 a las 10:00) (El resaltado es propio) Es así como se remite a la naturaleza del procedimiento especial de servicios en competencia promovido por el ICE, y la necesidad de observar los principios que informan la materia de contratación pública, para solicitar que en el caso no se acoja la medida solicitada por la empresa, puesto que dicha solicitud atenta claramente en contra del interés público. También es oportuno señalar a esta Sala Constitucional que cuando se trata de acudir a la tutela cautelar en materia de contratación pública, es consustancial valorar el tipo de daño que se pretende resguardar con las medidas excepcionales. Bien se ha señalado ya que en un procedimiento en el cual concurren distintos participantes, el riesgo a no resultar adjudicado es una posibilidad y por tanto no califica de daño grave:“(...) la conducta administrativa sometida al proceso produzca daños o perjuicios graves, actuales o potenciales, en la situación jurídica del promovente. (...) se desprende que la parte actora se refiere a un daño grave que sufre con ocasión de que el contrato con su representada vence el 30 de setiembre del 2019 y que su representada no fue adjudicada pese a contar con mejor oferta realizada a la Administración y que se ha venido desempeñando de la mejor manera (sin contar con ninguna falta) siendo que para efectos de la demostración aporta como prueba copia del expediente administrativo instruido para tales efectos; de tal documentación no se desprenden indicios para que el Tribunal pueda valorar la existencia de un daño de naturaleza grave, si bien al contar con una adjudicación anteriormente con la administración podría inferirse que el actor percibía ingresos se desconoce el porcentaje de los mismos que corresponde a su totalidad o la dependencia económica del actor con ésta a tal grado que le impida honrar sus pasivos, pago de planillas o que con ocasión de la situación que describe se genere un estado de quiebra, no se aprecia una prueba idónea para efectos de dicha determinación al Tribunal, como lo sería a modo de ejemplo una certificación de contador público autorizado; es decir se parte de suposiciones en cuanto al daño grave que se le ocasionaría sin prueba alguna para su determinación. Es necesario reiterar que el proceso cautelar no es ajeno a las regulaciones procesales generales en cuanto a la carga de la prueba, de modo que es la parte promovente, al formular su pretensión, la obligada a probar sus afirmaciones. En otras palabras, la tutela cautelar no es un mecanismo automático que proceda con la sola solicitud de la parte. De forma, que no se logra demostrar que exista una situación de daño o perjuicio grave a su situación jurídica que amerite el otorgamiento de la medida pedida”. (ver Resolución Nº 00336 - 2020 del Tribunal de Apelación Contencioso Administrativo y Civil de Hacienda Tribunal de Apelación Contencioso Administrativo y Civil de Hacienda del 25 de Junio del 2020 a las 10:00). (El resaltado es propio) En relación con lo anterior, las circunstancias económicas indicadas por la empresa recurrente no son de recibo para acudir a la tutela cautelar, ya que cualquier empresa con interés en licitar, lo que posee es una expectativa de derecho, por lo que no se puede pretender que la Administración adecúe sus actuaciones y pliegos a sus intereses particulares. De tal manera, no es posible entender que las condiciones de negocio actuales de la empresa recurrente le confieran la suerte de derecho preconstituido como lo quiere hacer ver en sus argumentaciones, que pareciera llevar a la convicción de que su giro de negocio debe mantenerse en forma perpetua en tales condiciones para garantizar la sostenibilidad financiera de la empresa. Incluso véase que, si el 60% es dedicado a operaciones de esta naturaleza, posee otra alternativa de un 40% como posibilidad de ingreso a explotar. Añádase a lo anterior, en cuanto al carácter de irreparabilidad e irresarcibilidad alegada por la empresa recurrente de no suspender el procedimiento especial, la jurisprudencia ha sido clara en que el único daño sujeto a esta protección temporal lo es el daño irreparable, dentro del cual no califica una eventual adjudicación:“Ya se ha insistido sobre la naturaleza del daño requerido para la procedencia de la pretensión cautelar, pues obviamente no basta con cualquier acción dañosa, sino que deberá ser real y efectivo; material, moral, religioso o de cualquier otra índole; concreto y cierto, aunque no necesariamente actual, pues bien puede ser futuro. Sí interesa destacar, que dicho daño ha de ser de difícil o imposible reparación, no en el sentido de que sea irresarcible, sino irreversible, pues los daños leves o fácilmente reversibles en su totalidad, no pueden servir al efecto, y por el contrario, existen lesiones que aunque resarcibles, no son necesariamente reversibles. La irreparabilidad no es equiparable a la irresarcibilidad, pues quien solicita la tutela cautelar quiere que el bien tutelado permanezca íntegro y no que se le asegure una indemnización”. A partir de los elementos anteriores, se le solicita a la Sala Constitucional valorar conforme lo establece el artículo 41 de la Ley de la Jurisdicción Constitucional, el interés público en este caso sobre el particular, y resolver sobre la necesidad de continuar la ejecución del procedimiento especial promovido por el ICE para evitar daños o perjuicios ciertos e inminentes a los intereses públicos. Recordemos en este punto que conforme al preámbulo del Anexo 13 de la Ley Nº 8622, nuestro país se comprometió a tener un proceso de apertura en beneficio del usuario y la modernización del ICE, al disponer: “(...) enfatizando que dicho proceso de apertura será en beneficio del usuario y se fundamentará en los principios de gradualidad, selectividad y regulación, y en estricta conformidad con los objetivos sociales de universalidad y solidaridad en el suministro de los servicios de telecomunicaciones; y (...)”reconociendo su compromiso de fortalecer y modernizar el Instituto Costarricense de Electricidad (ICE) como un participante en un mercado competitivo de telecomunicaciones y asegurando que el uso de su infraestructura será remunerada y además desarrollar una entidad reguladora para supervisar el desarrollo del mercado;” Tal y como se desarrolló en el escrito presentado por este Ministerio a la Sala Constitucional, específicamente en el apartado -E- del informe técnico No. MICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023, pues el despliegue de redes y la prestación de servicios de telecomunicaciones basados en tecnología de 5G, revisten para el país un proceso de la mayor trascendencia por las consecuentes mejoras en las condiciones económicas y sociales de los costarricenses. Debe recordarse en este sentido la reciente reforma parcial al artículo 24 de la Constitución Política mediante el artículo único de la Ley para reconocer como derecho fundamental al acceso a las telecomunicaciones, tecnologías de la información y comunicaciones en todo el territorio nacional, N° 10385 del 29 de noviembre de 2023, en el cual se adiciona el siguiente texto: “Toda persona tiene el derecho fundamental al acceso a las telecomunicaciones, y tecnologías de la información y comunicaciones en todo el territorio nacional. El Estado garantizará, protegerá y preservará este derecho.” Existen por además razones superiores de interés público y conveniencia nacional, derivadas de las políticas públicas que orientan el Sector de Telecomunicaciones dispuestas en el Plan Nacional de Desarrollo de las Telecomunicaciones 2022-2027 y la normativa sectorial, que buscan, ante el modelo de apertura del mercado de las Telecomunicaciones, dinamizar la participación de operadores, posibilitar la ampliación de la oferta, por ende la posibilidad de elección a favor los usuarios de los servicios de telecomunicaciones en el país. Debe en este punto considerarse los objetivos que procura la Ley General de Telecomunicaciones, Nº 8642, la cual en su artículo 2 dispone: “Son objetivos de esta Ley: a) Garantizar el derecho de los habitantes a obtener servicios de telecomunicaciones, en los términos establecidos en esta Ley b) Asegurar la aplicación de los principios de universalidad y solidaridad del servicio de telecomunicaciones. c) Fortalecer los mecanismos de universalidad y solidaridad de las telecomunicaciones, garantizando el acceso a los habitantes que lo requieran. d) Proteger los derechos de los usuarios de los servicios de telecomunicaciones, asegurando eficiencia, igualdad, continuidad, calidad, mayor y mejor cobertura, mayor y mejor información, más y mejores alternativas en la prestación de los servicios, así como garantizar la privacidad y confidencialidad en las comunicaciones, de acuerdo con nuestra Constitución Política. e) Promover la competencia efectiva en el mercado de las telecomunicaciones, como mecanismo para aumentar la disponibilidad de servicios, mejorar su calidad y asegurar precios asequibles. f) Promover el desarrollo y uso de los servicios de telecomunicaciones dentro del marco de la sociedad de la información y el conocimiento y como apoyo a sectores como salud, seguridad ciudadana, educación, cultura, comercio y gobierno electrónico. g) Asegurar la eficiente y efectiva asignación, uso, explotación, administración y control del espectro radioeléctrico y demás recursos escasos. h) Incentivar la inversión en el sector de las telecomunicaciones, mediante un marco jurídico que contenga mecanismos que garanticen los principios de transparencia, no discriminación, equidad, seguridad jurídica y que no fomente el establecimiento de tributos. i) Procurar que el país obtenga los máximos beneficios del progreso tecnológico y de la convergencia. j) Lograr índices de desarrollo de telecomunicaciones similares a los países desarrollados.” De proceder con una medida cautelar en este caso para suspender el procedimiento especial de servicios en competencia del Operador recurrido conlleva una afectación directa de sus usuarios a más y mejores alternativas en la prestación de los servicios, la plena satisfacción en cuanto al disfrute de los servicios que la tecnología actual brinda, la implementación de redes innovadoras para la satisfacción del interés público inmerso en los títulos de concesión otorgados por el Poder Ejecutivo, afectaría además la esfera de intereses legítimos de los demás oferentes en igualdad de condiciones, el cumplimiento de las condiciones y obligaciones dispuestas en el título de concesión para el Operador recurrido, y una potencial desventaja en el desarrollo de su actividad en materia de telecomunicaciones frente a otros competidores no sujetos a los procesos de contratación pública, y además perjudica inclusive a la propia oferta de la empresa recurrente al suspender su propia evaluación, por circunstancias que ella misma no aclaró desde un momento inicial, en sede administrativa. II. Sobre los hechos y alegatos planteados en el RECURSO DE AMPARO en escrito recibido en la Secretaría de la Sala los días 6 y 25 de octubre de 2023. “Para los efectos del artículo 75 de la Ley de la Jurisdicción Constitucional alego de manera sucinta la inconstitucionalidad e inconvenciona1idad (sic) in toto y de algunas normas en específico de “El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5G) y superiores”, aprobado mediante decreto ejecutivo número 44196- MSP -MCITT, publicado en La Gaceta del 31 de agosto del 2023. A continuación, fundamento someramente los vicios constitucionales alegados. I.- Vicios de inconstitucionalidad “El Reglamento sobre Medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones en la Tecnología de Quinta Generación Móvil (5 G) y superiores”, aprobado mediante decreto ejecutivo número 44196- MSP-MCITT, publicado en La Gaceta del 31 de agosto del 2023, contiene serios vicios tanto de inconstitucionalidad como de inconvencionalidad, los cuales enumeramos a continuación de manera sucinta. 1.- El Reglamento in toto viola el artículo 28 de la Constitución Política, por cuanto regula materia reservada por tales normas al dominio de la ley. Es decir, sólo (sic) por ley se pueden reglamentar y, sobre todo, restringir el ejercicio de los derechos fundamentales. Respuesta. No es cierto. De conformidad con las disposiciones del artículo 10 de la Ley General de Telecomunicaciones, Nº 8642, corresponde al Poder Ejecutivo dictar el Plan Nacional de Atribución de Frecuencias para designar los usos específicos que se atribuyen a cada una de las bandas del espectro radioeléctrico; y en adición le corresponde modificar el Plan Nacional de Atribución de Frecuencias por razones de conveniencia y oportunidad. Del mismo modo, corresponde al Poder Ejecutivo asignar, reasignar o rescatar las frecuencias del espectro radioeléctrico, de acuerdo con lo establecido en el Plan Nacional de Atribución de Frecuencias, de manera objetiva, oportuna, transparente y no discriminatoria, de conformidad con la Constitución Política y lo dispuesto en esta Ley. Por ende, como parte de las potestades conferidas al Poder Ejecutivo en su carácter de administración concedente le corresponde promover el procedimiento impuesto por el constituyente para la respectiva asignación de frecuencias en el espectro radioeléctrico, lo cual resulta de aplicación en materia de explotación de redes mediante la tecnología de interés 5G. En este sentido, los artículos 11 y 12 de la Ley General de Telecomunicaciones, en lo que interesa disponen: “ARTÍCULO 11.- Concesiones. Se otorgará concesión para el uso y la explotación de las frecuencias del espectro radioeléctrico que se requieran para la operación y explotación de redes de telecomunicaciones. Dicha concesión habilitará a su titular para la operación y explotación de la red. Cuando se trate de redes públicas de telecomunicaciones, la concesión habilitará a su titular para la prestación de todo tipo de servicio de telecomunicaciones disponibles al público. La concesión se otorgará para un área de cobertura determinada, regional o nacional, de tal manera que se garantice la utilización eficiente del espectro radioeléctrico. (El resaltado es propio) Artículo 12.- Procedimiento concursal. Las concesiones de frecuencias para la operación y explotación de redes públicas de telecomunicaciones serán otorgadas por el Poder Ejecutivo por medio del procedimiento de concurso público, de conformidad con la Ley de contratación administrativa y su reglamento. La Sutel instruirá el procedimiento, previa realización de los estudios necesarios, para determinar la necesidad y factibilidad del otorgamiento de las concesiones, de conformidad con el Plan nacional de desarrollo de las telecomunicaciones y las políticas sectoriales.” (El resaltado es propio) De allí obedece, que el uso y explotación del espectro radioeléctrico como bien demanial constitucional puede asignarse en un régimen de competencia y libre concurrencia, según lo dispone el artículo 182 de la Constitución Política: “ARTÍCULO 182.- Los contratos para la ejecución de obras públicas que celebren los Poderes del Estado, las Municipalidades y las instituciones autónomas, las compras que se hagan con fondos de esas entidades y las ventas o arrendamientos de bienes pertenecientes a las mismas, se harán mediante licitación, de acuerdo con la ley en cuanto al monto respectivo”. De conformidad con lo anterior, la asignación de las nuevas frecuencias debe observar el principio de licitación regulado en el citado artículo 182 de nuestra Constitución Política, en concordancia con las disposiciones de la Ley General de Telecomunicaciones, Ley Nº 8642 y lo dispuesto de forma sistemática en la Ley General de Contratación Pública, Ley N° 9986; y en un ámbito infralegal por lo dispuesto en el artículo 21 del Reglamento a la Ley General de Telecomunicaciones (por sus siglas RLGT), Decreto Ejecutivo N° 34765MINAET, el cual en lo conducente indica: “Artículo 21. —Concesiones. Se otorgará concesión para el uso y la explotación de las frecuencias del espectro radioeléctrico que se requieran para la operación y explotación de redes de telecomunicaciones. (...) Las concesiones de frecuencias serán otorgadas por el Poder Ejecutivo por medio del procedimiento de concurso público, (...) y corresponderá a la SUTEL la instrucción del procedimiento.” (El resaltado es propio) Tenemos entonces que las concesiones de frecuencias serán otorgadas por el Poder Ejecutivo por medio del procedimiento de concurso público, trámite que le corresponde instruir a la Superintendencia de Telecomunicaciones, cómo Órgano regulador establecido por ley para determinar técnicamente la posibilidad del otorgamiento de cualquier frecuencia solicitada. Así lo estipula el artículo 23 del RLGT en donde se establecen los requisitos que deben ser acreditados para que el Poder Ejecutivo pueda iniciar un proceso de concurso público para la concesión de frecuencias de espectro radioeléctrico: “Artículo 23. —Decisión inicial. Una vez emitido el criterio técnico de los estudios previos por parte de la SUTEL y comprobada la necesidad y factibilidad de la concesión, el Poder Ejecutivo emitirá la decisión de inicio del procedimiento concursal respectivo, que trasladará a la SUTEL para que lo instruya. La decisión administrativa que da inicio al procedimiento de contratación será emitida por el Poder Ejecutivo. Esta decisión se adoptará una vez que se haya acreditado al menos, lo siguiente: a) Una justificación de la procedencia del concurso público, con indicación expresa de la necesidad a satisfacer, considerando para ello los planes de largo y mediano plazo, el Plan Nacional de Desarrollo de las Telecomunicaciones y las políticas sectoriales. b) Las especificaciones técnicas y características de la frecuencia del espectro radioeléctrico a concesionar. c) Deberá acreditarse la existencia de estudios necesarios y la factibilidad del otorgamiento de la concesión. La SUTEL valorará el cumplimiento de los anteriores requisitos, previo inicio del procedimiento y dispondrá la confección de un cronograma con tareas y responsables de su ejecución y velará por el debido cumplimiento del procedimiento.” Así las cosas, y en apego al principio de legalidad, el Poder Ejecutivo solamente licita el espectro disponible registralmente conforme lo dimensionan las normas del ordenamiento sectorial de las telecomunicaciones, en una sana inversión de los fondos públicos, máxima jurídica que se reitera en el artículo 8 inciso e) de la LGCP que reúne precisamente los principios de rango constitucional que informan la materia: “(...) e) Principios de eficacia y eficiencia: el uso de los fondos y bienes públicos y la conducta de todos los sujetos que intervienen en la actividad de compras públicas deben responder al cumplimiento de los fines, las metas y los objetivos institucionales y a la satisfacción del interés público. (...)”. Es al amparo del mandato constitucional y demás leyes especiales que regulan las compras públicas, que el Estado en su condición de Administración Concedente tiene la obligación de garantizar la igualdad y la más amplia concurrencia en un ambiente íntegro, imparcial y transparente, con apego a los principios generales de la contratación pública. Lo anterior, con especial resguardo además en la especificidad técnica del objeto contractual en este caso, conforme lo regula el artículo 23 inciso b) del RLGT antes citado. Es por ello que, la potestad del Poder Ejecutivo debe conciliar todos los aspectos derivados del régimen legal aplicable con las medidas técnicas necesarias en aras de proteger, administrar y controlar el uso y explotación que se haga de este bien demanial constitucional con estricto apego a los derechos fundamentales, condiciones que deben ser plasmadas en el pliego de condiciones del procedimiento concursal respectivo. Tal y como se desprende en el apartado -A- del informe técnico No. MICITT-DMOF-1099-2023 de fecha 12 de diciembre de 2023, precisamente sobre las competencias que han sido delegadas al Poder Ejecutivo para el establecimiento de condiciones y obligaciones de los títulos habilitantes de concesión otorgados a los Operadores de servicios de telecomunicaciones para el uso y explotación del espectro radioeléctrico, régimen jurídico que se analiza a continuación. Sobre el particular, conviene partir del mandato constitucional del artículo 121 numeral 14) inciso c) que al efecto señala: “(...) No podrán salir definitivamente del dominio del Estado: c) Los servicios inalámbricos; Los bienes mencionados en los apartes a), b) y c) anteriores sólo podrán ser explotados por la administración pública o por particulares, de acuerdo con la ley o mediante concesión especial” (El resaltado es propio) En ese sentido, el constituyente dispuso cuales eran las dos vías para explotar los bienes demaniales como ocurre con los servicios inalámbricos, en primer orden conforme al bloque de la legalidad y en segundo orden, mediante concesión especial. Con respecto a la normativa sectorial propia de la Ley N° 8642, Ley General de Telecomunicaciones y su Reglamento, resulta de interés mencionar que para el momento en que se conoció tal proyecto de ley, el constituyente fue enfático en el objetivo prioritario de dicho texto, de ordenar el Sector Telecomunicaciones, en concreto lo relativo al uso y explotación del espectro radioeléctrico. Lo anterior, siendo que se requería de un marco normativo respetuoso, se consignó en actas, que la discusión del proyecto lo era con el propósito de regular aspectos como la administración y asignación de un recurso finito y limitado como lo es el espectro radioeléctrico. En el seno de este modelo sistemático, el legislador tomó en cuenta una serie de ejes que es necesario rescatar. En primer orden, dentro de los objetivos de la Ley General de Telecomunicaciones, se destaca en el artículo 2 inciso g): “Asegurar la eficiente y efectiva asignación, uso, explotación, administración y control del espectro radioeléctrico y demás recursos escasos”. Como bien finito que es, el espectro se debe disponer de la forma más transparente posible, por lo cual se instauró en dicha norma un modelo de separación de roles tripartito, en donde interactúan las figuras del Ente Rector, Órgano Regulador y el Operador de las telecomunicaciones. Esta desagregación de roles se plasmó en la normativa concordante con los principios de transparencia, equidad y seguridad jurídica que informan la materia de las telecomunicaciones, en donde el Estado en la figura del Poder Ejecutivo es el único que concede, modifica o extingue el título habilitante para explotar dicho bien demanial constitucional. Corolario de lo anterior, se lee del artículo 10 de la Ley de marras (N° 8642) la definición de competencias en donde: “(...) El Poder Ejecutivo asignará, reasignará o rescatará las frecuencias del espectro radioeléctrico, de acuerdo con lo establecido en el Plan nacional de atribución de frecuencias, de manera objetiva, oportuna, transparente y no discriminatoria, de conformidad con la Constitución Política y lo dispuesto en esta Ley. A la Sutel le corresponderá la comprobación técnica de las emisiones radioeléctricas, así como la inspección, detección, identificación y eliminación de las interferencias perjudiciales”. Como puede verse, la competencia permanente de asignar las frecuencias disponibles conforme al Plan Nacional de Atribución de Frecuencias (PNAF) fue delegada por el constituyente en el Poder Ejecutivo, lo cual puede hacer atendiendo los criterios de objetividad, transparencia y no discriminación. Es aquí como se manifiesta el principio de protección y control del espectro radioeléctrico en donde la administración concedente lleva en su seno la competencia de otorgar las concesiones, y junto a esto, ejerce con ello las potestades de supervisión y fiscalización para garantizar que el uso concedido no sólo es eficiente, sino que además en su fiscalización es garante de la protección del régimen superior de los derechos humanos bajo el principio de progresividad y no en detrimento de los particulares. Desde luego que la Procuraduría General de la República, hizo hincapié en este rol del Poder Ejecutivo durante la discusión del texto de la norma, sobre lo cual puede consultarse la Opinión Jurídica N° OJ-015-2007 del 26 de febrero de 2007, donde señaló: "(...) La Procuraduría es del criterio de que funciones como el control y administración del espectro son propias del Estado, que debería ejercerlas por medio del Poder Ejecutivo. (...) Reafirma la Procuraduría su posición en orden a la competencia para otorgar concesiones. Dicha competencia es propia del Poder Ejecutivo. El espectro electromagnético es un bien nacional, es un bien escaso y hoy por hoy es un bien estratégico. Por lo que debe permanecer en el ámbito del Estado. (...)”. Corolario de lo anterior, la Ley General de Telecomunicaciones en su artículo 7 reitera: “ARTÍCULO 7.- Planificación, administración y control El espectro radioeléctrico es un bien de dominio público. Su planificación, administración y control se llevará a cabo según lo establecido en la Constitución Política, los tratados internacionales, la presente Ley, el Plan nacional de desarrollo de las telecomunicaciones, el Plan nacional de atribución de frecuencias y los demás reglamentos que al efecto se emitan. En virtud de lo anterior, y de una adecuada hermenéutica jurídica es preciso señalar que la materia especialísima de telecomunicaciones que nos ocupa se rige en primer orden por las disposiciones del régimen constitucional y a su vez, por el derecho internacional público, tomando en cuenta que el artículo 7 de la Constitución Política establece que “los tratados públicos, los convenios internacionales y los concordatos, debidamente aprobados por la Asamblea Legislativa, tendrán desde su promulgación o desde el día que ellos designen, autoridad superior a las leyes.” (El resaltado es propio) En ese sentido, la Ley N° 8622 “Tratado de Libre Comercio República Dominicana - Centroamérica-Estados Unidos (TLC)”, en su Anexo 13 del CAFTA “Compromisos Específicos de Costa Rica en Materia de Servicios de Telecomunicaciones”, observa en su artículo 4 el principio de asignación del espectro que recae precisamente en la figura del Poder Ejecutivo: “Asignación y Utilización de Recursos Escasos Costa Rica asegurará que los procedimientos para la asignación y utilización de recursos escasos, incluyendo frecuencias, números y los derechos de vía, sean administrados de manera objetiva, oportuna, transparente y no discriminatoria, por una autoridad doméstica competente. La República de Costa Rica emitirá licencias directamente a los proveedores del servicio para el uso del espectro, de conformidad con el artículo 121, inciso 14 de la Constitución Política de la República de Costa Rica.” (El resaltado es propio) Por otra parte, los artículos 6 y 10 marcan las pautas necesarias para el acceso y uso de las redes, en tanto debe considerarse: “6. Acceso a y Uso de Redes (...) (b) No obstante lo dispuesto en el subpárrafo (a), Costa Rica podrá tomar las medidas que sean necesarias para garantizar la seguridad y confidencialidad de los mensajes, o proteger la privacidad de datos personales no públicos de los suscriptores de servicios públicos de telecomunicaciones, sujeto al requisito de que tales medidas no se apliquen de tal manera que pudieran constituir un medio de discriminación arbitraria o injustificable, o alguna restricción encubierta al comercio de servicios.” (c) Costa Rica también garantizará que no se impongan condiciones al acceso a y el uso de redes o servicios públicos de telecomunicaciones, distintas a las necesarias para salvaguardar las responsabilidades del servicio público de los prestadores de redes o servicios públicos de telecomunicaciones, en particular su capacidad para poner sus redes o servicios a disposición del público en general, o proteger la integridad técnica de las redes o servicios públicos de telecomunicaciones.” (El resaltado es propio) (...) 10. Flexibilidad en las Opciones Tecnológicas Costa Rica no impedirá que los proveedores de servicios públicos de telecomunicaciones tengan la flexibilidad de escoger las tecnologías que ellos usen para suministrar sus servicios, sujeto a los requerimientos necesarios para satisfacer los intereses legítimos de política pública”. (El resaltado es propio) Es así como el régimen especial de las telecomunicaciones impuso en el Poder Ejecutivo un especial deber de vigilancia sobre el uso y explotación del espectro, por tratarse de un bien escaso, de uso no libre, por lo que dicha explotación ciertamente escapa a la esfera jurídica de los particulares y solamente se realiza bajo ciertos términos y condiciones definidas por el ordenamiento jurídico, la potestad reglamentaria del Poder Ejecutivo y demás regulaciones técnicas que le apliquen al caso concreto. Sobre este particular la Procuraduría General de la República en su dictamen N° C177-2023 de fecha 18 de setiembre de 2023, ha manifestado en lo que interesa: “En coherencia con las consideraciones anteriores, la LGT constituye el marco legal general por el que se regula en nuestro medio la competencia del Poder Ejecutivo para otorgar la concesión para el uso y explotación del espectro radioeléctrico y las condiciones bajo las cuales se explotarán las frecuencias y se prestarán los servicios correspondientes, a saber: requisitos y procedimiento para el otorgamiento de la concesión, obligaciones y derechos del concesionario, potestades de la Administración concedente, transmisión de los títulos habilitantes, entre otros aspectos. (...) Por consiguiente, ni un particular, ni la Administración pública, están habilitados para explotar el espectro si no cuentan con la concesión respectiva otorgada por el Poder Ejecutivo (ver el pronunciamiento PGR-OJ059-2023, del 23 de mayo) La palabra concesión en su misma significación jurídica implica exclusividad, siendo esa la regla impuesta por la LGT cuando conlleve la “reserva” de un determinado uso (en este caso el comercial) en favor exclusivo del titular. Así también se desprende del artículo 19 de la misma ley, cuando a modo de excepción del procedimiento concursal, contempla la concesión otorgada por el Poder Ejecutivo en forma directa y según el orden de recibo de la solicitud por el interesado, en los supuestos de “frecuencias requeridas para la operación de redes privadas y de las que no requieran asignación exclusiva para su óptima utilización” (el subrayado es añadido). La asignación exclusiva implica así que únicamente el titular de la concesión puede usar o explotar las bandas de frecuencias del espectro que le fueron reservadas con dicho acto, al punto que la LGT tipifica como una infracción muy grave, el “[u]sar (sic) o explotar bandas de frecuencias del espectro radioeléctrico sin la correspondiente concesión o permiso”. Esta asignación exclusiva responde también a motivos técnicos, en la medida que el uso compartido por varios operadores de los mismos rangos de frecuencias podría generar interferencias que afecten la calidad del servicio.” A ese tenor, el Título II, Capítulo II denominado Régimen de Protección a la intimidad y derechos de los usuarios finales de la Ley N° 8642, Ley General de Telecomunicaciones, establece una norma especial que regula el régimen de privacidad y de protección de los derechos e intereses de los usuarios finales de los servicios de telecomunicaciones, y de forma específica los artículos 41 y 42 de este cuerpo legal disponen: “ARTÍCULO 41.- Régimen jurídico El presente capítulo desarrolla el régimen de privacidad y de protección de los derechos e intereses de los usuarios finales de los servicios de telecomunicaciones. Los acuerdos entre operadores, lo estipulado en las concesiones, autorizaciones y, en general, todos los contratos por servicios de telecomunicaciones que se suscriban de conformidad con esta Ley, tendrán en cuenta la debida protección de la privacidad y los derechos e intereses de los usuarios finales. A la Sutel le corresponde velar por que los operadores y proveedores cumplan lo establecido en este capítulo y lo que reglamentariamente se establezca.”(El resaltado es propio) “ARTÍCULO 42.- Privacidad de las comunicaciones y protección de datos personales Los operadores de redes públicas y proveedores de servicios de telecomunicaciones disponibles al público, deberán garantizar el secreto de las comunicaciones, el derecho a la intimidad y la protección de los datos de carácter personal de los abonados y usuarios finales, mediante la implementación de los sistemas y las medidas técnicas y administrativas necesarias. Estas medidas de protección serán fijadas reglamentariamente por el Poder Ejecutivo. (...)” (El resaltado es propio) De conformidad con el artículo 42 de la misma Ley Nº 8642, es una obligación de los Operadores de redes públicas garantizar el secreto de las comunicaciones, el derecho a la intimidad y la protección de los datos de carácter personal de los abonados y usuarios finales, mediante la implementación de los sistemas y las medidas técnicas y administrativas necesarias de protección que deberán ser fijadas reglamentariamente por el Poder Ejecutivo. Por ende, las medidas adoptadas en materia de ciberseguridad para redes de telecomunicaciones derivan de la potestad reglamentaria conferida en esta materia al Poder Ejecutivo, sin perjuicio de que también le corresponde definir la decisión de inicio de los concursos públicos las condiciones y obligaciones de los títulos de concesión para el uso y explotación del espectro radioeléctrico. Esta delegación de reglamentar las medidas pertinentes desde luego que se deriva del artículo 140 de la Constitución Política que establece en lo conducente: ARTÍCULO 140.- Son deberes y atribuciones que corresponden conjuntamente al Presidente y al respectivo Ministro de Gobierno: (...) 3) Sancionar y promulgar las leyes, reglamentarlas, ejecutarlas y velar por su exacto cumplimiento; Del mandato anterior se origina constitucionalmente la potestad del Poder Ejecutivo de reglamentar las leyes lo cual el legislador plasmó a su vez en forma derivada en la norma del numeral 42 de la Ley General de Telecomunicaciones. Desde luego que, para ejercer dicha potestad corresponde observar también la trascendencia de la competencia económica y la libre concurrencia para el adecuado funcionamiento del mercado y en beneficio de los consumidores o usuarios, lo cual conlleva la debida protección a su seguridad e intereses económicos de conformidad ordinal 46 de la Constitución Política, así expresado por esta Sala Constitucional, en su Resolución Nº 01104 - 2017 del 25 de enero del 2017. En este sentido ha sido el deseo del Constituyente que los particulares participen de la explotación del espectro radioeléctrico, siempre y cuando, se cumplan con las condiciones estipuladas en la propia Norma Fundamental, por lo cual resulta óbice la supervisión del Poder Ejecutivo en este sentido. (Sala Constitucional, Resolución Nº 04569 - 2008 del 26 de marzo del 2008). Es al amparo de las competencias constitucionales y legales ya esbozadas, que el Poder Ejecutivo emitió el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” publicado en el Alcance No 166 del Diario Oficial La Gaceta No 159 del 31 de agosto de 2023, con el objeto de establecer medidas de ciberseguridad para garantizar el uso y la explotación segura y con resguardo de la privacidad de las personas, de las redes y los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores, con fundamento además en las consideraciones que más adelante se precisan. De esta manera, las medidas adoptadas por el Poder Ejecutivo se orientan precisamente a regular el ejercicio de la libertad de empresa en un bien finito demanial como lo es el espectro radioeléctrico frente al eslabón más débil de la cadena del servicio de telecomunicaciones, es decir, el usuario final, quien a fin de cuentas aprovechará el servicio y ante un riesgo inminente se puede ver menoscabado del régimen de los derechos fundamentales ya citados y que son garantizados por el régimen jurídico de las telecomunicaciones, a través no solo del reconocimiento de dichos derechos sino de la delegación para el Poder Ejecutivo de establecer reglamentariamente las medidas técnicas y administrativas idóneas para asegurar su resguardo y libre ejercicio. 2.- En el Reglamento se regula el derecho fundamental a la autodeterminación informativa, los derechos de libre competencia e igualdad de participación en los concursos públicos, además de consagrar un régimen sancionatorio contra quienes violen disposiciones contenidas en el Reglamento. Todos estos aspectos están sustraídos al dominio del Reglamento pues deben ser necesariamente regulados por ley. Respuesta. No es cierto, por cuanto ya se ha indicado que el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” establece medidas técnicas y administrativas necesarias, para garantizar la explotación segura de las redes de telecomunicaciones con el objetivo de resguardar el régimen jurídico de protección de los derechos humanos de los usuarios finales de redes de telecomunicaciones, en aras de garantizar la privacidad, el secreto de las comunicaciones, y la autodeterminación informativa de los usuarios. Es así como la norma reglamentaria no regula los derechos fundamentales que indica la empresa recurrente, sino que regula medidas con el fin de resguardar estos mismos derechos. En cuanto a lo alegado sobre el régimen sancionatorio, se remite a lo indicado en los siguientes extremos, por cuanto el Reglamento no consagra un nuevo régimen sancionatorio ex novo como lo pretende hacer ver la empresa aquí recurrente, sino que se sustenta en las disposiciones de la Ley General de Telecomunicaciones a partir de lo dispuesto en los artículos 22, 65 y siguientes de dicho cuerpo legal. 3.- Consecuencia de lo anterior, se viola también el principio de la división de poderes consagrado en el artículo 9 de la Constitución Política, según el cual ningún Poder puede inmiscuirse en las competencias garantizadas constitucionalmente a otro Poder. 4.- En la especie, el Poder Ejecutivo invadió competencias propias de la Asamblea Legislativa, pues según el artículo 121 inciso 1) de la Constitución corresponde al órgano legislativo aprobar, interpretar auténticamente y derogar las leyes. Respuesta. No es cierto que se haya vulnerado en ningún sentido la norma constitucional, ni el principio de división de funciones entre los diferentes poderes de la República. Tal y como fue desarrollado para el extremo tras anterior, el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” se emite en total apego a las competencias que constitucionalmente han sido otorgadas al Poder Ejecutivo para el establecimiento de condiciones y obligaciones de los títulos habilitantes de concesión otorgados a los operadores de servicios de telecomunicaciones para el uso y explotación del espectro radioeléctrico, y con ello las medidas técnicas y administrativas de corte reglamentario, derivan de las propias funciones administrativas delegadas por el Legislador al Poder Ejecutivo en esta materia, razón por la cual no ha vulnerado en absoluto el citado principio. 5.- E1 (sic) artículo 13 viola el artículo 39 de la Constitución Política, norma que consagra los principios de legalidad y tipicidad en materia de sanciones administrativas y penales. 6.- Según el primer principio, los tipos sancionatorios deben establecerse por ley, en tanto que el de tipicidad exige que la conducta objeto de una eventual sanción debe estar precisada en la norma. Respuesta. No es cierto que el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” vulnere los principios de legalidad y tipicidad por las siguientes razones. Como un primer aspecto, conviene contextualizar a la Sala Constitucional lo que establece la disposición del artículo 13 del referido Reglamento, que en lo literal señala: “Artículo 13º— Sanciones e infracciones. El régimen sancionatorio administrativo aplicable por el incumplimiento de las disposiciones contenidas en este Decreto Ejecutivo se regirá por lo dispuesto en la Ley Nº 8642, Ley General de Telecomunicaciones”. (El resaltado es propio) Como puede verse de la norma transcrita, ésta no viene a constituir un régimen sancionatorio por la vía reglamentaria sino que es totalmente respetuoso del que ya determinó el legislador mediante Ley especial Nº 8642, cuyo ámbito concierne precisamente al uso y la explotación de las redes y la prestación de los servicios de telecomunicaciones, por disposición del artículo 1 de dicha Ley, que además incorpora los mecanismos de regulación de las telecomunicaciones, que comprende el uso y la explotación de las redes y la prestación de los servicios de telecomunicaciones que se originen, terminen o transiten por el territorio nacional. Es así como el Poder Ejecutivo, en la construcción del artículo anterior fue respetuoso totalmente de los principios de legalidad y tipicidad, en la medida que la Sala Constitucional ya ha referido que la materia sancionatoria es de carácter odiosa, por tanto, de interpretación restrictiva y su fijación reservada a la ley: “En cuanto a la potestad reglamentaria, señaló que no es ilimitada, y que uno de sus más importantes límites sustanciales es la reserva de ley, que implica la prohibición de que el reglamento -norma secundaria- regule en forma originaria los aspectos comprendidos en la reserva. Al ser la libertad y el régimen sancionatorio materias reservadas a la ley, se concluye que en este ámbito sólo son posibles los reglamentos ejecutivos, que no pueden establecer nueva normativa o restringir las libertades públicas más allá de lo permitido por las leyes. Así, el régimen sancionatorio sólo podría ser válidamente regulado por reglamento en tanto exista una ley previa que regule esos aspectos, estableciendo las causas, conforme al principio de tipicidad, de ejercicio de la potestad sancionatoria y las sanciones la Administración puede aplicar, situación que a su juicio no se presenta en el caso en estudio, pues no existe ley previa que establezca el régimen sancionatorio de los co-contratantes de la Administración, por lo que debe concluirse que el Reglamento de la Contratación Administrativa innova en ese campo. En consecuencia, se produce una violación de los artículos 121 inciso 1 y 39 en relación con el 140, incisos 3 y 18 de la Constitución política, por lo que es criterio de la Procuraduría que el artículo 260 del Reglamento la Sala Constitucional N°. 6114 - 1996, del 12 de Noviembre del 1996 a las 15:15) Siendo entonces que el Reglamento de marras no impone ningún régimen sancionatorio novedoso, y se limita a hacer remisión directa al régimen constituido por el legislador en la propia Ley General de Telecomunicaciones que por jerarquía normativa se encuentra en un nivel superior al Reglamento de cita, son improcedentes las argumentaciones de la empresa recurrente en el tanto no existe ninguna transgresión del artículo 39 de la Constitución Política. 7.- El artículo 13 del Reglamento no especifica las infracciones ni las sanciones, sino que se limita a remitir a lo dispuesto en la materia en la Ley General de Telecomunicaciones. Respuesta. Lleva razón la empresa recurrente, en el sentido de que la norma reglamentaria no excede las potestades que han sido reservadas al legislador de constituir nuevos tipos o sanciones. Es importante hacer notar a la Sala Constitucional, la contradicción en los argumentos de la empresa recurrente, toda vez que en un extremo anterior presume que el reglamento infringe una serie de principios de frente a la creación de nuevos tipos sancionatorios, cuando en el presente alegato alude a una situación contraria. En todo caso, se reitera que para la emisión del Decreto Ejecutivo Nº44196-MSPMICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, el Poder Ejecutivo no excedió sus potestades reglamentarias, sino que en la definición del artículo 13 se remite a la aplicación de la normativa sectorial del caso. 8.- Los artículos 9 y 10 incisos c), d), e) y f) violan los principios constitucionales de libertad de competencia e igualdad de participación en los procedimientos de contratación pública, al impedir la libre competencia entre todos los posibles oferentes que poseen tecnología 5G y así como limitar esa participación por razones ajenas a criterios estrictamente técnicos. Respuesta. No es cierto. Reitero una vez más el carácter técnico que reviste el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”; además hemos venido señalando que la empresa [Nombre 002]., al momento de este informe y según consta en autos, ha participado efectivamente en el proceso licitatorio para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE 0000230000400001; y además declaró bajo fe de juramento su adecuación a los requisitos del pliego de condiciones de dicho proceso concursal. En ese sentido, no se aprecia violación alguna a los principios de libre competencia e igualdad de participación. Tampoco los artículos citados vulneran los principios que informan la materia de contratación pública, por las siguientes razones. ● Los estándares y parámetros de riesgo alto para la operación de redes de telecomunicaciones 5G o superiores y la prestación de sus servicios señalados en el Reglamento, poseen un sustento técnico y jurídico como bien se ha desarrollado en los apartados -J- y -K- del informe técnico No. MICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023.● Al tratarse de estándares y parámetros que obedecen a una serie de criterios de necesidad, idoneidad, proporcionalidad, razonabilidad y legitimidad, no vulneran en forma injustificada la libre concurrencia. ● Se ha brindado de forma oficiosa por este Ministerio un informe que contiene una justificación técnica y jurídica, en la que se determina el apego a los elementos que ciencia y técnica que orientan la materia de ciberseguridad amplia a los servicios de telecomunicaciones, inclusive considerada para cada uno de los incisos que reclama la empresa aquí recurrente. a. Sobre el estándar SCS-9001. En particular, resulta importante indicarle a la Sala Constitucional que el artículo 9 del Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” establece lo siguiente: “Artículo 9º- Análisis y Gestión del Riesgo en la Cadena de Suministro. Los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento, deberán solicitar a sus suministradores de hardware y software, que intervienen en el funcionamiento y operación de las redes 5G y superiores y sus servicios, la definición de los requisitos, controles y mediciones del sistema de gestión de ciberseguridad de la cadena de suministro para el diseño, desarrollo, producción, entrega, instalación y mantenimiento de hardware, software y servicios de conformidad con el estándar SCS 9001 “Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad”. Dicha información deberá de ser presentada atendiendo a las particularidades de los procesos dispuestos por el Poder Ejecutivo y la Superintendencia de Telecomunicaciones (Sutel), cada una de acuerdo con su ámbito de competencia, sin detrimento del ejercicio de las potestades de control y fiscalización superior para verificar el cumplimiento de estas disposiciones. En el caso de los procesos de contratación pública promovidos por entidades contratantes, que tengan por objetivo la operación de redes y servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) o superiores, incorporarán lo dispuesto en el presente artículo en las reglas de la contratación con el fin de garantizar el uso y la explotación segura de las redes y los servicios de telecomunicaciones y con resguardo de la intimidad y la privacidad de los usuarios finales”. En relación con la norma anterior, el Operador de Redes deberá verificar que proveedores y fabricantes en su cadena de suministro atiendan la definición de los requisitos, controles y mediciones del sistema de gestión de ciberseguridad de la cadena de suministro para el diseño, desarrollo, producción, entrega, instalación y mantenimiento de hardware, software y servicios de conformidad con el estándar SCS 9001 “Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad. Lo anterior de cara a la finalidad precisada en la propia norma reglamentaria “de garantizar el uso y la explotación segura de las redes y los servicios de telecomunicaciones y con resguardo de la intimidad y la privacidad de los usuarios finales”. El estándar SCS 9001 es un estándar centrado en la seguridad de la cadena de suministro para la industria mundial de las TIC, se desarrolló activamente durante los años durante 2020 y 2021 por QuEST Forum, comunidad de mejora del rendimiento empresarial dentro de TIA (Telecommunications Industry Association). TIA QuEST Forum sigue los procedimientos y lineamientos de desarrollo de estándares internacionales. Por lo cual TIA QuEST Forum siguió el proceso riguroso y bien estructurado para la publicación del estándar SCS 9001, para asegurar que sea global, relevante y de alta calidad. Este proceso involucró a expertos de seguridad del campo, diferentes organizaciones y fabricantes del sector que trabajaron para el desarrollo del estándar SCS 9001, por lo tanto, no se puede considerar este estándar como inmaduro, ya que su desarrollo y publicación han cumplido con los requisitos y lineamientos exigidos por cualquier estándar ISO, un proceso que requirió su debido tiempo. Es importante destacar además que este estándar responde a una necesidad creciente en el sector, garantizando la aplicación de medidas de seguridad para minimizar un riesgo que está en aumento en la cadena de suministro como lo apunta el informe de Gartner y ENISA.6 El SCS 9001 es un estándar global más completo de ciberseguridad y seguridad de la cadena de suministro, adaptable a cualquier tipo de red de comunicaciones en todas las industrias y sectores. Las amenazas cibernéticas están en constante evolución, como lo evidencia el informe de la Agencia de la Unión Europea para la Ciberseguridad (ENISA), entidad establecida por la Unión Europea (UE) con el objetivo de mejorar la ciberseguridad en toda la región, sobre "Amenazas Cibernéticas hacia 2030" en el cual el ataque a la cadena de suministro estará en el primer lugar de los ciberataques. Hay que destacar el dinamismo y la sofisticación creciente de estos riesgos. Ante este panorama cambiante, la implementación de estándares como el SCS 9001 se hace imprescindible, especialmente para abordar la seguridad en la cadena de suministro. Este estándar específico responde a la necesidad de adaptarse a las amenazas emergentes y crecientes, proporcionando un marco que garantiza prácticas de seguridad robustas y coherentes en todos los eslabones de la cadena de suministro. Su adopción es crucial para proteger las infraestructuras críticas y mantener la integridad, confidencialidad y disponibilidad en la seguridad de los sistemas en un entorno de amenazas que evoluciona rápidamente. Además, el análisis de Gartner, que predice que para 2023, el riesgo cibernético se convertirá en una consideración primordial en las decisiones de compra en las cadenas de suministro. Este enfoque creciente en la seguridad cibernética refleja la necesidad de mejorar la protección entre la ciberseguridad y la cadena de suministro, destacando la importancia de adoptar estándares como SCS 9001. Este estándar responde a las amenazas cibernéticas en evolución, proporcionando un marco robusto para asegurar y proteger la cadena de suministro frente a riesgos emergentes. Como ejemplo de ello, puede observarse que el pasado mes de setiembre del año 2023, se registró un ataque cibernético a IFX Networks , una empresa proveedora de telecomunicaciones que ofrecía servicios en la nube a diversas instituciones gubernamentales y empresas en Colombia, Chile y Argentina, escenario que reafirma la necesidad de velar por la seguridad en la cadena de suministro. Este incidente tuvo un grave impacto, especialmente porque IFX Networks era uno de los proveedores principales de telecomunicaciones del gobierno colombiano. Por lo anterior, la adopción de SCS 9001 no sólo obedece a un contexto actual, sino que mejora la seguridad, implica un paso crucial para alinear las prácticas en la cadena de suministro con las necesidades de seguridad cibernética en constante cambio, un aspecto ahora reconocido como fundamental por líderes en la gestión de cadenas de suministro. Los controles de seguridad y protección deben cubrir todo el ciclo de vida de productos, incluida la cadena de suministro completa de software, hardware, sistemas y el rendimiento operativo de la propia organización. Este estándar responde a la necesidad de adaptarse a las amenazas emergentes y crecientes, proporcionando un marco que garantiza prácticas de seguridad robustas y coherentes en todos los eslabones de la cadena de suministro. Su adopción es crucial para proteger las infraestructuras críticas y mantener la integridad, confidencialidad y disponibilidad en la seguridad de los sistemas en un entorno de amenazas que evoluciona rápidamente. La adopción de SCS 9001 no solo mejora la seguridad, sino que también es un paso crucial para alinear las prácticas en la cadena de suministro con las necesidades de seguridad cibernética en constante cambio, un aspecto ahora reconocido como fundamental por líderes en la gestión de cadenas de suministro. En cuanto a la idoneidad de prever el cumplimiento de este estándar en el Reglamento, debe indicarse que las amenazas cibernéticas a la cadena de suministro han aumentado en frecuencia y sofisticación, incluyendo ataques para comprometer el software y hardware, y la manipulación de la integridad de los productos. El SCS 9001 está específicamente diseñado para abordar estas vulnerabilidades, estableciendo un marco que refuerza la seguridad en cada eslabón de la cadena de suministro. Desde la perspectiva del análisis de riesgos, este estándar responde como una medida necesaria para minimizar el riesgo de seguridad a la emergente amenaza a la cadena de suministro. Dicha contramedida reduce el riesgo porque aborda los aspectos técnicos más en detalle de los eslabones a la cadena de suministro y todos los aspectos relacionados para reducir los riesgos latentes que están en creciente evolución tal como lo demuestran organismos internacionales especializados en la materia. Sobre la proporcionalidad en sentido estricto en la determinación de la aplicación de este estándar, debe indicarse que la implementación del estándar SCS 9001 en la cadena de suministro de ciberseguridad es una medida necesaria, justificada y adecuada dada la magnitud y severidad de las amenazas actuales y proyecciones futuras de la evolución de los ataques a las cadenas de suministro, sin perjuicio de los daños ocasionados a nuestro país en el año 2022, y de forma posterior, a inicios del año 2023 según se identificó en contra del Ministerio de Obras Públicas y Transportes. En materia de telecomunicaciones las redes basadas en tecnología 5G, como infraestructuras críticas, son complejas y altamente interconectadas, lo que hace susceptibles a una variedad de ataques cibernéticos que pueden tener repercusiones devastadoras en servicios esenciales y en la seguridad nacional. De acuerdo con los estudios mencionados, la creciente evolución de las amenazas cibernéticas a la cadena de suministro aumenta la probabilidad de sufrir una brecha de seguridad en los elementos que participan en las cadenas de suministro. La aplicación del estándar cumple, además, con un criterio de legitimidad, por cuanto la implementación de estos es una práctica legítima y ampliamente aceptada en la comunidad global, pues son el resultado de un amplio consenso entre expertos de seguridad, la industria y diferentes organizaciones expertas en el área, para reflejar las mejores prácticas actuales en el campo. Desde el punto de vista técnico los estándares ofrecen guías en fortalecer la cadena de suministro. El estándar parte de trabajos existentes y se alinea con iniciativas de agencias gubernamentales. Agrega requisitos cruciales que no habían sido abordados para la protección a la cadena de suministro la cual está creciendo las amenazas en este campo. La no conformidad con estos estándares significa que los productos y servicios podrían carecer de medidas de seguridad fundamentales, exponiendo a los usuarios a riesgos significativos y al país a riesgos de seguridad nacional. b. Sobre los parámetros del artículo 10, incisos c), d) e) y f) Conviene contextualizar como bien se ha desarrollado en el presente informe, que el artículo 10 del Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” establece que los sujetos comprendidos en el ámbito de aplicación del Reglamento deberán considerar entre los parámetros de riesgo alto para la operación de redes de telecomunicaciones bajo tecnología 5G o superiores y la prestación de sus servicios: “c) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento o sus suministradores de hardware y software sean susceptibles de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones “d) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento o sus suministradores de hardware y software tienen su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses.”. Los criterios de razonabilidad y proporcionalidad que la empresa recurrente extraña fueron considerados por el Poder Ejecutivo para la emisión de la norma reglamentaria, tal y como se desprende en el apartado -K- del informe técnico No. MICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023, en lo referido al presente inciso, del numeral de análisis. La necesidad de estos dos parámetros radica en que nos encontramos en la Sociedad de la Información y el Conocimiento (SIC) por lo que los datos revisten de alto valor. En ese sentido, se han multiplicado los riesgos de que las redes informáticas y la información electrónica sea utilizada para cometer delitos. Desde luego que este tema trasciende la soberanía de cada país, pues inclusive podemos hablar acá de la defensa de la soberanía cibernética, debido a la facilidad con que se pueden cometer los abusos por esta vía, por lo que estas medidas resultan imprescindibles para garantizar que no haya menoscabo en la confidencialidad, integridad y disponibilidad de los sistemas informáticos, de las redes, los datos personales y los datos de tráfico, por parte de la presión de otros Estados que requieran la información para fines distintos a los objetivos por los cuales fueron recabados a nivel nacional bajo el principio de consentimiento informado y libre información de los usuarios. Esta medida es idónea toda vez que el Estado costarricense el competente para resguardar a sus usuarios de las telecomunicaciones, que habiliten el acceso indebido a sus datos transitados por las redes de las telecomunicaciones, en transgresión de los derechos fundamentales que se pretenden resguardar con la normativa reglamentaria en análisis. De este modo, el Estado costarricense a través del Poder Ejecutivo, ha sido delegado para establecer condiciones diferenciadas cuando la información vaya a transitar fuera de sus fronteras, tránsito que debe ser compatible con el régimen especial de protección que el constituyente ha impuesto sobre los datos. Es importante reconocer que no toda legislación extranjera es afín o compatible a la nacional razón por la cual se han considerado estos parámetros para reforzar la importancia de la protección de los derechos fundamentales de los usuarios finales de telecomunicaciones en materia de ciberseguridad de las telecomunicaciones. Se entiende que la medida es proporcional desde la óptica técnica, por cuanto las consecuencias potenciales de espionaje o sabotaje cibernético son proporcionales a la medida que procura disminuir el riesgo, ya que se pueden comprometer servicios críticos de 5G, implicando la necesidad de evaluaciones de seguridad rigurosas. Vale acotar que el Estado democrático costarricense está llamado a actuar de forma conservadora en dos vertientes, primeramente en el resguardo al sano uso del espectro radioeléctrico como bien demanial y en segundo lugar en la protección de los derechos fundamentales que derivan del uso y explotación de dicho espectro radioeléctrico, de manera que está obligado a señalar las pautas conforme a las cuales se hará el trasiego de la información, dicho esto, los operadores que no tengan la posibilidad legal de garantizar el tránsito seguro de los datos en sus redes implican un alto riesgo de vulneración debido a la posible coacción de otros gobiernos. Realizando un ejercicio de legitimidad, debemos de partir que, de conformidad con las buenas prácticas internacionales, entre ellas la Directriz sobre protección de la privacidad y flujos transfronterizos de datos personales (1980) de la OCDE, puede imponer restricciones a algunas categorías de datos personales para lo cual el ordenamiento nacional incluye regulaciones específicas debido a la naturaleza de esos datos y que el otro Estado no considere de forma similar en su normativa. En ese sentido ante el evento de encontrar normativas que no garanticen una protección equiparable a la nacional, el Estado costarricense podrá establecer restricciones al trasiego de datos cuando los operadores o sus suministradores no puedan garantizar sustancialmente el cumplimiento la normativa doméstica sobre protección de datos, intimidad, privacidad, autodeterminación informativa y secreto de las comunicaciones, obligaciones que inclusive se constituyen en un principio rector sectorial para los Operadores de redes pública, véase en este particular el artículo 3 inciso j) “Privacidad de la Información” de la Ley General de Telecomunicaciones, Nº8642. En cuanto a la consideración sobre la legitimidad de esta medida, la preocupación por la influencia de gobiernos extranjeros sobre dichos proveedores es legítima y a la vez, se fundamenta en criterios de seguridad nacional dado el riesgo potencial y los daños de diversa índole que pueden materializarse si se da un ataque o sabotaje directa o indirectamente ligado a la actuación de un gobierno extranjero que ejerza influencia sobre los operadores. Por tanto, se ejerce como una facultad que tiene el Estado de garantizar la independencia de los operadores frente a presiones de gobiernos extranjeros a fin de resguardar los datos que transiten por sus redes con información de los usuarios protegida constitucionalmente. Ahora bien, en lo que concierne al inciso f) que en lo conducente señala: “f) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este reglamento utilizan suministradores de hardware y software que no cumplen con los estándares de ciberseguridad dispuestos en el artículo 6 de este Reglamento” En relación con este inciso se debe considerar que los estándares son necesarios porque brindan una guía y buenas prácticas que se deben aplicar o implementar en las plataformas tecnológicas para minimizar los riesgos de seguridad que puedan presentarse. De lo contrario, la falta de cumplimiento de los estándares puede ocasionar o llevar a deficiencias en la protección de la confidencialidad, integridad y disponibilidad de la información, que son los pilares de la ciberseguridad. También se debe tomar en cuenta que los estándares de ciberseguridad, como cualquier otro estándar, es un proceso detallado que involucra múltiples etapas y la participación de expertos del área de varios países y organizaciones con el fin de brindar una guía de buenas prácticas, políticas y procedimientos para disminuir los riesgos de seguridad en plataformas tecnológicas y combatir las amenazas crecientes en el ciberespacio. La idoneidad de la medida reside en que los estándares abordan las principales amenazas y riesgos en la prestación de servicios tecnológicos para la mitigación de los mismos y una mejor gestión de los riesgos de seguridad ante las amenazas cibernéticas que puedan comprometer las infraestructuras tecnológicas y con ello afectar los servicios esenciales y críticos del país, la información de los habitantes y la continuidad de los servicios tecnológicos. Dichos estándares abordan todo un ciclo de la ciberseguridad en sus diferentes etapas tanto en la detección, protección, identificación, respuesta y recuperación de los servicios tecnológicos, y con ello se garantiza existan los controles de seguridad para minimizar los riesgos existentes en el ciberespacio. Estas medidas son fundamentales ya que aplican el debido cuidado y la debida diligencia cuando se brindan servicios críticos. En cuanto a la proporcionalidad en sentido estricto se indica que la gravedad y frecuencia de los ataques cibernéticos justifican la necesidad de adherirse a los estándares de ciberseguridad, por lo que la decisión de considerar alto riesgo a los proveedores que no cumplan con los estándares es proporcional a los riesgos potenciales de seguridad que estos proveedores puedan presentar como brechas de datos, ataques de malware y otras amenazas que se hubieran evitado o minimizado cumpliendo los estándares de ciberseguridad. Ya el país ha sufrido las consecuencias reales de los ataques que con solo haber aplicado dichos estándares, el impacto que se hubiera tenido tanto en pérdida de información, continuidad de los servicios, filtración de información sensible, no disponibilidad de los servicios, daños y pérdidas económicas, se hubieran minimizado en gran medida. Es por esta razón que diferentes organizaciones empresas y demás, implementen este tipo de estándares, para minimizar estos riesgos y cumplir con normativas internacionales es adecuado y proporcional al beneficio que puede obtener. Asimismo, en cuanto a la legitimidad de la previsión de este riesgo, implementar estos estándares es una práctica legítima y ampliamente aceptada en la comunidad global, pues dichos estándares son el resultado de un amplio consenso entre expertos de seguridad, la industria y diferentes organizaciones expertas en el área, para reflejar las mejores prácticas actuales en el campo. Desde el punto de vista técnico los estándares ofrecen guías para fortalecer sistemas y redes. Estos incluyen aspectos como el cifrado, autenticación, gestión de parches, respuesta a incidentes, continuidad del servicio, entre otros. La no conformidad con estos estándares significa que los productos y servicios podrían carecer de medidas de seguridad fundamentales, exponiendo a los usuarios a riesgos significativos y al país a riesgos de seguridad nacional. Considerando todos los elementos antes esgrimidos, no lleva razón la empresa recurrente en la medida que la definición de los artículos se realizó sobre la base de premisas técnicas que justifican las diferentes medidas incorporadas al texto del Reglamento. 9.- Finalmente, los artículos 9 párrafo primero y 11 inciso f) violan el principio constitucional de razonabilidad técnica, el cual exige, como lo ha establecido la jurisprudencia de esa Sala, que toda norma y, en general, todo acto emanado de las instituciones públicas, debe estar fundamentado en criterios técnicos sobre la materia que regulan. Respuesta. No es cierto. En primer orden cabe indicar conforme se contextualiza para el extremo anterior, que el artículo 9 del Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” establece el cumplimiento del estándar SCS 9001 “Estándar de Seguridad de Cadena de Suministro y Ciberseguridad, cuya definición como parte de las medidas de ciberseguridad obedece a los criterios de razonabilidad técnica allí precisados. Por otra parte, el artículo 11 del del Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” no posee en su contenido ningún inciso f): “Artículo 11º. Medidas aplicables ante la identificación de riesgo alto. Cuando alguno de los sujetos comprendidos en el ámbito de aplicación del artículo 2 del presente Reglamento identifique la presencia de alguno o varios de los parámetros de riesgo alto consignados en el artículo anterior, deberá informarlo a la Superintendencia de Telecomunicaciones (Sutel) de conformidad con las disposiciones del artículo 42 de la Ley General de Telecomunicaciones, Nº8642, dentro de los 3 (tres) días naturales siguientes a su identificación y adoptar las medidas técnicas y administrativas idóneas para garantizar la seguridad de sus redes y sus servicios. Cuando se identifique la presencia de alguno o varios de los parámetros de riesgo alto por parte de los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento, quedará sujeto a la adopción inmediata de las siguientes medidas técnicas de ciberseguridad: 1) No podrán ser utilizados en elementos críticos de la red, equipos de telecomunicación, sistemas de transmisión, equipos de conmutación o encaminamiento y demás recursos, que permitan el transporte de señales por representar un alto riesgo de ciberseguridad para las redes 5G y superiores, y la seguridad nacional. Para tal efecto, se declaran elementos críticos de la red 5G y superiores los siguientes: i. Los relativos a las funciones del núcleo de la red. ii. Los sistemas de control y gestión y los servicios de apoyo. iii. La red de acceso en aquellas zonas geográficas y ubicaciones que proporcionen cobertura a centros vinculados con la seguridad nacional y la provisión de servicios públicos esenciales. 2) Llevar a cabo la sustitución de los equipos, productos y servicios de la red 5G y superiores cuando ello fuera necesario, para lo cual, deberá tener en cuenta la situación del mercado de los suministradores de hardware y software, las alternativas de suministro de equipos y productos sustitutivos viables, la implantación de esos equipos y productos en la red 5G y superiores, especialmente en los elementos críticos de la red, la dificultad intrínseca para llevar a cabo la sustitución de equipos, los ciclos de actualización de equipos, así como su impacto económico. En ningún caso, el plazo de sustitución de los equipos podrá ser superior a cinco años, contados a partir de la clasificación como de alto riesgo. El cumplimiento de las presentes disposiciones reglamentarias deberá ser consideradas para la operación de redes 5G y superiores y sus servicios, de conformidad con las disposiciones del artículo 49 numerales 1 y 3 de la Ley N°8642, Ley General de Telecomunicaciones”. Siendo que el numeral no posee el inciso que la parte recurrente indica, por lo cual es impertinente su análisis. 10.- Es la especie, los artículos impugnados carecen de fundamentación técnica y los requisitos establecidos en ellos no se ajustan a los estándares internacionales debidamente probados, aceptados y adoptados. Por ejemplo, el artículo 9 párrafo primero dispone que “Los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento, deberán solicitar a sus suministradores de hardware y software, que intervienen en el funcionamiento y operación de las redes 5G y superiores y sus servicios, la definición de los requisitos, controles y mediciones del sistema de gestión de ciberseguridad de la cadena de suministro para el diseño, desarrollo, producción, entrega, instalación y mantenimiento de hardware, software y servicios de conformidad con el estándar SCS 9001 “Estándar de Seguridad de la Cadena de Suministro” sin justificar porqué se exige específicamente este standard. El Estándar SCS 9001 (Supply Chain Security 9001) fue recientemente creado, en el 2022, por la TIA (Telecommunications Industry Association), que es una agrupación Estadounidense de proveedores TIC (Tecnologías de la Información y Comunicación). El Estándar SCS 9001 carece de datos suficientes que permitan la comprobación de su eficacia, puesto que aún se encuentran en la fase de planes piloto para llevar a cabo la correspondiente evaluación técnica. El ecosistema actual de normas de Ciberseguridad, que ha sido desarrollado por ISO, GSMA y 3GPP, siendo reconocido, aceptado, verificado e implementado por la industria de Servicios de Telefonía Móvil Celular a nivel mundial, desde hace ya varios años. Respuesta. No es cierto. Han sido abundantes hasta este punto las fundamentaciones de por qué el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” contiene una base técnica y objetiva, que deriva de las potestades propias para el establecimiento de las condiciones y obligaciones para la explotación del espectro radioeléctrico; lo anterior sin detrimento de la potestad reglamentaria en esta materia que deriva del artículo 42 de la Ley General de Telecomunicaciones. En concreto, para el estándar fijado en el artículo 9 que indica en su alegato se remite a las consideraciones técnicas ya incorporadas al presente informe y al insumo técnico complementario de referencia, precisando lo siguiente: ● Se trata de un estándar que fue construido sobre la metodología de TIA QuEST Forum para asegurar que sea global, relevante y de alta calidad. ● Su elaboración es resultado del aporte de expertos de seguridad del campo, diferentes organizaciones y fabricantes del sector que trabajaron para el desarrollo del estándar SCS 9001. ● En este proceso se cumplen los requisitos y lineamientos exigidos por cualquier estándar ISO. ● El estándar SCS 90018 se desarrolló activamente durante aproximadamente dos años durante 2020 y 2021. El SCS 9001 fue aprobado para su lanzamiento en diciembre de 2021. ● SCS 9001 responde a una necesidad de las nuevas amenazas que enfrenta el espacio cibernético. ● El SCS 9001 en comparación del ISO 27001 son las medidas detalladas de seguridad de la cadena de suministro y la evaluación comparativa de SCS 9001. ● El SCS 9001 está acreditado por el Instituto de Estándares Nacionales Estadounidense (ANSI) ● TIA tiene más de 1000 voluntarios contribuyen desde aproximadamente 400 compañías en más de 20 países. ● El Reglamento no menciona en su articulado que las medidas de gestión del riesgo desplacen o invaliden en forma alguna otras normas de ciberseguridad desarrolladas como son las ISO, GSMA y 3GPP, sino que vienen a fungir como medidas complementarias, de acatamiento obligatorio para los operadores que cuenten con título habilitante para los servicios de telecomunicaciones basados en tecnologías de quinta generación o superiores. 11.- Los artículos 8 inciso i) y 10 inciso a) violan el principio constitucional de proporcionalidad. 12.- Como lo ha establecido la jurisprudencia de esa Sala, un acto estatal que limite derechos fundamentales debe ser necesario, idóneo y proporcional. 13.- Los artículos antes citados del Reglamento no son necesarios, ni idóneos ni proporcionales. En efecto, no son necesarios pues la red de telefonía ha operado en el país desde sus inicios mediante el sistema de diversificación vertical, que es la metodología más eficiente y por ende la más ampliamente usada a nivel mundial, para garantizar un balance de proveedores que garantice la seguridad de la red en forma costoefectiva. Si algo funciona bien no hay razón para cambiar. Por tanto, no existe una necesidad imperiosa de acoger el modelo indicado en los artículos 8 inciso i) y el 10 inciso a) del Reglamento impugnado. 14.Finalmente, no existe una proporcionalidad entre el supuesto beneficio que obtendría el interés público según el modelo indicado en los artículos 8 inciso i) y el 10 inciso a) del Reglamento impugnado”. Respuesta. No son ciertas las afirmaciones de la empresa recurrente por las siguientes razones. Conviene contextualizar lo indicado en el artículo 8 del Decreto Ejecutivo Nº44196MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” que indica: “Artículo 8º- Gestión del Riesgo de las Redes 5G y Superiores. Los sujetos comprendidos en el ámbito de aplicación definido en el artículo 2 de este Reglamento, deberán adoptar las medidas adecuadas para gestionar los riesgos identificados de conformidad con el artículo 7 de esta normativa. Para estos efectos se deberán de incluir las siguientes medidas: (...) Diseñar una estrategia de diversificación en la cadena de suministro de los equipos de telecomunicación, sistemas de transmisión, equipos de conmutación o encaminamiento y demás recursos que permitan el transporte de señales en una red 5G o superior, de forma tal que dichos equipos, sistemas o recursos sean proporcionados, como mínimo, por dos suministradores de hardware y software diferentes”.Como bien se ha desarrollado en el presente informe, que las medidas de gestión de riesgos reguladas en el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” permite que se identifiquen en el numeral 10, cuáles son los parámetros de riesgo alto de la red. En ese sentido, se delimita en el inciso a) que en lo conducente señala: “a) Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento cuenten con un único suministrador de hardware y software en su cadena de suministro, cuando este se encarga de configurar e integrar todos los equipos activos y software de la solución, o si la red está compuesta por equipos activos y software de un único fabricante”. Sobre el particular se reitera que, para la definición de estos parámetros, el Poder Ejecutivo en efecto realizó todo un ejercicio de razonabilidad y proporcionalidad que la empresa recurrente extraña. Esta construcción de criterios se ha reseñado en los apartados -B- y -K- inciso E) del informe técnico No. MICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023 y que a continuación se trae a colación. Resulta importante además informar a esta Sala Constitucional, que los sistemas IMT 2020 son mucho más complejos que un sistema de telefonía, por lo que no lleva razón la empresa en cuanto a las afirmaciones que sostiene, dadas sus limitaciones técnicas. En todo caso, es el Poder Ejecutivo en su carácter de Administración Concedente, quien mejor conoce la necesidad a satisfacer, y en ese sentido es responsable de definir el objeto contractual y con ello las condiciones bajo las cuales los operadores deben brindar el servicio correspondiente en su título de concesión, y no viceversa como pretende hacerlo en este caso la empresa recurrente, de pretender que el uso y explotación del espectro radioeléctrico para la operación de redes y la prestación de este tipo de servicios se ajuste a un modelo en concreto, que beneficie los intereses de un particular. Debe reflexionarse además, que se torna crítica la implementación de medidas enfocadas en reducir los riesgos en materia de ciberseguridad en razón de las características técnicas avanzadas de dicha tecnología, que como bien se ha apuntado son: ● Tasa de transferencia de datos experimentada por el usuario (10 veces mayor que 4G), ● Latencia (10 veces menor que 4G), ● Densificación de conexiones (10 veces más que 4G, hasta 1M de dispositivos por kilómetro cuadrado), ● Escenarios de movilidad (hasta 500 km/h), ● Eficiencia espectral (3 veces mayor), ● “Network slicing” (capacidad de segmentar redes). Es entonces como se evidencia la necesidad de dicha medida, ya que la dependencia o monocultura tecnológica aumenta el riesgo significativo de que se pueda comprometer todo el ecosistema. Si un atacante encuentra una vulnerabilidad para un tipo de sistema, se pone en riesgo a todos los componentes de la red y por ende, afectaría toda la información que pase por esos dispositivos, datos, información de los usuarios y servicios que por ellos transitan. A nivel de capas de seguridad, no es la misma seguridad si se trata de sistemas, equipos con especificaciones y componentes diferentes, siendo más complejo encontrar la vulnerabilidad ante la diversidad de fabricantes. La diversidad de proveedores es necesaria para mitigar los riesgos, aumentando la resiliencia del sistema o los sistemas, frente a ataques y fallas que se puedan ocasionar. Desde una perspectiva jurídica, se recalca la necesidad de la medida, toda vez que pretende garantizar la funcionalidad de la tecnología en aras de salvaguardar la continuidad y acceso al servicio. Con la medida, se previene además la afectación al régimen jurídico de los derechos e intereses de los usuarios finales de telecomunicaciones, que derivan precisamente de la protección y resguardo de los derechos fundamentales y derechos humanos a la intimidad, privacidad y secreto de las comunicaciones, autodeterminación informativa, el acceso a la libre información, comunicación, salud, entre otros. Por su parte, se determina que la previsión de esta disposición cumple con un criterio de idoneidad, por cuanto, la dependencia de un solo proveedor puede traer un único punto de falla, ya que si se sufre una interrupción, todo el sistema se puede ver comprometido. En contraposición, tener múltiples proveedores permite disminuir la posibilidad de que una única vulnerabilidad o falla afecte todo el sistema. Diversificar los proveedores ayuda a asegurar la seguridad operativa y la resiliencia del sistema en caso de fallos de un proveedor. La presente medida se estima idónea, pues procura garantizar que, a mayor cantidad de proveedores, mayor cantidad de soluciones ante el servicio final de telecomunicaciones sin necesidad de interrumpir la continuidad del servicio en beneficio del usuario final. Ante un incidente de ciberdelincuencia con un único suministrador se elevaría la criticidad del siniestro, como resultado de la dependencia de un único suministrador. Ahora bien, desde una perspectiva de proporcionalidad, contar con múltiples proveedores permite reducir la dependencia de las actualizaciones de seguridad de un único proveedor, con la ventaja de tiempos de respuesta y disponibilidad de opciones de seguridad mejoradas y eficaces, por tanto, la medida es proporcional al fin de seguridad que se pretende asegurar. El impacto de la contramedida, por tanto, no es mayor al riesgo que ocasiona la dependencia hacia un único proveedor, por las razones apuntadas. El beneficio que se persigue es dotar a la población de una red avanzada y segura previendo que no exista dependencia de un único suministrador y por tanto exista riesgo de no conseguir componentes, compatibilidad obstaculizada, cierre de fábricas, discontinuidad de repuestos, problemas en la cadena de producción entre otros. El objetivo primordial es evitar que la materialización de los riesgos asociados al funcionamiento de la red tenga consecuencias en los usuarios finales de telecomunicaciones perjudicando el ejercicio de sus derechos fundamentales de rango constitucional. En ese sentido la medida es proporcional porque pretende equilibrar la posibilidad de un servicio continuo frente a las dificultades de comercio a que puedan enfrentarse los suministradores, es una por ende una medida a favor de la continuidad del servicio que se presta. La medida como tal, técnicamente tiene plena legitimidad toda vez que es factible que sistemas o componentes de distintos proveedores interactúen entre sí, por tanto, no es técnicamente imposible ni predispone la generación de fallas en la operación y más bien, aunado a las razones anteriormente descritas, representa un fin legítimo para la salvaguardia de la seguridad de la información y las redes, así como en el cumplimiento de los fines de la ciberseguridad. Finalmente, se ha considerado que los habitantes tienen derecho de acceder a las telecomunicaciones para su desarrollo personal, cultural, educativo, entre otros. En ese sentido el espectro radioeléctrico como bien demanial constitucional merece una protección por parte del Estado quien debe velar por el uso y explotación segura de las redes y servicios prestados a través de este bien demanial constitucional, mediante el ejercicio de su potestad pública reglamentaria, particularmente dispuesta en el Régimen de Protección de los derechos de los usuarios finales de telecomunicaciones de los numerales, 41, 42 y siguientes de la Ley General de Telecomunicaciones. El establecimiento de esta medida se hace sobre la base de los criterios de la ciencia y la técnica dispuestos en el artículo 16 de la Ley General de la Administración Pública, Nº 6227, todo ello sabiendo que la existencia de un único proveedor en la cadena de suministro podría significar que la red dependa de un único elemento para su óptimo funcionamiento, con los riesgos que ello conlleva sobre la continuidad del servicio y por ende el correspondiente acceso a este por parte de los usuarios finales. Conviene agregar además, que los escenarios de riesgo en materia de ciberseguridad entre los cuales figura la dependencia a un sólo proveedor, han sido identificados y agrupados según las recomendaciones y experiencia de la comunidad internacional, en concreto la Unión Europea en documento titulado “Caja de Herramientas de la Unión Europea para la seguridad de las redes 5G”. III. Sobre los hechos y alegatos planteados en el RECURSO DE AMPARO en escrito recibido en la Secretaría de la Sala el 10 de octubre de 2023. “Con fundamento en el artículo 41 de la Ley de la Jurisdicción Constitucional reitero mi solicitud que se suspenda la ejecución de la licitación que promoverá el ICE en pocos días para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil, con base en las siguientes razones fácticas y jurídicas. 1.- Las finalidades del recurso de amparo 1.- Como es sabido, la institución del amparo fue tomada por nuestros Constituyentes de 1949 de la efímera Constitución cubana de 1940. Este modelo, a diferencia de lo que ocurre en el resto de las legislaciones, establece el recurso de amparo exclusivamente contra conductas administrativas (actos, omisiones, amenazas). 2.- Este sistema tiene la ventaja de que cumple con el principal objetivo del recurso de amparo que consiste en evitar la violación de derechos fundamentales cuando se plantea contra amenazas, o bien en restituir el derecho fundamental conculcado antes de que el daño se convierta en irreversible. Para lograr este objetivo es que se utiliza precisamente el instituto de las medidas cautelares y, en el caso costarricense, de suspender los efectos de la ejecución de la conducta impugnada, de conformidad con la letra y espíritu del artículo 41 de la Ley de la Jurisdicción Constitucional. 3.- Cuando el amparo se consagra sólo (sic) contra resoluciones judiciales, como ocurre en la mayoría de las legislaciones, sólo (sic) tiene un efecto indemnizatorio, pues ya la violación o amenaza de violación se ha materializado de manera irreversible, por lo que resulta jurídicamente imposible restituir al amparado en el ejercicio efectivo de su derecho fundamental conculcado o bien la amenaza de violación se tradujo en una conculcación irreversible de su derecho. 4.- Por ello, cuando en nuestro sistema no se suspende la ejecución del acto o de la amenaza impugnada por la gravedad de sus implicaciones, el citado remedio procesal termina teniendo sólo (sic) efectos indemnizatorios pues se habría renunciado a cumplir con su vocación primaria de restituir el derecho fundamental vulnerado o de impedir que se viole alguno. 5.- Por tanto, esa Sala debe valorar, caso por caso, cuando es imprescindible suspender la ejecución presente (cuando se trata de actos) o futura (cuando estemos en presencia de amenazas), dado que si, en determinados casos no lo hace, la no suspensión podría producir violaciones irreversibles a los derechos fundamentales y sus titulares tendrían que resignarse con el cobro de los daños y perjuicios sufridos en la vía contencioso- administrativa. Respuesta. No es cierto. En este momento no se presenta ningún derecho fundamental conculcado, en vista de la efectiva participación de la empresa [Nombre 002]., en el proceso licitatorio para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001. Además, la empresa en dicho proceso ha manifestado que entiende y cumple las condiciones del pliego cartelario por lo cual no se vislumbra el escenario descrito por el recurrente siendo que ha efectuado un ejercicio efectivo y pleno de sus derechos a la libertad de empresa, libre concurrencia e igualdad de condiciones en el proceso de contratación pública en curso. También conforme lo señalamos ut supra, la empresa recurrente afirma que en el caso concreto podría configurarse un daño irreversible, así como daños derivados de su reputación, lo cual además de adolecer de los elementos probatorios pertinentes, no posee asidero en materia de contratación pública, dada la naturaleza propia del procedimiento licitatorio. Ello por cuanto los oferentes que reúnan las condiciones técnicas propias del objeto por el cual participan, y deben ser evaluadas en un plano de igualdad de condiciones, es por ello por lo que hemos indicado que cada una participa con una expectativa, no así con un derecho (subjetivo) preconstituido de resultar favorecidas. Pretendiendo además que en caso de no resultar favorecida el Operador deba asumir una carga resarcitoria en virtud de relaciones contractuales previas, o en razón del porcentaje de mercado local que representa el Operador recurrido. Considérese además lo ya referido por este Ministerio, en cuanto a la improcedencia de otorgar a la empresa la medida cautelar pretendida, toda vez que no se acreditan en el caso concreto cada uno de los presupuestos de mérito para suspender la contratación en curso, con las consecuencias para el Operador y sus usuarios que hemos señalado. Como bien se ha mencionado, la solicitud de la empresa recurrente posee una serie de incongruencias que atentan con los presupuestos para otorgar la medida cautelar pretendida, así por ejemplo en cuanto al presupuesto de apariencia de buen derecho: ● La empresa costarricense [Nombre 002]., ha participado efectivamente en el proceso licitatorio para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001. ● Además declaró bajo fe de juramento su adecuación a los requisitos del pliego de condiciones de dicho proceso concursal. En ese sentido, no se aprecia la consideración de imposible cumplimiento que viene a afirmar. ● Tampoco la instrumentalidad de la medida por cuanto pretende suspender un procedimiento de concurso en el cual participa en igualdad de condiciones con otros oferentes, por lo cual su suspensión en este momento implicaría una afectación de los intereses legítimos de todos los oferentes involucrados en el proceso, del Operador y sus usuarios. ● La medida no evitaría algún privilegio injustificado o una distinción objetivamente infundada, dada la condición de igualdad del recurrente en el proceso de contratación al cumplir conforme a sus manifestaciones, las condiciones del pliego cartelario, sin ningún tipo de señalamiento en contra o en línea con lo aquí argumentado. ● En igual forma no puede acreditarse la apariencia de buen derecho sobre hechos que contradicen los argumentos presentados por la empresa, en el tanto esta declaró bajo fe de juramento su adecuación a los requisitos del pliego de condiciones de dicho proceso concursal. ● No sería proporcional suspender el concurso del Operador, causándole una situación de desventaja frente a sus competidores, lo cual es contrario al principio sectorial de competencia efectiva. ● Sobre todo una afectación directa a los usuarios del Operador en lo que atiende al disfrute y ejercicio de los derechos humanos y fundamentales que conlleva el el acceso a nuevas tecnologías y el disfrute pleno de los servicios de telecomunicaciones (v.gr. Internet basado en tecnologías de quinta generación o superior). ● Tampoco sería idóneo favorecer al recurrente con una medida cautelar que pretende originarse en un derecho subjetivo (inexistente) a ser favorecido por el resultado del proceso de contratación pública en particular. ● De igual forma no es necesaria la medida haciendo manifestado la empresa recurrente la sujeción y aceptación plena a las condiciones del pliego de la contratación. ● Finalmente, el ejercicio del derecho fundamental a la defensa y el contradictorio deberá darse dentro del mismo procedimiento licitatorio, a través del régimen recursivo. Desde luego que todas estas debilidades hacen nugatoria la solicitud planteada por la empresa. Aunado a ello, la solicitud de la empresa lo que demuestra es que prevalezca el interés propio por encima del público, con lo cual pretende dejar desprovista a la ciudadanía de las nuevas tecnologías en forma segura, la eficiente y óptima la explotación del espectro radioeléctrico y el desarrollo de redes de telecomunicaciones basadas en tecnología 5G y superiores ante su sola expectativa de resultar adjudicada, que sin ánimo de prejuzgar, podría incurrir en dos alternativas inciertas a hoy, resultar adjudicada o no verse favorecida del todo con la adjudicación. Al no materializarse aún la lesión que reputa a sus derechos fundamentales, lesivo sería proceder con una medida cautelar de suspensión en perjuicio del procedimiento especial de servicios en competencia del Operador. Esto por cuanto el impacto directo lo es para los usuarios quienes no tendrían acceso a más y mejores alternativas en la prestación de los servicios, la plena satisfacción en cuanto al disfrute de los servicios que la tecnología actual brinda, la implementación de redes innovadoras para la satisfacción del interés público inmerso en los títulos de concesión otorgados por el Poder Ejecutivo, afectaría además la esfera de intereses legítimos de los demás oferentes en igualdad de condiciones, el cumplimiento de las condiciones y obligaciones dispuestas en el título de concesión para el Operador recurrido, y una potencial desventaja en el desarrollo de su actividad en materia de telecomunicaciones frente a otros competidores no sujetos a los procesos de contratación pública, y además perjudica inclusive a la propia oferta de la empresa recurrente al suspender su propia evaluación, por circunstancias que ella misma no aclaró desde un momento inicial, en sede administrativa. 6.- En tales circunstancias, el recurso de amparo deja de ser un remedio procesal para reintegrar el derecho violado o impedir que se concrete su violación, para convertirse en una jurisdicción reparadora de daños y perjuicios. Esta última función es accesoria y debe ceder ante la finalidad primaria del amparo que es la tutela efectiva de los derechos fundamentales. II.- Los elementos para decretar una medida cautelar 1.- En el presente caso estamos en presencia de un caso de excepción, pues si no se suspende la ejecución del futuro acto lesivo de nuestros derechos fundamentales y que se encuentra casi en fase de ejecución, el perjuicio para mi representada sería irreparable e irreversible pues no podría participar en el citado concurso público para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil. 2.- Por ello es claro que en la especie se presentan los tres elementos que la doctrina procesal administrativa considera que son necesarios para el otorgamiento de una medida cautelar, a saber: a) apariencia de buen derecho, b) peligro en la demora, c) bilateralidad del periculum in mora. 3.- La apariencia de buen derecho está ampliamente demostrada en el expediente con las evidentes violaciones de los derechos fundamentales a la libre concurrencia e igualdad de participación en los concursos públicos en perjuicio de mi representada. 4.- El peligro en la demora consiste en el temor objetivamente fundado y razonable de que la situación jurídica sustancial aducida resulte seriamente dañada o perjudicada en forma grave e irreparable, durante el transcurso del tiempo necesario para dictar sentencia en el proceso principal. 5.- Este presupuesto requiere la presencia de dos elementos: el daño o perjuicio grave y la demora en el proceso principal, sin soslayar que dentro de este presupuesto se encuentra lo que la doctrina denomina la “bilateralidad del periculum in mora” o como comúnmente se le conoce, la ponderación de los intereses en juego. 6.- El presupuesto del peligro en la demora alude a dos aspectos: primero, a los daños que se reprochen que son susceptibles de producirse actual o potencialmente de no adoptarse la medida que se requiere. Daños que deben establecerse como graves, además de tenerse como derivados de la situación aducida. Respuesta. No es cierto que en la especie se hayan configurado todos los elementos y presupuestos necesarios para que proceda la tutela cautelar que ha solicitado la empresa recurrente, por el contrario la realidad de los hechos es que al momento de rendirse el presente informe la empresa tuvo la oportunidad de participar en el procedimiento especial de servicios en competencia, para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001. Incluso conforme ha quedado demostrado líneas atrás, la empresa manifestó su total entendimiento y conformidad a los requisitos regulados en el pliego de condiciones, sin reserva o protesta alguna. Por lo anterior, no se observa cual (sic) es el daño que ha mencionado en constantes ocasiones para solicitar incluso la protección mediante suspensión cautelar, toda vez que su participación en un proceso de la más amplia concurrencia permitiría dos resultados, la adjudicación o la no adjudicación, tomando en cuenta no sólo las reglas fijadas con antelación para la contratación, además las prerrogativas de la Administración para valorar si en el caso concreto terminará el procedimiento en forma normal con la adjudicación, o en forma anormal, mediante otra decisión. Es por ello que ante las posibilidades que pueden surgir del procedimiento de selección, la participación constituye una mera expectativa y el resultado no puede reputarse como un daño irreparable tal cual quiere hacerlo ver la empresa. Por el contrario, parece sostener la posición de que su empresa debe mantener una adjudicación perpetua, lo cual no solo enerva la finalidad del procedimiento, sino que esta circunstancia de contratar ad perpetuam con la administración no es factible en el ordenamiento costarricense. 7.- En cuanto a los daños es claro que, de no suspenderse los efectos de la conducta impugnada en el presente recurso de amparo, se le podrían ocasionar daños y perjuicios de difícil o inclusive imposible reparación a mi representada, al impedírsele participar en el citado procedimiento licitatorio tendente a la adquisición de la tecnología en telecomunicaciones 5G Móvil. 8.- Solo para el Instituto Costarricense de Electricidad los costos por la exclusión de [Nombre 002]. que es el actual suplidor de hardware y software para esa entidad, sería de $1.5 billones. Lo anterior es un hecho público y notorio que consta en la noticia de La República de 11 de septiembre de 2023 “Excluir a empresas asiáticas de concurso de redes 5G le costaría al país $1,5 billones en tecnología” disponible en https://www.larepublica.net/noticia/excluir-a-empresas-asiaticasdeconcurso-de-redes-5g-le-costaria-al-pais-15-billones-en-tecnologia Respuesta. No es cierto. El acceso al sitio web señalado no corresponde con la información; además según los hemos señalado en la especie no se acredita y adolece de elementos probatorios que se le haya impedido participar, lo que en consecuencia no amerita otorgar a la empresa recurrente la tutela cautelar que ha solicitado, por las siguientes razones: ● Al momento de rendirse el presente informe la empresa recurrente tuvo la oportunidad de participar en el procedimiento especial de servicios en competencia, para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE000023-0000400001. Incluso conforme ha quedado demostrado líneas atrás, la empresa manifestó su total entendimiento y conformidad a los requisitos regulados en el pliego de condiciones, sin reserva o protesta alguna. ● La inexistencia del daño que ha mencionado en constantes ocasiones para solicitar incluso la protección mediante suspensión cautelar, toda vez que su participación en un proceso de la más amplia concurrencia permitiría dos resultados, la adjudicación o la no adjudicación, tomando en cuenta no sólo las reglas fijadas con antelación para la contratación. ● Las prerrogativas del Operador contratante mediante procedimiento especial para servicios en competencia para valorar si en el caso concreto terminará el procedimiento en forma normal con la adjudicación, o en forma anormal, mediante otra decisión. ● La participación constituye una mera expectativa y el resultado no puede reputarse como un daño irreparable tal cual quiere hacerlo ver la empresa recurrente. ● Es improcedente la posición de que su empresa debe mantener una adjudicación perpetua, o que debe resultar favorecida previo procedimiento de concurso. ● Esta posición enerva la finalidad del procedimiento especial de servicios en competencia en curso, y la improcedencia de pretender una contratación ad perpetuam con el Operador contratante lo cual jurídicamente no procede. En cuanto a la supuesta cuantificación de costos de exclusión por la suma de $1.5 billones en perjuicio del operador, tome nota la Sala Constitucional que se trata de una premisa sin sustento, por cuanto la valoración de la empresa parte de un comunicado cuyo sustento técnico no ha sido aportado al caso concreto, y por tanto carece de base objetiva técnica y se omite aportar el elemento probatorio pertinente para estos efectos. 9.- En segundo lugar, este presupuesto se refiere a la situación que se genera con ocasión de los procesos jurisdiccionales que requieren para su desarrollo y posteriormente fenecimiento, la realización de una serie de actos a través de los cuales se garantiza no sólo (sic) el debido proceso, sino la emisión de un fallo que si no se puede llevar a cabo con prontitud al menos que sea justo. 10.- El ponerle fin a un proceso, cuya sentencia dependerá de que previamente se resuelva una acción de inconstitucionalidad contra normas que necesariamente tienen que aplicarse en él, demanda tiempo y es precisamente donde la tutela cautelar adquiere especial relevancia, por cuanto mientras llega esa decisión del proceso se evita la producción de graves daños, que en el evento de producirse haría nugatorio el derecho que se reclama. 11.- El presente recurso de amparo no podrá resolverse antes que esa misma Sala vote por el fondo la acción de inconstitucionalidad que se presentará con base en él, lo cual podría tardar al menos dos años. 12.- La bilateralidad del periculum in mora se refiere a la ponderación de los intereses en juego, vinculado ello con el interés público que sea susceptible de encontrarse en necesidad de ser protegido, frente al interés de terceros y por supuesto del interés de quien acude por medio de una medida cautelar, debiendo valorarse comparativamente los mismos, imponiéndose la derogatoria de la medida cuando el perjuicio sufrido o susceptible de ser producido a la colectividad o terceros, sea superior al que podría experimentar el Solicitante de la medida. Respuesta. No es cierto. Hemos acreditado previamente como se incumplen los presupuestos y elementos necesarios en la especie para otorgar a la empresa recurrente la tutela cautelar que ha solicitado. Debe valorarse por esta Sala Constitucional en cuanto a los potenciales daños en caso de acogerse dicha medida cautelar sobre la actividad comercial del Operador en régimen de competencia, el acceso a nuevas tecnologías y disfrute pleno y seguro de servicios por parte de los usuarios finales y los objetivos propios del proceso de contratación pública en curso conforme al artículo 182 de nuestra Constitución Política. 13.-El interés público también se vería afectado porque el impacto en los operadores con exclusión de Huawei en 5G tendría efectos muy perjudiciales. La implementación del decreto podría traducirse en la necesidad de un incremento de inversión de aproximadamente USD196,69 millones en un periodo de 5 años. Pero más allá del impacto monetario directo, esta situación podría generar un atraso en la implementación de la tecnología 5G, extendiendo la duración de su despliegue hasta 4 años adicionales. Estos retrasos, además de los costos adicionales financieros, pueden tener repercusiones en la competitividad del país y en la adaptabilidad de las industrias locales a las tendencias tecnológicas globales. 14.-Desde el punto de vista del impacto interno también se acarrearían importantes perjuicios. Por ejemplo, el ICE tendría que incrementar su deuda externa debido a las inversiones adicionales que tendría que realizar para compatibilizar el nuevo sistema. 15.- El PIB bajaría debido a la disminución de las actividades económicas impulsadas por las tecnologías avanzadas y que requieren de la 5G para su desarrollo, tales como la auto conducción, la auto fabricación, la inteligencia artificial, etc. 16.- Los costos de adquisición de equipos por parte de los operadores de redes y prestadores de servicios de telecomunicaciones se incrementarán al tener que adquirirlos a un precio mayor de empresas estadounidenses y europeas (hecho público y notorio que consta en noticias de medios de prensa Semanario Universidad, 6 de septiembre de 2023 “Decreto de Presidente Chaves deja fuera a cinco de las empresas líderes en 5G” disponible en https://semanariouniversidad.com/pais/decreto-de-presidentechaves-deja-fuera-a-cincode-las-empresas-lideres-en-5g/ y Diario Extra, 6 de septiembre de 2023 “Decisión de Gobierno subiría precio del Internet” https://www.diaríoextra.com/Noticia/detalle/504206/decisi-n-de-gobiernosubir-a-preciodel-internet-). 17.- Los costos más elevados en la adquisición de los equipos por los operadores de redes y prestadores de servicios de telecomunicaciones serían trasladados a los consumidores y usuarios finales de tales servicios (Hecho público y notorio que consta en noticias de medios de prensa Semanario Universidad, 6 de septiembre de 2023 “Decreto de Presidente Chaves deja fuera a cinco de las empresas .líderes en SG” disponible enhttps://semanariouniversidad.com/pais/decretode. presidente-chaves-deja-fuera-a-cincode-las-empresas-lideres-en-5g/ y Diario Extra, 6 de septiembre de 2023 “Decisión de Gobierno subiría precio del internet” https://www.diarioextra.com/Noticia/detalle/504206/decisi-n-de-gobiernosubir-a-preciodel-internet-). 18.- También habría una pérdida de oportunidades justas para que los usuarios del sistema obtengan acceso a tecnologías avanzadas de 5G debido al inevitable aumento de las tarifas telefónicas. En efecto, el costo adicional de las tecnologías menos avanzadas y el mercado con competencia insuficiente se trasferirá finalmente a los usuarios. El precio de las tarifas aumentaría entre un 40%. 19.- Si se lleva a cabo el despliegue 5G sin restricciones, su inversión contribuiría con USD 748,4 millones al Producto Interno Bruto (PIB) de Costa Rica en un lapso de 5 años. Esto representa un significativo 3,19% del PIB. Sin embargo, bajo las limitaciones del decreto, esta contribución se desploma a apenas USD 419,1 millones. Estamos hablando de una reducción de USD329,3 millones en tan solo cinco años, una cifra nada despreciable para cualquier economía y altamente significativa para Costa Rica. 20.- En todo caso, el estudio económico realizado por el CINPE de la Universidad Nacional en la que participaron 5 prestigiosos investigadores de ese centro educativo llega a las siguientes conclusiones: Capítulo IV: Conclusiones y Recomendaciones. A lo largo de la presente investigación nos hemos propuesto calcular el impacto financiero y económico que tiene para Costa Rica la decisión de implementación del decreto ejecutivo No 44196MSP-MICITT. Hemos dejado claro en el capítulo 1 de la investigación la importancia y efectos que tendrá el paso de la internet 4 y 4.5 G a las plataformas de uso basadas en 5G. Este proceso de transformación de la economía digital tiene importantes efectos en la competitividad de las empresas, en el empleo y el desarrollo tecnológico de industrias claves para el país y en la generación de oportunidades de innovación. Por todo lo anterior, hemos de tomarle la mayor importancia y trascendencia al proceso que viene para el país con el despliegue de las redes 5G. En el capítulo 2 y 3 de este estudio, a partir de los resultados obtenidos de la aplicación de la metodología de análisis de impacto financiero y de impacto económico, así como la distribución de dichos montos en las tarifas, podemos concluir qué, las restricciones a los proveedores asiáticos y en particular a la empresa Huawei de participar en la licitación de los equipos y el mantenimiento de las redes 5G en Costa (sic), tiene significativos efectos financieros para los operadores de telefonía celular y un muy alto impacto económico y social para el país. Se concluye que: 1. La implementación del decreto podría traducirse en la necesidad de un incremento de inversión de aproximadamente USD196,69 millones en un periodo de 5 años. Pero más allá del impacto monetario directo, esta situación podría generar un atraso en la implementación de la tecnología SG, extendiendo la duración de su despliegue hasta 4 años adicionales. Estos retrasos, además de los costos adicionales financieros, pueden tener repercusiones en la competitividad del país y en la adaptabilidad de las industrias locales a las tendencias tecnológicas globales. 2. Respecto al impacto en la economía de dichos efectos del despliegue de la tecnología 5G puede apreciarse de manera contundente al comparar los escenarios con y sin la implementación de este decreto. De acuerdo con nuestra investigación y los datos presentados en la tabla 2.3, si se lleva a cabo el despliegue 5G sin restricciones, su inversión contribuiría con USD 748,4 millones al Producto Interno Bruto (PIB) de Costa Rica en un lapso de 5 años. Esto representa un significativo 3,19% del PIB. Sin embargo, bajo las limitaciones del decreto, esta contribución se desploma a apenas USD 419,1 millones. Estamos hablando de una reducción de USD 329,3 millones en tan solo cinco años, una cifra nada despreciable para cualquier economía y altamente significativa para Costa Rica. 3. Las industrias más afectadas son, la industria manufacturera, el sector TIC, el sector comercial y la administración pública. La industria de manufactura es un sector estrechamente ligado al dinamismo de las zonas francas y que ha sido históricamente un pilar del crecimiento económico de Costa Rica y esta será la que absorbería cerca de un tercio de ese costo económico (USD 117,0 millones), lo que es alarmante. Esta industria no solo es vital por su aporte al PIB, sino también porque es una fuente crucial de empleo para los costarricenses. Adicionalmente, el sector de información y comunicación no se queda atrás, proyectando un impacto negativo de USD 39,18 millones durante el mismo periodo, como consecuencia directa del decreto. En un tercer lugar, se ubica el costo económico para el sector comercial que totaliza USD 29,9 millones. De alguna forma, el impacto estimado para esta industria sería el mejor escenario posible, es decir, podría existir un costo mayor producto de la profundidad que tiene y que tendría la tecnología 5G en la en el acceso a nuevos productos para los consumidores, como es el caso de las plataformas digitales. En un cuarto lugar, se sitúa el impacto en la administración pública por un total de USD24,6 millones, lo cual limitaría al gobierno en general y a los gobiernos locales en particular, en poder acelerar el proceso de ciudades inteligentes. A esto se le complementa mejoras tecnológicas para mejorar la seguridad ciudadana y la cobertura de las tarifas de servicios públicos como es el caso del agua y la luz. 4. A1 integrar los efectos de costos adicionales de inversión en un modelo tarifario medio de la industria, encontramos que las tarifas podrían elevarse hasta en un 40 por ciento adicional, con la implementación del decreto. El efecto para las y los usuarios tiende a la exclusión digital de manera muy importante, sin embargo, dependerá de la estrategia de precios que desarrollen los prestadores del servicio 5G y/o de la intervención del Estado costarricense para amortiguar este impacto en los ingresos de los costarricenses producto del incremento de costos y de precios de los servicios de las telecomunicaciones. 5. Preocupa de sobremanera la exclusión de clientes en áreas rurales y en segmentos de menor ingreso relativo. La brecha existente en la actualidad podría ampliarse significativamente con nefastas implicaciones para las personas excluidas. Adicionalmente, la no implementación a tiempo tendrá efectos de pérdida de oportunidades de inversión y empleo. 6. En su conjunto, vemos que el impacto financiero, económico y social del decreto da cuentas de una significativa pérdida para el país por implementar esta medida. Es claro que existen posiciones encontradas sobre el tema, pero la magnitud de los efectos requiere de un análisis profundo, crítico y coherente con la realidad país. Para ejemplificar el tamaño del impacto económico, podemos compararlo con tres grandes rubros de inversión: a. Emisión de Eurobonoz (sic) La pérdida de USD 329,3 millones equivale aproximadamente al 33% de lo que el Gobierno de Costa Rica obtendría a través de la emisión de un eurobono. Estos bonos son herramientas cruciales que el gobierno utiliza para financiar sus operaciones y proyectos de infraestructura. b. Infraestructura Deportiva: E1 (sic) monto en cuestión podría financiar la construcción de casi cuatro Estadios Nacionales. Estos recintos no solo sirven para eventos deportivos, sino también para actividades culturales y sociales que benefician a la población. c. Seguridad Nacional: La cifra también representa el doble del presupuesto anual destinado al Organismo de Investigación Judicial (OIJ), una entidad vital para el mantenimiento de la seguridad y el orden en el país. Respuesta. No es cierto. En primer orden, debe destacarse que se trata de una prueba que fue contratada por la empresa recurrente a cambio de una contraprestación económica de cuarenta mil dólares americanos a favor del Centro Internacional de Política Económica para el Desarrollo Sostenible (en adelante CINPE) según lo informaron los propios profesionales al atender la convocatoria a la audiencia fijada por la Comisión Permanente Especial de Relaciones Internacionales y Comercio Exterior el pasado 13 de diciembre de 2023. En esta misma línea debe valorar esta Sala Constitucional que de acuerdo con el informe de “Evaluación de Impacto Económico de la Exclusión de Proveedores en las Inversiones de la Red 5G en Costa Rica” elaborado por el Centro Internacional de Política Económica para el Desarrollo Sostenible (en adelante CINPE) señala en plana 8 lo siguiente: “La investigación fue solicitada por la empresa [Nombre 002]., ante la inminente exclusión de esa empresa para proveer el servicio de 5G en Costa Rica; sin embargo, es fundamental enfatizar que los investigadores trabajamos con total independencia y sin presión de ningún tipo” Dicho elemento probatorio por lo tanto no es pertinente dada la ausencia de imparcialidad en la información utilizada y su análisis. Por lo cual, sin perjuicio de las falencias técnicas que presenta, no sería procedente considerar este documento para validar el impacto económico que se alega por el recurrente. Incluso note la Sala Constitucional como las fuentes de dicho estudio son omisas, por cuanto no consta en dicho informe la fuente de información de los datos utilizados para la elaboración de las tablas que se mencionan, a continuación: - TABLA 1. PRINCIPALES CARACTERÍSTICAS DE LAS GENERACIONES DE TELEFONÍA CELULAR. -TABLA 2. PRECIO RELATIVO DE DISTRIBUIDORES VERSUS HUAWEI. PRECIO COMPETIDOR/ HUAWEI. - TABLA 3. PLAN DE INVERSIÓN ACUMULADO 5G EN OPERADORES. MILLONES DE USD. - TABLA 4. MODELO DE COBERTURA DE LA RED 5G SEGÚN HUAWEI Y COMPETIDORES. -TABLA 5. CONTRIBUCIÓN DE LA INVERSIÓN 5G AL PIB EN 5 AÑOS. MILLONES DE USD. -TABLA 10. GASTOS OPERATIVOS Y CONSTRUCTIVOS DE LA INDUSTRIA PROMEDIO. - TABLA 11. ESTIMACIÓN DE LOS GASTOS DE OPERACIÓN Y MANTENIMIENTO, FUNCIÓN DE COSTOS. -TABLA 12. ESTADO DE RESULTADO: RESULTADOS DE LA 5G, AÑO 1, USD$ (ESCENARIO). -TABLA 13. ESCENARIOS DE IMPACTO EN LAS TARIFAS. -TABLA 14. ANÁLISIS DE SENSIBILIZACIÓN DEL VALOR REMANENTE DE LA INVERSIÓN, USD$. -TABLA 15. DISTRIBUCIÓN DE LA CANTIDAD DE USUARIOS A LA RED 5G, POR TIPO DE SERVICIOS. -TABLA 16. IMPACTO EN LA TARIFA SEGÚN OPERADOR Y PAQUETES DE INTERNET Y TV. También se echan de menos los datos promedio de la industria elaborados, los cuales se precisan en la prosa del documento. Se menciona como fuente en algunas de las tablas presentadas, sin embargo, se desconoce cuál es la fuente de información directa de dichos datos. En el estudio se menciona que “(...) en el caso de Huawei (...) en el área urbana su cobertura es 44% mayor (...)”, (página 21 del informe), sin embargo, no se especifica la fuente de este dato. En esta misma línea, se menciona en el estudio que “(...) Esto anterior justifica el costo adicional, conservador, de un 44% de las inversiones esperadas por los operadores (...)”, (página 22 del informe) siendo otro dato del cual se desconoce la fuente. Tampoco consta la fuente de datos utilizada para la extracción del Producto Interno de Costa Rica y la inversión total que se utiliza para la modelación econométrica (según se menciona en la página 23). En el documento se señala que “(...) para el caso de Costa Rica el alcance de la 5G en las conexiones móviles será de un 6%”, sin embargo, no se presenta la fuente de información (página 36 del informe). Aunado a la falta de información antes identificada, se aprecian otras inconsistencias de fondo que implican que la prueba no es idónea para sustentar los daños que se mencionan. En concreto, se aprecia: • Con respecto a la revisión y análisis desde la perspectiva económica, de la reciente contratación por parte de Racsa para equipamiento 5G, se logra visualizar que, DATASYS GROUP VINET (Datasys-Nokia) fue el oferente que presentó la oferta con el precio más bajo por un monto de $2 455 798,27 el cual es un 76% más bajo que el Consorcio ITS CR-ITS PA (ITS Huawei); siendo así que se cuenta con información que señala, con datos reales y recientes aplicables a Costa Rica, que existen opciones incluso más baratas a ITS Huawei, en contraposición a lo que se señala en el estudio del CINPE con base en proyecciones. • Además, en relación precisamente al estudio del CINPE, se encuentran inconsistencias en la información presentada; se detectan cálculos que contienen errores, existe confusión sobre la fuente de información de algunos de los datos que allí se presentan y además, existen dudas sobre el marco teórico y metodológico que sustenta la rigurosidad técnica y científica de la evaluación de impacto que el estudio alega realizar. Lo anterior, no permite constatar las afirmaciones y estimaciones realizadas por el CINPE, a lo largo del estudio. • Existen al menos dos versiones del estudio del CINPE, el que consta en los expedientes N° 23-023887-0007-CO y N°23-025158-0007-CO y el que está disponible en el sitio web del Centro de estudio, que según aclaración del CINPE, es el documento final y oficial; dicho de otra manera, pareciera ser que el documento que consta en los expedientes en mención y que es utilizado como prueba en el Recurso de Amparo y en la Acción de Inconstitucional presentada por la empresa [Nombre 002], es un documento preliminar y no oficial del CINPE. Adicionalmente, cabe señalar que los documentos presentan diferencias entre sí. •De igual forma resaltar que, aunque el estudio del CINPE se basa en análisis macroeconómicos y microeconómicos, se destaca la omisión de considerar los costos asociados con la falta de ciberseguridad. Las amenazas a la ciberseguridad en redes 5G, desde ataques tradicionales hasta riesgos más sofisticados, subrayan la importancia de medidas preventivas. La falta de seguridad no solo implica riesgos para la privacidad y la pérdida de datos, sino también costos financieros directos, sanciones regulatorias y pérdida de confianza del cliente, por lo que se insta a que este tipo de análisis pueda incorporar todas aquellas variables que puedan afectar el bienestar del consumidor y de los operadores, más allá del precio de mercado y el costo de infraestructura. Es importante recalcar que, a pesar de que el CINPE proporcionó cuatro fuentes de información y enlaces web para abordar la solicitud del MICITT en el oficio MICITTDVT-OF-850-2023, resultando que no fue posible verificar los datos del estudio del CINPE mediante estas fuentes. Este inconveniente surgió debido a la falta de especificación del procedimiento metodológico utilizado para la extracción de dichos datos. • Esta omisión resalta la importancia de una transparencia metodológica completa para asegurar la fiabilidad y verificabilidad de los resultados presentados. Todas las falencias antes señaladas implican que el elemento de prueba carece de sustento técnico necesario para establecer con rigurosidad científica las conclusiones del análisis efectuado en dicho estudio, y por consecuencia, no es sostenible para determinar el impacto económico que pretende argumentar la empresa recurrente. Todas estas inconsistencias pueden observarse en el apartado -M- inciso b del informe técnico No. MICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023, donde además se profundizan sobre estos aspectos. 7. Estos ejemplos ilustran la gravedad de las consecuencias financieras y económicas que implica el decreto y enfatizan la necesidad de reconsiderar políticas que puedan tener repercusiones tan profundas en la economía y bienestar del país. Todo lo anterior nos hace pensar en la necesidad de discutir la neutralidad tecnológica en política de proveedores 5G y sobre todo, la necesidad de obviar criterios basados en prejuicios políticos no comprobados, en tanto afectan factores críticos del mercado a saber: • Promoción de la Competencia: Una política de neutralidad tecnológica asegura un campo de juego equitativo para todos los proveedores, promoviendo la competencia, lo que puede resultar en precios más bajos y soluciones más innovadoras.• Seguridad y Resiliencia: Depender de una variedad de proveedores puede aumentar la seguridad y resiliencia de la red al reducir la dependencia de un único proveedor o tecnología. • Desarrollo Tecnológico Inclusivo: Una política neutral evita la exclusión tecnológica, garantizando que el país tenga acceso a la gama completa de avances y soluciones SG (sic) disponibles globalmente. En suma, es imperativo que Costa Rica y otros países adopten una política de neutralidad tecnológica al considerar la implementación de la tecnología SG. Esta neutralidad no solo garantizará una adopción eficiente y económica, sino que también posicionará al país de manera óptima para capitalizar las oportunidades de la próxima era digital y de todas las que vendrán a futuro. La implementación efectiva y oportuna de la SG (sic) puede ser una de las decisiones más críticas que los líderes tomen para garantizar el progreso y la prosperidad en la era moderna. 21.- Con la finalidad de que la situación jurídica sustancial que nos ocupa se corrija y se eviten mayores afectaciones, serias e irreparables mientras se discute la constitucionalidad y validez del contenido de la conducta impugnada es que solicitamos la suspensión del procedimiento licitatorio tantas veces citado. Respuesta. No son ciertas las consecuencias financieras y económicas alegadas por la empresa aquí recurrente, siendo que dicho alegato se sustenta en un estudio económico patrocinado por la propia empresa [Nombre 002]. y no reúne la información con la rigurosidad técnica y científica necesaria que permitan asegurar la adecuada trazabilidad entre las fuentes y los hallazgos citados en dicho informe, concretamente en el apartado -M- inciso b del informe técnico No. MICITT-DM-OF-10992023 de fecha 12 de diciembre de 2023, que profundiza sobre estos aspectos. A falta de información suficiente que permita acreditar las conclusiones indicadas en el estudio de evaluación elaborado por CINPE, no es factible asumir los escenarios económicos que plantea dicho elemento probatorio. Añádase a lo anterior, que los argumentos de la empresa en cuanto a la necesidad de fortalecer la política de neutralidad tecnológica considerando los resultados económicos obtenidos en la evaluación de CINPE tampoco posee asidero técnico, dadas las falencias que posee el propio estudio, y lo que hemos señalado en cuanto a la sujeción de la neutralidad tecnológica o la flexibilidad en la opciones tecnológicas a los intereses legítimos de la política pública y estándares garantizados a favor del pleno disfrute del servicio por parte de los usuarios finales. En todo caso ya se ha desarrollado en párrafos precedentes del presente informe, que la emisión del Decreto Ejecutivo 44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”: ● No prohíbe ni obliga el uso de ninguna tecnología específica, como pueden ser las tecnologías móviles de quinta generación, sino que establece requisitos mínimos de seguridad que deben cumplir todos los Operadores de redes móviles de telecomunicaciones que decidan implementar redes de telecomunicaciones bajo esta tecnología o superiores. ● Estos requisitos consideran la Ley N° 9452 “Convenio de Europa sobre Ciberdelincuencia”, y una serie de estándares relativos a la seguridad de la información, de manera que el Reglamento procura garantizar que los Operador es garanticen la operación segura de sus redes y los usuarios puedan confiar en la integridad, disponibilidad y confidencialidad de sus redes y servicios, y disfrutar plenamente de los beneficios de la tecnología 5G sin riesgos para su privacidad, seguridad o autodeterminación informativa. ● No limita la competencia ni la innovación en el mercado de las telecomunicaciones bajo tecnología de quinta generación (5G), sino que promueve un entorno en competencia efectiva e igualdad condiciones para todos los Operadores independientemente de su origen o tamaño. Al exigir que los Operadores estén sujetos a un marco legal que respete los principios del Convenio de Budapest, así como los demás estándares destacados en el Reglamento. ● Esta igualdad de condiciones y obligaciones para los Operadores procura evitar que se generen ventajas competitivas desleales o distorsiones del mercado por parte de aquellos Operadores que puedan eventualmente operar bajo normativas más laxas o incompatibles con las requeridas por el Decreto de referencia. ● El Reglamento también fomenta la diversidad y la interoperabilidad de las tecnologías y plataformas para el despliegue de sistemas IMT-2020, incluyendo 5G y superiores, al permitir que los Operadores puedan elegir entre una variedad de proveedores confiables de equipamiento, que cumplan con los requisitos de seguridad establecidos. ● No viola el principio supralegal de flexibilidad en las opciones tecnológicas ni el principio sectorial de neutralidad tecnológica, sino que atiende a su contenido orientador conforme a la política pública del Estado costarricense definida en el PNDT 2022-2027. ● El Reglamento no hace ninguna distinción entre las diferentes tecnologías o plataformas para el despliegue de sistemas IMT- 2020, incluyendo 5G y superiores, sino que se aplica por igual a todas ellas. ● El Reglamento tampoco impone ninguna restricción al acceso o uso de esas redes o servicios móviles innovadores por parte de los usuarios, sino que garantiza que estos puedan ejercer su libertad de expresión, información y comunicación a través de redes y medios de comunicación seguros. Todas estas inconsistencias pueden observarse en el apartado -M- inciso b del informe técnico No. MICITT-DM-OF-1099-2023 de fecha 12 de diciembre de 2023, donde además se profundizan sobre estos aspectos. 22.- Esa medida guarda total proporcionalidad con el interés público, dado que la eventual medida cautelar nos brindaría una protección integral en cuanto tendríamos la posibilidad de participar en la licitación pública para la adquisición de la tecnología de telecomunicaciones 5G que en los próximos días promoverá el ICE y a la cual, de antemano, estamos imposibilitados de participar. 23.- Por lo tanto, las afectaciones que producirá el acto licitatorio son mayores y reales a las que presuntamente sufriría el interés público. De esa manera queda demostrada la necesidad imperiosa que existe para adoptar la presente medida cautelar, la cual constituye el único remedio para prevenir y evitar mayores afectaciones a nuestro derecho a ejercer una actividad empresarial altamente beneficiosa para el país. 24.- Lo anterior confirma la idoneidad de la medida que se está solicitando, que además resulta ser proporcionada con el fin que se busca en el presente recurso de amparo, es decir, la inconstitucionalidad evidente y manifiesta de cualquier concurso público que promueva el ICE para la adquisición de la tecnología en telecomunicaciones 5G Móvil por violar los derechos fundamentales de libre competencia e igualdad de participación en los concursos públicos. Respuesta. No es cierto. Como bien se ha mencionado, la solicitud de la empresa recurrente posee una serie falencias que evidencian la improcedencia de la tutela cautelar pretendida, así hemos resaltado que: • Que la empresa costarricense [Nombre 002]., ha participado efectivamente en el proceso licitatorio para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001. • Declaró bajo fe de juramento su adecuación a los requisitos del pliego de condiciones de dicho proceso concursal. En ese sentido, no se aprecia la consideración de imposible cumplimiento que viene a afirmar. • La instrumentalidad de la medida tampoco se cumple por cuanto pretende suspender un procedimiento de concurso iniciado, en el cual participa en igualdad de condiciones que otros oferentes, por lo cual su suspensión en este momento implicaría una afectación de los intereses legítimos de todos los oferentes involucrados en el proceso. • La medida no evitaría algún privilegio injustificado o una distinción objetivamente infundada, dada la condición de igualdad del recurrente en el proceso de contratación al cumplir conforme a sus manifestaciones, las condiciones del pliego cartelario, sin ningún tipo de señalamiento en contra o en línea con lo aquí argumentado. • La empresa, declaró bajo fe de juramento su adecuación a los requisitos del pliego de condiciones de dicho proceso concursal. • No sería proporcional suspender el concurso del Operador, causándole una situación de desventaja frente a sus competidores, lo cual es contrario al principio sectorial de competencia efectiva, y sobre todo una afectación a los usuarios del Operador en lo que atiende al disfrute y ejercicio de los derechos humanos y fundamentales que conlleva el disfrute pleno de los servicios de telecomunicaciones, en contra del principio sectorial de beneficio del usuario. • No hay un derecho subjetivo a ser favorecido por el resultado del proceso de contratación, esto es improcedente. • Es improcedente una medida que pretendía suspender ex ante un procedimiento de contratación en curso, por lo cual ya no es necesaria la medida, habiendo además la empresa recurrente manifestado la sujeción y aceptación plena a las condiciones del pliego de la contratación. • El ejercicio del derecho fundamental a la defensa y el contradictorio deberá darse dentro del mismo procedimiento licitatorio, a través del régimen recursivo, como parte del debido procedimiento administrativo. Todos estos aspectos hacen improcedente la tutela cautelar pretendida, aunado a ello, lo pretendido por la empresa procura además que prevalezca el interés propio por encima del público, al dejar desprovista a los usuarios del Operador de las nuevas tecnologías en forma segura; lo relativo a la eficiente y óptima la explotación del espectro radioeléctrico y el desarrollo de redes de telecomunicaciones basadas en tecnología 5G y superiores ante su sola expectativa de resultar adjudicada, que sin ánimo de prejuzgar, podría incurrir en dos alternativas inciertas a hoy, resultar adjudicada o no verse favorecida del todo con la adjudicación. Al no materializarse aún la lesión que reputa a sus derechos fundamentales, lesivo sería proceder con una medida cautelar de suspensión en perjuicio del procedimiento especial de servicios en competencia del Operador. Esto por cuanto el impacto directo lo es para los usuarios quienes no tendrían acceso a más y mejores alternativas en la prestación de los servicios, la plena satisfacción en cuanto al disfrute de los servicios que la tecnología actual brinda, la implementación de redes innovadoras para la satisfacción del interés público inmerso en los títulos de concesión otorgados por el Poder Ejecutivo, afectaría además la esfera de intereses legítimos de los demás oferentes en igualdad de condiciones, el cumplimiento de las condiciones y obligaciones dispuestas en el título de concesión para el Operador recurrido, y una potencial desventaja en el desarrollo de su actividad en materia de telecomunicaciones frente a otros competidores no sujetos a los procesos de contratación pública. Inclusive perjudica a la propia oferta de la empresa recurrente al suspender su propia evaluación, por circunstancias que ella misma no aclaró desde un momento inicial, en sede administrativa. PETITORIA 1.- Por tanto, solicitamos que en aplicación del artículo 41 de la Ley de la Jurisdicción Constitucional, se proceda a suspender la publicación de cualquier pliego de condiciones o en caso de que ya esté publicado, la suspensión de cualquier proceso licitatorio por parte del ICE en que deba aplicarse el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic) hasta tanto esa Sala Constitucional se haya pronunciado sobre el fondo de este recurso de amparo y, en caso de que fuere convertido en una acción de inconstitucionalidad, hasta que se haya pronunciado sobre el fondo de ésta (sic)”. Respuesta. Es improcedente. Reitero para estos efectos los argumentos señalados en el punto anterior y me limitaré a señalar que la adopción de esta medida cautelar conlleva un impacto directo para los usuarios del Operador recurrido que no tendrían acceso a más y mejores alternativas en la prestación de los servicios, una afectación en el grado de satisfacción en el disfrute de los servicios que la tecnología actual brinda. Además se afecta la futura implementación de redes innovadoras para la satisfacción del interés público inmerso en los títulos de concesión otorgados por el Poder Ejecutivo para el uso y explotación del espectro radioeléctrico para redes públicas, y por otra parte tiene efectos sobre la esfera jurídica de intereses legítimos de los demás oferentes en igualdad de condiciones, el cumplimiento de las condiciones y obligaciones dispuestas en el título de concesión para el Operador recurrido, y una potencial desventaja en el desarrollo de su actividad en materia de telecomunicaciones frente a otros competidores no sujetos a los procesos de contratación pública, pero sí sujetos a esta normativa reglamentaria en materia de ciberseguridad. IV. Sobre los hechos y alegatos planteados en el RECURSO DE AMPARO en escrito recibido en la Secretaría de la Sala el 9 de noviembre de 2023. “1.- El ICE publicó el día de hoy 9 de noviembre de 2023, el PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GTADQUISICIÓN (sic) DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”. Respuesta. Cierto es, que el Instituto Costarricense de Electricidad publicó en fecha del 9 de noviembre de 2023, la invitación a participar en el procedimiento especial de servicios en competencia, con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001. A partir de la consulta realizada a dicho expediente, se aprecia que en el contexto de dicho procedimiento especial de servicios en competencia, la apertura de ofertas se realizó el día 19 de diciembre de 2023, en donde consta la oferta de la empresa [Nombre 002]. para las partidas 1, 2, 3, 4 y 5 de dicho proceso de contratación. 2.- El cartel contiene requisitos que son imposibles de cumplir por mi representada por estar ubicada su casa matriz en la República Popular China. Respuesta. No es cierto. Hemos señalado que al momento de rendirse el presente informe la empresa recurrente tuvo la oportunidad de participar en el procedimiento especial de servicios en competencia, para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001, en el cual la empresa: ● Manifestó su total entendimiento y conformidad a los requisitos regulados en el pliego de condiciones, sin reserva o protesta alguna. ● La inexistencia del daño que ha mencionado en constantes ocasiones para solicitar incluso la protección mediante suspensión cautelar, toda vez que su participación en un proceso de la más amplia concurrencia permitiría dos resultados, la adjudicación o la no adjudicación, tomando en cuenta no sólo las reglas fijadas con antelación para la contratación. ● Las prerrogativas del Operador contratante mediante procedimiento especial para servicios en competencia para valorar si en el caso concreto terminará el procedimiento en forma normal con la adjudicación, o en forma anormal, mediante otra decisión. ● La participación constituye una mera expectativa y el resultado no puede reputarse como un daño irreparable tal cual quiere hacerlo ver la empresa recurrente. ● Es improcedente la posición de que su empresa debe mantener una adjudicación perpetua, o que debe resultar favorecida previo procedimiento de concurso. ● Esta posición enerva la finalidad del procedimiento especial de servicios en competencia en curso, y la improcedencia de pretender una contratación ad perpetuam con el Operador contratante lo cual jurídicamente no procede. Otro aspecto ya desarrollado en forma abundante en el presente informe lo es que, aún y cuando la empresa recurrente sostiene que por radicar presuntamente su empresa en otro país y que esto constituye un impedimento para participar, no hace ninguna relación a las disposiciones concretas del Decreto Ejecutivo Nº44196-MSP-MICITT aplicables a dicha circunstancia, para aseverar que en el caso concreto podría materializarse una lesión a su esfera de derechos fundamentales, y esto es así por cuanto dicha normativa reglamentaria no establece discriminación alguna en relación con el origen o nacionalidad de alguna empresa. Se ha reiterado además la falta de fundamentación que impera en el recurso de amparo en cuestión, por cuanto la empresa sostiene que su empresa es de origen chino o posee casa matriz en china de la redacción de este extremo en particular, cuando ninguna de estas circunstancias fue alertada en los distintos elementos probatorios adjuntados al expediente del recurso de amparo, y por el contrario a partir de las manifestaciones de la empresa queda en evidencia su origen costarricense, así como el entendimiento y aceptación de los términos del concurso registrado con el expediente electrónico número 2023XE-000023-0000400001. En esta línea considérese lo documentado en la propia oferta de la empresa, en donde no se ha realizado ninguna protesta, reserva u observación en cuanto al origen y/o casa matriz que aquí plantea y de qué forma esta condición podría acarrear alguna lesión a su esfera de derechos fundamentales. No menos importante, como dicha afectación derivada precisamente del Reglamento; cuando de hechos públicos y notorios lo que ha documentado es que se trata de una sociedad conformada al amparo del ordenamiento nacional, registrada en calidad de sociedad anónima en la Sección de Personas Jurídicas del Registro Nacional. Específicamente el Apartado 3, Ciberseguridad RAN-CORE Móvil 5G que en lo que interesa indica: “3. APARTADO DE CIBERSEGURIDAD RAN-CORE MOVIL 5G. 3.1. El oferente deberá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, a la hora de planificar, diseñar e implementar su oferta técnica, para lo cual deberá aportar junto con la oferta, el plan de gestión y mitigación de riesgos en concordancia con la normativa precitada. 3.2. El oferente deberá presentar una declaración jurada en donde indique que cumple con la adopción de los siguientes estándares de ciberseguridad:

