October 14, 2019

Member States, with the support of the Commission and the European Agency for Cyber Security (ENISA), have published a report on the EU coordinated risk assessment on cyber security in Fifth Generation (5G) networks. This is part of the implementation of the European Commission Recommendation adopted in March 2019 to ensure a high level of cyber security of 5G networks across the EU.

In a joint press release with the Council of the EU, the Commission explains that the report is based on the results of the national cyber security risk assessments by all EU Member States. It identifies the main threats and threats actors, the most sensitive assets, the main vulnerabilities and a number of strategic risks. The assessment provides a basis on which to identify mitigation measures that can be applied at national and European level.

The report identifies a number of important security challenges, which are likely become more prominent in 5G networks, compared with the situation in existing networks. These security challenges are mainly linked to:

• key innovations in 5G technology (which will also bring a number of specific security improvements), in particular the important part of software and the wide range of services and applications enabled by 5G; and
• the role of suppliers in building and operating 5G networks and the degree of dependency on individual suppliers.

Specifically, the rollout of 5G networks is expected to have the following effects:

• an increased exposure to attacks and more potential entry points for attackers;
• increased sensitivity of network equipment or functions due to new characteristics of the 5G network architecture and new functionalities;
• an increased exposure to risks related to the reliance of mobile network operators on suppliers, leading to a higher number of attack paths that might be exploited by threat actors and increase the potential severity of the impact of such attacks;
• the risk profile of individual suppliers becoming particularly important due to the increased exposure to attacks facilitated by suppliers, including the likelihood of the supplier being subject to interference from a non-EU country;
• increased risks from major dependencies on suppliers, such as increased exposure to a potential supply interruption resulting from a commercial failure, and its consequences; and
• threats to the availability and integrity of networks becoming major security concerns, in addition to confidentiality and privacy threats.

Together, the press release states, these challenges create a new security paradigm, making it necessary to reassess the current policy and security framework applicable to the sector and its ecosystem, and essential for Member states to take the necessary mitigating measures.

To complement the Member States’ report, ENISA is finalising a specific threat landscape mapping related to 5G networks, which considers in more detail certain technical aspects covered in the report.

By 31 December 2019, the Cooperation Group should agree on a toolbox of mitigating measures to address the identified cyber security risks at national and EU level.

By 1 October 2020 Member States, in co-operation with the Commission, should assess the effects of the Recommendation in order to determine whether there is a need for further action. This assessment should take into account the outcome of the coordinated European risk assessment and of the effectiveness of the measures. To read the press release in full, click here.