Under the joint package, Member States agreed to tighten safety requirements with a possible set of recommended measures, in particular to assess supplier risk profiles, apply relevant restrictions to suppliers considered to be at high risk and devise strategies to diversify suppliers.
Member States of the European Union published on Friday, 24 July, with the support of the European Commission and ENISA, the EU Cyber Security Agency, a progress report on the implementation of the agreed joint package of EU instruments with risk mitigation measures, which the Commission supported by the Communication in January 2020.
This package of instruments establishes a common approach to the assessment of identified risks and appropriate measures to mitigate security risks associated with the introduction of 5G technology, the fifth generation of mobile networks.
Although work is still ongoing in many Member States, the report states that all Member States have launched audits and a process to strengthen the security measures applied to 5G networks, demonstrating their commitment to a harmonized approach at EU level.
For each of the measures in the instrument package, the report analyzes the progress made since the adoption of the package and indicates what has been done, as well as the areas in which the measures have not yet been implemented.
Stricter security requirements
Under the package, Member States agreed to tighten security requirements with a possible set of recommended measures, in particular to assess supplier risk profiles, apply relevant restrictions to suppliers considered high-risk (including necessary exclusions for infrastructure considered critical and sensitive, such as core network functions). ) and devise strategies to diversify suppliers.
The powers of national regulatory authorities to regulate the security of 5G networks, including the powers to regulate the procurement of network equipment and operator services, have been strengthened or are in the process of being strengthened in the vast majority of Member States.
Measures to limit the participation of suppliers based on their risk profile are already in place in several Member States, and in many others preparations are at an advanced stage. Other Member States are invited to speed up and complete this process in the coming months.
Regarding the exact scope of these restrictions, the report emphasizes the importance of observing the network as a whole and considering the basic elements of the network, as well as other critical and highly sensitive elements, including management functions and radio access network, and introducing restrictions for other critical infrastructure, such as are defined geographical areas, administration or other key entities. Transition periods should be set for operators who have already contracted with high-risk suppliers.
Risks related to high-risk suppliers
Network security and resilience requirements for mobile operators are being reviewed in most Member States. The report emphasizes the importance of tightening these requirements, following state-of-the-art practices and effectively reviewing the way operators implement them.
The report says implementation of some measures is slower. Thus, it is emphasized that measures should be accelerated to mitigate the risks of dependence on high-risk suppliers, inter alia due to the reduction of dependence at Union level.
This measure should be based on a detailed inventory of the supply chain of networks and involves monitoring the development of the situation.There are also problems in designing and implementing appropriate multi-vendor strategies for individual mobile network operators or at the national level due to technical or operational difficulties, such as lack of interoperability or country size.
With regard to foreign direct investment verification, steps need to be taken to introduce a national foreign direct investment verification mechanism without delay in 13 Member States where it has not yet been established, given that the EU investment verification framework has been in place since October 2020. These mechanisms should apply to investments that could affect the 5G value chain, taking into account the objectives of the instrument package.
The report also recommends that the competent authorities of the Member States exchange more information on challenges, best practices and solutions for the implementation of the instrument package, continue to monitor and evaluate the implementation of the instrument package and cooperate with the Commission on the implementation of the EU package, including areas of standardization and certification and trade protection and competition instruments to avoid distorting the 5G supply market; to continue investing in EU capacities for 5G and post-5G technologies and to ensure that publicly funded 5G projects take into account the risks associated with cybersecurity.
The timely introduction of 5G networks is of strategic importance for all Member States as it can create new opportunities for businesses, improve our key sectors and benefit European citizens. It is our common priority and responsibility to ensure the security of these networks.
The report shows that we have made great progress, but there is still a lot of work ahead of us, ”said Margrethe Vestager, Executive Vice President for Europe for the Digital Age. depend on digital infrastructure.
Economies depend on digital infrastructure
Thierry Breton, the commissioner for the internal market, added that economies are increasingly dependent on digital infrastructure and that this crisis has shown that ensuring a high level of security is more important than ever before. “We are committed to establishing concrete and coordinated measures to ensure the cybersecurity of 5G and strengthen our technological autonomy.
In this report, we reaffirm our commitment and identify areas where further work and caution are needed, ”Breton said.German Federal Minister of Economy and Energy Peter Altmaier stressed that 5G infrastructure should be “introduced quickly and safely in all member states” because it provides new opportunities for businesses and society. “The integrity of telecommunications networks is a key part of the security architecture of all Member States.
All risks – technical or non-technical – must be kept to a minimum.The progress report on the EU’s 5G package shows that a common approach is the right way to harmonize national measures as much as possible, said German Federal Minister of the Interior, Construction and Community Horst Seehofer.
The resilience of 5G networks is important to reap all the benefits
The resilience of 5G networks is important to our society because this technology will affect digital communications, key sectors such as energy, transport, banking and healthcare, and industrial control systems. 5G networks will contain sensitive information and will support security systems that will rely on them. Market participants are mainly responsible for the safe deployment of 5G technology, and Member States for national security. However, working together and coordinating the implementation of appropriate measures is crucial to ensure that EU businesses and citizens can safely reap the full benefits of the new technology.
The Commission will continue to work with Member States and ENISA within the Network and Information Security Cooperation Group to monitor the implementation of the instrument package and ensure its effective and consistent implementation. The group will also promote the harmonization of national approaches through further exchange of experiences and cooperation with the Body of European Regulators for Electronic Communications (BEREC). In the framework of the implementation of the Commission Recommendation adopted last year, Member States should, in cooperation with the Commission, assess the effects of the Recommendation by 1 October 2020 and determine whether there is a need for further action.The assessment should take into account the results of the harmonized risk assessment at EU level published in October 2019 and the effectiveness of the measures in the instrument package.