Respuesta. Lo cierto, es que el Instituto Costarricense de Electricidad publicó en fecha del 9 de noviembre de 2023, la invitación a participar en el procedimiento especial de servicios en competencia, con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001. A partir de la consulta realizada a dicho expediente, se aprecia que, en el contexto de dicho procedimiento especial de servicios en competencia, la apertura de ofertas se realizó el día 19 de diciembre de 2023, en donde consta la oferta de la empresa [Nombre 002]. para las partidas 1, 2, 3, 4 y 5 de dicho proceso de contratación. En concreto, se lee del documento de oferta (PRUEBA N°3) las siguientes manifestaciones de conformidad plasmadas por la propia empresa, en lo literal indicó: “Respuesta: Se adjunta la declaración jurada en Anexo #2 donde se indica la adopción de los estándares mencionados según se detalla a continuación. ISO/IEC 27001:2022: Entendemos, aceptamos y cumplimos. Se cuenta con la certificación. ISO/IEC 27002:2022: Entendemos, aceptamos y cumplimos. Huawei cumple totalmente con la adopción de esta guía de referencia para la implementación de controles del ISO27001. ISO/IEC 27003:2017: Entendemos, aceptamos y cumplimos. Huawei cumple totalmente con la adopción de esta guía de referencia para la implementación de requerimientos del ISO27001. ISO/IEC 27011:2016: Entendemos y aceptamos. Este estándar es una extensión del ISO 27001 basado en los controles del ISO 27002 adicionando controles que están dirigidos a los Proveedores de servicios de Telecomunicaciones. SCS 9001: Huawei cumple y adopta totalmente con los requerimientos técnicos de este estándar siguiendo las mejores prácticas de la industria, lo cual se demuestra a través de las certificaciones (ISO9001, ISO27001, ISO28000 y NESAS). Se adjuntan certificaciones en el Anexo #10. GSMA NESAS: Entendemos, Aceptamos y Cumplimos. Se adjuntan los certificados en Anexo #10 y además el link para su verificación https://www.gsma.com/security/nesas-results/ ISO/IEC 27400: Entendemos, Aceptamos y Cumplimos. Huawei cumple totalmente con los requerimientos técnicos de este estándar siguiendo las mejores prácticas de la industria. Se adjuntan las hojas de datos de los productos donde se observan las funcionalidades para mejorar la seguridad de la red. 3GPP 33.501: Entendemos, Aceptamos y Cumplimos. Huawei cumple totalmente con los requerimientos técnicos de este estándar siguiendo las mejores prácticas de la industria. NIST 1800-33B: Entendemos, Aceptamos y Cumplimos. La solución de 5G de Huawei cumple totalmente con los requerimientos técnicos de esta guía, siguiendo las mejores prácticas de la industria”. (El resaltado es propio) A su vez, consta la Declaración Jurada (PRUEBA N°4) que se aportó como parte de los documentos de oferta, en la que el personero de la empresa [Nombre 002]. declaró bajo la fe de juramento que: “Que mi representada cumple y adopta con los requerimientos técnicos de los estándares, guías y recomendaciones de ciberseguridad (ISO/IEC 27001:2022, ISO/IEC 27002:2022, ISO/IEC 27003:2017, ISO/IEC 27011:2016, SCS 9001, GSMA NESAS, ISO/IEC 27400, 3GPP 33.501,NIST 1800-33B), siguiendo las mejores prácticas de la industria”. (El resaltado es propio) Del alegato concreto y de las respuestas documentadas en el propio expediente del concurso, no se aprecia ninguna disconformidad por parte de la empresa recurrente en este aspecto. 3.3. De conformidad con el artículo 10 del Reglamento Ciberseguridad Costa Rica Nº 44196MSP-MICITT en donde se indica que no se puede tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, el ICE no podrá adjudicar al mismo oferente el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2). En caso de que la oferta, participe para el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas I y 2) y cumpla con todos los aspectos técnicos, financieros, jurídicos y ocupe el primer lugar en precio para todas las partidas mencionadas, el ICE adjudicará solamente las partidas I y 2 (red de acceso móvil) a este oferente y las partidas 3 y 4 (Core Móvil) se adjudicará al segundo lugar en precio, con el fin de no tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, lo anterior en cumplimiento del 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT. Respuesta. Lo cierto, es que el Instituto Costarricense de Electricidad publicó en fecha del 9 de noviembre de 2023, la invitación a participar en el procedimiento especial de servicios en competencia, con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001, en dicho procedimiento especial de servicios en competencia, la apertura de ofertas se realizó el día 19 de diciembre de 2023, en donde consta la oferta de la empresa [Nombre 002]. para las partidas 1, 2, 3, 4 y 5 de dicho proceso de contratación. En cuanto al modelo de adjudicación, se trata de un aspecto cuya definición es resorte exclusivo del Operador contratante, sobre lo cual no me compete opinar. Lo que sí puedo enfatizar a esta Sala Constitucional, tal y como se ha precisado ut supra, es la necesidad de diversificar la cadena de suministro procura disminuir los riesgos de perjudicar la funcionalidad de la red, al depender de las vulnerabilidades que pueda presentar un único fabricante en su hardware o software. A mayor cantidad de proveedores, mayor cantidad de soluciones ante el servicio final de telecomunicaciones sin necesidad de interrumpir la continuidad del servicio en beneficio del usuario final. El diversificar la cadena de suministro no sólo (sic) constituye una sana práctica en el sector de las tecnologías y en concreto las telecomunicaciones, sino que al garantizar que la red no dependerá de un único proveedor reduce las brechas de criticidad de los siniestros, como resultado de la complejidad en la interconexión. 3.4. El oferente deberá presentar una declaración jurada en donde se indique su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Para lo cual deberá adjuntar la documentación de respaldo. El ICE se reserva el derecho de verificar la valides (sic) de la información aportada. Respuesta. Lo cierto, al momento de rendir el presente informe es que el Instituto Costarricense de Electricidad publicó en fecha del 9 de noviembre de 2023, la invitación a participar en el procedimiento especial de servicios en competencia, con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE000023-0000400001. A partir de la consulta realizada a dicho expediente, se aprecia que, en el contexto de dicho procedimiento especial de servicios en competencia, la apertura de ofertas se realizó el día 19 de diciembre de 2023, en donde consta la oferta de la empresa [Nombre 002]. para las partidas 1, 2, 3, 4 y 5 de dicho proceso de contratación. En concreto, se lee del documento de oferta (PRUEBA N°3) las siguientes manifestaciones de conformidad plasmadas por la propia empresa, en lo literal indicó: “El oferente deberá presentar una declaración jurada en donde se indique su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Para lo cual deberá adjuntar la documentación de respaldo. El ICE se reserva el derecho de verificar la valides (sic) de la información aportada. Respuesta: Entendemos. Huawei cumple totalmente con los estándares de ciberseguridad y mejores practicas (sic) de la industria para el resguardo e integridad de la información. El Convenio de Budapest no se refiere a un estándar de ciberseguridad para redes móviles 5G o similares”. El cumplimiento sustancial de dicho requisito es un aspecto del resorte propio del Operador contratante. No obstante, observe la Sala como ya se ha apuntado en reiteradas ocasiones, que la empresa aquí recurrente consintió en forma escrita el requisito y su sujeción a todas las condiciones del pliego de la contratación. Del alegato concreto y de las respuestas documentadas en el propio expediente del concurso, no se aprecia ninguna disconformidad por parte de la empresa recurrente en este aspecto. 3.5. El oferente deberá presentar una declaración jurada en donde se indique que, si la sede de la fábrica es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. Respuesta. Lo cierto, es que el Instituto Costarricense de Electricidad publicó en fecha del 9 de noviembre de 2023, la invitación a participar en el procedimiento especial de servicios en competencia, con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001. A partir de la consulta realizada a dicho expediente, se aprecia que, en el contexto de dicho procedimiento especial de servicios en competencia, la apertura de ofertas se realizó el día 19 de diciembre de 2023, en donde consta la oferta de la empresa [Nombre 002]. para las partidas 1, 2, 3, 4 y 5 de dicho proceso de contratación. En concreto, se lee del documento de oferta (PRUEBA N°3) las siguientes manifestaciones de conformidad plasmadas por la propia empresa, en lo literal indicó: El oferente deberá presentar una declaración jurada en donde se indique que, si la sede de la fábrica es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. Respuesta: Entendemos, Aceptamos y cumplimos. Se adjunta archivo con el nombre “Declaración Jurada” en el Anexo #2, el cual se encuentra en la carpeta de “Documentos Legales”. (El resaltado es propio) A su vez, consta la Declaración Jurada (PRUEBA N°4) que se aportó como parte de los documentos de oferta, en la que el personero de la empresa [Nombre 002]. declaró bajo la fe de juramento que: “Que la sede de la fábrica de mi representada no es susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones”. Del alegato concreto y de las respuestas documentadas en el propio expediente del concurso, no se aprecia ninguna disconformidad por parte de la empresa recurrente en este aspecto. 3.6. El oferente deberá presentar una declaración jurada en donde se indique si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses.” Como se puede observar de la cita anterior, se involucran en la presente contratación los elementos discriminatorios contenidos en el Reglamento Ciberseguridad Costa Rica Nº 44196-MSPMICITT, que son condiciones de carácter obligatorio para la calificación del oferente para participar en el proceso de licitación, el cual excluye a mi representante del acceso a la licitación, y pierde la oportunidad de competir, en razón del origen de su casa matriz. Todo lo anterior, conforme fue debidamente fundamentado, sustentado y probado en el Recurso de Amparo principal del expediente 23-023887-0007-CO. Respuesta. Lo cierto, es que el Instituto Costarricense de Electricidad publicó en fecha del 9 de noviembre de 2023, la invitación a participar en el procedimiento especial de servicios en competencia, con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001. A partir de la consulta realizada a dicho expediente, se aprecia que, en el contexto de dicho procedimiento especial de servicios en competencia, la apertura de ofertas se realizó el día 19 de diciembre de 2023, en donde consta la oferta de la empresa [Nombre 002]. para las partidas 1, 2, 3, 4 y 5 de dicho proceso de contratación. En concreto, se lee del documento de oferta (PRUEBA N° 3) las siguientes manifestaciones de conformidad plasmadas por la propia empresa, en lo literal indicó: “El oferente deberá presentar una declaración jurada en donde se indique si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses. Respuesta: Entendemos, Aceptamos y cumplimos. Se adjunta archivo con el nombre “Declaración Jurada” en el Anexo #2, el cual se encuentra en la carpeta de “Documentos Legales”. (El resaltado es propio) A su vez, consta la Declaración Jurada (PRUEBA N°4) que se aportó como parte de los documentos de oferta, en la que el personero de la empresa [Nombre 002]. declaró bajo la fe de juramento que: “Que la sede de la fábrica de mi representada no es susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. 13. Que mi representada, de ninguna manera, está sujeta a la dirección de un gobierno extranjero con leyes o prácticas establecidas que le pueda requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses”. Del alegato concreto y de las respuestas documentadas en el propio expediente del concurso, no se aprecia ninguna disconformidad por parte de la empresa recurrente en este aspecto. 3.- De esa manera se concretó inminentemente la violación de nuestros derechos fundamentales conforme lo habíamos indicado en el escrito de interposición del presente recurso de amparo. (…) DERECHO I.- Las violaciones de los derechos fundamentales de mi representada El pliego de condiciones de la licitación pública del ICE citado viola en perjuicio de mi representada al menos los siguientes derechos fundamentales: a) derecho de libre competencia e igualdad de participación en los concursos públicos y b) derecho a no ser discriminado en razón del origen de la empresa. A.-La violación de los derechos fundamentales de libre competencia e igualdad de participación en los concursos públicos 1.- La jurisprudencia de esa Sala ha establecido que "si el artículo 182 de la Constitución Política establece este principio -el de la licitación entonces se encuentran inmersos en el concepto todos los principios propios de la Contratación Administrativa. En virtud de lo anterior, debe entenderse que del artículo 182 de la Constitución Política se derivan todos los principios y parámetros constitucionales que rigen la actividad contractual del Estado. Algunos de estos principios que orientan y regulan la licitación son: 1.-de la libre concurrencia, que tiene por objeto afianzar la posibilidad de oposición y competencia entre los oferentes dentro de las prerrogativas de la libertad de empresa regulado en el artículo 46 de la Constitución Política, destinado a promover y estimular el mercado competitivo, con el fin de que participen el mayor número de oferentes, para que la Administración pueda contar con una amplia y variada gama de ofertas, de modo que pueda seleccionar la que mejores condiciones le ofrece; 2.- de igualdad de trato entre todos los posibles oferentes, principio complementario del anterior y que dentro de la licitación tiene una doble finalidad, la de ser garantía para los administrados en la protección de sus intereses y derechos como contratistas, oferentes y como particulares, que se traduce en la prohibición para el Estado de imponer condiciones restrictivas para el acceso del concurso, sea mediante la promulgación de disposiciones legales o reglamentarias con ese objeto, como en su actuación concreta; y la de constituir garantía para la administración, en tanto acrece la posibilidad de una mejor selección del contratista; todo lo anterior, dentro del marco constitucional dado por el artículo 33 de la Carta Fundamental” (Voto 998-1998). Respuesta. No es cierto. Reitero nuevamente lo señalado en cuanto a la oferta de la empresa [Nombre 002]., con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-0000230000400001, en el cual el recurrente participó y manifestó su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal, en la cual se reitera que en su oferta deja de manifiesto también que se trata de una empresa constituida en Costa Rica. Por lo cual la empresa [Nombre 002]., según sus propias manifestaciones ante el Operador, ha confirmado su adecuación a las condiciones y normativa aplicable para el concurso, inclusive bajo fe de juramento. Por lo tanto, la empresa ha hecho ejercicio efectivo de todos y cada uno de los derechos que argumenta transgredidos, lo cual pone en evidencia una incongruencia entre lo aquí manifestado y los hechos reales verificables conforme cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001. Por otra parte, el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” contiene parámetros objetivos para el despliegue de redes bajo tecnologías de quinta generación o superiores por parte de los Operadores habilitados para explotar el espectro radioeléctrico, y además afianzar la prevención contra la ciberdelincuencia, que como bien se ha explicado, ha generado importantes daños a los sistemas públicos, las finanzas públicas y a las personas usuarias de estos servicios esenciales en el país. 2.- El pliego de condiciones publicado por el ICE para la adquisición de “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, implica una clara violación, en perjuicio de mi representada, de sus derechos fundamentales a la libre concurrencia en las contrataciones públicas y de igualdad de trato de los oferentes, dado que se aplican en esa licitación pública directamente los artículos 10) incisos c), d), e) y f) y el numeral 1 1 del " Reglamento Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic), normas que establecen regulaciones discriminatorias y contrarias a los citados derechos fundamentales de la libre competencia e igualdad de trato en los concursos públicos. Respuesta. No es cierto. Por cuanto la empresa [Nombre 002]., con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001, participó y manifestó bajo fe de juramento su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal, y confirma que es una sociedad comerciante constituida en Costa Rica y por ende bajos los preceptos del Ordenamiento Jurídico nacional. Además, aún y cuando esta empresa costarricense sostiene que el origen o nacionalidad de una empresa constituye un impedimento para participar, no hace ninguna relación a las disposiciones concretas del Decreto Ejecutivo Nº44196-MSP-MICITT aplicables a dicha circunstancia, para aseverar que en el caso concreto, podría materializarse una lesión a su esfera de derechos fundamentales, y esto es así por cuanto dicha normativa reglamentaria no establece discriminación alguna en relación del origen o nacionalidad de alguna empresa. Pese a que en reiteradas ocasiones ha señalado que las disposiciones del Reglamento impedirán su participación en los procesos de contratación pública, se aprecian circunstancias totalmente contrarias que desvirtúan groseramente los argumentos expuestos, toda vez que dentro del concurso recientemente promovido por el ICE lo que plasmó por escrito fue una total sujeción y cumplimiento a las reglas del concurso, incluyendo las condiciones derivadas del Decreto Ejecutivo Nº44196-MSPMICITT. 3.- En efecto, esas normas establecen requisitos para el caso concreto, a fin de que compañías de diferentes orígenes, especialmente chino, no pueden participar en ningún concurso público para la adquisición de tecnología de telecomunicaciones 5 G Móvil y superiores. Respuesta. No es cierto. Por cuanto la empresa [Nombre 002]., ha participado efectivamente en el proceso licitatorio para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001; en el cual además declaró bajo fe de juramento su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal, y confirma que es una sociedad comerciante constituida en Costa Rica, sin que se precise ideología alguna por dicho comerciante societario para su participación, y sobre el cual se identifiquen actos discriminatorios por parte del Operador. Tampoco la empresa recurrente en sus manifestaciones efectúa alguna relación a las disposiciones concretas del Decreto Ejecutivo Nº44196-MSP-MICITT aplicables a dicha circunstancia, para aseverar que en el caso concreto podría materializarse una lesión a su esfera de derechos fundamentales, y esto es así por cuanto dicha normativa reglamentaria no establece discriminación alguna en relación con el origen o nacionalidad de las empresas, prueba de ello es que el recurrente ha ejercido plenamente sus derechos de ofertar libremente en el citado procedimiento concursal. Lo cual provoca de forma automática que se desvirtúan sus argumentos por cuanto se ha sujetado libremente a las disposiciones del pliego de condiciones en forma igualitaria con otros participantes.4.- De esa forma se violan de manera grosera y evidente los derechos fundamentales a la libertad de competencia e igualdad de trato que tienen todos los eventuales interesados en participar en concursos públicos para la adquisición de bienes y servicios en nuestro país. Respuesta. No es cierto. Por cuanto la empresa [Nombre 002]., ha participado efectivamente en el proceso licitatorio para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001; en el cual además declaró bajo fe de juramento su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal, y confirma que es una sociedad comerciante constituida en Costa Rica, sin que se precise ideología alguna por dicho comerciante societario para su participación, y sobre el cual se identifiquen actos discriminatorios por parte del Operador. Tampoco la empresa recurrente en sus manifestaciones efectúa alguna relación a las disposiciones concretas del Decreto Ejecutivo Nº44196-MSP-MICITT aplicables a dicha circunstancia, para aseverar que en el caso concreto podría materializarse una lesión a su esfera de derechos fundamentales, y esto es así por cuanto dicha normativa reglamentaria no establece discriminación alguna en relación con el origen o nacionalidad de las empresas, prueba de ellos es que el recurrente ha ejercido plenamente sus derechos de ofertar libremente en el citado procedimiento concursal. Lo anterior desvirtúa sus argumentos por cuanto se ha sujetado libremente a las disposiciones del pliego de condiciones en forma igualitaria con otros participantes.5.- En el caso de mi representada, el pliego de condiciones impide nuestra participación en esa contratación pública al aplicar lo estipulado en los incisos c), d), e) y f) del artículo 10 y numeral 1 1 del citado Reglamento, que es la finalidad que persigue esa normativa según declaraciones, en su momento, del Presidente Ejecutivo del ICE, de la Ministra del MICITT y del Presidente de la República. A confesión de parte, relevo de prueba. B.- La violación del principio constitucional a no ser discriminado por ninguna razón 1.- El artículo 33 de la Constitución consagra el principio cardinal en el Derecho Occidental, de que ninguna persona, física o jurídica, puede ser discriminada por ninguna razón (sexo, creencias religiosas, ideología, nacionalidad, etc). 2.- En el presente caso a mi representada se le discrimina abiertamente tanto por su supuesta ideología como por su nacionalidad, lo que implica una grosera violación del artículo 33 de la Constitución Política. 3.- Recordemos que la discriminación, desde el punto de vista jurídico, significa otorgamiento de trato diferente basado en desigualdades injustas o arbitrarias que son contrarias al principio de igualdad ante la ley. 4.- La prohibición de discriminar cobija la interdicción de hacerlo por cualquier circunstancia personal o social; o sea, que toda diferenciación que carezca de justificación objetiva y razonable puede calificarse de discriminatoria. 5.- De esa forma, son contrarias al principio de no discriminación las desigualdades de trato que se funden exclusivamente en razones de sexo, raza, condición social, motivos ideológicos, origen, nacionalidad, etc. Respuesta. No es cierto. Por cuanto la empresa [Nombre 002]., ha participado efectivamente en el proceso licitatorio para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001; en el cual además declaró bajo fe de juramento su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal, y confirma que es una sociedad comerciante constituida en Costa Rica, sin que se precise ideología alguna por dicho comerciante societario para su participación, y sobre el cual se identifiquen actos discriminatorios por parte del Operador.Tampoco la empresa recurrente en sus manifestaciones efectúa alguna relación a las disposiciones concretas del Decreto Ejecutivo Nº44196-MSP-MICITT aplicables a dicha circunstancia, para aseverar que en el caso concreto podría materializarse una lesión a su esfera de derechos fundamentales, y esto es así por cuanto dicha normativa reglamentaria no establece discriminación alguna en relación con el origen o nacionalidad de las empresas, prueba de ellos es que el recurrente ha ejercido plenamente sus derechos de ofertar libremente en el citado procedimiento concursal. Ergo, resultan improcedentes sus manifestaciones en estos extremos. 6.- La normativa que el ICE pretende aplicar contiene elementos discriminatorios como requisitos obligatorios en el citado concurso público implica una clara violación al principio de no discriminación en perjuicio de mi representada, dado que se la excluye desde el inicio de un concurso público por razones supuestamente ideológicas y de nacionalidad. Respuesta. No es cierto. Por cuanto la empresa [Nombre 002]., ha participado efectivamente en el proceso licitatorio para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001; en el cual además declaró bajo fe de juramento su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal, y confirma que es una sociedad comerciante constituida en Costa Rica, sin que se precise ideología alguna por dicho comerciante societario para su participación, y sobre el cual se identifiquen actos discriminatorios por parte del Operador y sus manifestaciones omiten relación alguna entre las disposiciones concretas del Decreto Ejecutivo Nº44196-MSPMICITT aplicables a dicha circunstancia, para aseverar que en el caso concreto podría materializarse una lesión a su esfera de derechos fundamentales, sin perjuicio del ayuno probatorio en este sentido, dados los hechos expuestos que contradicen lo señalado por el recurrente. MEDIDA CAUTELAR 1.- Dado que estamos ante un caso de excepción, pues si no se suspende la ejecución del futuro acto lesivo de nuestros derechos fundamentales y que se encuentra en fase de ejecución, el perjuicio para mi representada sería irreparable e irreversible pues le impide la participación en el citado concurso público para la adquisición de la tecnología en telecomunicaciones 5G/IMT Móvil. 2.- Por tanto, solicitamos que en aplicación del artículo 41 de la Ley de la Jurisdicción Constitucional, se proceda a suspender la tramitación del proceso licitatorio indicado en el cartel impugnado dado que en él se está aplicando el “Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores” (sic), hasta tanto esa Sala Constitucional no se haya pronunciado sobre el fondo de este recurso de amparo y sobre la acción de inconstitucionalidad planteada contra ese decreto oportunamente. Respuesta. Es improcedente. Reitero para estos efectos los argumentos señalados en puntos anteriores y me limitaré a señalar que la adopción de esta medida cautelar conlleva un impacto directo para los usuarios del Operador recurrido que no tendrían acceso a más y mejores alternativas en la prestación de los servicios, una afectación en el grado de satisfacción en el disfrute de los servicios que la tecnología actual brinda. Además, se afecta la futura implementación de redes innovadoras para la satisfacción del interés público inmerso en los títulos de concesión otorgados por el Poder Ejecutivo para el uso y explotación del espectro radioeléctrico para redes públicas, y por otra parte tiene efectos sobre la esfera jurídica de intereses legítimos de los demás oferentes en igualdad de condiciones. Lo anterior, sin perjuicio del potencial de afectar el cumplimiento de las condiciones y obligaciones dispuestas en el título de concesión para el Operador recurrido, y una posible desventaja competitiva en el desarrollo de su actividad en materia de telecomunicaciones frente a otros competidores no sujetos a los procesos de contratación pública, pero sí sujetos a esta normativa reglamentaria en materia de ciberseguridad. PETITORIA Con fundamento en los hechos invocados, pruebas ofrecidas y consideraciones jurídicas señaladas, solicito que en sentencia se declare: 1.- Que mi representada no puede ser impedida de participar en el citado concurso público introduciendo cláusulas de imposible cumplimiento para ella, porque ello viola los derechos fundamentales a la libre competencia, la igualdad de trato y la prohibición de la discriminación exclusivamente por razones ideológicas y de nacionalidad. 2.- Reitero la solicitud de condenatoria al ICE al pago de los daños y perjuicios y costas de esta acción”. Respuesta. No es cierto. De acuerdo a (sic) lo señalado ut supra, se observa la oferta de la empresa [Nombre 002]., con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-0000230000400001, en el cual el recurrente participó y manifestó su adecuación a las condiciones del pliego de condiciones sin advertir algún elemento de imposible cumplimiento dentro de dicho proceso concursal, en la cual se reitera que en su oferta deja de manifiesto también que se trata de una empresa constituida en Costa Rica. Conforme se ha precisado vastamente, los documentos de conocimiento público y las propias manifestaciones efectuadas por la empresa en el marco del procedimiento concursal desprenden el origen costarricense de la empresa, razón por la cual no se entienden las limitaciones a la participación que alega. Se reitera además que, en el caso, la empresa tampoco ha demostrado que las disposiciones del Reglamento de marras discriminen en forma alguna sobre la base de ideologías y/o nacionalidad alguna, por cuanto la definición de medidas allí vertidas no fue sustentada en estas consideraciones subjetivas. En todo caso, se ha desarrollado en el presente informe que en materia de procedimientos de adquisición pública es perfectamente factible incorporar restricciones legítimas siempre y cuando se ajusten a los principios de convencionalidad, razonabilidad, proporcionalidad, bloque de legalidad, y a las reglas de la ciencia, de la técnica y la lógica jurídica, parámetros que según se ha demostrado, fueron observados a la hora de emitir el Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores” y que en consecuencia deben observarse por cualquier Operador de servicios de telecomunicaciones bajo tecnología 5G o superiores. V. Sobre los hechos y alegatos planteados en el RECURSO DE AMPARO en escrito recibido en la Secretaría de la Sala el 14 de noviembre de 2023. “1. Con el documento técnico adjunto las pérdidas que sufrirían tanto mi representada, así como el país si se nos impidiera participar en la licitación del ICE”. Respuesta. El documento técnico al que refiere es irrelevante a los presentes efectos, toda vez que ya se ha dimensionado en el presente escrito que las pretensiones de la empresa versan sobre su participación en un procedimiento de contratación concreto, en el cual la empresa [Nombre 002]., con el objeto de contratar “GTADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023- 0000400001, en el cual el recurrente participó y manifestó su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal, en la cual se reitera que en su oferta deja de manifiesto también que se trata de una empresa constituida en Costa Rica. En el caso que nos ocupa, en respeto a los principios de debido proceso, transparencia, imparcialidad, e igualdad de condiciones para todos los participantes que han ofertado en dicho concurso, lo prudente es esperar el criterio del Operador contratante para que aquellos que estimen cualquier agravio activen el régimen recursivo del caso. Desde luego que ante la naturaleza del proceso de contratación pública, en aras de garantizar la más amplia concurrencia, la Administración contratante es quien al amparo de sus potestades discrecionales adjudica la contratación, con lo cual se entiende que no todos se verán beneficiados de dicho resultado. Por ende, como ya se ha venido precisando para extremos anteriores, lo que ostenta el potencial oferente es solamente una expectativa y no un derecho subjetivo preconstituido. En ese sentido, el Tribunal Contencioso Administrativo ha señalado: ““Los oferentes en cualquier trámite concursal que efectúe la Administración (...) no tienen un derecho subjetivo a que se les adjudique la contratación (puesto que la adjudicación debe realizarse a la oferta que cumpla con todos los requisitos legales y sea las más conveniente a la satisfacción del interés general y al cumplimiento de los fines y cometidos de la Administración (...) o bien, la licitación puede ser declarada desierta) sino sólo un interés legítimo. Debe recordarse, que en derecho público, el interés legítimo es una expectativa de obtener o conservar una utilidad sustancial, a través del ejercicio de las potestades de la Administración Pública, por lo que el ordenamiento no garantiza al interesado la conducta idónea para la satisfacción de su interés, sino que hace depender esa satisfacción de los actos de ejercicio de potestades administrativas. En otras palabras, cuando se tiene un interés legítimo, no se puede exigir de la Administración una conducta que satisfaga este interés, como sí lo puede hacer el titular de un derecho subjetivo. (...) Sólo quien tiene un derecho subjetivo, puede pedir la nulidad de un acto administrativo, el restablecimiento de la situación jurídica individualizada y la indemnización de daños y perjuicios (artículos 10.3, 23 y 62 de la Ley Reguladora de la Jurisdicción Contencioso Administrativa). (...) el hecho de que este Tribunal prohíje el alegato de que la administración de la CCSS calificó erróneamente la oferta de la empresa adjudicada M.R. Pintores, S.A., no permite concluir que una correcta valoración de su propuesta hubiera conducido irremediablemente a que el concurso fuese otorgado a la oferta del actor. En efecto, una distinta ponderación de los factores bien podría haber llevado, por ejemplo, a declarar desierta la licitación. Así pues, el aquí accionante no tenía entonces –ni tiene ahora– un derecho subjetivo a que se le adjudicara la realización de las obras objeto del concurso; tan solo era titular de una expectativa de derecho, de un interés legítimo. Desde esta óptica, no procede el otorgamiento de los daños y perjuicios reclamados: puesto que su interés legítimo nunca llegó a traducirse en un derecho subjetivo, nunca llegó a estar tampoco en posición de experimentar un daño indemnizable.“ (ver resolución Tribunal Contencioso Administrativo Sección VII Nº 56 - 2009 del 27 de mayo de 2009) Del extracto anterior y de las premisas que ya se han construido en el presente informe, la empresa no puede pretender derecho alguno sobre la contratación efectuada por el ICE, en tanto no se le ha otorgado ninguna adjudicación a su favor y en consecuencia, cualquier utilidad posee carácter eventual, lo que tampoco es un hecho cierto y definitivo para la empresa, ya que deberá aguardar a las valoraciones que finalmente genere el Operador contratante como parte del curso del procedimiento de selección. Por lo anterior, resulta improcedente afirmar que de dicho procedimiento especial podría resultar un daño a la situación económica de la empresa, toda vez que los rendimientos de la empresa no están vinculados por la vía del derecho subjetivo al operador en este momento. De lo contrario, no habría necesidad alguna de someter a concurso el objeto contractual, haciendo nugatorios los principios que informan la materia de contratación pública, al admitir una tesis que no solo prejuzgue en favor de [Nombre 002]., sino que además se pretenda mantener un contrato en forma perpetua, invalidando así los derechos de otros oferentes a ser evaluados en el mismo plano de igualdad. VI. Sobre los hechos y alegatos planteados en el RECURSO DE AMPARO en escrito recibido en la Secretaría de la Sala el 24 de noviembre de 2023. “Amplío por este medio, el recurso de amparo presentado y seguido bajo el expediente 230238870007-CO, con base en los siguientes HECHOS 1.- Que mediante escrito remitido a esta Sala Constitucional el día 09 de noviembre de 2023, se amplió en una primera ocasión el recurso de amparo presentado, debido a que el ICE publicó el día de 9 de noviembre de 2023, el PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED SG ENTREGA SEGÚN DEMANDA". Respuesta. Cierto es, que el Instituto Costarricense de Electricidad publicó en fecha del 9 de noviembre de 2023, la invitación a participar en el procedimiento especial de servicios en competencia, con el objeto de contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) registrado con el expediente electrónico número 2023XE-000023-0000400001. A partir de la consulta realizada a dicho expediente, se aprecia que, en el contexto de dicho procedimiento especial de servicios en competencia, la apertura de ofertas se realizó el día 19 de diciembre de 2023, en donde consta la oferta de la empresa [Nombre 002]. para las partidas 1, 2, 3, 4 y 5 de dicho proceso de contratación. 2.- El cartel contiene requisitos que son imposibles de cumplir por mi representada por estar ubicada su casa matriz en la República Popular China. Específicamente el Apartado 3, CiberSeguridad RAN-CORE Móvil 5G, mismo que puede ser revisado en el escrito del 09 de noviembre de 2023. Respuesta. No es cierto. Hemos señalado que al momento de rendirse el presente informe la empresa recurrente tuvo la oportunidad de participar en el procedimiento especial de servicios en competencia, para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001, en el cual la empresa: ● Manifestó su total entendimiento y conformidad a los requisitos regulados en el pliego de condiciones, sin reserva o protesta alguna. ● La inexistencia del daño que ha mencionado en constantes ocasiones para solicitar incluso la protección mediante suspensión cautelar, toda vez que su participación en un proceso de la más amplia concurrencia permitiría dos resultados, la adjudicación o la no adjudicación, tomando en cuenta no sólo las reglas fijadas con antelación para la contratación. ● Las prerrogativas del Operador contratante mediante procedimiento especial para servicios en competencia para valorar si en el caso concreto terminará el procedimiento en forma normal con la adjudicación, o en forma anormal, mediante otra decisión. ● La participación constituye una mera expectativa y el resultado no puede reputarse como un daño irreparable tal cual quiere hacerlo ver la empresa recurrente. ● Es improcedente la posición de que su empresa debe mantener una adjudicación perpetua, o que debe resultar favorecida previo procedimiento de concurso. ● Esta posición enerva la finalidad del procedimiento especial de servicios en competencia en curso, y la improcedencia de pretender una contratación ad perpetuam con el Operador contratante lo cual jurídicamente no procede. Otro aspecto ya desarrollado en forma abundante en el presente informe lo es que, aún y cuando la empresa recurrente sostiene que por radicar presuntamente su empresa en otro país y que esto constituye un impedimento para participar, no hace ninguna relación a las disposiciones concretas del Decreto Ejecutivo Nº44196-MSP-MICITT aplicables a dicha circunstancia, para aseverar que en el caso concreto podría materializarse una lesión a su esfera de derechos fundamentales, y esto es así por cuanto dicha normativa reglamentaria no establece discriminación alguna en relación con el origen o nacionalidad de alguna empresa. Se ha reiterado además la falta de fundamentación que impera en el recurso de amparo en cuestión, por cuanto la empresa sostiene que su empresa es de origen chino o posee casa matriz en china de la redacción de este extremo en particular, cuando ninguna de estas circunstancias fue alertada en los distintos elementos probatorios adjuntados al expediente del recurso de amparo. En esta línea considérese lo documentado en la propia oferta de la empresa, en donde no se ha realizado ninguna protesta, reserva u observación en cuanto al origen y/o casa matriz que aquí plantea y de qué forma esta condición podría acarrear alguna lesión a su esfera de derechos fundamentales. No menos importante, como dicha afectación derivada precisamente del Reglamento; cuando de hechos públicos y notorios lo que ha documentado es que se trata de una sociedad conformada al amparo del ordenamiento nacional, registrada en calidad de sociedad anónima en la Sección de Personas Jurídicas del Registro Nacional. 3.- Que contra dicho pliego de condiciones, por ser discriminatorio e impedir la participación de [Nombre 002]., se presentó en tiempo y forma un recurso de objeción al pliego. Respuesta. Se rechaza cualquier consideración subjetiva en contra del citado pliego de condiciones, por cuanto la definición de condiciones allí reguladas resulta ser resorte exclusivo del Operador contratante. De acuerdo con las actuaciones que constan en el expediente electrónico de la contratación “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) con el número 2023XE-000023-0000400001, para lo cual se aprecia que en fecha 14/11/2023 20:20 la empresa en efecto interpuso el mecanismo de objeción. No obstante lo anterior, el recurrente participó en dicho procedimiento especial y manifestó su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal. 4.- Que mediante oficio 5201-250-202 del 21 de noviembre de 2023, el ICE procedió a admitir parcialmente el recurso de objeción, sin embargo, procedió a rechazar de forma absoluta todas las objeciones relacionadas con el Apartado 3, CiberSeguridad RAN-CORE Móvil 5G, que precisamente excluye a Huawei del concurso. Respuesta. De acuerdo con las actuaciones que constan en el expediente electrónico de la contratación “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) con el número 2023XE-0000230000400001, para lo cual se aprecia que en fecha 14/11/2023 20:20 la empresa en efecto interpuso el mecanismo de objeción. Lo que el Operador contratante haya resuelto con respecto a los extremos manifestados en dicha impugnación es un aspecto de su entera competencia, sobre lo cual no estimo referirme. No obstante lo anterior, el recurrente participó en dicho procedimiento especial y manifestó su adecuación a las condiciones del pliego de condiciones de dicho proceso concursal. Por lo anterior extraña a este Ministerio y así se le hace ver a la Sala Constitucional, que, si tenía alguna reserva u objeción de las condiciones, así debió plasmarlo en su oferta sujeto claro a la valoración correspondiente del Operador. En sentido contrario, lo que se aprecia de la oferta son manifestaciones conformes con el pliego por lo cual no se estima lesión alguna a sus derechos. No podría analizarse un perjuicio cuando la empresa misma no ha puesto de manifiesto su inconformidad con las reglas del concurso. 5.- De esa manera, mi representada demuestra el uso oportuno de todos los mecanismos legales disponibles para procurar garantizar sus derechos constitucionales y sin embargo, se concretó la violación de nuestros derechos fundamentales conforme lo habíamos indicado en el escrito de interposición del presente recurso de amparo. Queda así configurada — ya no una posible violación si no una violación consumada — la discriminación hacia mi representada y las condiciones actuales de Costa Rica en contra de empresas Chinas, discriminándolas por su nacionalidad. PRUEBAS 1.- Copia del recurso interpuesto y de la respuesta del ICE. DERECHO I.- Las violaciones de los derechos fundamentales de mi representada El pliego de condiciones de la licitación pública del ICE citado, se encuentra consolidado y ante el rechazo del recurso de objeción no quedan más remedios legales que pueda utilizar mi representada para procurar la protección de sus derecho legítimos (sic) constitucionales. Es con base en esto, que podemos asegurar que, con el agotamiento de esa vía administrativa, el pliego viola en perjuicio de mi representada al menos los siguientes derechos fundamentales: a) derecho de libre competencia e igualdad de participación en los concursos públicos y b) derecho a no ser discriminado en razón del origen de la empresa, todo lo anterior, según fue debidamente explicado y fundamentado en el escrito del 09 de noviembre de 2023. Respuesta. No es cierto que en el caso se haya consumado lesión o discriminación alguna, la empresa recurrente tuvo la oportunidad de participar en el procedimiento especial de servicios en competencia, para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001. Incluso conforme ha quedado demostrado líneas atrás, la empresa manifestó su total entendimiento y conformidad a los requisitos regulados en el pliego de condiciones, sin reserva o protesta alguna. Tampoco es apegado a la verdad afirmar que utilizó en forma oportuna de todos los mecanismos legales disponibles para advertir cualquier inconformidad ante el citado pliego de condiciones, por cuanto se ha esgrimido en forma abundante en este informe, que la empresa, de origen costarricense y constituida de acuerdo con las leyes nacionales, mantuvo una postura cumpliente desde el primer acercamiento que en apariencia el Operador le formuló mediante un supuesto “cuestionario”. En su oferta además se aprecia que consintió todas las condiciones que con el recurso de amparo pretende visualizar como de imposible cumplimiento o discriminatorias, criterio que no ha mantenido a lo largo de las diferentes etapas del concurso registrado con el expediente electrónico número 2023XE-000023-0000400001, ayunas además de elementos probatorios pertinentes, sin perjuicio de la incongruencia que se presenta entre sus manifestaciones y los hechos expuestos. MEDIDA CAUTELAR 1.- Reiteramos en este acto que estamos ante un caso de excepción y de urgentísima protección cautelar, ante el hecho de que actualmente y habiéndose agotado los remedios procesales, resulta imposible detener el concurso. Una vez que el concurso reciba ofertas y mi representada no sea capaz de presentar la suya, por no cumplir con el apartado 3, CiberSeguridad RAN-CORE Móvil 5G, se configurará el daño grave, manifiesto, inminente y de imposible reparación, al quedar completamente fuera del concurso y sin legitimación para reclamar. De igual forma, se ha demostrado de forma sobrada en este proceso de amparo, la apariencia de buen derecho del reclamo, sustentado en normativa constitucional, en los principios constitucionales, en derecho comparado y también en documentación y análisis técnicos, lo cual demuestran que nuestro reclamo tiene un fundamento debido. Finalmente, en la ponderación de intereses en juego, la suspensión no genera un daño directo a la Administración, pues se trataría de un (sic) medida cautelar provisional. 2.- Por tanto, solicitamos que en aplicación del artículo 41 de la Ley de la Jurisdicción Constitucional, se proceda a suspender la tramitación del proceso licitatorio indicado en el cartel impugnado dado que en él deberá aplicarse el "Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores" (sic), hasta tanto esa Sala Constitucional no se haya pronunciado sobre el fondo de este recurso de amparo y sobre la acción de inconstitucionalidad planteada contra ese decreto oportunamente. Respuesta. No es cierto. Ha quedado en clara evidencia que la situación urgentísima sobre la cual se sustenta la tutela cautelar pretendida le haya impedido participar en el procedimiento para servicios en competencia cursado por el Operador recurrido, lo cual provoca la improcedencia de otorgar lo solicitado, ampliado además por las siguientes razones: • Al momento de rendirse el presente informe la empresa recurrente, registrada y constituida conforme a las leyes nacionales, tuvo la oportunidad de participar en el procedimiento especial de servicios en competencia, para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-0000230000400001. Incluso conforme ha quedado demostrado líneas atrás, la empresa manifestó su total entendimiento y conformidad a los requisitos regulados en el pliego de condiciones, sin reserva o protesta alguna. • La inexistencia del daño que ha mencionado en constantes ocasiones para solicitar incluso la protección mediante suspensión cautelar, toda vez que su participación en un proceso de la más amplia concurrencia que permitiría dos resultados, la adjudicación o la no adjudicación, tomando en cuenta no sólo las reglas fijadas con antelación para la contratación. • Las prerrogativas del Operador contratante mediante procedimiento especial para servicios en competencia para valorar si en el caso concreto terminará el procedimiento en forma normal con la adjudicación, o en forma anormal, mediante otra decisión. • La participación constituye una mera expectativa y el resultado no puede reputarse como un daño irreparable tal cual quiere hacerlo ver la empresa recurrente. • Es improcedente la posición de pretender una adjudicación perpetua basada en relaciones jurídicas preexistentes al procedimiento especial en competencia o que debe resultar favorecida e indemnizada previo resultado final del procedimiento de concurso. • Esta posición resulta contraria a los fines del procedimiento especial de servicios en competencia en curso, y la improcedencia de pretender una contratación ad perpetuam con el Operador contratante lo cual conforme al Ordenamiento jurídico en materia de contratación pública también resultaría antijurídico. PETITORIA Con fundamento en los hechos invocados, pruebas ofrecidas y consideraciones jurídicas señaladas, solicito que en sentencia se declare: 1.- Que mi representada no puede ser impedida de participar en el citado concurso público introduciendo cláusulas de imposible cumplimiento para ella, porque ello viola los derechos fundamentales a la libre competencia, la igualdad de trato y la prohibición de la discriminación exclusivamente por razones ideológicas y de nacionalidad. 3.- Reitero la solicitud de condenatoria al ICE al pago de los daños y perjuicios y costas de esta acción”. Respuesta. No es cierto que en la especie se le haya impedido participar, lo que en consecuencia no amerita otorgar a la empresa recurrente la tutela cautelar que ha solicitado, por las siguientes razones: • Al momento de rendirse el presente informe la empresa recurrente tuvo la oportunidad de participar en el procedimiento especial de servicios en competencia, para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, mismo que fue cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023-0000400001. Incluso conforme ha quedado demostrado líneas atrás, la empresa manifestó su total entendimiento y conformidad a los requisitos regulados en el pliego de condiciones, sin reserva o protesta alguna. • La inexistencia del daño que ha mencionado en constantes ocasiones para solicitar incluso la protección mediante suspensión cautelar, toda vez que su participación en un proceso de la más amplia concurrencia permitiría dos resultados, la adjudicación o la no adjudicación, tomando en cuenta no sólo las reglas fijadas con antelación para la contratación. • Las prerrogativas del Operador contratante mediante procedimiento especial para servicios en competencia para valorar si en el caso concreto terminará el procedimiento en forma normal con la adjudicación, o en forma anormal, mediante otra decisión. • La participación constituye una mera expectativa y el resultado no puede reputarse como un daño irreparable que debe ser indemnizado o resarcido tal cual quiere hacerlo ver la empresa recurrente. • Es improcedente la posición de que su empresa debe mantener una adjudicación perpetua, o que debe resultar favorecida previo procedimiento de concurso. • Esta posición enerva la finalidad del procedimiento especial de servicios en competencia en curso, y la improcedencia de pretender una contratación ad perpetuam con el Operador contratante lo cual jurídicamente no procede. PETITORIA Con fundamento en los hechos y fundamentos expuestos se solicita a esta Honorable Sala Constitucional de la Corte Suprema de Justicia: 1. Acoger, en todos sus extremos, el presente informe que atiende la audiencia conferida mediante Resolución de las 14:39 horas del 15 de diciembre de 2023 dentro del expediente electrónico N° 23-023887-0007-CO, en el cual se conoce recurso de amparo interpuesto por [Nombre 002]. en contra del Instituto Costarricense de Electricidad 2. Declarar sin lugar, en todos sus extremos, el recurso de amparo interpuesto por la empresa [Nombre 002]. en contra del Instituto Costarricense de Electricidad (ICE), dentro del expediente electrónico N° 23-023887- 0007-CO. 3. Declarar, sin lugar, en todos sus extremos, la medida cautelar solicitada por la empresa [Nombre 002]. en contra del Instituto Costarricense de Electricidad (ICE) a efectos de suspender el en el procedimiento especial de servicios en competencia, para contratar “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas (SICOP) y registrado con el expediente electrónico número 2023XE-000023- 0000400001. 4. Declarar inadmisible, en todos sus extremos, la acción de inconstitucionalidad interpuesta por la empresa [Nombre 002]. en contra del Decreto Ejecutivo 44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” publicado en La Gaceta del 31 de agosto de 2023, según expediente 23-025158-0007-CO, dada la verdad objetiva, rigurosidad técnica, lógica y científica de dicha normativa, y en virtud de la improcedencia de la medida cautelar solicitada a la cual se sujeta dicha pretensión”.

