The European Commission on Tuesday recommended a series of operational measures to ensure a high level of cybersecurity for 5G networks across the EU, a decision that fell far short of the full ban that the US was pressuring the EU to implement amid growing concerns that Chinese telecom giant Huawei’s participation in the development of 5G in Europe could pose a major security risk for NATO allies.

Fifth-generation, or 5G, networks will form the backbone of all communication with regard to trade, elections, and commerce in the coming years. As society becomes more reliant on digital infrastructure, any security vulnerabilities in the development of 5G networks have been high on the Commission’s agenda.

“Today we are proposing a common European approach to the security of our 5G networks based on a shared assessment of risks and vulnerabilities to Europe’s critical digital infrastructure,” said European Commission Vice President Andrus Ansip in Strasbourg. “There is a clear need to bolster the cybersecurity of 5G networks, regardless of who makes the equipment or provides the services.”

The Brussels plan is not intended to ban Chinese groups from European tenders, as has been the case in the US, Australia, Japan, and New Zealand, but to establish a way to exchange information between the bloc’s members without sacrificing the EU’s own security.

“5G technology will transform our economy and society,” added Ansip. “We cannot accept this to happen without total integrated security.”

The Commission’s plan does not name Huawei in its text but invites each EU member to evaluate, by 30 June, “the risks related to the infrastructure of 5G”. The European Network and Information Security Agency (ENISA) will then be responsible for providing an EU-wide evaluation by 1 October. This assessment should take into account the outcome of the coordinated European risk assessment and of the effectiveness of the toolbox.

The 28 members of the EU should complete their national risk assessments by 30 June and update all necessary security measures. A national risk assessment will then be transmitted to the Commission and European Agency for Cybersecurity by 15 July.

By the end of December, the NIS Cooperation Group should agree on mitigating measures to address the cybersecurity risks identified at national and EU levels. Once the Cybersecurity Act enters into force after its vote by the MEPs, the Commission and ENISA will set up the EU-wide certification framework, and the EU-27 will then be encouraged to cooperate with the Commission and ENISA to prioritise a certification scheme covering 5G networks and equipment.

“These 3 steps, together with other existing or planned instruments such as the screening of foreign direct investment into European companies, will help us put in place a common approach to protecting Europe’s critical digital infrastructure,” added Ansip.

The Global System for Mobile Communications Association (GSMA), the trade body that represents the interests of mobile network operators worldwide, welcomed the Commission’s “ambitions to strengthen Europe’s critical digital infrastructure through a common EU approach to the security of 5G networks.”

In February, the GSMA said it believes that European governments and mobile operators need to work together to maintain confidence in network security while ensuring competition in the supply of network equipment.