February 3, 2020

The Commission has endorsed a EU “Toolbox” of risk-mitigating measures that has been agreed by EU Member States to address security risks related to the rollout of 5G, the fifth generation of mobile networks. This follows the European Council’s call for a concerted approach to the security of 5G and the ensuing Commission Recommendation of March 2019. Member States have since identified risks and vulnerabilities at national level and published a joint EU risk assessment. By means of the toolbox, the Member States are committing to move forward jointly based on an objective assessment of identified risks and proportionate mitigating measures. With this Communication, the Commission launched relevant actions and called for key measures to be put in place by 30 April 2020.

The Commission says that while market players are largely responsible for the secure rollout of 5G, and Member States are responsible for national security, 5G network security is an issue of strategic importance for the entire Single Market and the EU’s technological sovereignty. Closely coordinated implementation of the toolbox is indispensable to ensure EU businesses and citizens can make full use of all the benefits of the new technology in a secure way.

The Commission says that 5G will play a key role in the future development of Europe’s digital economy and society. It will be a major enabler for future digital services in core areas of citizens’ lives, and an important basis for the digital and green transformations. However, due to a less centralised architecture, smart computing power at the edge, the need for more antennas, and increased dependency on software, 5G networks offer more potential entry points for attackers. Cyber security threats are on the rise and become increasingly sophisticated. As many critical services will depend on 5G, ensuring the security of networks is of highest strategic importance for the entire EU.

The toolbox, which has been adopted by all Member States, addresses all risks identified in the EU coordinated assessment, including risks related to non-technical factors such as the risk of interference from non-EU state or state-backed actors through the 5G supply chain. Based on last October’s EU risk assessment report, the toolbox includes strategic and technical measures and corresponding actions to reinforce their effectiveness. These are calibrated based on objective factors.

In the toolbox conclusions, Member States agree to strengthen security requirements, to assess the risk profiles of suppliers, to apply relevant restrictions for suppliers considered to be high risk including necessary exclusions for key assets considered as critical and sensitive (such as the core network functions), and to have strategies in place to ensure the diversification of vendors.

While the decision on specific security measures remains the responsibility of Member States, the collective work on the toolbox demonstrates a strong determination to jointly respond to the security challenges of 5G networks. The Commission says that this is essential for a successful and credible EU approach to 5G security and to ensure the continued openness of the internal market provided risk-based EU security requirements are respected.

The Commission will support the implementation of an EU approach on 5G cyber security and will act, as requested by Member States, using, where appropriate, all the tools at its disposal to ensure the security of the 5G infrastructure and supply chain:

• telecoms and cyber security rules;
• coordination on standardisation as well as EU-wide certification;
• foreign direct investment screening framework to protect the European 5G supply chain;
• trade defence instruments;
• competition rules;
• public procurement, ensuring that due consideration is given to security aspects; and
• EU funding programmes, ensuring that beneficiaries comply with relevant security requirements.

The Commission calls on Member States to take steps to implement the set of measures recommended in the toolbox conclusions by 30 April 2020 and to prepare a joint report on the implementation in each Member State by 30 June 2020. Together with the EU Cybersecurity Agency, the Commission will continue to provide its full support including by launching relevant actions in the areas under its competence. For more information, click here.