25.- Por escrito incorporado al expediente digital el 10 de enero de 2024, se apersona Silvia Patricia Castro Montero, en su condición de presidenta de la Cámara Costarricense Norteamericana de Comercio (Amcham). Indica que formula coadyuvancia pasiva en este proceso, con base en los siguientes motivos: “INTERÉS INDIRECTO EN EL OBJETO DEL PROCESO AMCHAM es una Cámara Privada del Sector Comercio. En dicha condición, mi representada mantiene un interés indirecto en relación con la seguridad de los usuarios de los futuros servicios de telecomunicaciones de quinta generación, así como las consecuencias que derivarían de la eventual declaratoria con lugar del recurso. Consiguientemente, mi representada se presenta en esta oportunidad como coadyuvante en defensa de los intereses del recurrido, a quien le asiste el derecho de ejecutar los procesos de contratación pública para prestar los servicios de telecomunicaciones de quinta generación a sus usuarios. Sobre el tema de fondo, en fecha 18 de septiembre de 2023, AMCHAM emitió un comunicado de prensa, que se adjunta como referencia, en el cual destacó nuestra creencia de que “la implementación de 5G debe darse bajo tres grandes principios: celeridad, respeto a las disposiciones legales y seguridad”. En ese contexto, nuestro enfoque en la seguridad considera lo siguiente: •Es necesario incluir consideraciones rigurosas de seguridad en la regulación de las redes 5G. Costa Rica se ha beneficiado enormemente de su atractivo para la inversión extranjera directa. AMCHAM representa tanto a empresas multinacionales responsables de la creación de decenas de miles de empleos costarricenses, así como a algunas de las empresas nacionales más exitosas de Costa Rica. El adecuado tratamiento de los datos personales y de las empresas es esencial para preservar el dinámico entorno empresarial y el atractivo de nuestro país para la inversión extranjera directa (IED). • El éxito de Costa Rica en atraer industrias de alta tecnología ha hecho que la protección de datos empresariales sea más esencial que nunca. AMCHAM colabora estrechamente con MICIIT, COMEX y otras entidades gubernamentales para promover a Costa Rica como destino para industrias como semiconductores, dispositivos médicos y ciberseguridad. Todos estos sectores dependen de la protección de la información comercial propiedad intelectual y los esfuerzos de investigación y desarrollo. Las extraordinarias capacidades de las redes 5G facilitarán el crecimiento en todos estos sectores, pero también traerán consigo riesgos que deben ser gestionados adecuadamente a través de directrices de seguridad. • Las redes 5G también transformarán la forma en que los ciudadanos costarricenses interactúan con instituciones educativas, médicas y gubernamentales. Las redes que habilitan estos servicios esenciales, y gestionan los datos sensibles personales de los ciudadanos, deben ser fiables. • El enfoque en las consideraciones de seguridad para las redes 5G es coherente con las decisiones tomadas por los principales socios económicos de Costa Rica. Países como Estados Unidos, Reino Unido, Japón y varios estados miembros de la Unión Europea han tomado medidas para garantizar la seguridad actual y futura de sus redes 5C. En cada caso, los detalles del enfoque se adaptan a las consideraciones jurídicas nacionales, pero tienen el objetivo común de garantizar que el equipo y software que respaldan los servicios esenciales no presenten riesgos. •También observamos que el país tiene experiencia de primera mano con este desafío. Los ataques de ransomware contra instituciones gubernamentales en 2022 fueron muy perjudiciales para las empresas, le costaron millones de dólares a los contribuyentes y subrayaron la importancia de garantizar que la tecnología de la información y las comunicaciones del país sea confiable y segura. En ese contexto se transcribe el comunicado de prensa de fecha 18 de septiembre de 2023 titulado “Medidas de ciberseguridad deben ser indispensables para el despliegue de 5G en el país” , visible en sitio web https://www.amcham.cr/medidas-de-ciberseguridad-deben-ser-indispensables -para-el-despliegue-de-5g-en-el-pais/ • Generarán confianza para conservar y atraer Inversión Extranjera Directa (IED) San José, 18 de septiembre de 2023. La Cámara Costarricense - Norteamericana de Comercio (AmCham) respalda los principios rectores recientemente emitidos por el Gobierno de Costa Rica en materia de ciberseguridad, para el desarrollo de obras y servicios relacionados con la tecnología 5G en el país. AmCham considera que la implementación de 5G debe darse bajo tres grandes principios: celeridad, respeto a las disposiciones legales y seguridad. Esta tecnología debe cumplir y desplegarse con medidas fiables y rigurosas, que se rijan bajo lo dispuesto en los convenios internacionales y garanticen un adecuado tratamiento de los datos personales y de las empresas. "Desde la perspectiva empresarial, altos estándares de seguridad, precios competitivos y confiabilidad de las redes son fundamentales para garantizar el éxito y proteger la información sensible de nuestros clientes y colaboradores. Costa Rica debe recuperar el terreno perdido frente a otras naciones desarrolladas y de la región que ya han empezado a licitar y desplegar esta tecnología", detalló Silvia Castro, presidenta de AmCham. AmCham considera que el despliegue de esta tecnología debe realizarse lo más pronto posible, para mejorar el clima de inversión. La Cámara continuará colaborando con las autoridades y las empresas locales e internacionales para promover un entorno de negocios seguro y próspero en Costa Rica.” A partir de lo anterior, mi representa estima que las acciones ejecutadas por el Instituto Costarricense de Electricidad en el contexto de los procedimientos de contratación pública para adquirir equipamiento son conformes con el bloque de legalidad y las medidas de seguridad del ordenamiento vigente por lo que el reclamo planteado por el recurrente, en el mejor de los casos, debe ser revisado en la jurisdicción contencioso administrativa, no constitucional. PETITORIA Con fundamento en las razones jurídicas antes indicadas, solicito que en sentencia se declare sin lugar el recurso de amparo o en su defecto se dimensionen los efectos de la sentencia para que no reviertan sobre los procedimientos de licitación que ejecuta la entidad recurrida”.

