5G security: Member States report on progress on implementing the EU toolbox and strengthening safety measures

Today, EU Member States, with the support of the European Commission and ENISA, the EU Agency for Cybersecurity, published a report on the progress made in implementing the joint EU toolbox of mitigating measures, which was agreed by the Member States and endorsed by a Commission Communication in January 2020. The toolbox sets out a joint approach based on an objective assessment of identified risks and proportionate mitigating measures to address security risks related to the rollout of 5G, the fifth-generation of mobile networks.

While work is still ongoing in many Member States, the report notes that all Member States have launched a process to review and strengthen security measures applicable to 5G networks, demonstrating their commitment to the coordinated approach defined at EU level. For each of the toolbox measures, the report reviews progress made since the toolbox adoption, showing what has already been done and identifying areas where measures have not been implemented so far.

Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, said: “The timely rollout of 5G networks is strategically important for all Member States as it can open new opportunities for businesses, transform our critical sectors and benefit European citizens. Our common priority and responsibility is to ensure that these networks are secure and, while this report shows we have undergone great strides, a lot of work remains ahead.”

Thierry Breton, Commissioner for the Internal Market, added: “With 5G network rollout going ahead across the EU, and our economies increasingly relying on digital infrastructure, as the coronavirus crisis demonstrated, it is more important than ever to ensure a high level of security. Together with Member States, we are committed to put in place robust measures, in a coordinated manner, not only to ensure 5G cybersecurity but also to strengthen our technological autonomy. Today’s report reaffirms our commitment and outlines the areas where further efforts and vigilance are needed.”

German Federal Minister for Economic Affairs and Energy, Peter Altmaier, said: „The 5G network rollout will provide completely new opportunities for business and society. Due to the importance of 5G as a central critical infrastructure for future technologies, it is important that the rollout of 5G infrastructure can proceed quickly and safely – in all member states. The 5G toolbox report shows that we are on the right track.“

Horst Seehofer, German Federal Minister of the Interior, Building and Community said: “The integrity of telecommunication networks is an essential part of the security architecture in all Member States. All risks – technical as well as non-technical – must be contained as much as possible. The progress report on the EU’s 5G toolbox demonstrates that the common approach is the right way to synchronise national measures as far as possible.“

Ensuring resilience of 5G networks is essential to our society, since this technology will not only have an impact on digital communications, but also on critical sectors such as energy, transport, banking, and health, as well as on industrial control systems. 5G networks will be carrying sensitive information and will be supporting safety systems that will come to rely on them. Market players are largely responsible for the secure rollout of 5G, and Member States are responsible for national security – yet, collective work and coordinated implementation of appropriate measures is fundamental to ensure EU businesses and citizens can make full use of all the benefits of the new technology in a secure way.

Indeed, the toolbox implementation is the result of collective work and of the strong determination by all Member States, together with the Commission and ENISA, to cooperate and respond to the security challenges of 5G networks and to assure the continued openness of the digital single market. In the toolbox, Member States agreed to strengthen security requirements through a possible set of recommended measures, in particular to assess the risk profiles of suppliers, to apply relevant restrictions for suppliers considered to be high risk (including necessary exclusions for key assets considered as critical and sensitive, such as the core network functions), and to have strategies in place to ensure the diversification of vendors.

Main insights of the report on the EU 5G toolbox

Today’s report analyses the progress made in implementing the toolbox measures at national level, coming to a set of conclusions.

Good progress has already been achievedfor some of the toolbox measures, namely in the following areas:
o The powers of national regulatory authorities to regulate 5G security, have been or are in the process of being reinforced in a large majority of Member States, including powers to regulate the procurement of network equipment and services by operators.

o Measures aimed at restricting the involvement of suppliers based on their risk profile are already in place in a few Member States and at an advanced stage of preparation in many others. The report calls on other Member States to further advance and complete this process in the coming months. With regards to the precise scope of these restrictions, the report highlights the importance to look at the network as a whole and address core network elements as well as other critical and highly sensitive elements, including management functions and the radio access network, and of imposing restrictions also on other key assets, such asdefined geographical areas, government or other critical entities. For those operators having already contracted with a high risk vendors,transition periods should be put in place.

o Network security and resilience requirements for mobile operators are being reviewed in a majority of Member states. The report stresses the importance to ensure that these requirements are strengthened, that they follow the latest state-of-the-art practices and that their implementation by operators is effectively audited and enforced.

On the other hand, some measures are at a less advanced stage of implementation. In particular, the report calls for:
o Progress is urgently needed to mitigate the risk of dependency on high-risk suppliers, also with a view to reducing dependencies at Union level. This should be based on a thorough inventory of the networks’ supply chain and implies monitoring the evolution of the situation.

o Challenges have been identified in designing and imposing appropriate multi-vendor strategies for individual MNOs or at national level due to technical or operational difficulties (e.g. lack of interoperability, size of the country)

o As regards the screening of Foreign Direct Investments, steps should be taken to introduce national FDI screening mechanism without delay in 13 Member States where it is not yet in place, including in view of the approaching application of the EU investment screening framework as of October 2020. These screening mechanisms should be applied to investment developments potentially affecting the 5G value chain, taking into account the objectives of the Toolbox.

Going forward the report also recommends that Member States authorities:

Exchange more information about the challenges, best practices and solutions for implementing the Toolbox measures;
continue monitoring and evaluating the implementation of the Toolbox;
and, continue working with the Commission to implement EU-level actions listed in the toolbox, including in the area of standardisation and certification, trade defence instrumentsand competition rules to avoid distortions in the 5G supply market. Also, investing in EU capacities in the 5G and post-5G technologies, and ensuring 5G projects supported with public funding take into account cybersecurity risks.
Next Steps

The Commission will continue to work with Member States and ENISA within the framework of the NIS Cooperation Group, to monitor the implementation of the toolbox and to ensure its effective and consistent application. The Group will also promote the alignment of national approaches, through further exchanges of experiences, and by working with the Body of European Regulators for Electronic Communications (BEREC). As part of the implementation of the Commission Recommendation adopted last year, by 1 October 2020, Member States, in cooperation with the Commission, should assess the effects of the Recommendation and determine whether there is need for further action. This assessment should take into account the outcome of the EU coordinated risk assessment that was published in October 2019 as well of the effectiveness of the toolbox measures.

Background

In March 2019, following a call by the European Council for a concerted approach to the security of 5G, the Commission adopted a Recommendation on Cybersecurity of 5G networks. It called on Member States to complete national risk assessments, review national measures and to work together at EU level on a coordinated risk assessment and a common toolbox of mitigating measures.

Based on the Member States’ national risk assessment the Report on the EU coordinated risk assessment of the cybersecurity of 5G networks, presented in October 2019, identified the main threats and threats actors, the most sensitive assets, the main vulnerabilities and a number of strategic risks.

To complement this report and as a further input for the toolbox, ENISA carried out a dedicated threat landscape mapping, consisting of a detailed analysis of certain technical aspects, in particular the identification of network assets and of threats affecting these.

In January 2020, the Member States, acting through the NIS Cooperation Group, adopted the EU Toolbox of risk mitigating measures. The Commission adopted a Communication, on that same day, in which it endorsed the toolbox underlining the importance of its effective and quick implementation, and called on Member States to prepare a report on its implementation by 30 June 2020, which was therefore published today.