This annex contains guidance on regulatory capability issues that are not formal LI requirements.
In general, LI obligations are determined by the service being provided, regardless of how that service is implemented. For example, if a 3GPP network operator's voice service replaces a legacy CS voice service, or is equivalent to a CS voice service, then the same LI obligations as for the CS voice (e.g. providing interception capability for roamers) apply. This also applies to new 3GPP networks without legacy CS voice service.
A visited network is generally not required to be able to intercept supplementary services (e.g. voicemail, home network based call forwarding) or 3rd party services not directly provided by the visited network. However, if such a service is observable in the visited network, national regulation may specify a minimum set of LI requirements for that service.
The availability and reliability of the near-real-time transport mechanism for LI data from the CSP to the LEA have to be addressed in a bilateral agreement.
A mechanism to reduce Interception Product volume based on information received from the LEA (e.g. exclusion of particular flows such as movies) may be bilaterally agreed.
The Quality of Service (QoS), capacity, and integrity of the delivered IRI and CC need to be specified by a bilateral agreement between the CSP and the LEA.
In addition, it is recommended to implement jurisdiction-appropriate auditing procedures.
It is recommended to perform risk assessment and risk management of the LI system and the LI deployment environment, based on industry best practice security and risk assessment techniques (e.g. ISO/IEC 27000 family or TVRA of ETSI), in order to reduce risks to the LI system to the minimum possible. Such assessments have to be made regularly and at any new major change in terms of services or network functions.
LI systems are recommended to be securely protected, and any attack attempts should be logged. Access to any target list, to LI functions, or to the LI administrative system is recommended to be isolated from other network management and supervision. Secured access based control or ID based access control to the LI system is recommended.
The security of the negotiated delivery mechanism from the CSP to the LEA is to be specified by bilateral agreement.
The CSP is recommended to ensure the highest level of security of the LI system if only part of the infrastructure (physical and virtual) is owned and/or managed by the CSP. This applies, for example, if a CSP does not manage all slices, and to the degree that control of ownership is with partners or third parties.
For NFV, compliance with the NFV security reference document Sec012 is necessary to achieve compliance with the majority of requirements in the present document, but it is by no means sufficient. Consequently, the CSP is to complement its LI implementation with sound operational security policies, processes, and procedures.
A choice of security-optimised and/or LI-functionality-optimised implementations should be considered in situations where LI functionality might be required at the edge (periphery) of the network (e.g. mission critical services, ProSe relays, (e)NB, H(e)NB, gNB).