26.- Por escrito incorporado al expediente el 11 de enero de 2024, se apersona Rubén Hernández Valle, apoderado especial judicial de la parte actora. Expone lo siguiente: “Me refiero a continuación a la comparecencia de oficio del MICITT, así como a la respuesta presentada en razón de la audiencia brindada por esa Sala para que se refiriera a los argumentos presentados por mi representada en el recurso de amparo de marras y la acción de inconstitucionalidad relacionada. I.- Generalidades 1.- El primer escrito es un vano intento de MICITT por demostrar los supuestos fundamentos técnicos del Reglamento sobre Medidas de Ciberseguridad aplicables a los Servicios de Telecomunicaciones basados en la Tecnología de Quinta Generación Móvil (5G) y Superiores, aprobado mediante el decreto ejecutivo número 44196-MSP- MICITT. En el segundo escrito, presenta argumentos en contra del fundamento jurídico y técnico de las acciones presentadas por mi representada que carecen de sentido técnico, legal y que son contrarios a la lógica más elemental. 2.- En todo caso, la intención del MICITT es clara: desviar la atención del objeto del presente amparo, que es la violación flagrante y grosera de los derechos fundamentales a la libertad de competencia y a la igualdad de participación en los concursos públicos en perjuicio de mi representada, y por otra parte tratar de encausar la discusión sobre asuntos meramente técnicos que no son de relevancia para la resolución del presente proceso, así como, aspectos que no corresponden a la verdad real. 3.-En todo caso y como consta en el expediente del recurso que nos ocupa, tanto la SUTEL como INFOCOM, dos entidades independientes y con idoneidad técnica, en sus respectivas comunicaciones, pusieron de relieve como tanto el Reglamento precitado como la licitación del ICE promovida con base en éste, violan elementales principios técnicos, sobre todo la exigencia de que los oferentes pertenezcan a países que hayan suscrito el Convenio de Budapest, así como la obligación de utilizar el estándar técnico SCS 9001. II.- El Convenio de Budapest 1.- El MICITT trata de demostrar vanamente que el Convenio de Budapest es un instrumento fundamental para la ciberseguridad del país. 2.- El MICITT admite que el Convenio de Budapest proporciona un marco legal para la cooperación internacional en materia de ciberdelito y evidencia digital. 3.- Dentro de este orden de ideas, el MICITT indica que “(1) El Convenio proporciona un marco legal para la cooperación internacional en materia de ciberdelito y evidencia digital. (2) Los Estados Parte podrán ser miembros del Comité del Convenio sobre la Ciberdelincuencia que actualmente es el organismo intergubernamental más relevante que se ocupa del ciberdelito. (3) Los Estados Parte comparten información y experiencias, evalúan la implementación del Convenio o lo interpretan a través de Notas de Orientación. (4) El Comité del Convenio sobre la Ciberdelincuencia también puede preparar Protocolos adicionales a este tratado. Por lo tanto, incluso si un Estado no participó en la negociación del tratado original, un nuevo Estado Parte podrá participar en la negociación de futuros instrumentos y la futura evolución del Convenio de Budapest. (5) Los Estados Parte del Convenio se comprometen entre sí para una cooperación confiable y eficiente. MICITT-DM-OF-1099-2023 DESPACHO MINISTERIAL 185. (6) Los Estados Parte que soliciten la adhesión o que se hayan adherido pueden convertirse en países prioritarios para los programas de creación de capacidad. Dicha asistencia técnica es para facilitar la plena aplicación del Convenio y mejorar la capacidad de cooperación internacional. Es así como el Reglamento en estudio introduce elementos”. 4.- Si se leen con detenimiento tales argumentos ninguno rebate nuestra afirmación de que el Convenio de Budapest NO TIENE NADA QUE VER COMO UN ESTANDAR DE CIBERSEGURIDAD. Tanto la SUTEL como el INFOCOM llegaron a la misma conclusión. 5.- En ese mismo sentido, como se indicó anteriormente la propia SUTEL e INFOCOM confirmaron con total objetividad e idoneidad técnica que el Convenio de Budapest no tiene ninguna vinculación que justifique su imposición como requisito para los operadores y proveedores de telecomunicaciones en Costa Rica en materia de ciberseguridad y mucho menos en el desarrollo e implementación de la tecnología 5G en el territorio nacional. Esto puede ser fácilmente comprobado en los informes presentados por INFOCOM en fecha 5-12-2023, página 8 del informe presentado (Archivo en pdf) y presentado por la SUTEL en fecha 07-12-2023, especialmente páginas 1 a la 5, 11-12, 18 a la 20, y 32). 6.- Por tanto, todo lo que diga el MICITT al respecto es simple conjetura subjetiva al respecto. III.- El estándar técnico SCS 9001 1.- En este caso, la argumentación del MICITT es más amplia y tiende supuestamente a demostrar, lo cual desde luego no consigue, que se trata de un standard técnico maduro, como dicen los especialistas en la materia. 2.- Sin embargo, no lo logran tal y como queda demostrado en el dictamen técnico que ofrecemos como prueba para mejor resolver (Análisis Técnico del Standard SCS9001 elaborado por el Ing. Francisco Vargas Navarro, MSc, MED, vicepresidente de la Junta Directiva del Colegio de Profesionales en Informática y Computación). 3.- El SCS9001 tiene una base de discriminación geopolítica. Nada de lo que alegan en la argumentación del MICITT puede ocultar la existencia del capítulo 4.2.SC.2, dedicado a la evaluación de factores geopolíticos, de los países de origen del fabricante, como parámetro de medición del nivel de confianza de un proveedor. El estándar exige el cumplimiento de criterios que no son técnicos y escapan totalmente del alcance de acción de una empresa privada ya que son factores geopolíticos, que vale la pena notar, son los impulsados por el gobierno de los Estados Unidos de manera unilateral. 4.- El dictamen técnico denominado “Análisis técnico del Estándard SCS900”, elaborado por el perito Ing. Francisco Vargas Navarro, MSc., MEd, Vicepresidente del Colegio de Profesionales en Informática y Computación, que ofrecemos como prueba para mejor resolver, coincide con nuestra argumentación. El citado informe técnico concluye de manera terminante que “Basado en el análisis anterior, llegamos a las siguientes conclusiones puntuales: a) El estándar SCS9001 utiliza el criterio de origen geográfico de manera incorrecta, errada, sin aplicar ningún criterio técnico válido; b) Es un error el cambiar el esquema actual por el novel SCS9001; c) El estándar SCS9001 es totalmente inmaduro, carece de experiencia en el mercado mundial; d) El estándar SCS9001 no se ha usado en nuestro ecosistema digital móvil; e) El reemplazo del esquema actual por el estándar SCS9001 no obedece a criterios técnicos; f) El estándar SCS9001 no cuenta con suficientes proveedores de capacitación; g) Las diferentes organizaciones técnicas especializadas del país no recomiendan el cambio; h) El estándar SCS9001 apenas se encuentra en su fase de prueba y corrección; i) Dado el corto tiempo que tiene de estar activo, no contamos con estadísticas y /o métricas confiables del desempeño del estándar SCS9001” (Páginas 8 y 9). 5.- El gobierno costarricense es el primero en Latinoamérica que obliga a los proveedores a cumplir con e estándar SCS9001, tal cual lo menciona la misma TIA en su página WEB (https;//tiaonline.org/press- release/costa rica- takes-bold-and-decisive-stance-on-cybersecurity) y resulta incierta su aplicación en el resto del mundo, por falta de información y entendimiento que rodean al mismo. IV.- De la participación de Huawei en el concurso especial promovido por el ICE para “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, cursado en la plataforma del Sistema Integrado de Compras Públicas 1.- Sobre este tema en particular, es preciso aclarar que en efecto Huawei presentó su oferta en el procedimiento especial de contratación número 2023XE000023-0000400001 como evidencia concreta del “Interés Actual y Tangible” que ostenta como empresa proveedora de infraestructura de telecomunicaciones para la implementación de la tecnología 5G, la cual es objeto de la contratación. Como se establece en el extracto que el mismo Ministerio citó de la resolución del No.00336-2020 del 25 de junio del 2020, en el cual se indica que un oferente “lo que ostenta frente a la licitación es un interés legítimo en resultar adjudicataria (...)” 2.- No obstante lo anterior, deseamos hacer hincapié en el hecho de que la participación de HUAWEI en dicho concurso, por ningún motivo omite y/o subsana la violación de los principios de libre participación en igualdad de condiciones y libre competencia (de orden constitucional en materia de contratación pública). Esto porque toda vez que estos principios están siendo quebrantados en forma tangible y flagrante durante el procedimiento de contratación a raíz de la aplicación decreto ejecutivo número 44196-MSPMICITT. 3.- Lo anterior, debido a que el ICE prefijo requisitos discriminatorios contra mi representada y demás empresas, cuyos fabricantes sean de origen chino, ello con base en la aplicación del decreto ejecutivo número 44196-MSP- MICITT, que también es objeto de control constitucional en la acción de inconstitucionalidad, planteada por esta representación y que se cursa bajo el expediente 23-025158-007-CO. Como se puede verificar en el mismo escrito del recurso de objeción al pliego de condiciones que presentó el MICITT, se impugnaron expresamente las condiciones cartelarias que se fundamentan en las normas de Decreto de reiterada cita que lesiona los derechos fundamentales de mi representada y que son inconstitucionales. Por lo tanto, no se puede interpretar, como lo pretende hacer ver el Ministerio, que mi representada no ha tomado las acciones legales necesarias para la protección de sus derechos y de la constitucionalidad del ordenamiento jurídico. 4.- Realmente lo que pretende el MICITT con su informe es deslegitimar a mi representada con argumentos burdos y sin ninguna lógica elemental. EL Ministerio pretende enredar a ese honorable Tribunal con el supuesto argumento que el decreto ejecutivo número 44196-MSP- MICITT no es aplicación directa a Huawei por presuntamente no ser un operador de redes habilitado por la SUTEL. Cuando resulta notorio que el propio Decreto tiene como fin obligar a los operadores a aplicar criterios arbitrarios para excluir proveedores de infraestructura de telecomunicaciones de origen chino como HUAWEI, o de cualquier otro país que no haya suscrito o tenga intención de suscribir el Convenio de Budapest. Así lo dispone el inciso e) del artículo 10 del Decreto de reiterada cita y objeto de la acción de inconstitucionalidad de referencia. 5.- Realmente lo que pretende el MICITT con su informe es deslegitimar a mi representada con argumentos burdos y sin ninguna lógica elemental. EL Ministerio pretende enredar a ese honorable Tribunal con el supuesto argumento que el decreto ejecutivo número 44196-MSP- MICITT no es aplicación directa a Huawei por presuntamente no ser un operador de redes habilitado por la SUTEL. Cuando resulta notorio que el propio Decreto tiene como fin obligar a los operadores a aplicar criterios arbitrarios para excluir proveedores de infraestructura de telecomunicaciones de origen chino como HUAWEI, o de cualquier otro país que no haya suscrito o tenga intención de suscribir el Convenio de Budapest. Así lo dispone el inciso e) del artículo 10 del Decreto de reiterada cita y objeto de la acción de inconstitucionalidad de referencia. 6.- Asimismo, es necesario aclarar el falso argumento señalado por el Ministerio respecto a que Huawei presentó su oferta al concurso licitatorio precitado y promovido por el ICE, supuestamente alegando que cumple a la perfección con todos los criterios impuestos por el Decreto de Ciberseguridad en cuestión. Cuando lo cierto es que, mi representada presentó su oferta en razón de su interés legítimo, actual y tangible en el objeto de la contratación. Pero precisamente, por eso desde antes del sometimiento de las ofertas a concurso fue que buscó el amparo de sus derechos fundamentales ante esta Sala Constitucional y solicitó la medida cautelar pendiente de resolución. Esto con el fin de que se evite la aplicación de las condiciones del pliego de dicho procedimiento que violentan los derechos fundamentales de igualdad de participación y libre competencia. Es impensable que si no se acoge la medida cautelar solicitada, o el recurso de amparo de marras, el ICE en el proceso de evaluación de las ofertas procederá a aplicar a la oferta de mi representada los criterios arbitrarios impuestos por el decreto ejecutivo número 44196-MSPMICITT, toda vez que con base en el cartel exigirá cumplir con la Adhesión al Convenio de Budapest y la certificación del estándar SCS9001 ya mencionados. 7.-Como se evidencia en la misma transcripción parcial de la respuesta al pliego de condiciones en la oferta de mi representada en el procedimiento de contratación de reiterada cita, no es cierto que Huawei declaró bajo fe de juramento cumplir con los requisitos cuestionados en las acciones que nos ocupan. 8.- En cuanto a la declaración jurada requerida en el punto 3.4 del pliego de condiciones, la respuesta fue la siguiente: “3.4. El oferente deberá presentar una declaración jurada en donde se indique su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Para lo cual deberá adjuntar la documentación de respaldo. El ICE se reserva el derecho de verificar la validez de la información aportada. Respuesta: Entendemos. Huawei cumple totalmente con los estándares de ciberseguridad y mejores prácticas de la industria para el resguardo e integridad de la información. El Convenio de Budapest no se refiere a un estándar de ciberseguridad para redes móviles 5G o similares”. (El resaltado es nuestro) 9.- Como se evidencia y se puede comprobar con ver nuestra oferta en el expediente electrónico en SICOP, la respuesta fue precisamente lo que se ha argumentado tanto por mi representada, como por la SUTEL e INFOCOM, respecto a que el Convenio de Budapest no se refiere a un estándar de ciberseguridad. Pero esta manifestación aclaratoria en nuestra oferta, no constituye de ninguna forma la declaración jurada requerida en esa cláusula del pliego de condiciones. Lo mismo sucede con el requerimiento de la certificación SCS 9001, en la cual se indica expresamente lo siguiente: “(…) SCS 9001: Huawei cumple y adopta totalmente con los requerimientos técnicos de este estándar siguiendo las mejores prácticas de la industria, lo cual se demuestra a través de las certificaciones (ISO9001, ISO27001, ISO28000 y NESAS). Se adjuntan certificaciones en el Anexo #10.” 10.- Es decir, se declaró en nuestra oferta que mi representada cumple con los requerimientos técnicos, pero a través de las certificaciones ISO9001, ISO27001, ISO28000 y NESAS, que son lo certificados reconocidos en la industria a nivel mundial, como se ha demostrado tanto por la prueba presentada por Huawei, como por los señalado por SUTEL e INFOCOM. 11.- Como se desprende con meridiana claridad, es falso que mi representada haya declarado bajo fe de juramento, ni de ninguna otra forma, que se acoge plenamente a las condiciones del pliego de condiciones que lesionan sus derechos fundamentales y que son contrarias a los principios constitucionales que regulan la contratación pública. 12.- Todo esto ha sido realizado por el MICITT con el único afán de desviar la atención del objeto del proceso, al no poder justificar de forma objetiva, idónea y técnica los motivos que subyacen la imposición de requisitos arbitrarios para los proveedores de telecomunicaciones, tales como la Convención de Budapest y la certificación del SCS9001 que a fin de cuentas fueron fijados por el Gobierno con el único fin de excluir a las empresas asiáticas, como HUAWEI, de participar y competir en igualdad de condiciones con resto de proveedores que existen en el mercado de telecomunicaciones para la implementación de la tecnología 5G en el país. 13.- De forma irrisoria y pareciera que con un humor sarcástico, el Ministerio indica que la restricciones del Decreto no le aplican a mi representada por ser una sociedad costarricense. Pero lo que no dice es que el mismo decreto en el inciso e del artículo 10 expresamente señala que las restricciones establecidas por el Decreto le aplican a los “suministradores de hardware y software que tengan su sede en un país que no ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest)”. 14.- Como es público y notorio a nivel mundial, como se ha señalado y comprobado con la documentación presentada en el amparo y acción de inconstitucionalidad que nos ocupa, así como en la oferta del concurso promovido por el ICE, la casa matriz de mi representada y fabricante de los equipos, [Nombre 002], tiene su sede principal en la República Popular de China, la cual no ha manifestado su consentimiento de obligarse al Convenio de Budapest. V.- Conclusiones 1.- De lo dicho se concluye, sin ningún género de dudas, que tanto el decreto ejecutivo 44196- MSP- MICITT como el pliego de la licitación pública promovida por el ICE para la adquisición de la tecnología 5 G, violan los derechos fundamentales de Huawei a la libre competencia y a la igualdad de participación en los concursos públicos, dado que le imponen satisfacer dos requisitos que no son necesarios para escoger la mejor oferta técnica. 2.- En efecto, el requisito de que el país donde sea originario el oferente esté adherido al Convenio de Budapest es absurdo y contrario a la lógica más elemental, pues ese Convenio, como está demostrado hasta la saciedad, NO TIENE RELACIÓN ALGUNA CON UN ESTANDAR DE CIBERSEGURIDAD. 3.- En cuanto a la exigencia de que los oferentes cumplan con el standard técnico SCS 9001 no es de recibo por cuanto, en primer lugar, no fue diseñado para aplicarlo al escenario particular de las redes 5G; en segundo lugar, es irresponsable cambiar un protocolo de seguridad maduro por uno que se encuentra en fase de experimentación, así como demás argumentos expuestos arriba en este escrito. 4- Los argumentos presentados por el Ministerio en respuesta a la audiencia otorgada por ese honorable Tribunal, como se ha demostrado de forma fehaciente, carecen de todo fundamento jurídico, técnico, lógica y son contrarios a la verdad real. 5.- Recordemos las sabias palabras del maestro costarricense del Derecho Administrativo, don Eduardo Ortiz Ortiz, de grata memoria, que solía decir “ frente a la técnica no hay discrecionalidad”, así como que “a la Administración le está prohibido hacer empíricamente lo que debe hacer técnicamente”. En consecuencia, solicitamos se desestime en todos sus extremos por falta de legitimación, fundamento lógico, técnico y jurídico las petitorias señaladas en sendos escritos por el MICITT. Asimismo, que se declare el presente amparo con lugar en todos sus extremos”.

