The European Commission has reported that EU Member States, with the support of the Commission and ENISA, the EU Agency for Cybersecurity, have published a report on the progress made in implementing the joint EU Toolbox of mitigating measures, which was agreed by Member States and endorsed by a Commission Communication in January 2020. The Toolbox sets out a joint approach based on an objective assessment of identified risks and proportionate mitigating measures to address security risks related to the rollout of 5G, the fifth generation of mobile networks.
While work is still ongoing in many Member States, the report notes that all Member States have launched a process to review and strengthen security measures applicable to 5G networks. For each of the Toolbox measures, the report reviews progress made since adoption of the Toolbox, showing what has already been done and identifying areas where measures have not been implemented so far.
The report on the EU 5G Toolbox shows that good progress has been made in the following areas:
- the large majority of Member States have either reinforced, or are in the processing of reinforcing, the powers of national regulatory authorities to regulate 5G security, including powers to regulate the procurement of network equipment and services by operators;
- measures aimed at restricting the involvement of suppliers based on their risk profile are already in place in a few Member States and at an advanced stage of preparation in many others. The report calls on other Member States to further advance and complete this process in the coming months; and
- the majority of Member States are reviewing network security and resilience requirements for mobile operators. The report stresses the importance of ensuring that these requirements are strengthened, that they follow the latest state-of-the-art practices and that their implementation by operators is effectively audited and enforced.
On the other hand, the report finds that some measures are at a less advanced stage of implementation. In particular, the report calls for:
- progress to be made urgently to mitigate the risk of dependency on high-risk suppliers, with a view to reducing dependencies at Union level. This should be based on a thorough inventory of the networks’ supply chain and implies monitoring the situation;
- challenges have been identified in designing and imposing appropriate multi-vendor strategies for individual mobile network operators or at national level due to technical or operational difficulties (e.g. lack of interoperability, size of the country); and
- steps need to be taken to introduce national screening of Foreign Direct Investments, without delay, in 13 Member States where it is not yet in place.
Going forward the report also recommends that Member State authorities:
- exchange more information about the challenges, best practices and solutions for implementing the Toolbox measures;
- continue monitoring and evaluating implementation of the Toolbox; and
- continue working with the Commission to implement EU-level actions set out in the Toolbox, including in the area of standardisation and certification, trade defence instruments and competition rules, to avoid distortions in the 5G supply market, as well as investing in EU capacity in 5G and post-5G technologies, and ensuring 5G projects supported by public funding take into account cybersecurity risks.
The Commission says that it will continue to work with Member States and ENISA to monitor the implementation of the Toolbox and to ensure its effective and consistent application. To read the Commission’s press release in full and for a link to the report, click here.