On 29 January 2020, the EU toolbox on 5G network security risk-mitigating measures was published, with a recommendation for EU-wide implementation by 30 April 2020.
The European Commission has estimated worldwide 5G revenues to be €225 billion in 2025. There is no doubt that the development of 5G, the race to become a 5G-native region, and doing this in a way that takes cybersecurity into consideration are all equally crucial for Europe. 5G has a less centralised architecture with a higher dependency on software and edge technology than earlier generation networks, which offers more potential entry points for malicious incidents. 5G will be used widely in critical parts of European and local networks and will apply broadly across most sectors. Ensuring the security of 5G networks is thus a key factor in a wide rollout of 5G.
For this reason, a toolbox has been created with the aim to ensure a common approach and adequate level of cybersecurity protection across the EU. The toolbox was endorsed and published by the EU Commission on 29 January 2020 and is part of a mission to achieve a high common level of security of network and information systems in the EU.
The objectives of the toolbox are to i) identify a common set of measures which are able to mitigate the main cybersecurity risks of 5G networks and ii) provide guidance on the selection of measures to be prioritised at Member State and EU level. The ultimate goal is to ensure an adequate level of cybersecurity of 5G networks across the EU through coordinated approaches among Member States.
The toolbox includes recommendations on key actions for Member States and/or the Commission, including among other things to i) strengthen security requirements for mobile network operators, ii) assess the risk profile of suppliers and based on this assessment apply relevant restrictions on suppliers considered high risk especially in relation to critical elements of the network (which has been exemplified as core network functions, network management and access network functions, etc.), iii) ensure that there is no major dependency on a single supplier by having multi-vendor strategies and avoid dependency on suppliers considered high risk, iv) develop relevant EU-wide certification schemes to promote more secure products and processes; and v) maintain a diverse and sustainable 5G supply chain to avoid long-term dependency.
The toolbox also includes risk mitigating plans that consist of a combination of strategic measures (increased regulatory powers, assessing suppliers' risk profile) and technical measures (strict access control, network management, certification schemes).
Are the toolbox measures mandatory?
The toolbox measures are not per se mandatory, but the Commission strongly recommends that Member States fully implement a key set of recommended measures, as the coordinated EU approach on 5G cybersecurity relies on the Member States' and Commission's strong commitment. The toolbox does not prevent Member States from going further than proposed in the toolbox where such measures are considered necessary.
Other network security initiatives
In addition, ENISA recently published a report on security supervision under the European Electronic Communications Code (EECC) with the aim to support EU countries with the implementation of the EECC.
Next step developments to follow:
The Commission calls on Member States to take steps to implement the set of measures recommended in the toolbox conclusions by 30 April 2020 and to prepare a joint report on the implementation in each Member State by 30 June 2020.
Some of the key findings of the toolbox are expected to be set out in the local Member State implementation of the EECC, with a deadline for the Member States of 21 December 2020, and in the development of network element certification schemes under the Cyber Security Act (Regulation 2019/881).
Denmark has not yet begun its implementation of the EECC, but at this stage the implementation is fully under way in Spain, Germany, the Netherlands, Sweden, Finland, Belgium and the Czech Republic.
Bird & Bird has a tracker for the implementation of the EECC in Europe, which can be found here.