27.- Por escrito incorporado al expediente digital el 15 de enero de 2024, se apersona Rubén Hernández Valle, en su condición de apoderado especial judicial de la parte actora. Indica que la certificación notarial del Análisis Técnico del Estándar SC 9001 consignó por error material emitida por la vicepresidencia del Colegio de Profesional en Informática y Computación; sin embargo, aclara que tal documento fue emitido por Francisco Vargas Navarro, en su calidad personal como perito de la compañía FVNcr.org. Señala que el notario público efectuó la corrección correspondiente.

28.- Por escrito incorporado al expediente digital el 16 de enero de 2024, se apersona Paula Bogantes Zamora, ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones. Pide: “Se confiera audiencia oral al presente Ministerio en los términos del artículo 10 de la Ley de la Jurisdicción Constitucional, a los efectos de que la suscrita formule ante los señores magistrados una serie de aspectos relacionados a la emisión del Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, publicado en Alcance Nº 166 a La Gaceta Nº159 del 31 de agosto de 2023. Lo anterior, en el contexto de la impugnación interpuesta por parte de la empresa [Nombre 002]., aspectos que merecen dilucidarse previo al dictado de la resolución final del caso concreto”. Manifiesta: “A los efectos de lo solicitado, respetuosamente hago del conocimiento de los señores Magistrados, que estaré fuera del país atendiendo compromisos propios de mi cargo del sábado 20 de enero de 2024 al jueves 25 de enero de 2024. Por lo anteriormente indicado, señalo mi disponibilidad para atender la audiencia oral en los días del 16 al 18 de enero de 2024 y del 26 de enero 2024 en adelante, en la fecha que su Autoridad lo disponga”.

29.- Por escrito incorporado al expediente digital el 16 de enero de 2024, se apersona Paula Bogantes Zamora, ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones. Solicita: “Se reciba y se tenga como prueba dentro del Recurso de Amparo que se tramita mediante el expediente Nº 23-023887-0007-CO de esa Honorable Sala, la certificación de correo electrónico, de fecha 15 de enero de 2024, suscrita por el señor Gezer Molina Colomer, con cédula de identidad N° 1-1239-0030, Director de Ciberseguridad del MICITT, que se adjunta al presente escrito, y mediante la cual se certifica la autenticidad del correo electrónico enviado a las 10:08 horas del 14 de enero de 2023 entre otros al correo electrónico oficial del MICITT del señor Molina Colomer: [email protected], remitido por el señor Francisco Vargas Navarro, con cédula de identidad N° 9-0099-0713, y mediante el cual el señor Vargas Navarro aclaró que suscribió el documento denominado “ANÁLISIS TÉCNICO DEL ESTÁNDARD SCS9001” de fecha 11 de diciembre de 2023, a título personal, y no como Vicepresidente de la Junta Directiva del Colegio de Profesionales en Informática y Computación (CPIC), como se indicó en el citado documento, que fuera certificado por el Notario Público Roberto José Esquivel Cerdas, carné N° 6910, según certificación de copias realizada el 11 de enero de 2024, realizada a solicitud de la empresa [Nombre 002]., con cédula de persona jurídica N° [Valor 001], presentada ante este Tribunal como prueba dentro del Recurso de Amparo. Lo anterior a efecto de que no se considere que dicho documento fue emitido como posición oficial de dicho profesional en nombre del Colegio de Profesionales de Informática y Computación”.

30.- Por escrito incorporado al expediente digital el 17 de enero de 2024, se apersona Natalia Díaz Quintana, ministra de la Presidencia. Menciona lo siguiente:“En atención al oficio MICITT-DM-OF-026-2024, de fecha 15 de enero de los corrientes, se informa a este Despacho, acerca del recurso de amparo, tramitado bajo el Expediente 23-023887-0007-CO, contra el Decreto Ejecutivo 44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de las telecomunicaciones en la tecnología de quinta generación móvil (5G) y superiores” y somete a mi consideración la necesidad que la Dirección de Inteligencia y Seguridad Nacional (DIS) se apersone en los términos del artículo 10 de la Ley de Jurisdicción Constitucional, Ley No. 7135, con el fin de formular aspectos relacionados al ámbito de seguridad nacional. En ese sentido, teniendo en cuenta lo indicado en el Informe Técnico que les fuera remitido el pasado 13 de diciembre de 2023, mediante número de documento, MICITT-DM-OF-1099-2023, y suscrito por la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, Paula Bogantes Zamora, que señala en lo que interesa: “(…) La implementación de las redes 5G ha generado preocupaciones sobre la seguridad nacional, pues existe la posibilidad de que información confidencial y sensible pueda ser interceptada y utilizada por agentes extranjeros de manera no autorizada, o bien que estas redes sean vulneradas para afectar la seguridad pública. Por esta razón, el resguardo de la seguridad nacional debe ser una prioridad en la implementación de las redes 5G, y el Gobierno debe trabajar en estrecha colaboración con los operadores y proveedores para garantizar la seguridad y la integridad de la información que se transmite a través de estas redes. (…)” Debe considerarse, en lo relacionado a las preocupaciones externadas por el MICITT, que la DIS es el “(…)órgano informativo del Presidente de la República, en materia de seguridad nacional (…)” y le otorga atribuciones de: “(…) a) Detectar, investigar, analizar y comunicar al Presidente de la República o al Ministro de la Presidencia, la información necesaria para prevenir hechos que impliquen riesgo para la independencia o la integridad territorial o pongan en peligro la estabilidad del país y de sus instituciones. (Artículos 13 y 14 de la Ley 7410, Ley de Policía) Es por ello que, en razón de esas competencias, la DIS es la instancia informativa del Presidente de la República en materia de Seguridad Nacional, no obstante, de acuerdo con el artículo 1 del Reglamento de organización y funcionamiento de la Dirección de inteligencia y Seguridad Nacional, Decreto Ejecutivo Nº 32522, se encuentra subordinada administrativa y presupuestariamente al Ministerio de la Presidencia. Que debido a lo anterior y ante el requerimiento girado por el Ministerio de Ciencia y Tecnología y Telecomunicaciones, con todo respeto solicito a los honorables Magistrados de la Sala Constitucional, considerar conferir audiencia oral y privada a su Director, señor Jorge Torres Carrillo, con el fin que exponga aspectos de importancia relacionados al presente proceso y que guardan estrecha relación con hechos que puedan afectar la seguridad nacional, integridad territorial y/ o la estabilidad del país y de sus instituciones”.

