Report on the EU 5G Toolbox Implementation by Member States Published

Today, EU Member States, with the support of the European Commission and the European Union Agency for Cybersecurity, ENISA, published a report on the progress made in implementing the joint EU toolbox of mitigating measures for identified 5G risks, which was agreed by the Member States and endorsed by a Commission Communication in January 2020. The toolbox sets out a joint approach based on an objective assessment of identified risks and proportionate mitigating measures to address security risks related to the rollout of 5G, the fifth-generation of mobile networks.

The Agency has actively supported the Commission and the Member States in preparation of this implementation report and is working on various supporting actions defined in the toolbox that will enable and assist implementation of relevant strategic and technical measures.

Juhan Lepassaar, Executive Director of the EU Agency for Cybersecurity, said: "The toolbox sets the foundation for a coordinated EU approach towards 5G security based on a risk management approach. All Member States have made progress in implementing the necessary measures. Also, it is acknowledged by all that the job is not finished and we are reinforcing the measures as we go along. The EU Agency for Cybersecurity is committed to assist in this. We also update the 5G threat landscape and stand ready to develop an EU 5G cybersecurity certification scheme should it be requested.''

While work is still ongoing in many Member States, the report notes that all Member States have launched a process to review and strengthen security measures applicable to 5G networks, demonstrating their commitment to the coordinated approach defined at the EU level. For each of the toolbox measures, the report reviews progress made since the toolbox adoption, showing what has already been done and identifying areas where measures have not been implemented so far.

Ensuring resilience of 5G networks is essential to our society, since this technology is expected not only to have an impact on digital communications, but also on critical sectors such as energy, transport, banking and health, as well as on industrial control systems. 5G networks will be carrying sensitive information and will be supporting safety systems that will come to rely on them. Market players are largely responsible for the secure rollout of 5G, and Member States are responsible for national security – yet, collective work and coordinated implementation of appropriate measures is fundamental to ensure EU businesses and citizens can make full use of all the benefits of the new technology in a secure way.

The toolbox implementation is the result of collective work and of the strong determination by all Member States, together with the Commission and the EU Agency for Cybersecurity, to cooperate and respond to the security challenges of 5G networks and to assure the continued openness of the digital single market. In the toolbox, Member States agreed to strengthen security requirements through a possible set of recommended measures, in particular to assess the risk profiles of suppliers, to apply relevant restrictions for suppliers considered to be high risk (including necessary exclusions for key assets considered as critical and sensitive, such as the core network functions), and to have strategies in place to ensure the diversification of vendors.

Main insights of the report on the EU 5G toolbox

Today’s report analyses the progress made in implementing the toolbox measures at the national level, coming to a set of conclusions.

• Good progress has already been made for some of the toolbox measures, namely in the following areas:
  • The powers of national regulatory authorities to regulate 5G security, have been or are in the process of being reinforced in a large majority of Member States, including powers to regulate the procurement of network equipment and services by operators.
  • Measures aimed at restricting the involvement of suppliers based on their risk profile are already in place in a few Member States and at an advanced stage of preparation in many others. The report calls on other Member States to further advance and complete this process in the coming months. With regards to the precise scope of these restrictions, the report highlights the importance to look at the network as a whole and address core network elements as well as other critical and highly sensitive elements, including management functions and the radio access network, and of imposing restrictions also on other key assets, such as defined geographical areas, government or other critical entities. For those operators having already contracted with high risk vendors, transition periods should be put in place. 
  • Network security and resilience requirements for mobile operators are being reviewed in a majority of Member States. This report underlines the importance to ensure that these requirements are strengthened, that they follow the latest state-of-the-art practices and that their implementation by operators is effectively audited and enforced.

• Furthermore, some measures are at a less advanced stage of implementation. In particular, the report calls for:
  • Progress is urgently needed to mitigate the risk of dependency on high-risk suppliers, also with a view to reducing dependencies at the Union level. This should be based on a thorough inventory of the networks’ supply chains and implies monitoring the evolution of the situation.
  • Challenges have been identified in designing and imposing appropriate multi-vendor strategies for individual mobile network operators (MNOs) or at the national level due to technical or operational difficulties (e.g. lack of interoperability, size of the country).
  • Steps to be taken in the context of screening of Foreign Direct Investments (FDI), to introduce national FDI screening mechanism without delay in 13 Member States where it is not yet in place, including in view of the approaching application of the EU investment screening framework as of October 2020. These screening mechanisms should be applied to investment developments potentially affecting the 5G value chain, taking into account the objectives of the toolbox.

Going forward the report also recommends that Member State authorities:

• Exchange more information about the challenges, best practices and solutions for implementing the toolbox measures;
• continue monitoring and evaluating the implementation of the toolbox;
• and, continue working with the Commission to implement EU-level actions listed in the toolbox, including in the area of standardisation and certification, trade defence instruments and competition rules to avoid distortions in the 5G supply market. Also, investing in EU capacities in 5G and post-5G technologies, and ensuring 5G projects supported with public funding take into account cybersecurity risks.

Next Steps

The Commission will continue to work with Member States and the EU Agency for Cybersecurity within the framework of the NIS Cooperation Group, to monitor the implementation of the toolbox and to ensure its effective and consistent application. The Group will also promote the alignment of national approaches through further exchanges of experiences and by working with the Body of European Regulators for Electronic Communications (BEREC). As part of the implementation of the Commission Recommendation adopted last year, by 1 October 2020, Member States, in cooperation with the Commission, should assess the effects of the Recommendation and determine whether there is a need for further action. This assessment should take into account the outcome of the EU coordinated risk assessment that was published in October 2019, as well as of the effectiveness of the toolbox measures.

Background

In March 2019, following a call by the European Council for a concerted approach to the security of 5G, the Commission adopted a Recommendation on Cybersecurity of 5G networks. It called on Member States to complete national risk assessments, to review national measures and to work together at the EU level on a coordinated risk assessment and a common toolbox of mitigating measures.

Based on the Member States’ national risk assessment, the Report on the EU coordinated risk assessment of the cybersecurity of 5G networks, presented in October 2019, identified the main threats and threats actors, the most sensitive assets, the main vulnerabilities and a number of strategic risks.

To complement this report and as a further input for the toolbox, the European Union Agency for Cybersecurity carried out a dedicated threat landscape mapping, consisting of a detailed analysis of certain technical aspects, in particular the identification of network assets and of threats affecting these.

In January 2020, the Member States, acting through the NIS Cooperation Group, adopted the EU Toolbox of risk mitigating measures. The Commission adopted a Communication, on that same day, in which it endorsed the toolbox underlining the importance of its effective and quick implementation, and called on Member States to prepare a report on its implementation by 30 June 2020, which was therefore published today.  

Further Information

Progress report on the implementation of the joint EU toolbox

Commission Communication on Secure 5G Deployment in the EU

EU Toolbox on 5G Cybersecurity

Questions and Answers on the EU toolbox

NIS Cooperation Group website

Press Contact

For questions related to the press and interviews, please contact press (at) enisa.europa.eu.

Stay updated - subscribe to RSS feeds of both ENISA news items & press releases!

News items:

http://www.enisa.europa.eu/media/news-items/news-wires/RSS

PRs:

http://www.enisa.europa.eu/media/press-releases/press-releases/RSS