European Commission announces next steps on cybersecurity of 5G networks

EU member states, with the support of the European Commission and ENISA (European Union Agency for Cybersecurity), published a second progress report on the implementation of the EU Toolbox on 5G cybersecurity. The report also addresses some of the recommendations of the European Court of Auditors’ special report of January 2022.

In complement to the progress report, the EC adopted a communication on the implementation of the toolbox by member states and in the EU’s own corporate communications and funding activities.

The progress report records that 24 member states have adopted or are preparing legislative measures giving national authorities the powers to assess suppliers and issue restrictions. Of these, 10 member states have imposed such restrictions and three are currently working on the implementation of the relevant national legislation. Given the importance of the connectivity infrastructure for the digital economy and the dependence of many critical services on 5G networks, member states should achieve the implementation of the Toolbox.

The EC underlines concerns about the risks posed by certain suppliers of mobile network communication equipment to the security of the Union. The Commission considers that decisions adopted by member states to restrict or exclude Huawei and ZTE from 5G networks are justified and compliant with the 5G Toolbox. Consistent with such decisions, and based on a broad range of available information, the EC considers that Huawei and ZTE represent materially higher risks than other 5G suppliers.

Without prejudice to the member states’ competencies as regards national security, the EC has also applied the Toolbox criteria to assess the needs and vulnerabilities of its own corporate communications systems and those of the other European institutions, bodies, and agencies, as well as the implementation of Union funding programmes in the light of the Union’s overall policy objectives. Drawing on its own assessment, which is consistent with that of certain member states, the EC urges member states that have not yet implemented the Toolbox to urgently adopt the relevant measures recommended in the EU Toolbox, to address the risks posed by the identified suppliers.

As part of its corporate cybersecurity policy, and in the application of the 5G cybersecurity toolbox, the EC will take measures to avoid exposure of its corporate communications to mobile networks using Huawei and ZTE as suppliers. It will take relevant security measures so as not to procure new connectivity services that rely on equipment from those suppliers and will work with member states and telecom operators to make sure that those suppliers are progressively phased out from existing connectivity services of the Commission sites. The EC also intends to reflect this decision in all relevant EU funding programmes and instruments.

Second progress report on the 5G Toolbox

The report, adopted by member states, records that further progress was made in the implementation of the key measures of the EU Toolbox since the first Progress Report of July 2020. A vast majority of member states have reinforced or are in the process of reinforcing security requirements for 5G networks based on the EU Toolbox. However, despite the progress made, the report finds that this situation creates a clear risk of persisting dependency on high-risk suppliers in the internal market with potentially serious negative impacts on security for users and companies across the EU and the EU’s critical infrastructure.

The report includes recommendations for member states to:

  • Ensure they have detailed information from mobile operators about the 5G equipment currently deployed and about their plans for deploying or sourcing new equipment.
  • In assessing the risk profile of suppliers, member states should consider the objective criteria recommended in the EU Toolbox. In this context, it is evident that 5G suppliers exhibit clear differences in their characteristics, in particular as regards their likelihood of being influenced by specific third countries which have security laws and corporate governance that are a potential risk for the security of the Union. Furthermore, designations made by other member states concerning high-risk suppliers should be taken into account, with a view to promoting consistency and a high level of security across the Union.
  • Based on the assessment of suppliers, member states should impose restrictions on high-risk suppliers without delay, considering that a loss of time can increase the vulnerability of networks in the Union and the Union’s dependency on high-risk suppliers, especially for member states with a high presence of potential high-risk suppliers.
  • To effectively mitigate risks, member states should ensure that the restrictions cover critical and highly sensitive assets identified in the EU Coordinated risk assessment, including the radio access network.
  • For types of equipment covered by the restrictions, operators should not be allowed to install new equipment. If transition periods are allowed for the removal of existing equipment, they shall be defined to ensure the removal of equipment in place within the shortest possible timeframe, taking into account the security risk of keeping equipment from high-risk suppliers in place, and should not be applied to allow the continued deployment of new equipment from high-risk suppliers.
  • Implement restrictions for managed service providers (MSPs), and in case functions are outsourced to MSPs, impose enhanced security provisions around the access that MSPs are given.
  • Further discuss the applicability of measures related to diversification of suppliers, and how to ensure that any potential diversification does not result in new or increased security risks but contributes to security and resilience.
  • Enforce technical measures and ensure a level of supervision. Particular attention should be given to certain measures, notably ensuring the application of baseline security requirements, raising security standards in suppliers’ processes through procurement conditions, and ensuring secure 5G network management, operation and monitoring.