31.-Por escrito incorporado el expediente digital el 17 de enero de 2024, se apersona Rubén Hernández Valle, apoderado especial judicial de la parte acota. Manifiesta: “Me refiero a los escritos de MICITT y del Ministro de la Presidencia. I.- Los escritos del MICITT 1.- En el primero de ellos, se solicita que se ordene una comparecencia pública al tenor de lo dispuesto en el artículo 10 de la LJC. 2.- En los recursos de amparo el otorgamiento de la audiencia es potestativo y sólo en casos muy calificados procede. 3.- En el presente caso, la audiencia se pide para referirse al decreto ejecutivo C44196-MSP- MICITT, el cual, sin embargo, no es objeto de este proceso. Lo que aquí se impugna es el acto del ICE que abrió el proceso licitatorio. 4.- La validez del citado decreto se impugna en la acción de inconstitucionalidad, que es el proceso en que eventualmente cabría la audiencia. Sin embargo, en este caso tampoco procedería otorgar la audiencia por la sencilla razón de que ni siquiera se le ha dado trámite. 5.- Por tanto, la solicitud de audiencia resulta jurídicamente impertinente. 6.- Por otra parte, llama la atención la impertinencia de la señora Ministra que exige a la Sala ajustarse a su agenda. Nunca se ha visto que un tribunal tenga que acomodar su agenda a la de los otros funcionarios públicos que tienen casos pendientes ante ella. En el fondo, tal solicitud es una falta de respeto para los integrantes de esa Sala. 7.- En cuanto a la certificación aportada en el segundo escrito, ya mi representada aclaró el error que contenía la certificación original, por lo que este documento resulta también impertinente. II.- El escrito del Ministro de la Presidencia 1.- Con una desfachatez sin límites solicita UNA AUDIENCIA PRIVADA para el Director de la DIS. En ningún tribunal costarricense tales audiencias son posibles, pues siempre tiene que estar presente la contraparte. De lo contrario, se podría especular que en ella se harán proposiciones indebidas. 2.- Al igual que lo dijimos en el acápite anterior, en este amparo no se está discutiendo el tema de la ciberseguridad, sino única y exclusivamente, la violación de los derechos de libre competencia e igualdad de participación en un concurso público promovido por el ICE. 3.- El tema de la ciberseguridad se discute en la acción de inconstitucionalidad y no de presente recurso de amparo. Por consiguiente, tal audiencia privada es jurídicamente improcedente. III.- Conclusión 1.- La solicitud de audiencias públicas y privadas, sin ningún fundamento jurídico, sólo tiene una finalidad muy clara: evitar que la Sala falle sobre el fondo y, de esa manera, sigan transcurriendo los plazos legales y reglamentarios para que el ICE realice la admisibilidad jurídica de las ofertas y deje a Huawei fuera de la licitación porque en este momento no cumple con dos requisitos inconstitucionales que contiene el cartel y que violan flagrantemente los derechos fundamentales de mi representada a la libre competencia y a la igualdad de participación en la licitación del ICE objeto de este recurso de amparo”.

32.- Por escrito incorporado al expediente digital el 17 de enero de 2024, se apersona Mario Zamora Cordero, ministro de Seguridad Pública. Pide:“Se confiera audiencia oral al presente Ministerio en los términos del artículo 10 de la Ley de la Jurisdicción Constitucional, a los efectos de que el suscrito formule ante los señores magistrados una serie de aspectos relacionados a la emisión del Decreto Ejecutivo Nº44196-MSP-MICITT “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, publicado en Alcance Nº 166 a La Gaceta Nº159 del 31 de agosto de 2023. Lo anterior, en el contexto de la impugnación interpuesta por parte de la empresa [Nombre 002]., aspectos que merecen dilucidarse previo al dictado de la resolución final del caso concreto. A los efectos de lo solicitado, quedo atento para la convocatoria que su Autoridad disponga”.

33.- Por escrito incorporado al expediente digital el 18 de enero de 2024, se apersona Rubén Hernández Valle, apoderado especial judicial de la parte actora. Expone lo siguiente: “Me refiero nuevamente a los escritos de MICITT y del Ministro de la Presidencia y a la petición del Ministerio de Seguridad Pública. 1.- La última petición de audiencia oral no procede porque el Ministerio de Seguridad desea referirse al tema de la ciberseguridad, el cual no es objeto de este proceso. Por tanto, carece totalmente de sentido jurídico que se otorgue una audiencia para referirse a un tema que no es objeto de discusión en este recurso de amparo. 2.- Esa audiencia podría tener sentido en la acción de inconstitucionalidad poruq en ella sí se discute el tema de la ciberseguridad. 3.- En realidad ninguna de sus solicitudes pueden tomarse en consideración porque, además de las razones jurídicas anteriores, ni el MICITT ni el Ministerio de la Presidencia ni el Ministerio de Seguridad son partes en este proceso. 4.- Se trata de terceros que se apersonaron en autos sin ser titulares de un interés legítimo en los términos del artículo 35 de la LJC, dado que la sentencia que recaiga en autos no tendrá ningún efecto ni a favor ni en contra de esos Ministerios. 5.- En efecto, ninguno de ellos es parte en el proceso licitatorio y, por ende, del presente proceso de amparo”.

34.-Por escrito incorporado al expediente digital el 18 de enero de 2024, se apersona Paula Bogantes Zamora, ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones. Pide que se tenga por incorporado a este expediente el informe técnico MICITT-DGDCFD-DRII-INF-0058-2024, de fecha 16 de enero de 2024, para el análisis relativo al peritaje “Análisis Técnico del Estándar SCS 9001” suscrito por el Ing. Francisco Vargas Navarro.

35.- Por escrito incorporado al expediente digital el 22 de enero de 2024, se apersona Rubén Hernández Valle, apoderado especial judicial de la parte actora. Manifiesta lo siguiente: “1.- Planteo solicitud de pronto despacho, dado que el viernes 26 vencerá el plazo para presentar aclaraciones en la licitación del ICE objeto de este recurso de amparo, la cual es fase previa para emitir el acto de adjudicación. 2.- Si dentro de dicho plazo no se presentan las aclaraciones regidas por las condiciones cartelarias sustentadas en el Decreto Nº 44196- MSP-MICITT, objeto de la respectiva acción de inconstitucionalidad, su aplicación de forma automática representará la materialización de la violación de los derechos fundamentales de mi representada objeto de este recurso de amparo”.

36.- Por escrito incorporado al expediente digital el 23 de enero de 2024, se apersona Marco Vinicio Acuña Mora, presidente ejecutivo del ICE. Manifiesta: “me permito aportar de manera oficiosa las solicitudes de criterio técnico que este Instituto ha requerido mediante los oficios Nº 0060-0021-2024, 0060-0022-2024 y 0060-0023-2024 al Consejo Nacional de Seguridad Pública, el Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones (MICITT) y la Agencia de Protección de Datos de los Habitantes (PRODHAB), que se explican a continuación: I. CONTEXTO A. SOLICITUD DE CRITERIO TÉCNICO AL CONSEJO NACIONAL DE SEGURIDAD PÚBLICA Mediante oficio Nº 0060-0023-2024 del 23 de enero de 2024 se solicitó al Consejo Nacional de Seguridad Pública que se pronuncie sobre las acciones que en materia de política pública se están llevando a favor de la seguridad nacional, y que han fundamentado la emisión del “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, publicado en fecha 31 de agosto de 2023 en el Diario Oficial La Gaceta, Decreto Ejecutivo Nº44196-MSP-MICITT. B. SOLICITUD DE CRITERIO TÉCNICO AL MICITT COMO AUTORIDAD RECTORA Mediante oficio Nº 0060-0022-2024 del 23 de enero de 2024 se solicitó al Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones (MICITT), en su condición de Entre Rector, que se pronuncie en relación con las potenciales implicaciones económicas para el Sector Telecomunicaciones y el país, en caso de que se suspenda o imposibilite la operación de redes y la prestación de servicios basados en la tecnología de quinta generación móvil (5G) y superiores en el país. C. SOLICITUD DE CRITERIO TÉCNICO-JURÍDICO A PRODHAB Mediante oficio Nº 0060-0021-2024 de fecha 23 de enero de 2024 se solicitó criterio técnico y jurídico a la Agencia de Protección de Datos de los Habitantes (PRODHAB), para que a partir de lo dispuesto en la Ley de Protección de la Persona frente al tratamiento de sus datos personales, Ley Nº 8968, y en el ámbito de sus funciones administrativas, se refiera a la importancia del Decreto Ejecutivo Nº44196-MSP-MICITT y sus disposiciones, para la protección de datos personales en lo que respecta a la operación de redes y la prestación de servicios basados en la tecnología de quinta generación móvil (5G) y superiores por parte de los operadores de redes y a favor del régimen jurídico de protección de los derechos e intereses legítimos de los usuarios finales. Dado que las disposiciones del Decreto antes citado derivan en una jerarquía legal a partir de las disposiciones del artículo 42 de la Ley General de Telecomunicaciones, Ley Nº 8642, el cual regula las medidas técnicas y administrativas para la protección de los datos de carácter personal de los abonados y usuarios finales, se estima pertinente a los efectos procesales respectivos que se confiera audiencia a PRODHAB de conformidad las atribuciones que en esta materia le confieren la Ley Nº 8968, para que desde esta perspectiva técnica y jurídica, se refiera a las disposiciones del Decreto Ejecutivo de marras, y cualquier otro aspecto vinculado con el objeto del presente proceso, en el marco de sus competencias legales Por lo tanto, se solicita respetuosamente a este Honorable Tribunal Constitucional que, una vez emitidos dichos criterios técnicos por el Consejo Nacional de Seguridad Pública, MICITT y PRODHAB, puedan ser considerados como prueba para mejor resolver dentro del presente expediente judicial, así como se les confiera audiencia para que, en el ámbito de sus atribuciones legales, puedan referirse de forma directa ante su Autoridad; ambas solicitudes conforme el artículo 47 de la Ley de Jurisdicción Constitucional. II. PETITORIA A partir de lo expuesto, y con base en el mencionado principio de colaboración procesal, se reitera la solicitud de que el Recurso de Amparo y de medida cautelar sea declarado sin lugar en todos sus extremos y sin especial condenatoria en costas relativas al Instituto, y además respetuosamente solicito a este Honorable Tribunal Constitucional: 1. Se acepten como prueba para mejor resolver, una vez emitidos, los criterios técnicos solicitados al el Consejo de Seguridad Pública, MICITT y PRODHAB. 2. Se confiera audiencia al Consejo Nacional de Seguridad Pública para que se pronuncien en relación las acciones que desde la política pública se están llevando a cabo en materia de seguridad nacional que fundamentan la emisión del “Reglamento sobre medidas de Ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de Quinta generación móvil (5G) y superiores”, publicado en fecha 31 de agosto de 2023 en el Diario Oficial La Gaceta, Decreto Ejecutivo Nº44196-MSP-MICITT. 3. Se confiera audiencia al Ministerio de Ciencia, Innovación, Tecnología y Telecomunicaciones (MICITT), en relación con las potenciales implicaciones económicas para el Sector Telecomunicaciones y el país, en caso de que se suspenda o imposibilite la operación de redes y la prestación de servicios basados en la tecnología de quinta generación móvil (5G) y superiores en el país. 4. Se confiera audiencia a la Agencia de Protección de Datos de los habitantes (PRODHAB) de conformidad las atribuciones que en esta materia le confieren las disposiciones de la Ley de Protección de la Persona frente al tratamiento de sus datos personales, Ley Nº 8968, en relación la protección de los datos de carácter personal de los abonados y usuarios finales de servicios de quinta generación móvil (5G) y superiores”.

37.- Por escrito incorporado al expediente digital el 24 de enero de 2024, se apersona Rubén Hernández Valle, apoderado especial judicial de la parte actora. Expone lo siguiente: “1.- En la especie estamos en presencia de uno de los típicos recursos de amparos contra normas autoaplicativas de que nos habla el artículo 30 de la LJC. 2.- En efecto, las normas autoaplicativas sólo son impugnables en los procesos de amparo cuando se impugnan conjuntamente con los actos de aplicación individual. Por ello, la jurisprudencia de esa Sala ha dicho que la sentencia, en estos casos, tiene por objeto “la restitución al agraviado en el pleno goce de su derecho fundamental, tratando en lo posible de restituir las cosas al estado que guardaban antes de la violación, en unos casos, o que se realice el acto cuya omisión produjo la interposición en otros, pero nunca el de la declaratoria de la nulidad absoluta con carácter declarativo de una disposición normativa” (Voto 506-I-1996). 3.-Por ello, el decreto ejecutivo número 44196- MSP -MCITT, publicado en La Gaceta del 31 de agosto del 2023, que fundamenta el acto impugnado en este amparo, no podrá anularse con efectos erga omnes y retroactivos. Sin embargo, por tratarse de una norma autoaplicativa, sí puede ser declarado violatorio de derechos fundamentales del amparado y, por ende, inaplicable en el caso que dio origen al proceso de amparo. 4.- Dentro de este orden de ideas la doctrina argentina señala, entre las posibles hipótesis de normas autoaplicativas “cuando comprende a personas determinadas por circunstancias concretas” (BIDART CAMPOS). 5.- Asimismo, la jurisprudencia y doctrina mexicanas han señalado que las normas autoaplicativas son “leyes ( normas en general) que revisten la forma general, designan personas o comprenden individuos innominados, pero bien definidos por las condiciones, las circunstancias y posición en que se encuentran, y la designación de la norma, tienen el carácter de agraviados por ella y personalidad para promover el juicio de amparo contra la misma;… las normas, en algunas ocasiones, comprenden a personas determinadas, por circunstancias concretas que las determinan de forma clara” (IGNACIO BURGOA). 6.- Esto es justamente lo que ocurre con el decreto ejecutivo número 44196- MSP-MCITT, el cual es una norma autoaplicativa pues contiene disposiciones que lesionan directamente los derechos de libertad de competencia e igualdad de participación en los concursos públicos de determinadas personas jurídicas, pues establecen condiciones que se sabe, de antemano, que esas empresas específicas no pueden cumplir. 7.- La norma autoaplicativa del decreto ejecutivo está diseñada para que [Nombre 002]. no pueda participar en las licitaciones públicas para la adquisición de la tecnología de telecomunicaciones 5G y superiores, al exigir dos requisitos que de antemano se sabe que no podemos cumplir: a) que el país donde está ubicada nuestra casa madre sea parte del Convenio de Budapest y b) que cumplamos con el standard técnico SC 9001, el cual no se encuentra demostrado técnicamente como robusto. 8.- La normativa en cuestión fue dictada para excluir a mi representada de las licitaciones públicas para la adquisición de la tecnología en telecomunicaciones 5G y superiores, con lo cual viola, de manera evidente y grosera, nuestros derechos fundamentales a la libertad de competencia e igualdad de participación en los concursos públicos. 9.- Por tanto, en el presente caso debe aplicarse el artículo 30 inciso a) de la LJC y declarar expresamente que el citado reglamento ejecutivo violenta los dos derechos fundamentales citados en perjuicio de mi representada, por lo que las cláusulas del concurso público número 2023XE-000023- 0000400001 promovido por el ICE con base en ese Reglamento citado, están viciadas de nulidad. 10.- Dado que la Sala está en posibilidad jurídica de resolver el amparo sin fallar la acción de inconstitucionalidad por las razones antes indicadas, fue que presentamos la gestión de Pronto Despacho. Es importante que el presente proceso se decida a más tardar el viernes, fecha en la que vence el plazo otorgado por el ICE a mi representada para presentar aclaraciones de nuestra oferta”.

38.- En los procedimientos seguidos se ha observado las prescripciones legales.

Redacta el Magistrado Castillo Víquez; y,

Considerando:

I.- Sobre las coadyuvancias planteadas. De acuerdo con el artículo 34 de la Ley de la Jurisdicción Constitucional, terceros al proceso pueden interponer una solicitud de coadyuvancia, que es una forma de intervención adhesiva que se da, cuando una persona actúa en un proceso, adhiriéndose a las pretensiones de algunas de las partes principales. En consecuencia, se encuentra legitimado para actuar como coadyuvante quien ostente un interés directo en el resultado del recurso; sin embargo, al no ser actor principal, el coadyuvante no resultará directamente afectado por la sentencia, es decir, la eficacia de esta no podrá alcanzarle de manera directa e inmediata, ni le afecta la condición de cosa juzgada del pronunciamiento (Véanse, entre otras, las sentencias número 3235 de las 9:20 horas del 30 de octubre de 1992 y la sentencia 2010-000254 de las 11:28 horas el 08 de enero de 2010). En este caso, se admite la coadyuvancia pasiva de Silvia Patricia Castro Montero, presidenta de la Cámara Costarricense Norteamericana de Comercio, toda vez que, dada su naturaleza, en efecto podría tener un interés directo en el resultado de este proceso.

II.- Sobre las solicitudes de audiencia formuladas. La ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, la ministra de la Presidencia (en representación de la Dirección de Inteligencia y Seguridad) y el ministerio de Seguridad solicitaron audiencia oral en este proceso. Asimismo, el presidente ejecutivo del ICE pidió que se confiriera audiencia al Consejo Nacional de Seguridad Pública en relación con “las acciones que desde la política pública se están llevando a cabo en materia de seguridad nacional” que fundamentan la emisión del reglamento; al Micitt en cuanto a las “potenciales implicaciones económicas para el Sector Telecomunicaciones y el país, en caso de que se suspenda o imposibilite la operación de redes y la prestación de servicios basados en la tecnología de quinta generación móvil (5G) y superiores en el país”; y a la Prodhab sobre la “protección de los datos de carácter personal de los abonados y usuarios finales de servicios de quinta generación móvil (5G) y superiores”. No obstante, la Sala dispone de suficientes elementos como para resolver de manera sustentada el sub iudice sin necesidad de recurrir a ninguna otra diligencia, por lo que rechaza tales requerimientos.

III.- Objeto del recurso. La parte accionante indica que [Nombre 002]. está preparada para participar en la licitación pública que abrirá el ICE para implementar y operar la tecnología 5G IMT en sus redes, dado que es uno de los principales proveedores de esa tecnología en este país. Señala que, el 31 de agosto de 2023, el Poder Ejecutivo promulgó y publicó en La Gaceta el “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores”, el cual contiene disposiciones que expresamente impiden la participación de su representada en ese concurso público. Acota que el presidente de la República, la ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, y el presidente ejecutivo del ICE, han manifestado públicamente que la promulgación del citado reglamento se hizo con el motivo específico de impedir la participación de empresas de diversas nacionalidades, especialmente las de origen chino, en los procedimientos licitatorios tendentes a la obtención y operación de la tecnología en telecomunicaciones 5G IMT y superiores de las redes del instituto recurrido. Agrega que, a las 16:20 horas de 5 de setiembre de 2023, su representada recibió un correo electrónico de parte de Huberth Valverde Batista, administrador de contratos del ICE, con un cuestionario sobre el cumplimiento del Reglamento de Ciberseguridad nro. 44196-MSP-MICITT. Añade que en tal comunicación se les otorgó un plazo de cuatro días hábiles para suministrar la información. Asevera que el cuestionario es una copia exacta de los requerimientos del reglamento mencionado, lo cual es prueba directa de la publicación inminente de la licitación y la afectación de su representada, pues resultará imposibilitada de participar. Refiere que lo anterior corresponde al estudio de mercado que exige la Ley de Contratación Pública, previo a la publicación del pliego de condiciones. Menciona que el presidente del ICE manifestó que a finales de setiembre sacará a concurso público la adquisición de la tecnología en telecomunicaciones 5G Móvil y que aplicarán los requisitos exigidos en el ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’. Afirma que el Presidente de la República ha declarado que la promulgación del reglamento tenía como objetivo impedir la participación de empresas de diverso origen en los concursos públicos próximos que abrirán el ICE y la SUTEL para la adquisición de la tecnología en telecomunicaciones 5G Móvil. Añade que lo anterior fue ratificado por la ministra del MICITT. Sostiene que es más que notorio el riesgo directo y manifiesto que enfrenta su representada. Asevera que existe una amenaza cierta, real, efectiva e inminente, casi en etapa de ejecución, lo que lesiona los derechos de su representada. Menciona que el concurso que abrirá el ICE le impedirá participar a [Nombre 002]. por tener origen chino. Asevera que no se le puede imputar a la empresa que el Gobierno de la República Popular China, dentro de sus potestades soberanas, no hubiese firmado el Convenio de Budapest. Agrega que tal instrumento fue publicado 18 años antes de que la tecnología 5G fuera lanzada al mercado, por lo que es imposible que alguna de sus consideraciones estuviera relacionada con esta. Refiere que el factor de evaluación está desfasado y no se encuentra directamente relacionado con ciberseguridad; además, viola el “principio de imparcialidad tecnológica” recogido en el Capítulo XIII del CAFTA. Estima discriminatorio que se le impida participar a su representada por una decisión del gobierno chino. Sostiene que la única forma de evitar la transgresión a los derechos constitucionales de libre competencia, igualdad de participación y no discriminación, es con la suspensión del concurso, toda vez que si llegara a materializarse se le causaría a su representada un perjuicio irreversible de imposible reparación, así como daños y perjuicios reputacionales. Refiere que la amenaza del ICE de sacar un concurso público en el que aplicará el artículo 10) incisos c), d), e) y f) y el numeral 11 del reglamento aludido implica una clara violación de los derechos fundamentales a la libre concurrencia en las contrataciones públicas y de igualdad de trato de los oferentes, pues el pliego de condiciones impedirá la participación de su representada en la contratación pública. Arguye que, conforme el artículo 33 constitucional, ninguna persona física o jurídica puede ser discriminada por ninguna razón (sexo, creencias religiosas, ideología, nacionalidad, etc.); empero, a su representada se le discrimina tanto por su ideología como por su nacionalidad. Aduce que es discriminatorio admitir solo empresas de países que hubiesen suscrito el Convenio de Budapest, pues este no se refiere estrictamente a temas de ciberseguridad sino que se enfoca en la pena de crímenes informáticos que incluyen: fraudes, infracciones a la propiedad intelectual, distribución y posesión de pornografía infantil, falsificación informática, entre otros, para aplicar una política penal común entre los estados. Añade que otra característica de ese instrumento es la cooperación internacional, aspecto que facilita la investigación de infracciones cibernéticas y que es relevante por las características de los delitos informáticos y la posibilidad de que sean cometidos fuera de las fronteras de un país, pero con impacto en un territorio determinado. Explica que la discriminación significa otorgamiento de trato diferente basado en desigualdades injustas o arbitrarias que son contrarias al principio de igualdad ante la ley. Señala que la prohibición de discriminar cobija la interdicción de hacerlo por cualquier circunstancia personal o social; es decir, que toda diferenciación que carezca de justificación objetiva y razonable puede calificarse de discriminatoria. Formula la siguiente petitoria: “1.- Que mi representada no puede ser impedida de participar en el citado concurso público introduciendo cláusulas de imposible cumplimiento para ella, porque ello viola los derechos fundamentales a la libre competencia, la igualdad de trato y la prohibición de la discriminación exclusivamente por razones ideológicas y de nacionalidad. 2.- Que una vez notificada al ICE la imposibilidad de continuar adelante con el concurso público tantas veces citado, se convierta este amparo en una acción de inconstitucionalidad con el fin de que varias normas del Reglamento impugnado puedan ser eliminadas del ordenamiento jurídico y, por tanto, no puedan ser aplicados en ninguna licitación presente o futura”. En escritos posteriores, el apoderado de la parte actora señala que el 9 de noviembre de 2023 se publicó el ‘PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT-ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA’, el cual contiene requisitos de imposible cumplimiento para su representada por estar ubicada su casa matriz en la República Popular de China. Además, se impone el cumplimiento de los aspectos alusivos a la gestión y mitigación de riesgos contenidos en ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’, así como de los estándares ahí contemplados. Asevera que lo anterior transgrede los derechos de su representada a la libre competencia e igualdad de participación en los concursos públicos y a no ser discriminados en razón del origen de la empresa. Añade que su representada no puede cumplir el apartado 3 “CiberSeguridad RAN-CORE Móvil 5G”, el cual excluye a Huawei del concurso al exigir: ““3. APARTADO DE CIBERSEGURIDAD RAN-CORE MOVIL 5G. 3.1. El oferente deberá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, a la hora de planificar, diseñar e implementar su oferta técnica, para lo cual deberá aportar junto con la oferta, el plan de gestión y mitigación de riesgos en concordancia con la normativa precitada. 3.2. El oferente deberá presentar una declaración jurada en donde indique que cumple con la adopción de los siguientes estándares de ciberseguridad:

Estándares de cumplimiento obligatorios Número Nombre ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad- Sistemas de Gestión de la Seguridad de la Información Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Controles de seguridad de la información ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro Ciberseguridad GSMA NESAS Esquema de aseguramiento de ciberseguridad definido por GSMA y 3GPP.

ISO/IEC 27400 Ciberseguridad — Seguridad y privacidad en IoT— Guías de implementación 3GPP 33.501 Arquitectura y procedimiento de seguridad para sistemas 5G.

NIST 1800-33B 5G Ciberseguridad 3.3. De conformidad con el artículo 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT en donde se indica que no se puede tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, el ICE no podrá adjudicar al mismo oferente el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2). En caso de que la oferta, participe para el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas I y 2) y cumpla con todos los aspectos técnicos, financieros, jurídicos y ocupe el primer lugar en precio para todas las partidas mencionadas, el ICE adjudicará solamente las partidas I y 2 (red de acceso móvil) a este oferente y las partidas 3 y 4 (Core Móvil) se adjudicará al segundo lugar en precio, con el fin de no tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, lo anterior en cumplimiento del 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT. 3.4. El oferente deberá presentar una declaración jurada en donde se indique su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Para lo cual deberá adjuntar la documentación de respaldo. El ICE se reserva el derecho de verificar la valides (sic) de la información aportada. 3.5. El oferente deberá presentar una declaración jurada en donde se indique que, si la sede de la fábrica es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. 3.6. El oferente deberá presentar una declaración jurada en donde se indique si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses”. Refiere que plantearon recurso de objeción; empero, se rechazaron los alegatos relacionados con el apartado mencionado. Sostiene que, con base en lo expuesto, se configuró la discriminación hacia la parte actora por su nacionalidad.

IV.Hechos probados.- De importancia para la decisión de este asunto, se estiman como debidamente demostrados los siguientes hechos:

La sociedad [Nombre 002]. con cédula jurídica [Valor 001] se encuentra inscrita en el Registro Nacional de Costa Rica. (Certificación aportada por la parte actora y consulta en la página web del Registro Nacional). En el Alcance nro. 166 a La Gaceta nro. 159 de 31 de agosto de 2023, se publicó el decreto ejecutivo nro. 44196-MSP-MICITT, mediante el cual se emitió el ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’. (Consulta en la página web de la Imprenta Nacional y prueba aportada por el ICE). El 5 de setiembre de 2023, la Gerencia de Telecomunicaciones del ICE, a través del Área Administradora de Contratos, envió a Huawei, Nokia, Ericsson, GBM Costa Rica y Rakuten, una comunicación electrónica con las siguientes consultas:

“Buenas tardes:

En vista de la reglamentación emitida en relación al (sic) tema de ciberseguridad para la tecnología 5G en Costa Rica, se solicitar (sic) indicar el cumplimiento de los siguientes puntos por parte de su representada, esto con el fin de realizar estudio de mercado:

1. El proveedor podrá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el presente reglamento, a la hora de planificar, diseñar e implementar su oferta técnica.

2. Indicar el cumplimiento de los siguientes estándares de ciberseguridad:

Número Nombres ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad 3. Que la solución ofertada no es de un único suministrador en cuanto a hardware y software. Entiéndase por Suministradores de hardware y software a: Entidades que brindan servicios o equipo activo a los sujetos comprendidos en el artículo 2 del presente reglamento. Esta categoría incluye: i) fabricantes de equipos de telecomunicaciones; y ii) otros proveedores externos, como proveedores de infraestructura en la nube, integradores de sistemas, contratistas de seguridad y mantenimiento, y fabricantes de equipos de transmisión, cuando estos se encargan de configurar e integrar los equipos activos y software de la solución.

4. Indicar si su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest).

5. Que proveedor es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones.

6. Indicar si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de los servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses” La información requerida se debe dar respuesta para el próximo 08 de setiembre de 2023”. (Prueba aportada por el ICE).

El 11 de setiembre de 2023, desde la dirección <[email protected]> se envió al correo <[email protected]>, lo siguiente:

“Estimado Huberth, Espero que se encuentre muy bien.

Por este medio me permito brindar respuesta a las consultas enviadas el pasado 5 de setiembre.

1. El proveedor podrá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el presente reglamento, a la hora de planificar, diseñar e implementar su oferta técnica.

Huawei tiene la capacidad de cumplir con todos los requerimientos técnicos y de seguridad definidos, estandarizados, adoptados y probados por la industria, en lo que a Diseño, Implementación y Operación de redes móviles (3G, 4G y 5G) se refiere.

2. Indicar el cumplimiento de los siguientes estándares de ciberseguridad:

Número Nombre ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos Huawei se adhiere a las directrices y principios establecidos en esta Norma.

ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos Huawei se adhiere a las directrices y principios establecidos en esta Guía.

ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía Huawei se adhiere a las directrices y principios establecidos en esta Guía.

ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

Este estándar es una extensión de ISO27001, basado en los controles de ISO27002, pero agregando Controles adicionales que están dirigidos a los proveedores de Servicios de Telecomunicaciones (Operadores, tal como ICE).

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad Huawei excede los principios y requerimientos de seguridad en la cadena de suministro, incorporados en estándares internacionales como los listados en la Tabla No. 1.

En los siguientes enlaces pueden encontrar más información al respecto.

https://www-file.huawei.com/-/media/corp2020/pdf/trust-center/huawei-5g-security-white-paper-2021-en.pdf?la=en https://www.huawei.com/en/trust-center/transparency/standard-certification https://www.gsma.com/security/nesas-results/ Tabla No.1 Entity Code Name ISO 9001 Quality management 27001 Information Security 27017 Security techniques for Cloud Services 27018 Security techniques for Privacy Protection in Cloud Services 27034 Application Security 27701 Privacy Management 28000 Security in Supply Chain 22301 Business Continuity 19790 Security Cryptographic Modules 30111 Vulnerability Handling Processes 29147 Vulnerability Disclosure GSMA NESAS/SCAS GSMA Mobile Security PCI SSC Secure Software Secure Software Development NIST FIPS 140-2 Security Cryptographic Modules CSA STAR 711080 Cloud Security ISCC Information Security Qualification of Information Security 3. Que la solución ofertada no es de un único suministrador en cuanto a hardware y software.

Entiéndase por Suministradores de hardware y software a: Entidades que brindan servicios o equipo activo a los sujetos comprendidos en el artículo 2 del presente reglamento. Esta categoría incluye: i) fabricantes de equipos de telecomunicaciones; y ii) otros proveedores externos, como proveedores de infraestructura en la nube, integradores de sistemas, contratistas de seguridad y mantenimiento, y fabricantes de equipos de transmisión, cuando estos se encargan de configurar e integrar los equipos activos y software de la solución.

Dado que la redacción del artículo, al que se refiere esta pregunta, se presta a interpretaciones, recomendamos que se aclare con las instancias pertinentes cuál de los siguientes tipos de diversidad están considerando:

• a)Horizontal, que indica dos fabricantes en la misma capa de red (Acceso, Core, etc). Por ejemplo, asignar el acceso móvil (RAN) de una región a un fabricante y en otra región a otro fabricante.
• b)Hibrido (sic), que indica tener fabricantes para el Hardware y otros para el software en cada capa de la red.

4. Indicar si su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest).

[Nombre 002], es una empresa constituida bajo las leyes de la República de Costa Rica, nuestra sede global de manufactura está en China.

5. Que (sic) proveedor es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones.

Huawei es una empresa privada independiente. La operación, la toma de decisiones y la gestión de Huawei no están controladas por ningún gobierno o terceros.

6. Indicar si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses.

Huawei es una empresa privada independiente. La operación, la toma de decisiones y la gestión de Huawei no están controladas por ningún gobierno o terceros. Adicionalmente, nuestra línea de negocios es el suministro de equipos de Telecomunicaciones y su instalación. El proveedor de servicios de telecomunicaciones es quien gestiona los datos de Usuario.

Quedo a la orden para cualquier comentario o consulta adicional”. (Prueba aportada por el ICE).

El director del Programa General 5G de la Dirección Planificación de Infraestructura y Espectro de la Gerencia de Telecomunicaciones del ICE, en el informe técnico interno 9191-1520-2023 de 6 de octubre de 2023, consignó:

“1. El Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” emitido por la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, según se comentó anteriormente, entró a regir el 31 de agosto de 2023. (Ver Anexo N.º1)” 2. Este Reglamento, según se indica en el artículo 1, “tiene por objeto establecer medidas de ciberseguridad para garantizar el uso y la explotación segura y con resguardo de la privacidad de las personas, de las redes y los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores”. Asimismo, el artículo 2 establece lo siguiente: (Ver Anexo N.º 1) “Artículo 2º-Ámbito de aplicación. Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basadas en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones.

En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores.” (El resaltado, con excepción del título del artículo, es proveído).

3. Ante la entrada en vigor de dicho Reglamento, obligatorio para los operadores y proveedores de servicios de telecomunicaciones, el 5 de setiembre de 2023 la Gerencia de Telecomunicaciones del ICE, a través del Área Administradora de Contratos, y para efectos de un estudio de mercado, envió a potenciales interesados (Huawei, Nokia, Ericsson, GBM Costa Rica y Rakuten) una comunicación electrónica con la siguiente redacción y consultas: (Ver Anexo N.º 2) “Buenas tardes:

En vista de la reglamentación emitida en relación al (sic) tema de ciberseguridad para la tecnología 5G en Costa Rica, se solicitar (sic) indicar el cumplimiento de los siguientes puntos por parte de su representada, esto con el fin de realizar estudio de mercado:

1. El proveedor podrá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el presente reglamento, a la hora de planificar, diseñar e implementar su oferta técnica.

2. Indicar el cumplimiento de los siguientes estándares de ciberseguridad:

Número Nombres ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad 3. Que la solución ofertada no es de un único suministrador en cuanto a hardware y software.

Entiéndase por Suministradores de hardware y software a: Entidades que brindan servicios o equipo activo a los sujetos comprendidos en el artículo 2 del presente reglamento. Esta categoría incluye: i) fabricantes de equipos de telecomunicaciones; y ii) otros proveedores externos, como proveedores de infraestructura en la nube, integradores de sistemas, contratistas de seguridad y mantenimiento, y fabricantes de equipos de transmisión, cuando estos se encargan de configurar e integrar los equipos activos y software de la solución.

4. Indicar si su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest).

5. Que proveedor es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones.

6. Indicar si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de los servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses” La información requerida se debe dar respuesta para el próximo 08 de setiembre de 2023” 4. El 08 de setiembre de 2023, a las 12:24 horas, por medio de correo electrónico, el señor Juan Carlos Blanco Infante de la empresa NOKIA responde a las consultas realizadas, según se demuestra en el Anexo N.º 3 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información.

5. El 08 de setiembre de 2023, a las 15:46 horas, por correo electrónico, el señor Mustafa Syed de la empresa Rakuten, responde a las consultas realizadas, según se demuestra en el Anexo N.º 4 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información.

6. El 08 de setiembre de 2023, a las 18:29 horas por correo electrónico, el señor Neil Baute de la empresa Ericsson, responde a las consultas realizadas según se demuestra en el Anexo N.º 5 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información.

7. El 08 de setiembre de 2023, mediante oficio UL-2023-0460, el señor Eduardo Blanco González de la empresa GBM de Costa Rica, responde a las consultas realizadas según se demuestra en el Anexo N.º 6 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información.

8. El 11 de setiembre de 2023, el señor Marcel Aguilar Sandoval de la empresa Huawei Tecnologies (sic) Costa Rica, responde a las consultas realizadas según se demuestra en el Anexo N.º 7 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información.

9. En lo que concierne a las respuestas de Huawei Tecnologies (sic) Costa Rica, según podrá constatar el Honorable Tribunal Constitucional, no se evidencia que dicha empresa haya tenido algún tipo de disconformidad con lo consultado. (Ver Anexo N.º 7 del Informe Técnico).

10. Hasta el momento, lo que el ICE ha realizado es un estudio de mercado, de conformidad con el artículo 85 del Reglamento a la Ley General de Contratación Pública, con los posibles proveedores de la tecnología de la red de telecomunicaciones 5G, para verificar las condiciones del mercado y comprobar el cumplimiento de los mismos en materia de ciberseguridad, conforme las disposiciones del Decreto precitado; es decir, no existe a la fecha una publicación de un pliego de condiciones para un concurso específico, conforme dispone la Ley General de Contratación Pública.

(…)

• Las consultas realizadas por el ICE, en fase de estudio de estudio de mercado, son acordes con lo establecido en el Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” emitido el 25 de agosto de 2023 por la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, publicado en el Alcance N.º 166 del Diario Oficial La Gaceta del 31 de agosto de 2023, vigente a partir de esa fecha.

• Dicha normativa emitida por el Poder Ejecutivo es acatamiento obligatorio para el ICE, según se ha explicado anteriormente.

• Si el ICE incumple con las disposiciones del Reglamento será sometido al régimen sancionatorio administrativo de la Ley General de Telecomunicaciones N.º 8642 (LGT).

• Conforme a lo indicado en la respuesta al hecho quinto, no se evidencia que Huawei Tecnologies (sic) Costa Rica haya tenido algún tipo de disconformidad, al momento de responder las consultas del ICE relativas al Reglamento en cuestión en el marco del estudio de mercado realizado.

(…) hasta el momento, lo que el ICE ha realizado es un estudio de mercado, de conformidad con el artículo 85 del Reglamento a la Ley General de Contratación Pública, con los posibles proveedores de la tecnología de la red de telecomunicaciones 5G, para verificar las condiciones del mercado y comprobar el cumplimiento de los mismos en materia de ciberseguridad, conforme las disposiciones del Decreto precitado; es decir, no existe a la fecha una publicación de un pliego de condiciones para un concurso específico, conforme dispone la Ley General de Contratación Pública.

(…)”. (Prueba aportada por el ICE).

El 9 de noviembre de 2023, el ICE publicó en el SICOP el “PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, que en lo conducente señala:

“3. APARTADO DE CIBERSEGURIDAD RAN-CORE MOVIL 5G.

3.1. El oferente deberá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, a la hora de planificar, diseñar e implementar su oferta técnica, para lo cual deberá aportar junto con la oferta, el plan de gestión y mitigación de riesgos en concordancia con la normativa precitada.

3.2. El oferente deberá presentar una declaración jurada en donde indique que cumple con la adopción de los siguientes estándares de ciberseguridad:

Estándares de cumplimiento obligatorios Número Nombre ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Controles de seguridad de la información ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad GSMA NESAS Esquema de aseguramiento de ciberseguridad definido por GSMA y 3GPP.

ISO/IEC 27400 Ciberseguridad — Seguridad y privacidad en IoT — Guías de implementación 3GPP 33.501 Arquitectura y procedimiento de seguridad para sistemas 5G.

NIST 1800-33B 5G Ciberseguridad 3.3. De conformidad con el artículo 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT en donde se indica que no se puede tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, el ICE no podrá adjudicar al mismo oferente el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2).

En caso de que la oferta, participe para el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2) y cumpla con todos los aspectos técnicos, financieros, jurídicos y ocupe el primer lugar en precio para todas las partidas mencionadas, el ICE adjudicará solamente las partidas 1 y 2 (red de acceso móvil) a este oferente y las partidas 3 y 4 (Core Móvil) se adjudicará al segundo lugar en precio, con el fin de no tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, lo anterior en cumplimiento del 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT.

3.4. El oferente deberá presentar una declaración jurada en donde se indique su sede estáen (sic) un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Para lo cual deberá adjuntar la documentación de respaldo. El ICE se reserva el derecho de verificar la valides (sic) de la información aportada.

3.5. El oferente deberá presentar una declaración jurada en donde se indique que, si la sede de la fábrica es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones.

3.6. El oferente deberá presentar una declaración jurada en donde se indique si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses.

3.7. Para los requerimientos de 5G específicamente que aplican al CORE, se deberá cumplir con lo siguiente:

3.7.1 El contratista debe ejecutar dentro del plazo de ejecución contractual los respaldos de todos los sistemas involucrados en CORE, estos respaldos deben realizarse en los sistemas institucionales dispuestos para tal efecto.

3.7.2 Debe existir ejecución de pruebas de penetración periódicas, las mismas deben ser negociadas entre fabrica (sic) y contratista con el ICE, estas pruebas serán realizadas por las áreas de ciberseguridad del ICE dispuestas para estos temas.

3.7.3 Debe existir una integración con un sistema de gestión de vulnerabilidades basada en riesgo cibernético, el mismo deberá permitir integrarse a las soluciones dispuestas a nivel institucional.

3.7.4 Debe existir una gestión de parcheo y actualizaciones que involucre al fabricante y al contratista, para lo cual se requiere de un cronograma de actualizaciones definido y que permita cerrar brechas de ciberseguridad en un periodo negociable con el ICE.

