EU launches 'toolbox' to build secure 5G in Europe

(BRUSSELS) - The European Commission endorsed a joint 5G 'toolbox' Wednesday, a concerted EU approach to addressing security risks related to the building and protection of a European infrastructure for fifth-generation of mobile networks.

The joint toolbox of mitigating measures was agreed by EU Member States to address security risks related to the rollout of 5G, following the European Council's call for a concerted approach to the security of 5G and the ensuing Commission Recommendation of March 2019.

Member States have since identified risks and vulnerabilities at national level and published a joint EU risk assessment.  With its Communication, the Commission is launching relevant actions within its competence and calling for key measures to be put in place by 30 April 2020.

Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, said: "We can do great things with 5G. The technology supports personalised medicines, precision agriculture and energy grids that can integrate all kinds of renewable energy. This will make a positive difference. But only if we can make our networks secure. Only then will the digital changes benefit all citizens."

Internal Market Commissioner Thierry Breton added: "Today we are equipping EU Member States, telecoms operators and users with the tools to build and protect a European infrastructure with the highest security standards so we all fully benefit from the potential that 5G has to offer."

Market players are largely responsible for the secure rollout of 5G, while EU Member States are responsible for national security. But 5G network security is seen as an issue of strategic importance for the entire Single Market and the EU's technological sovereignty. The EU executive says that closely coordinated implementation of the toolbox is indispensable to ensure EU businesses and citizens can make full use of all the benefits of the new technology in a secure way.

5G is expected to be a major enabler for future digital services in core areas of citizens' lives and an important basis for the digital and green transformations. With worldwide 5G revenues estimated at EUR 225 billion in 2025, 5G is a key asset for Europe to compete in the global market and its cybersecurity is crucial for ensuring the strategic autonomy of the Union. Billions of connected objects and systems are concerned, including in critical sectors such as energy, transport, banking, and health, as well as industrial control systems carrying sensitive information and supporting safety systems.

At the same time, due to a less centralised architecture, smart computing power at the edge, the need for more antennas, and increased dependency on software, 5G networks offer more potential entry points for attackers. Cyber security threats are on the rise and become increasingly sophisticated. As many critical services will depend on 5G, ensuring the security of networks is of highest strategic importance for the entire EU.

The toolbox addresses all risks identified in the EU coordinated assessment, including risks related to non-technical factors, such as the risk of interference from non-EU state or state-backed actors through the 5G supply chain. Based on last October's EU risk assessment report, the toolbox includes strategic and technical measures and corresponding actions to reinforce their effectiveness. These are calibrated based on objective factors.

In the toolbox conclusions, Member States agreed to strengthen security requirements, to assess the risk profiles of suppliers, to apply relevant restrictions for suppliers considered to be high risk including necessary exclusions for key assets considered as critical and sensitive (such as the core network functions), and to have strategies in place to ensure the diversification of vendors.

While the decision on specific security measures remains the responsibility of Member States, the collective work on the toolbox demonstrates a strong determination to jointly respond to the security challenges of 5G networks. This is essential for a successful and credible EU approach to 5G security and to ensure the continued openness of the internal market provided risk-based EU security requirements are respected.

The Commission says it will support the implementation of an EU approach on 5G cybersecurity and will act, as requested by Member States, using, where appropriate, all the tools at its disposal to ensure the security of the 5G infrastructure and supply chain:

• Telecoms and cybersecurity rules;
• Coordination on standardisation as well as EU-wide certification;
• Foreign direct investment screening framework to protect the European 5G supply chain;
• Trade defence instruments;
• Competition rules;
• Public procurement, ensuring that due consideration is given to security aspects;
• EU funding programmes, ensuring that beneficiaries comply with relevant security requirements.

The Commission calls on Member States to take steps to implement the set of measures recommended in the toolbox conclusions by 30 April 2020 and to prepare a joint report on the implementation in each Member State by 30 June 2020. Together with the EU Cybersecurity Agency, the Commission will continue to provide its full support including by launching relevant actions in the areas under its competence. The NIS Cooperation Group will continue to work in order to support the implementation of the toolbox.

Secure 5G networks: EU toolbox - background guide

Commission Communication on Secure 5G Deployment in the EU

Cybersecurity of 5G networks - EU Toolbox of risk mitigating measures - Commission website