3.7.5 Replicación de registros en formato CEF o Syslog a la solución de correlación de eventos o SIEM institucional, misma que permita detectar y analizar posibles actividades sospechosas o ataques y respuesta ante incidentes de ciberseguridad.

3.7.6 En el elemento de CORE 5G el oferente debe presentar soluciones orientadas a proteger una arquitectura de servicio basado en IP, que prevengan ataques o vulnerabilidades comunes de botnets a través de internet, esto con el fin que los servicios críticos no se degraden y que se mantengan disponibles a usuarios legítimos.

3.7.7 Para el elemento CORE 5G el oferente debe presentar soluciones orientadas a proteger las funciones principales de red a saber:

a)Función de administración de acceso y movilidad (AMF por sus siglas en ingles).

• b)Función de servidor de autenticación (AUSF por sus siglas en ingles).
• c)Función de administración de datos unificados (UDM por sus siglas en ingles).

Estas soluciones deberán proteger los datos almacenados de autenticación y suscripción contra amenazas similares botnets y ataques DDoS.

3.7.8 Para el elemento CORE 5G el oferente debe presentar soluciones orientadas que permitan el uso cifrado para el protocolo de internet seguro (IPSec por sus siglas en ingles) para tipos de acceso non-3GPP, que prevengan ataques o vulnerabilidades comunes de botnets a través de internet o ataques DDoS. Considerando los requerimientos de 5G específicamente aquellos que aplican al Red de acceso de radio (RAN por sus siglas en inglés).

3.8 Para los requerimientos de 5G específicamente que aplican a la RAN, se deberá cumplir con lo siguiente:

3.8.1 El contratista debe ejecutar dentro del plazo de ejecución contractual los respaldos de todos los sistemas involucrados en RAN, estos respaldos deben realizarse en los sistemas institucionales dispuestos para tal efecto.

3.8.2 Debe existir ejecución de pruebas de penetración periódicas, las mismas deben ser negociadas entre fabrica (sic) y contratista con el ICE, estas pruebas serán realizadas por las áreas de ciberseguridad del ICE dispuestas para estos temas.

3.8.3 Debe existir una integración con un sistema de gestión de vulnerabilidades basada en riesgo cibernético, el mismo deberá permitir integrarse a las soluciones dispuestas a nivel institucional.

3.8.4 Debe existir una gestión de parcheo y actualizaciones que involucre al fabricante y al contratista, para lo cual se requiere de un cronograma de actualizaciones definido y que permita cerrar brechas de ciberseguridad en un periodo negociable con el ICE.

3.8.5 Replicación de registros en formato CEF o Syslog a la solución de correlación de eventos o SIEM institucional, misma que permita detectar y analizar posibles actividades sospechosas o ataques y respuesta ante incidentes de ciberseguridad.

3.8.6 En el elemento de RAN 5G el oferente debe presentar soluciones orientadas a proteger sistemas y redes 5G que utilicen antenas para Entradas Múltiples y Salidas Múltiples (MIMO por sus siglas en ingles), que aseguren el espectro de bandas asignadas a esta función.

3.8.7 En el elemento de RAN 5G el oferente debe presentar soluciones orientadas a proteger los datos y señalización de transmisión y recepción a través de cifrado que protejan la integridad de estos.

3.8.8 En el elemento de RAN 5G el oferente debe presentar soluciones orientadas a proteger contra posibles amenazas de estaciones base maliciosas (RBS por sus siglas en ingles), que puedan generar ataques de hombre-en-el-medio (MiTM por sus siglas en inglés) entre el equipo de usuario móvil (UE por sus siglas en ingles) y la red móvil, que prevengan ataques o vulnerabilidades comunes de DDoS.

3.9 Para los requerimientos de 5G específicamente que aplican para UE, se deberá cumplir con lo siguiente:

3.9.1 Para el elemento UE de 5G el oferente debe presentar soluciones orientadas a proteger posibles amenazas como redes Botnets móviles ataques DDoS, ataques por infección de dispositivos (virus, gusanos etc.) y descarga de contenido malicioso desde internet. (…)”. (Prueba aportada por la parte actora y consulta en el Sistema Integrado de Compras Públicas).

El 18 de diciembre de 2023, la empresa [Nombre 002]. formuló oferta en cinco de las seis partidas del expediente electrónico 2023XE000023-0000400001 con descripción “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”. (Consulta en la página https://www.sicop.go.cr/ y respuesta del Micitt a la audiencia otorgada).

V.Sobre el caso concreto: En el sub lite, la parte accionante indica que [Nombre 002]. está preparada para participar en la licitación pública que abrirá el ICE para implementar y operar la tecnología 5G IMT en sus redes, dado que es uno de los principales proveedores de esa tecnología en este país. Señala que, el 31 de agosto de 2023, el Poder Ejecutivo promulgó y publicó en La Gaceta el “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores”, el cual contiene disposiciones que expresamente impiden la participación de su representada en ese concurso público. Acota que el presidente de la República, la ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, y el presidente ejecutivo del ICE, han manifestado públicamente que la promulgación del citado reglamento se hizo con el motivo específico de impedir la participación de empresas de diversas nacionalidades, especialmente las de origen chino, en los procedimientos licitatorios tendentes a la obtención y operación de la tecnología en telecomunicaciones 5G IMT y superiores de las redes del instituto recurrido. Agrega que, a las 16:20 horas de 5 de setiembre de 2023, su representada recibió un correo electrónico de parte de Huberth Valverde Batista, administrador de contratos del ICE, con un cuestionario sobre el cumplimiento del Reglamento de Ciberseguridad nro. 44196-MSP-MICITT. Añade que en tal comunicación se les otorgó un plazo de cuatro días hábiles para suministrar la información. Asevera que el cuestionario es una copia exacta de los requerimientos del reglamento mencionado, lo cual es prueba directa de la publicación inminente de la licitación y la afectación de su representada, pues resultará imposibilitada de participar. Refiere que lo anterior corresponde al estudio de mercado que exige la Ley de Contratación Pública, previo a la publicación del pliego de condiciones. Menciona que el presidente del ICE manifestó que a finales de setiembre sacará a concurso público la adquisición de la tecnología en telecomunicaciones 5G Móvil y que aplicarán los requisitos exigidos en el ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’. Afirma que el Presidente de la República ha declarado que la promulgación del reglamento tenía como objetivo impedir la participación de empresas de diverso origen en los concursos públicos próximos que abrirán el ICE y la SUTEL para la adquisición de la tecnología en telecomunicaciones 5G Móvil. Añade que lo anterior fue ratificado por la ministra del MICITT. Sostiene que es más que notorio el riesgo directo y manifiesto que enfrenta su representada. Asevera que existe una amenaza cierta, real, efectiva e inminente, casi en etapa de ejecución, lo que lesiona los derechos de su representada. Menciona que el concurso que abrirá el ICE le impedirá participar a [Nombre 002]. por tener origen chino. Asevera que no se le puede imputar a la empresa que el Gobierno de la República Popular China, dentro de sus potestades soberanas, no hubiese firmado el Convenio de Budapest. Agrega que tal instrumento fue publicado 18 años antes de que la tecnología 5G fuera lanzada al mercado, por lo que es imposible que alguna de sus consideraciones estuviera relacionada con esta. Refiere que el factor de evaluación está desfasado y no se encuentra directamente relacionado con ciberseguridad; además, viola el “principio de imparcialidad tecnológica” recogido en el Capítulo XIII del CAFTA. Estima discriminatorio que se le impida participar a su representada por una decisión del gobierno chino. Sostiene que la única forma de evitar la transgresión a los derechos constitucionales de libre competencia, igualdad de participación y no discriminación, es con la suspensión del concurso, toda vez que si llegara a materializarse se le causaría a su representada un perjuicio irreversible de imposible reparación, así como daños y perjuicios reputacionales. Refiere que la amenaza del ICE de sacar un concurso público en el que aplicará el artículo 10) incisos c), d), e) y f) y el numeral 11 del reglamento aludido implica una clara violación de los derechos fundamentales a la libre concurrencia en las contrataciones públicas y de igualdad de trato de los oferentes, pues el pliego de condiciones impedirá la participación de su representada en la contratación pública. Arguye que, conforme el artículo 33 constitucional, ninguna persona física o jurídica puede ser discriminada por ninguna razón (sexo, creencias religiosas, ideología, nacionalidad, etc.); empero, a su representada se le discrimina tanto por su ideología como por su nacionalidad. Aduce que es discriminatorio admitir solo empresas de países que hubiesen suscrito el Convenio de Budapest, pues este no se refiere estrictamente a temas de ciberseguridad sino que se enfoca en la pena de crímenes informáticos que incluyen: fraudes, infracciones a la propiedad intelectual, distribución y posesión de pornografía infantil, falsificación informática, entre otros, para aplicar una política penal común entre los estados. Añade que otra característica de ese instrumento es la cooperación internacional, aspecto que facilita la investigación de infracciones cibernéticas y que es relevante por las características de los delitos informáticos y la posibilidad de que sean cometidos fuera de las fronteras de un país, pero con impacto en un territorio determinado. Explica que la discriminación significa otorgamiento de trato diferente basado en desigualdades injustas o arbitrarias que son contrarias al principio de igualdad ante la ley. Señala que la prohibición de discriminar cobija la interdicción de hacerlo por cualquier circunstancia personal o social; es decir, que toda diferenciación que carezca de justificación objetiva y razonable puede calificarse de discriminatoria. Formula la siguiente petitoria: “1.- Que mi representada no puede ser impedida de participar en el citado concurso público introduciendo cláusulas de imposible cumplimiento para ella, porque ello viola los derechos fundamentales a la libre competencia, la igualdad de trato y la prohibición de la discriminación exclusivamente por razones ideológicas y de nacionalidad. 2.- Que una vez notificada al ICE la imposibilidad de continuar adelante con el concurso público tantas veces citado, se convierta este amparo en una acción de inconstitucionalidad con el fin de que varias normas del Reglamento impugnado puedan ser eliminadas del ordenamiento jurídico y, por tanto, no puedan ser aplicados en ninguna licitación presente o futura”.

En escritos posteriores, el apoderado de la parte actora señala que el 9 de noviembre de 2023 se publicó el ‘PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT-ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA’, el cual contiene requisitos de imposible cumplimiento para su representada por estar ubicada su casa matriz en la República Popular de China. Además, se impone el cumplimiento de los aspectos alusivos a la gestión y mitigación de riesgos contenidos en ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’, así como de los estándares ahí contemplados. Asevera que lo anterior transgrede los derechos de su representada a la libre competencia e igualdad de participación en los concursos públicos y a no ser discriminados en razón del origen de la empresa. Añade que su representada no puede cumplir el apartado 3 “CiberSeguridad RAN-CORE Móvil 5G”, el cual excluye a Huawei del concurso al exigir: ““3. APARTADO DE CIBERSEGURIDAD RAN-CORE MOVIL 5G. 3.1. El oferente deberá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, a la hora de planificar, diseñar e implementar su oferta técnica, para lo cual deberá aportar junto con la oferta, el plan de gestión y mitigación de riesgos en concordancia con la normativa precitada. 3.2. El oferente deberá presentar una declaración jurada en donde indique que cumple con la adopción de los siguientes estándares de ciberseguridad:

Estándares de cumplimiento obligatorios Número Nombre ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad- Sistemas de Gestión de la Seguridad de la Información Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Controles de seguridad de la información ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro Ciberseguridad GSMA NESAS Esquema de aseguramiento de ciberseguridad definido por GSMA y 3GPP.

ISO/IEC 27400 Ciberseguridad — Seguridad y privacidad en IoT— Guías de implementación 3GPP 33.501 Arquitectura y procedimiento de seguridad para sistemas 5G.

NIST 1800-33B 5G Ciberseguridad 3.3. De conformidad con el artículo 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT en donde se indica que no se puede tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, el ICE no podrá adjudicar al mismo oferente el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2). En caso de que la oferta, participe para el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas I y 2) y cumpla con todos los aspectos técnicos, financieros, jurídicos y ocupe el primer lugar en precio para todas las partidas mencionadas, el ICE adjudicará solamente las partidas I y 2 (red de acceso móvil) a este oferente y las partidas 3 y 4 (Core Móvil) se adjudicará al segundo lugar en precio, con el fin de no tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, lo anterior en cumplimiento del 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT. 3.4. El oferente deberá presentar una declaración jurada en donde se indique su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Para lo cual deberá adjuntar la documentación de respaldo. El ICE se reserva el derecho de verificar la valides (sic) de la información aportada. 3.5. El oferente deberá presentar una declaración jurada en donde se indique que, si la sede de la fábrica es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. 3.6. El oferente deberá presentar una declaración jurada en donde se indique si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses”. Refiere que plantearon recurso de objeción; empero, se rechazaron los alegatos relacionados con el apartado mencionado. Sostiene que, con base en lo expuesto, se configuró la discriminación hacia la parte actora por su nacionalidad.

Del estudio de los autos se tiene por demostrado, que la sociedad [Nombre 002]. con cédula jurídica [Valor 001] se encuentra inscrita en el Registro Nacional de Costa Rica. En el Alcance nro. 166 a La Gaceta nro. 159 de 31 de agosto de 2023, se publicó el decreto ejecutivo nro. 44196-MSP-MICITT, mediante el cual se emitió el ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’. El 5 de setiembre de 2023, la Gerencia de Telecomunicaciones del ICE, a través del Área Administradora de Contratos, envió a Huawei, Nokia, Ericsson, GBM Costa Rica y Rakuten, una comunicación electrónica con las siguientes consultas: “Buenas tardes: En vista de la reglamentación emitida en relación al (sic) tema de ciberseguridad para la tecnología 5G en Costa Rica, se solicitar (sic) indicar el cumplimiento de los siguientes puntos por parte de su representada, esto con el fin de realizar estudio de mercado: 1. El proveedor podrá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el presente reglamento, a la hora de planificar, diseñar e implementar su oferta técnica. 2. Indicar el cumplimiento de los siguientes estándares de ciberseguridad:

Número Nombres ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad 3. Que la solución ofertada no es de un único suministrador en cuanto a hardware y software. Entiéndase por Suministradores de hardware y software a: Entidades que brindan servicios o equipo activo a los sujetos comprendidos en el artículo 2 del presente reglamento. Esta categoría incluye: i) fabricantes de equipos de telecomunicaciones; y ii) otros proveedores externos, como proveedores de infraestructura en la nube, integradores de sistemas, contratistas de seguridad y mantenimiento, y fabricantes de equipos de transmisión, cuando estos se encargan de configurar e integrar los equipos activos y software de la solución. 4. Indicar si su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). 5. Que proveedor es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. 6. Indicar si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de los servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses” La información requerida se debe dar respuesta para el próximo 08 de setiembre de 2023”. El 11 de setiembre de 2023, desde la dirección <[email protected]> se envió al correo <[email protected]>, lo siguiente: “Estimado Huberth, Espero que se encuentre muy bien. Por este medio me permito brindar respuesta a las consultas enviadas el pasado 5 de setiembre. 1. El proveedor podrá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el presente reglamento, a la hora de planificar, diseñar e implementar su oferta técnica. Huawei tiene la capacidad de cumplir con todos los requerimientos técnicos y de seguridad definidos, estandarizados, adoptados y probados por la industria, en lo que a Diseño, Implementación y Operación de redes móviles (3G, 4G y 5G) se refiere. 2. Indicar el cumplimiento de los siguientes estándares de ciberseguridad:

Número Nombre ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos Huawei se adhiere a las directrices y principios establecidos en esta Norma.

ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos Huawei se adhiere a las directrices y principios establecidos en esta Guía.

ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía Huawei se adhiere a las directrices y principios establecidos en esta Guía.

ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

Este estándar es una extensión de ISO27001, basado en los controles de ISO27002, pero agregando Controles adicionales que están dirigidos a los proveedores de Servicios de Telecomunicaciones (Operadores, tal como ICE).

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad Huawei excede los principios y requerimientos de seguridad en la cadena de suministro, incorporados en estándares internacionales como los listados en la Tabla No. 1.

En los siguientes enlaces pueden encontrar más información al respecto.

https://www-file.huawei.com/-/media/corp2020/pdf/trust-center/huawei-5g-security-white-paper-2021-en.pdf?la=en https://www.huawei.com/en/trust-center/transparency/standard-certification https://www.gsma.com/security/nesas-results/ Tabla No.1 Entity Code Name ISO 9001 Quality management 27001 Information Security 27017 Security techniques for Cloud Services 27018 Security techniques for Privacy Protection in Cloud Services 27034 Application Security 27701 Privacy Management 28000 Security in Supply Chain 22301 Business Continuity 19790 Security Cryptographic Modules 30111 Vulnerability Handling Processes 29147 Vulnerability Disclosure GSMA NESAS/SCAS GSMA Mobile Security PCI SSC Secure Software Secure Software Development NIST FIPS 140-2 Security Cryptographic Modules CSA STAR 711080 Cloud Security ISCC Information Security Qualification of Information Security 3. Que la solución ofertada no es de un único suministrador en cuanto a hardware y software. Entiéndase por Suministradores de hardware y software a: Entidades que brindan servicios o equipo activo a los sujetos comprendidos en el artículo 2 del presente reglamento. Esta categoría incluye: i) fabricantes de equipos de telecomunicaciones; y ii) otros proveedores externos, como proveedores de infraestructura en la nube, integradores de sistemas, contratistas de seguridad y mantenimiento, y fabricantes de equipos de transmisión, cuando estos se encargan de configurar e integrar los equipos activos y software de la solución. Dado que la redacción del artículo, al que se refiere esta pregunta, se presta a interpretaciones, recomendamos que se aclare con las instancias pertinentes cuál de los siguientes tipos de diversidad están considerando: a) Horizontal, que indica dos fabricantes en la misma capa de red (Acceso, Core, etc). Por ejemplo, asignar el acceso móvil (RAN) de una región a un fabricante y en otra región a otro fabricante. b) Hibrido (sic), que indica tener fabricantes para el Hardware y otros para el software en cada capa de la red. 4. Indicar si su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). [Nombre 002], es una empresa constituida bajo las leyes de la República de Costa Rica, nuestra sede global de manufactura está en China. 5. Que (sic) proveedor es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. Huawei es una empresa privada independiente. La operación, la toma de decisiones y la gestión de Huawei no están controladas por ningún gobierno o terceros. 6. Indicar si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses. Huawei es una empresa privada independiente. La operación, la toma de decisiones y la gestión de Huawei no están controladas por ningún gobierno o terceros. Adicionalmente, nuestra línea de negocios es el suministro de equipos de Telecomunicaciones y su instalación. El proveedor de servicios de telecomunicaciones es quien gestiona los datos de Usuario. Quedo a la orden para cualquier comentario o consulta adicional”. El director del Programa General 5G de la Dirección Planificación de Infraestructura y Espectro de la Gerencia de Telecomunicaciones del ICE, en el informe técnico interno 9191-1520-2023 de 6 de octubre de 2023, consignó: “1. El Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” emitido por la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, según se comentó anteriormente, entró a regir el 31 de agosto de 2023. (Ver Anexo N.º1)” 2. Este Reglamento, según se indica en el artículo 1, “tiene por objeto establecer medidas de ciberseguridad para garantizar el uso y la explotación segura y con resguardo de la privacidad de las personas, de las redes y los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores”. Asimismo, el artículo 2 establece lo siguiente: (Ver Anexo N.º 1) “Artículo 2º-Ámbito de aplicación. Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basadas en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones. En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores.” (El resaltado, con excepción del título del artículo, es proveído). 3. Ante la entrada en vigor de dicho Reglamento, obligatorio para los operadores y proveedores de servicios de telecomunicaciones, el 5 de setiembre de 2023 la Gerencia de Telecomunicaciones del ICE, a través del Área Administradora de Contratos, y para efectos de un estudio de mercado, envió a potenciales interesados (Huawei, Nokia, Ericsson, GBM Costa Rica y Rakuten) una comunicación electrónica con la siguiente redacción y consultas: (Ver Anexo N.º 2) “Buenas tardes: En vista de la reglamentación emitida en relación al (sic) tema de ciberseguridad para la tecnología 5G en Costa Rica, se solicitar (sic) indicar el cumplimiento de los siguientes puntos por parte de su representada, esto con el fin de realizar estudio de mercado: 1. El proveedor podrá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el presente reglamento, a la hora de planificar, diseñar e implementar su oferta técnica. 2. Indicar el cumplimiento de los siguientes estándares de ciberseguridad:

Número Nombres ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad 3. Que la solución ofertada no es de un único suministrador en cuanto a hardware y software. Entiéndase por Suministradores de hardware y software a: Entidades que brindan servicios o equipo activo a los sujetos comprendidos en el artículo 2 del presente reglamento. Esta categoría incluye: i) fabricantes de equipos de telecomunicaciones; y ii) otros proveedores externos, como proveedores de infraestructura en la nube, integradores de sistemas, contratistas de seguridad y mantenimiento, y fabricantes de equipos de transmisión, cuando estos se encargan de configurar e integrar los equipos activos y software de la solución. 4. Indicar si su sede está en un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). 5. Que proveedor es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. 6. Indicar si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de los servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses” La información requerida se debe dar respuesta para el próximo 08 de setiembre de 2023” 4. El 08 de setiembre de 2023, a las 12:24 horas, por medio de correo electrónico, el señor Juan Carlos Blanco Infante de la empresa NOKIA responde a las consultas realizadas, según se demuestra en el Anexo N.º 3 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 5. El 08 de setiembre de 2023, a las 15:46 horas, por correo electrónico, el señor Mustafa Syed de la empresa Rakuten, responde a las consultas realizadas, según se demuestra en el Anexo N.º 4 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 6. El 08 de setiembre de 2023, a las 18:29 horas por correo electrónico, el señor Neil Baute de la empresa Ericsson, responde a las consultas realizadas según se demuestra en el Anexo N.º 5 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 7. El 08 de setiembre de 2023, mediante oficio UL-2023-0460, el señor Eduardo Blanco González de la empresa GBM de Costa Rica, responde a las consultas realizadas según se demuestra en el Anexo N.º 6 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 8. El 11 de setiembre de 2023, el señor Marcel Aguilar Sandoval de la empresa Huawei Tecnologies (sic) Costa Rica, responde a las consultas realizadas según se demuestra en el Anexo N.º 7 del Informe Técnico, del cual se solicita la confidencialidad dado que dichos datos están amparados en convenios que resguardan este tipo de información. 9. En lo que concierne a las respuestas de Huawei Tecnologies (sic) Costa Rica, según podrá constatar el Honorable Tribunal Constitucional, no se evidencia que dicha empresa haya tenido algún tipo de disconformidad con lo consultado. (Ver Anexo N.º 7 del Informe Técnico). 10. Hasta el momento, lo que el ICE ha realizado es un estudio de mercado, de conformidad con el artículo 85 del Reglamento a la Ley General de Contratación Pública, con los posibles proveedores de la tecnología de la red de telecomunicaciones 5G, para verificar las condiciones del mercado y comprobar el cumplimiento de los mismos en materia de ciberseguridad, conforme las disposiciones del Decreto precitado; es decir, no existe a la fecha una publicación de un pliego de condiciones para un concurso específico, conforme dispone la Ley General de Contratación Pública. (…)• Las consultas realizadas por el ICE, en fase de estudio de estudio de mercado, son acordes con lo establecido en el Decreto Ejecutivo N.º 44196-MSP-MICITT denominado “Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores” emitido el 25 de agosto de 2023 por la Presidencia de la República, el Ministro de Seguridad Pública y la Ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, publicado en el Alcance N.º 166 del Diario Oficial La Gaceta del 31 de agosto de 2023, vigente a partir de esa fecha. • Dicha normativa emitida por el Poder Ejecutivo es acatamiento obligatorio para el ICE, según se ha explicado anteriormente. • Si el ICE incumple con las disposiciones del Reglamento será sometido al régimen sancionatorio administrativo de la Ley General de Telecomunicaciones N.º 8642 (LGT). • Conforme a lo indicado en la respuesta al hecho quinto, no se evidencia que Huawei Tecnologies (sic) Costa Rica haya tenido algún tipo de disconformidad, al momento de responder las consultas del ICE relativas al Reglamento en cuestión en el marco del estudio de mercado realizado. (…) hasta el momento, lo que el ICE ha realizado es un estudio de mercado, de conformidad con el artículo 85 del Reglamento a la Ley General de Contratación Pública, con los posibles proveedores de la tecnología de la red de telecomunicaciones 5G, para verificar las condiciones del mercado y comprobar el cumplimiento de los mismos en materia de ciberseguridad, conforme las disposiciones del Decreto precitado; es decir, no existe a la fecha una publicación de un pliego de condiciones para un concurso específico, conforme dispone la Ley General de Contratación Pública. (…)”. El 9 de noviembre de 2023, el ICE publicó en el SICOP el “PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, que en lo conducente señala: “3. APARTADO DE CIBERSEGURIDAD RAN-CORE MOVIL 5G. 3.1. El oferente deberá cumplir todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en el Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT, a la hora de planificar, diseñar e implementar su oferta técnica, para lo cual deberá aportar junto con la oferta, el plan de gestión y mitigación de riesgos en concordancia con la normativa precitada. 3.2. El oferente deberá presentar una declaración jurada en donde indique que cumple con la adopción de los siguientes estándares de ciberseguridad:

Estándares de cumplimiento obligatorios Número Nombre ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Controles de seguridad de la información ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad GSMA NESAS Esquema de aseguramiento de ciberseguridad definido por GSMA y 3GPP.

ISO/IEC 27400 Ciberseguridad — Seguridad y privacidad en IoT — Guías de implementación 3GPP 33.501 Arquitectura y procedimiento de seguridad para sistemas 5G.

NIST 1800-33B 5G Ciberseguridad 3.3. De conformidad con el artículo 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT en donde se indica que no se puede tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, el ICE no podrá adjudicar al mismo oferente el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2). En caso de que la oferta, participe para el CORE Móvil (partidas 3 y 4) y la red de acceso móvil (partidas 1 y 2) y cumpla con todos los aspectos técnicos, financieros, jurídicos y ocupe el primer lugar en precio para todas las partidas mencionadas, el ICE adjudicará solamente las partidas 1 y 2 (red de acceso móvil) a este oferente y las partidas 3 y 4 (Core Móvil) se adjudicará al segundo lugar en precio, con el fin de no tener un único suministrador en cuanto a hardware y software en elementos críticos de la red, lo anterior en cumplimiento del 10 del Reglamento Ciberseguridad Costa Rica Nº 44196-MSP-MICITT. 3.4. El oferente deberá presentar una declaración jurada en donde se indique su sede estáen (sic) un país que ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest). Para lo cual deberá adjuntar la documentación de respaldo. El ICE se reserva el derecho de verificar la valides (sic) de la información aportada. 3.5. El oferente deberá presentar una declaración jurada en donde se indique que, si la sede de la fábrica es o no susceptible de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones. 3.6. El oferente deberá presentar una declaración jurada en donde se indique si tiene su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses. 3.7. Para los requerimientos de 5G específicamente que aplican al CORE, se deberá cumplir con lo siguiente: 3.7.1 El contratista debe ejecutar dentro del plazo de ejecución contractual los respaldos de todos los sistemas involucrados en CORE, estos respaldos deben realizarse en los sistemas institucionales dispuestos para tal efecto. 3.7.2 Debe existir ejecución de pruebas de penetración periódicas, las mismas deben ser negociadas entre fabrica (sic) y contratista con el ICE, estas pruebas serán realizadas por las áreas de ciberseguridad del ICE dispuestas para estos temas. 3.7.3 Debe existir una integración con un sistema de gestión de vulnerabilidades basada en riesgo cibernético, el mismo deberá permitir integrarse a las soluciones dispuestas a nivel institucional. 3.7.4 Debe existir una gestión de parcheo y actualizaciones que involucre al fabricante y al contratista, para lo cual se requiere de un cronograma de actualizaciones definido y que permita cerrar brechas de ciberseguridad en un periodo negociable con el ICE. 3.7.5 Replicación de registros en formato CEF o Syslog a la solución de correlación de eventos o SIEM institucional, misma que permita detectar y analizar posibles actividades sospechosas o ataques y respuesta ante incidentes de ciberseguridad. 3.7.6 En el elemento de CORE 5G el oferente debe presentar soluciones orientadas a proteger una arquitectura de servicio basado en IP, que prevengan ataques o vulnerabilidades comunes de botnets a través de internet, esto con el fin que los servicios críticos no se degraden y que se mantengan disponibles a usuarios legítimos. 3.7.7 Para el elemento CORE 5G el oferente debe presentar soluciones orientadas a proteger las funciones principales de red a saber: a)Función de administración de acceso y movilidad (AMF por sus siglas en ingles). b) Función de servidor de autenticación (AUSF por sus siglas en ingles). c) Función de administración de datos unificados (UDM por sus siglas en ingles). Estas soluciones deberán proteger los datos almacenados de autenticación y suscripción contra amenazas similares botnets y ataques DDoS. 3.7.8 Para el elemento CORE 5G el oferente debe presentar soluciones orientadas que permitan el uso cifrado para el protocolo de internet seguro (IPSec por sus siglas en ingles) para tipos de acceso non-3GPP, que prevengan ataques o vulnerabilidades comunes de botnets a través de internet o ataques DDoS. Considerando los requerimientos de 5G específicamente aquellos que aplican al Red de acceso de radio (RAN por sus siglas en inglés).3.8 Para los requerimientos de 5G específicamente que aplican a la RAN, se deberá cumplir con lo siguiente: 3.8.1 El contratista debe ejecutar dentro del plazo de ejecución contractual los respaldos de todos los sistemas involucrados en RAN, estos respaldos deben realizarse en los sistemas institucionales dispuestos para tal efecto. 3.8.2 Debe existir ejecución de pruebas de penetración periódicas, las mismas deben ser negociadas entre fabrica (sic) y contratista con el ICE, estas pruebas serán realizadas por las áreas de ciberseguridad del ICE dispuestas para estos temas. 3.8.3 Debe existir una integración con un sistema de gestión de vulnerabilidades basada en riesgo cibernético, el mismo deberá permitir integrarse a las soluciones dispuestas a nivel institucional. 3.8.4 Debe existir una gestión de parcheo y actualizaciones que involucre al fabricante y al contratista, para lo cual se requiere de un cronograma de actualizaciones definido y que permita cerrar brechas de ciberseguridad en un periodo negociable con el ICE. 3.8.5 Replicación de registros en formato CEF o Syslog a la solución de correlación de eventos o SIEM institucional, misma que permita detectar y analizar posibles actividades sospechosas o ataques y respuesta ante incidentes de ciberseguridad. 3.8.6 En el elemento de RAN 5G el oferente debe presentar soluciones orientadas a proteger sistemas y redes 5G que utilicen antenas para Entradas Múltiples y Salidas Múltiples (MIMO por sus siglas en ingles), que aseguren el espectro de bandas asignadas a esta función. 3.8.7 En el elemento de RAN 5G el oferente debe presentar soluciones orientadas a proteger los datos y señalización de transmisión y recepción a través de cifrado que protejan la integridad de estos. 3.8.8 En el elemento de RAN 5G el oferente debe presentar soluciones orientadas a proteger contra posibles amenazas de estaciones base maliciosas (RBS por sus siglas en ingles), que puedan generar ataques de hombre-en-el-medio (MiTM por sus siglas en inglés) entre el equipo de usuario móvil (UE por sus siglas en ingles) y la red móvil, que prevengan ataques o vulnerabilidades comunes de DDoS. 3.9 Para los requerimientos de 5G específicamente que aplican para UE, se deberá cumplir con lo siguiente: 3.9.1 Para el elemento UE de 5G el oferente debe presentar soluciones orientadas a proteger posibles amenazas como redes Botnets móviles ataques DDoS, ataques por infección de dispositivos (virus, gusanos etc.) y descarga de contenido malicioso desde internet. (…)”. El 18 de diciembre de 2023, la empresa [Nombre 002]. formuló oferta en cinco de las seis partidas del expediente electrónico 2023XE000023-0000400001 con descripción “GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”.

Desde este panorama, la Sala descarta alguna situación que, en este momento, amerite su intervención.

En primer lugar, a la fecha de interposición de este recurso, el ICE no había publicado cartel alguno para contrataciones relacionadas con la tecnología de la red de telecomunicaciones 5G, sino que únicamente había efectuado un estudio con los posibles proveedores para verificar condiciones del mercado y aspectos relacionados con ciberseguridad. Sin perjuicio de lo anterior, si bien la publicación del pliego no se dio sino hasta el 9 de noviembre de 2023 (durante la tramitación de este proceso) y no en los periodos aludidos en el escrito de interposición, no menos cierto es que, en el fondo, la parte accionante lo que cuestiona es la implementación de requisitos alusivos a la gestión y mitigación de riesgos, así como los estándares contemplados en el ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’; concretamente, reclama la presunta imposibilidad de [Nombre 002]. de cumplir los requisitos ahí establecidos.

Ahora, el aludido reglamento, en relación con los alegatos de la parte recurrente, señala:

“Artículo 2º-Ámbito de aplicación. Está sometida al presente reglamento la operación activa de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, por parte de las personas físicas o jurídicas, públicas o privadas, nacionales o extranjeras, que operen redes o presten servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores que se originen, terminen o transiten por el territorio nacional, exceptuando la operación de redes privadas de telecomunicaciones.

En el caso de procesos de compra pública que tengan por objeto la habilitación de redes y servicios basados en la tecnología de quinta generación móvil (5G) y superiores, así como de equipamiento tecnológico activo necesario para el despliegue de éstas, para el uso y explotación del espectro radioeléctrico, la Administración o entidad contratante deberá adoptar los mecanismos idóneos para verificar que los potenciales oferentes han considerado todos los aspectos alusivos a la gestión y mitigación de riesgos contenidos en la presente normativa, a la hora de planificar, diseñar e implementar su oferta técnica. En caso de resultar adjudicatario, las disposiciones de la presente norma serán de acatamiento obligatorio durante la operación de las redes y prestación de los servicios basados en la tecnología de quinta generación móvil (5G) o superiores.

(…)

Artículo 6º- Adopción de estándares. Los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Decreto Ejecutivo, deberán adoptar, implementar, y mantener estándares y/o marcos de referencia sobre ciberseguridad, incluyendo los siguientes:

Número Nombre ISO/IEC 27001:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Sistemas de Gestión de la Seguridad de la Información — Requerimientos ISO/IEC 27002:2022 Seguridad de la Información, Ciberseguridad y Protección de la Privacidad — Controles de seguridad de la información ISO/IEC 27003:2017 Tecnologías de la información —Técnicas de seguridad — Sistemas de Gestión de la Seguridad de la Información —Guía ISO/IEC 27011:2016 Tecnologías de la información —Técnicas de seguridad — Código de prácticas para los controles de seguridad de la información basado en ISO/IEC 27002 para organizaciones de telecomunicaciones.

SCS 9001 Estándar de Seguridad de la Cadena de Suministro y Ciberseguridad (…)

Artículo 10º- Parámetros de riesgo alto. Los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento, deberán considerar los siguientes parámetros de riesgo alto para la operación de redes de telecomunicaciones 5G o superiores y la prestación de sus servicios:

(…)

• c)Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento o sus suministradores de hardware y software sean susceptibles de presión por parte de un gobierno extranjero por disposición normativa o política pública oficial de dicho gobierno extranjero, en relación con la ubicación o ejecución de sus operaciones.
• d)Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento o sus suministradores de hardware y software tienen su base en un país, o, de alguna manera, están sujetos a la dirección de un gobierno extranjero con leyes o prácticas establecidas que les puedan requerir que compartan la información de los usuarios finales de servicios de telecomunicaciones en ausencia de un proceso legal transparente que proteja adecuadamente sus derechos e intereses.
• e)Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento utilizan suministradores de hardware y software que tengan su sede en un país que no ha manifestado su consentimiento de obligarse al cumplimiento del Convenio sobre Ciberdelincuencia (Convenio de Budapest).
• f)Cuando los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este reglamento utilizan suministradores de hardware y software que no cumplen con los estándares de ciberseguridad dispuestos en el artículo 6 de este Reglamento.

Artículo 11º. Medidas aplicables ante la identificación de riesgo alto. Cuando alguno de los sujetos comprendidos en el ámbito de aplicación del artículo 2 del presente Reglamento identifique la presencia de alguno o varios de los parámetros de riesgo alto consignados en el artículo anterior, deberá informarlo a la Superintendencia de Telecomunicaciones (Sutel) de conformidad con las disposiciones del artículo 42 de la Ley General de Telecomunicaciones, Nº8642, dentro de los 3 (tres) días naturales siguientes a su identificación y adoptar las medidas técnicas y administrativas idóneas para garantizar la seguridad de sus redes y sus servicios.

Cuando se identifique la presencia de alguno o varios de los parámetros de riesgo alto por parte de los sujetos comprendidos en el ámbito de aplicación del artículo 2 de este Reglamento, quedará sujeto a la adopción inmediata de las siguientes medidas técnicas de ciberseguridad:

• 1)No podrán ser utilizados en elementos críticos de la red, equipos de telecomunicación, sistemas de transmisión, equipos de conmutación o encaminamiento y demás recursos, que permitan el transporte de señales por representar un alto riesgo de ciberseguridad para las redes 5G y superiores, y la seguridad nacional. Para tal efecto, se declaran elementos críticos de la red 5G y superiores los siguientes: i. Los relativos a las funciones d i. Los relativos a las funciones del núcleo de la red.

ii. Los sistemas de control y gestión y los servicios de apoyo.

iii. La red de acceso en aquellas zonas geográficas y ubicaciones que proporcionen cobertura a centros vinculados con la seguridad nacional y la provisión de servicios públicos esenciales.

• 2)Llevar a cabo la sustitución de los equipos, productos y servicios de la red 5G y superiores cuando ello fuera necesario, para lo cual, deberá tener en cuenta la situación del mercado de los suministradores de hardware y software, las alternativas de suministro de equipos y productos sustitutivos viables, la implantación de esos equipos y productos en la red 5G y superiores, especialmente en los elementos críticos de la red, la dificultad intrínseca para llevar a cabo la sustitución de equipos, los ciclos de actualización de equipos, así como su impacto económico. En ningún caso, el plazo de sustitución de los equipos podrá ser superior a cinco años, contados a partir de la clasificación como de alto riesgo.

El cumplimiento de las presentes disposiciones reglamentarias deberá ser consideradas para la operación de redes 5G y superiores y sus servicios, de conformidad con las disposiciones del artículo 49 numerales 1 y 3 de la Ley N°8642, Ley General de Telecomunicaciones”.

Al respecto, el ICE reconoció que las consultas efectuadas se basaron en el reglamento de marras y, en efecto, el pliego de condiciones publicado hace alusión expresa a aspectos relativos a la gestión y mitigación de los riesgos de ciberseguridad contenidos en tal cuerpo normativo; sin embargo, tomando en consideración los términos expuestos por la parte accionante, no se observa alguna disposición manifiesta y expresa que impida, de forma arbitraria, absoluta e injustificada, la participación de empresas únicamente en razón de su origen. Precisamente, sin entrar a analizar el fondo de cada una de las disposiciones reglamentarias, se puede observar que, según tal cuerpo normativo, las compañías con parámetros de riesgo alto pueden adoptar “medidas técnicas y administrativas idóneas para garantizar la seguridad de sus redes y sus servicios”; incluso, en el pliego de condiciones de la contratación de marras se consignó expresamente que “a la hora de planificar, diseñar e implementar su oferta técnica, para lo cual deberá aportar junto con la oferta, el plan de gestión y mitigación de riesgos en concordancia con la normativa precitada”. Ahora, no corresponde a esta jurisdicción constitucional analizar si el ICE contempló o no la totalidad de las disposiciones contenidas en el reglamento, ni tampoco si indirectamente limitó la participación de empresas con requisitos injustificados desde el punto de vista técnico. Ergo, si existiese alguna inconformidad con las condiciones y demás especificaciones técnicas, esta deberá ser ventilada en las vías comunes. Asimismo, las medidas técnicas y administrativas idóneas para garantizar la seguridad de redes y servicios en empresas con parámetros de riesgo altos, son propias de ser ventiladas en las vías comunes.

En relación con lo anterior, es importante mencionar que lo relativo a la tecnología para la red de telecomunicaciones, así como los requisitos y estándares de ciberseguridad en Costa Rica (verbigracia, las normas ISO/IEC, SCS, entre otras), son aspectos técnicos, en principio, propios de políticas públicas de Estado que, salvo que entrañen alguna afectación al núcleo esencial de derechos fundamentales o transgredan manifiestamente el bloque de constitucionalidad, constituyen materia de gobierno. De ahí que prima facie su procedencia, conveniencia u oportunidad no es propia de ser valorada por este Tribunal, en virtud del principio de autocontención del juez constitucional. En ese sentido, los argumentos de la parte accionante no evidencian alguna arbitrariedad contraria al Derecho de la Constitución, por lo que, en este momento, no corresponde a la Sala analizar el contenido técnico general de tales estándares, ni tampoco valorar si el Convenio de Europa sobre Ciberdelincuencia (instrumento ratificado en nuestro país a través de la ley nro. 9452) resulta imprescindible para la implementación de la tecnología de quinta generación móvil. Ergo, si [Nombre 002]. desea cuestionar los requisitos técnicos establecidos por el ICE el apartado 3 “CiberSeguridad RAN-CORE Móvil 5G” del “PLIEGO DE CONDICIONES PARA LA ADQUISICIÓN DE: GT- ADQUISICIÓN DE BIENES Y SERVICIOS PARA LA IMPLEMENTACIÓN DE LA RED 5G ENTREGA SEGÚN DEMANDA”, o bien, si considera que satisface o excede los parámetros sacados a concurso sin exponer al país a riesgos en materia de ciberseguridad, podrá plantear sus alegatos en sede administrativa, o bien, en la vía jurisdiccional ordinaria, a los efectos de que someta a contradictorio su posición y evacúe de forma amplia la prueba que estime pertinente.

De igual forma, aun cuando se acusa discriminación, tal y como se indicó ut supra, no se verifica alguna situación manifiesta en ese sentido y, además, no se aportan elementos comparativos equiparables que permitan, en este momento y a través de este recurso de amparo, analizar alguna transgresión al principio de igualdad con respecto a otras personas físicas o jurídicas.

En adición, si bien se acusa la violación al “principio de imparcialidad tecnológica” recogido en el Capítulo XIII del Tratado de Libre Comercio entre República Dominicana, Centroamérica y Estados Unidos, la Sala prima facie no estima que el alegado principio constituya parámetro de constitucionalidad para el caso concreto, dada la generalidad y abstracción con que se planteó el argumento y la naturaleza comercial en que enmarca tal acuerdo. Nótese que la parte accionante no explica en qué términos la presunta afectación a [Nombre 002]. (empresa constituida en Costa Rica e inscrita en el Registro Nacional de este país) contravendría las estipulaciones adoptadas entre República Dominicana, Centroamérica y Estados Unidos, de forma tal que resultara trascendente para el Derecho de la Constitución. No está de más señalar que la ministra de Ciencia, Innovación, Tecnología y Telecomunicaciones, hizo notar que: “el principio de flexibilidad en las opciones tecnológicas (neutralidad tecnológica) surge en el marco del proceso de apertura comercial del sector telecomunicaciones, como parte de los “IV. Principios Regulatorios aprobados en el Anexo 13 de los “Compromisos Específicos de Costa Rica en Materia de Servicios de Telecomunicaciones” del Tratado de Libre Comercio República Dominicana- Centroamérica - Estados Unidos (TLC) Ley N° 8622, el cual en lo conducente dispone: “10. Flexibilidad en las Opciones Tecnológicas Costa Rica no impedirá que los proveedores de servicios públicos de telecomunicaciones tengan la flexibilidad de escoger las tecnologías que ellos usen para suministrar sus servicios, sujeto a los requerimientos necesarios para satisfacer los intereses legítimos de política pública.” (El resaltado es propio) A partir de este principio regulatorio se desprende que en materia de telecomunicaciones los operadores y proveedores de servicios disponibles al público, gozan efectivamente de la flexibilidad para escoger las tecnologías que prefieran para operar las redes públicas y suministrar sus servicios, por ejemplo para prestar servicios de Telecomunicaciones Móviles Internacionales conocidas como IMT por sus siglas en inglés (en cualquiera de sus generaciones técnicamente disponibles), siempre y cuando, se satisfagan los intereses legítimos de política pública. En este ámbito es importante señalar que la política pública en materia de telecomunicaciones se define a través del Plan Nacional de Desarrollo de las Telecomunicaciones (PNDT) 2022-2027 “Costa Rica: Hacia la disrupción digital inclusiva”, el cual fue aprobado por el Poder Ejecutivo mediante Decreto Ejecutivo N° 43843-MICITT publicado en el Diario Oficial La Gaceta N°5 de fecha 13 de enero de 2023, (…). Por lo cual, la política pública para la operación de redes y la prestación de servicios de telecomunicaciones está plasmada en Plan Nacional de Desarrollo de las Telecomunicaciones (PNDT) 2022-2027 “Costa Rica: Hacia la disrupción digital inclusiva”, con el objetivo de marcar el desarrollo del sector desde la perspectiva de la política pública sectorial, que permita durante los próximos años atender los retos y desafíos de las telecomunicaciones. Debe de subrayarse que en su sección “3.3.3.3 Estrategia Nacional de Ciberseguridad Costa Rica” el PNDT 2022-2027 señala que “La estrategia en materia de ciberseguridad data de 2017 y procura la búsqueda de acciones conducentes al aseguramiento de datos y la protección en línea en diferentes aspectos, considera a la persona como prioridad, el respeto a los derechos humanos y la privacidad, la coordinación con múltiples partes interesadas y la cooperación internacional”. En consecuencia, en los términos planteados, la alegada inconformidad en cuanto a este extremo es propia de ser dilucidada a través de las vías previstas para tales efectos.

Asimismo, la parte accionante pretende que se declare con lugar el recurso a los efectos de que se ordene que su representada no puede ser impedida de participar en un concurso público a través de cláusulas de imposible cumplimiento para ella; sin embargo, tal y como se indicó ut supra, no se verificó alguna transgresión al Derecho de la Constitución, por lo que determinar si está en posibilidad o no de cumplir los requisitos, así como el sustento técnico de estos, constituyen extremos de legalidad que, en principio, exceden la sumariedad del recurso de amparo. En ese sentido, determinar si los oferentes pueden justificar o motivar presuntas restricciones son aspectos propios de ser dilucidades en el procedimiento de contratación, o bien, en la vía jurisdiccional ordinaria a fin de que sometan a contradictorio su posición y evacúen la prueba técnica que estimen pertinente.

Por otra parte, en escrito posterior al curso de este proceso, la parte accionante alega inconstitucionalidad e inconvencionalidad del ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’ a los efectos del numeral 75 de la Ley de la Jurisdicción Constitucional; sin embargo, este recurso, por las consideraciones expuestas líneas arriba, no constituye medio razonable para amparar el derecho o interés que se considera lesionado.

Por las consideraciones expuestas, no solo resulta improcedente prima facie la tutela cautelar pretendida, sino que procede declarar sin lugar el recurso en todos sus extremos.

VI.- Voto salvado de los magistrados Cruz Castro y Araya García.- Dar plazo para presentar la acción de inconstitucionalidad en contra del Reglamento en cuestión:

Consideramos que en este caso debe dársele un enfoque distinto al que impera en el voto de mayoría. La cuestión tiene una vertiente directamente relacionada con derechos fundamentales (derecho de consumidores y acceso a internet), así que no se trata de que esta Jurisdicción conozca en amparo de las cuestiones técnicas relacionadas con ciberseguridad, sino que corresponde examinar si la normativa del reglamento en cuestión que dispone excluir (o calificar como alto riesgo, que viene siendo lo mismo) de una licitación pública a ciertas empresas, en razón de su nacionalidad, es acorde al Derecho de la Constitución.

Así, por la trascendencia de la materia en cuestión y su impacto para los derechos fundamentales de acceso a internet de toda la población, resulta procedente otorgarle al recurrente el plazo establecido en la Ley de la Jurisdicción Constitucional para presentar la acción de inconstitucionalidad correspondiente en contra de las normas que considere inconstitucionales del “Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (SG) y Superiores”. Eso, a efectos de que este amparo sirva como asunto base de la acción, si es que no se ha presentado ya una acción al respecto. No se trata en este amparo, en realidad, de cuestionar criterios técnicos del ICE, sino lo que disponen las normas de un reglamento y su incidencia en derechos fundamentales.

Tal como se observa, el recurso de amparo procede también en contra de amenazas (artículo 29 Ley de la Jurisdicción Constitucional). En este caso, se indica que la licitación pública que sacará el ICE para implementar y operar la tecnología 5G IMT en sus redes estará basada en el “Reglamento sobre Medidas Cibernéticas aplicables a los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (SG) y Superiores”, amenaza los derechos de la empresa amparada por cuanto dicho reglamento contiene disposiciones que expresamente impiden la participación de su representada en ese concurso público. Disposiciones que por tanto, considera el recurrente, resultan contrarias a los derechos constitucionales de libre competencia, igualdad de participación y no discriminación.

Con vista en lo anterior, consideramos que lo procedente en este caso es darle plazo al recurrente para que plantee la acción de inconstitucionalidad correspondiente -a efectos de que este amparo sirva como asunto base de la acción-, en contra de las normas del reglamento en cuestión, que considera son inconstitucionales. Nótese que una exclusión a priori de participantes de una licitación pública tiene un impacto directo en los servicios que recibirá el consumidor, pues el principio de libre participación redunda en una mejor protección de los derechos de los consumidores. Entre más oferentes participen, mayor será la trasparencia y valoración en la escogencia del servicio público de telecomunicaciones. Una normativa restrictiva en la cantidad de oferentes para este servicio público, tendría una incidencia directa en las tarifas, la brecha digital, y en general, en el derecho fundamental de acceso a internet.

En la acción de inconstitucionalidad se podrá examinar con mayor detalle si la exclusión a priori de los países que no han estado adheridos al Convenio de Budapest (2001) resulta razonable, o si por el contrario, es discriminatorio, violatorio del principio de libre participación en las licitaciones públicas y amenaza los derechos de los consumidores.

Tal como lo ha indicado esta Sala (ver voto n°2010-10627, y entre otros 2010-12790, 2011-8408, 2017-11212) existe un verdadero derecho fundamental a la comunicación derivado del derecho a la libertad de expresión, del derecho de información y del derecho de acceso a internet. Particularmente en la mencionada sentencia del 2017, donde esta Sala examinó la política de uso justo de acceso a internet, se indicó que el acceso a internet no solo es un derecho fundamental por sí mismo sino que “(…) es una herramienta que potencia de manera incalculable el ejercicio de otros derechos fundamentales: democratiza el conocimiento al poner una cantidad inmensurable de información al alcance de cualquier persona; facilita la participación de los ciudadanos en la gestión estatal, fomentando la transparencia en la gestión pública; establece medios para que las personas puedan ejercer su libertad de expresión; constituye una herramienta de trabajo para muchas profesiones, incluso ajenas a la rama de las tecnologías de la información,”. De allí se derivó la obligación del Estado de “proteger a las personas frente a amenazas que busquen limitar injustificadamente dicho derecho, sino que conlleva también la obligación del Estado de velar por su progresivo crecimiento y mejoramiento, así como la implementación de nuevas tecnologías que potencien el derecho de acceso a Internet.” Por lo anterior, por la incidencia directa que el reglamento tendría en la licitación pública relacionada con los Servicios de Telecomunicaciones Basados en la Tecnología de Quinta Generación Móvil (SG) y Superiores, y por su íntima relación con el derecho fundamental de acceso a internet, lo procedente en este caso es examinar la normativa en cuestión en un proceso de acción de inconstitucionalidad.

VII.- Voto salvado del magistrado Rueda Leal. Este recurso de amparo debió rechazarse de plano, por cuanto se interpuso en representación de [Nombre 002].; sin embargo, del escrito de interposición no se deriva el vínculo esencial entre esta persona jurídica y alguna natural, en relación con los presuntos derechos fundamentales agraviados. De importancia para el sub examine, en el voto salvado que consigné en la sentencia nro. 2019-2355 de las 9:30 horas de 12 de febrero de 2019, sostuve:

“en la Opinión Consultiva 22-16 del 26 de febrero de 2016, la Corte Interamericana de Derechos Humanos indicó que si bien algunos Estados reconocen el derecho de petición a personas jurídicas con condiciones especiales, como lo son los sindicatos, partidos políticos o representantes de pueblos indígenas, comunidades afrodescendientes o grupos específicos, lo cierto es que “El artículo 1.2 de la Convención Americana sólo consagra derechos a favor de personas físicas, por lo que las personas jurídicas no son titulares de los derechos consagrados en dicho tratado”. Por otro lado, en la misma opinión consultiva, la Corte Interamericana dispuso que, en ciertos contextos particulares, las personas físicas pueden llegar a ejercer sus derechos a través de personas jurídicas (verbigracia, a través de un medio de comunicación, como acaeció en el caso Granier y otros contra Venezuela); empero, a efectos de que ello sea tutelable ante el sistema interamericano, “el ejercicio del derecho a través de una persona jurídica debe involucrar una relación esencial y directa entre la persona natural que requiere protección por parte del sistema interamericano y la persona jurídica a través de la cual se produjo la violación, por cuanto no es suficiente con un simple vínculo entre ambas personas para concluir que efectivamente se están protegiendo los derechos de personas físicas y no de las personas jurídicas. En efecto, se debe probar más allá de la simple participación de la persona natural en las actividades propias de la persona jurídica, de forma que dicha participación se relacione de manera sustancial con los derechos alegados como vulnerados.” (énfasis agregado) (OC. 22/16)”.

En mi criterio, la lectura de la Ley de la Jurisdicción Constitucional obliga a la misma ratio de la hermenéutica convencional supracitada respecto a todo derecho fundamental. Así, en un proceso de constitucionalidad formulado en nombre o a favor de una persona jurídica, su admisión para estudio exige una relación esencial y directa entre la persona jurídica que aduce verse afectada por alguna vulneración al orden constitucional y la persona natural que, por tal lesión, viene a ver menoscabado, de forma refleja pero directa, algún derecho fundamental. Para tales efectos es insuficiente la mera referencia a una conexión o vínculo entre la persona jurídica y la natural para poder colegir que, precisamente, por medio del proceso de constitucionalidad se esté procurando el resguardo de los derechos fundamentales de la última, no meramente los de la primera. El requerimiento antedicho deviene entonces un presupuesto sine qua non para la procedencia del control de constitucionalidad en esta vía. A partir de lo expuesto, considero que esta debe ser la pauta con que se tiene que interpretar la Ley de la Jurisdicción Constitucional, de manera que en el sub iudice deviene improcedente la aplicación del control jurisdiccional de constitucionalidad, puesto que no se ha demostrado el referido vínculo, en relación con el presunto derecho agraviado. Esta tesis la he seguido no solo cuando se ha tenido como parte tutelada a empresas del sector de Telecomunicaciones (verbigracia, la sentencia nro. 2019014375 de las 14:20 horas del 1º de agosto de 2019), sino también cuando, en general, se han planteado recursos en nombre o a favor de personas jurídicas sin establecer la aludida relación esencial entre la persona natural y la persona jurídica (por ejemplo, las resoluciones nros. 2023014282 de las 9:30 horas de 16 de junio de 2023, 2022029898 de las 9:21 horas de 16 de diciembre de 2022, 2022005751 de las 9:20 horas de 11 de marzo de 2022, 2020014695 de las 9:15 horas de 7 de agosto de 2020, 2020012170 de las 10:05 horas de 30 de junio de 2020, 2020009074 de las 9:15 horas de 15 de mayo de 2020, 2020006905 de las 9:20 horas de 3 de abril de 2020, entre otras).

VIII.-Documentación aportada al expediente. Se previene a las partes que de haber aportado algún documento en papel, así como objetos o pruebas contenidas en algún dispositivo adicional de carácter electrónico, informático, magnético, óptico, telemático o producido por nuevas tecnologías, éstos deberán ser retirados del despacho en un plazo máximo de 30 días hábiles contados a partir de la notificación de esta sentencia. De lo contrario, será destruido todo aquel material que no sea retirado dentro de este plazo, según lo dispuesto en el "Reglamento sobre Expediente Electrónico ante el Poder Judicial", aprobado por la Corte Plena en sesión N° 27-11 del 22 de agosto del 2011, artículo XXVI y publicado en el Boletín Judicial número 19 del 26 de enero del 2012, así como en el acuerdo aprobado por el Consejo Superior del Poder Judicial, en la sesión N° 43-12 celebrada el 3 de mayo del 2012, artículo LXXXI .

Por tanto:

Por mayoría se declara sin lugar el recurso. La magistrada Garro Vargas consigna nota. Los magistrados Cruz Castro y Araya García salvan el voto y otorgan plazo a la parte recurrente para que interponga acción de inconstitucionalidad contra el ‘Reglamento sobre medidas de ciberseguridad aplicables a los servicios de telecomunicaciones basados en la tecnología de quinta generación móvil (5G) y superiores’. El magistrado Araya García consigna nota. El magistrado Rueda Leal salva el voto y rechaza de plano el recurso.

Fernando Castillo V.

Fernando Cruz C. Paul Rueda L.

Luis Fdo. Salazar A. Jorge Araya G.

Anamari Garro V. Ingrid Hess H.

Sentencia 2024-002222 Nota de la magistrada Garro Vargas Consideraciones preliminares He concurrido con la mayoría porque coincido en lo sustancial con los argumentos de la sentencia. Además, he considerado oportuno consignar esta nota para poner de manifiesto que a mi juicio este es un asunto que desde el inicio debió ser rechazado, porque de manera palmaria se advierte que su objeto no corresponde ser conocido mediante un recurso sumario como lo es el amparo.

Ejemplos de la línea jurisprudencial sostenida por la suscrita En similares ocasiones, e incluso en otras cuyo objeto ha sido de menor mucho menor envergadura, he dicho que no basta que estén presuntamente involucrados derechos fundamentales para que proceda que el asunto sea residenciado en esta sede y que sea resuelto mediante un recurso de amparo.

He aquí algunos ejemplos:

• 1)Casos de los exámenes de admisión al Instituto Tecnológico de Costa Rica En esos casos, que por cierto fueron muy numerosos, los recurrentes impugnaban los criterios de admisión a esa institución de educación superior. El tema hacía directísima relación al derecho a la educación, al derecho a la igualdad y al principio de razonabilidad. La Sala, siguiendo una antigua y muy razonable línea jurisprudencial, rechazó de plano esos numerosos recursos, con afirmaciones como la siguiente:

“Como se desprende de las sentencias transcritas, este Tribunal ha sido consistente en señalar que los requisitos de ingreso a las universidades estatales es materia que le compete a estas. En adición, la Sala ha reiterado que la controversia acerca del método y contenido de una prueba de admisión universitaria corresponde dirimirse en la vía de la legalidad, toda vez que se trata de una cuestión de gran especificidad técnica, cuya revisión obliga a un profundo diligenciamiento de prueba técnica, lo que resulta ajeno a la naturaleza sumaria del amparo” (sentencias 2020-023153, 2020-023160, 2020-024016, 2021-04817, entre otras; el destacado no es del original).

En esas numerosísimas sentencias similares, la magistrada Hernández López y yo, consignamos la siguiente nota:

“Nota de las Magistradas Hernández López y Garro Vargas con redacción de la segunda.

El recurso de amparo es un proceso sumario por naturaleza y, a tenor del artículo 48 de la Constitución Política, está diseñado para proteger los derechos constitucionales (con excepción de la libertad e integridad personal) y los de carácter fundamental establecidos en instrumentos internacionales de derechos humanos aplicables a la República. Por ende, un asunto es susceptible de ser conocido mediante un recurso de amparo cuando se invoca la presunta de lesión de alguno de esos derechos. Pero eso no es suficiente. Es preciso que el objeto en discusión pueda ser conocido adecuadamente en un proceso sumario: es decir, en un trámite sencillo sin necesidad de una fase probatoria compleja. Además, el carácter sumario debe manifestarse no sólo en la fase de conocimiento sino también en su fase de ejecución. Sobre la base de lo anterior, las suscritas magistradas estimamos que el presente asunto no corresponde ser conocido en la Sala Constitucional mediante el recurso de amparo, pues, aunque podrían estar involucrados derechos fundamentales, para analizarlo debidamente se requiere producir prueba técnica proveniente de diversas disciplinas, con el fin de examinar los diversos elementos que entran en juego en su resolución”. (Sentencia 2020-23160; el destacado no es del original).

• 2)Caso Rainforest Alliance En otra ocasión, la Sala conoció de un recurso de amparo interpuesto contra Rainforest Alliance (expediente 21-023756-0007-CO), que declaró con lugar (sentencia 2022-005556). Consigné mi voto salvado en el que, entre otros argumentos, afirmé lo siguiente:

“3. Sobre el procedimiento del recurso de amparo Como se anunció en el preámbulo de este voto salvado, para que la aducida lesión a un derecho constitucional o fundamental pueda ser conocida ante esta jurisdicción, la naturaleza del reclamo debe ser compatible con las características del recurso de amparo. Si bien este no es el caso ‒por no existir un derecho constitucional o fundamental de por medio‒, cabría afirmar que muchos otros agravios podrían ser reconducidos hacia el Derecho de la Constitución, porque en definitiva esta es la base de la que dimana el resto del ordenamiento jurídico.

No obstante, no toda infracción a un derecho constitucional debe ser necesariamente valorada en el recurso de amparo, pues por la naturaleza del reclamo, en muchos casos, la mejor manera de examinarlo con detalle y profundidad es residenciarlo en la vía ordinaria, que ofrece amplias garantías para las partes a fin de resolver el conflicto que hay entre ellas y que cuenta con las posibilidades de acudir a una robusta justicia cautelar. Al respecto, este Tribunal ha reiterado una línea jurisprudencial en el sentido de que “el proceso de amparo es de carácter eminentemente sumario porque tiene como única finalidad brindar tutela oportuna contra infracciones o amenazas inminentes a los derechos y libertades fundamentales, por lo que su tramitación no se aviene bien con la práctica de diligencias probatorias lentas y complejas” (entre muchos otros se pueden consultar los votos números 2003-14336, 2006-014421 y 2020-019038). Esta línea jurisprudencial no hace sino recordar la naturaleza propia de este proceso. [El destacado no es del original].

También es preciso indicar que existen otros mecanismos jurisdiccionales paralelos, en donde con amplias garantías se puede conceder tutela a reclamos relacionados con infracciones a derechos de rango constitucional o fundamentales. Un ejemplo de ello es la tesis de la Sala Constitucional que ordenó, bajo una mejor ponderación, residenciar los reclamos relacionados con la dilación de los procedimientos administrativos en la jurisdicción contencioso-administrativa, pues en el fondo su análisis implica un examen de los plazos legales con los que cuentan las administraciones públicas para atender los reclamos de los administrados. Así, desde la sentencia n.°2008-002545 la Sala Constitucional viene sosteniendo de forma ininterrumpida lo siguiente:

“Es evidente que determinar si la administración pública cumple o no los plazos pautados por la Ley General de la Administración Pública (artículos 261 y 325) o las leyes sectoriales para los procedimientos administrativos especiales, para resolver por acto final un procedimiento administrativo –incoado de oficio o a instancia de parte- o conocer de los recursos administrativos procedentes, es una evidente cuestión de legalidad ordinaria que, en adelante, puede ser discutida y resuelta ante la jurisdicción contencioso-administrativa con la aplicación de los principios que nutren la jurisdicción constitucional, tales como los de la legitimación vicaria, la posibilidad de la defensa material –esto es de comparecer sin patrocinio letrado- y de gratuidad para el recurrente”. (Lo destacado no corresponde al original).

En forma similar, desde la sentencia n.°2017-017948, este Tribunal ha venido resolviendo, en relación con la tutela de derechos laborales, lo siguiente:

“Ciertamente, la tutela de la Sala Constitucional, en tratándose de la materia laboral, deriva de la aplicación del Título V, Capítulo Único, de la Constitución Política, denominado Derechos y Garantías Sociales. Es allí, donde encuentran protección constitucional, por medio del recurso de amparo, el derecho al trabajo, al salario mínimo, a la jornada laboral, al descanso semanal, a vacaciones anuales remuneradas, a la libre sindicalización, al derecho de huelga, a la celebración de convenciones colectivas de trabajo, entre otros; todo ello, con ocasión del trabajo. Sin embargo, bajo una nueva ponderación, dada la promulgación de la Reforma Procesal Laboral, Ley N° 9343 de 25 de enero de 2016, vigente desde el 25 de julio de 2017, esta Sala considera que ahora todos los reclamos relacionados con esos derechos laborales, derivados de un fuero especial (por razones de edad, etnia, sexo, religión, raza, orientación sexual, estado civil, opinión política, ascendencia nacional, origen social, filiación, discapacidad, afiliación sindical, situación económica, así como cualquier otra causal discriminatoria contraria a la dignidad humana), tienen un cauce procesal expedito y célere, por medio de un proceso sumarísimo y una jurisdicción plenaria y universal, para su correcto conocimiento y resolución, en procura de una adecuada protección de esos derechos y situaciones jurídicas sustanciales, con asidero en el ordenamiento jurídico infra constitucional, que tiene una relación indirecta con los derechos fundamentales y el Derecho de la Constitución. Iguales razones caben aplicar para las personas servidoras del Estado, respecto del procedimiento ante el Tribunal de Servicio Civil que les garantiza el ordenamiento jurídico, así como las demás personas trabajadoras del Sector Público para la tutela del debido proceso o fueros semejantes a que tengan derecho de acuerdo con el ordenamiento constitucional o legal. En fin, el proceso sumarísimo será de aplicación, tanto del sector público como del privado, en virtud de un fuero especial, con goce de estabilidad en el empleo o de procedimientos especiales para su tutela, con motivo del despido o de cualquier otra medida disciplinaria o discriminatoria, por violación de fueros especiales de protección o de procedimientos, autorizaciones y formalidades a que tienen derecho, las mujeres en estado de embarazo o periodo de lactancia, las personas trabajadoras adolescentes, las personas cubiertas por el artículo 367, del Código de Trabajo, las personas denunciantes de hostigamiento sexual, las personas trabajadoras indicadas en el artículo 620, y en fin, de quienes gocen de algún fuero semejante mediante ley, normas especiales o instrumentos colectivos de trabajo”.

Esto pone de manifiesto que, incluso, cuando hay de por medio derechos de orden constitucional o fundamental, no necesariamente su restablecimiento y protección debe residenciarse en la jurisdicción constitucional a través del recurso de amparo, sino que pueden existir vías paralelas más garantistas desde el punto de vista procesal, destinadas a conocer –con la profundidad que el caso lo requiere– reclamos relacionados con estos derechos. Justamente, por la forma en que está diseñado el recurso de amparo, es que los agravios que se deben conocer en esta sede son aquellos en los cuales la tutela del derecho sea compatible con las características y posibilidades de este proceso sumario. Por el contrario, no corresponde conocer en el recurso de amparo aquellos asuntos que necesiten un complejo análisis probatorio, fases de contradicción, e inmediación de la prueba, que desnaturalizan por completo la esencia del recurso de amparo” [El destacado no es del original].

• 3)Parque Viva Posteriormente, la Sala conoció del caso Parque Viva (expediente 22-016697-0007-CO). En la parte dispositiva (sentencia 2022-25167), en lo que a mí atañe dice: “La magistrada Garro Vargas salva parcialmente el voto en el siguiente sentido: lo declara con lugar, por sus propias razones, respecto de la libertad de expresión; y lo declara sin lugar respecto de la anulación de la orden sanitaria y del citado oficio, por cuanto estima que lo relativo a estos no procede ser conocido en esta jurisdicción”. De mi voto salvado deseo destacar lo siguiente, que es relevante para el presente asunto:

“La competencia del órgano también está determinada por el respeto de la naturaleza del proceso.

No todo acto u omisión o vía de hecho, que provengan de una autoridad, aunque sean de suyo impugnable, es susceptible de ser conocido en un proceso sumario e informal. Las razones pueden ser diversas: la complejidad jurídica o técnica del acto, la necesidad de contar con un amplio acervo probatorio para determinar su validez y eficacia, etc. Sobre esto hay jurisprudencia consolidada que la Sala reitera todas las semanas al rechazar buena parte de los recursos de amparo que le son presentados.

Igualmente, el tribunal debe constatar si el objeto protegido (los derechos fundamentales presuntamente conculcados) puede ser efectivamente garantizado mediante un recurso de amparo, que es un proceso sumario e informal. Al respecto hay una reiteradísima jurisprudencia sobre el particular, que la Sala también recoge de modo habitual.

Justamente en este sentido, suscribí con la magistrada Hernández López una nota que reiteramos en muchas ocasiones [ya citada acá] (…) (nota a la sentencia 2020-23153).

Esto es así porque ciertamente muchos asuntos involucran derechos fundamentales, pero deben ser conocidos en su sede correspondiente”. (El destacado no es del original).

En esa ocasión añadí unos párrafos con un tono un tanto didácticos, pero que reflejaban de manera simple mi aproximación al tema.

“Por ejemplo, si una persona aduce que la defraudaron en una compraventa de un lote, qué duda cabe –si en efecto fue así– que le han violado su derecho y que este es un derecho fundamental. Se trata del derecho reconocido en el artículo 45 de la Constitución Política; pero es claro que el litigio sobre el particular no corresponde ser conocido en la Sala Constitucional, ni siquiera si el vendedor fue un sujeto de derecho público, porque para resolver este tipo de conflictos está la jurisdicción correspondiente. Sin ir más lejos, pues los ejemplos podrían ser abundantísimos, si un transeúnte dispara a otro, el victimario está violando el derecho fundamental a la vida o, al menos, a la integridad de la víctima, pero evidentemente el asunto tampoco puede ser conocido mediante un recurso de amparo, porque esa conducta está tipificada y, por tanto, será el juez penal quien determine la responsabilidad y el alcance y las consecuencias de esta. Pues bien, esto la Sala habitualmente lo ha tenido muy claro en su jurisprudencia, por eso, cada semana, rechaza muchos recursos de amparo señalando que se trata de asuntos propios de la legalidad ordinaria.

Lo anterior significa que, para que un caso sea examinado y resuelto en un recurso de amparo, no basta aducir que la lesión del derecho fundamental alegada tiene su causa en una conducta de la parte recurrida. Y la Sala procura respetar esos criterios justamente para no invadir las competencias de la jurisdicción ordinaria (establecidas en los artículos 49 y 153 de la Constitución Política) o las de las autoridades administrativas, según corresponda. Pero no solo por ese motivo, sino porque de esa manera, residenciándose el asunto donde corresponde, las partes tendrán todas las garantías procesales propias del debido proceso, que en un recurso sumario e informal como el amparo se reducen. Así, por ejemplo, los informes de las autoridades, al ser dados bajo fe de juramento, se tienen por ciertos, por lo que las posibilidades de desvirtuarlos son mucho menores que en procesos plenarios.

Por eso la Sala debe constatar si en atención al objeto impugnado (los actos presuntamente lesivos), al objeto protegido (los derechos fundamentales presuntamente conculcados) y al tipo de lesión (si la afectación es directa o no) el asunto es susceptible de ser conocido en un proceso sumario como es el amparo”. (El destacado no es del original).

• 4)Asuntos ambientales de gran complejidad Esta Sala conoció de un asunto ambiental (expediente 22-003777-0007-CO) en el que se declaró parcialmente con lugar (sentencia 2022-9857). En lo que interesa, estimó que los aspectos de gran complejidad no debían ser residenciados en esta jurisdicción. En esa oportunidad los magistrados Castillo Víquez, Garita Navarro y la suscrita consignamos una nota, que sostiene lo siguiente:

“X.- NOTA DE LOS MAGISTRADOS CASTILLO VÍQUEZ Y GARITA NAVARRO Y DE LA MAGISTRADA GARRO VARGAS, CON REDACCIÓN DE LA ÚLTIMA.

Estimamos necesario consignar esta nota en la que advertimos que, bajo una mejor ponderación, en asuntos ambientales de tanta complejidad ‒como el que se cuestiona en el caso concreto‒ valoramos que corresponde desestimar el recurso para residenciar la discusión en la vía ordinaria en donde con mayores posibilidades probatorias y procesales, así como de ejecución, se examine con detalle la conducta cuestionada.

En primer lugar, se hace necesario enfatizar que consideramos que esta Sala es competente para conocer recursos de amparo relacionados con la lesión al derecho fundamental a un medio ambiente sano y ecológicamente equilibrado en los términos del artículo 50 de la Constitución Política. Lo anterior, como lo ha hecho este Tribunal con tanto éxito en el pasado. Sin embargo, advertimos que hay cuestionamientos y denuncias que, por su complejidad, rebasan la naturaleza sumaria del recurso de amparo y, en tales circunstancias, resulta más garantista para todas las partes, e incluso para la tutela efectiva del derecho al ambiente sano y ecológicamente equilibrado y de la protección de los recursos naturales, residenciar el conflicto en una vía ordinaria, de conocimiento plenario, en la que con más oportunidades procesales se pueda examinar la prueba y contrastar los agravios. En definitiva, para juzgar con detalle la regularidad de la conducta omisiva y/o activa de las administraciones públicas competentes en la atención y resolución del conflicto ambiental denunciado.

Recuérdese que históricamente esta Sala ha sostenido la línea jurisprudencial de que “el proceso de amparo es de carácter eminentemente sumario porque tiene como única finalidad brindar tutela oportuna contra infracciones o amenazas inminentes a los derechos y libertades fundamentales, por lo que su tramitación no se aviene bien con la práctica de diligencias probatorias lentas y complejas” (entre muchos otros se pueden consultar los votos números 2003-14336, 2006-014421 y 2020-019038). Esta línea jurisprudencial no hace sino recordar la naturaleza propia de este proceso. Por otra parte, a partir de la entrada en vigencia del Código Procesal Contencioso Administrativo se determinó que dicha jurisdicción posee amplias competencias para conocer de agravios como los que se cuestionan en el sub lite. A tales efectos, este Tribunal ha reiterado lo siguiente:

“[A]nte la promulgación del Código Procesal Contencioso-Administrativo (Ley No. 8508 de 24 de abril de 2006) y su entrada en vigencia a partir del 1° de enero de 2008, ha quedado patente que ahora los justiciables cuentan con una jurisdicción contencioso-administrativa plenaria y universal, sumamente expedita y célere por los diversos mecanismos procesales que incorpora al ordenamiento jurídico esa legislación, tales como el acortamiento de los plazos para realizar los diversos actos procesales, la amplitud de la legitimación, las medidas cautelares, el numerus apertus de las pretensiones deducibles, la oralidad –y sus subprincipios concentración, inmediación y celeridad-, la única instancia con recurso de apelación en situaciones expresamente tasadas, la conciliación intra-procesal, el proceso unificado, el proceso de trámite preferente o “amparo de legalidad”, los procesos de puro derecho, las nuevas medidas de ejecución (multas coercitivas, ejecución sustitutiva o comisarial, embargo de bienes del dominio fiscal y algunos del dominio público), los amplios poderes del cuerpo de jueces de ejecución, la extensión y adaptación de los efectos de la jurisprudencia a terceros y la flexibilidad del recurso de casación. Todos esos institutos procesales novedosos tienen por fin y propósito manifiesto alcanzar la economía procesal, la celeridad, la prontitud y la protección efectiva o cumplida de las situaciones jurídicas sustanciales de los administrados, todo con garantía de derechos fundamentales básicos como el debido proceso, la defensa y el contradictorio”. (Ver, por ejemplo, las sentencias números 2010-17909, 2020-011247 y 2022-003724).

En contraposición, la ausencia de una fase probatoria plenaria que facilite la inmediación y el contradictorio de la prueba, imponen necesariamente que, en aras de una adecuada y prudente protección del derecho, se recurra a la vía ordinaria para conocer conflictos medio ambientales de suyo complejos como el que se plantea en el caso concreto. (…).

De la enumeración de agravios y el análisis de la pretensión de la parte recurrente es posible constatar que el conflicto denunciado es sumamente complejo de resolver mediante el proceso de amparo y, por lo tanto, correspondería ser residenciado en una sede ordinaria que, con mayores herramientas, pueda conocer con profundidad la denuncia de fondo, adoptar medidas cautelares y dictar amplias y específicas órdenes para atender la problemática apuntada.

La Sala debe conocer de los asuntos ambientales en todos aquellos casos cuya pretensión sea compatible con la naturaleza sumaria del recurso de amparo. Todo lo que pueda conocerse y residenciarse ante la jurisdicción constitucional porque la pretensión es compatible con las cualidades y posibilidades que este proceso otorga, debe mantenerse en esta sede. No así las denuncias ambientales cuya dilucidación requiera para su conocimiento y adecuado análisis un espacio probatorio plenario como el que se prevé en la Jurisdicción Contencioso Administrativa. Esa es la excepción. Estimamos que la regla es entonces que procede conocer en un recurso de amparo cuando sea relativamente sencilla la constatación de la problemática y la Sala tenga las herramientas apropiadas para una oportuna y apropiada reparación, es decir, que su ejecución sea también propia de un proceso sumario.

Al respecto, es preciso advertir que hay agravios que son fácilmente constatables y no sería tan difícil su conocimiento, pero son parte de un todo. Por lo tanto es mejor que ese todo sea residenciado en una sede que, por sus características, permita que el asunto sea conocido integralmente con el análisis de todas las aristas que revisten el caso concreto. Eso sucede precisamente en el sub lite en el que se acusa la falta de resolución de una denuncia para dotar de más personal para custodiar el Área de Conservación de Osa y, paralelamente, se denuncian y enumeran una serie de problemáticas que justifican ‒a juicio de los recurrentes‒ la necesidad de nombrar más personal técnico para salvaguardar la zona.

En definitiva, consideramos que, bajo una mejor ponderación, se hace preciso concluir que hay conflictos que, por su magnitud, requieren necesariamente de un proceso probatorio plenario para su atención y resolución. Este es justamente uno de esos casos, por lo que estimamos que lo correspondiente es declarar sin lugar el recurso y remitir la totalidad del conflicto planteado ‒denuncia por escasez de personal en detrimento de la biodiversidad‒ ante la jurisdicción contencioso-administrativa.

Esta nota la realizamos en aras de garantizar la debida seguridad jurídica en las líneas jurisprudenciales de esta Jurisdicción Constitucional y advertir concretamente en qué consiste el cambio de criterio parcial de los suscritos magistrados”. (El destacado no es del original).

En términos similares me he referido en otros asuntos ambientales (por ejemplo, sentencias 2023-11233 y 2023-16088).

Conclusión

Lo dicho hasta acá es suficiente para mostrar que he procurado ser consistente en mi línea de votación. Esta puede resumirse diciendo que, para que la Sala Constitucional determine con acierto su propia competencia al conocer de asuntos que se le someten mediante un recurso de amparo, ha de respetar la necesaria congruencia que debe haber entre el objeto protegido (derechos fundamentales), objeto impugnado (conducta administrativa o de sujeto de derecho) y mecanismo procesal (proceso sumario). Esto significa que debe admitir a su trámite solo asuntos en los que, además de estar involucrada la presunta lesión de un derecho fundamental, el objeto impugnado sea susceptible de ser conocido mediante un proceso sumario, sencillo, sin complejidad probatoria. Esto además corresponde hacerlo en aras del debido proceso, el respeto de la naturaleza de los procesos y de la finalidad misma de esta jurisdicción.

Conviene agregar que si se afirmara que sólo la Sala Constitucional está llamada a proteger derechos fundamentales sería tanto como poner en entredicho, desde su raíz misma, el principio de supremacía constitucional y el de unidad del ordenamiento. Además, supondría ‒en este caso‒ menospreciar injustamente la jurisdicción contencioso-administrativa y su robusta justicia cautelar y sus mecanismos de ejecución.

Anamari Garro Vargas Vista la redacción final de la sentencia de esta Sala, número 2024-2222, de las catorce horas de 26 de enero de 2024, por la cual se declara sin lugar el presente recurso de amparo, el suscrito Magistrado renuncia a la nota que durante la discusión de dicha sentencia indicó que consignaría.

San José, 31 de julio de 2024.

Jorge Araya G.

1 [1] Voto 1998-001650 de las 17:36 horas del 10 de marzo de 1998.

[2] Barth Jiménez. Jose Francisco. “Recurso de Amparo y regulación de telecomunicaciones”. En Constitución y Justicia Constitucional Corte Suprema de Justicia, San José, Costa Rica, 2013. Página 499.

[3] [4] [5] [6] [7] Observaciones de SALA CONSTITUCIONAL votado con boleta Clasificación elaborada por SALA CONSTITUCIONALdel Poder Judicial. Prohibida su reproducción y/o distribución en forma onerosa.