The European Commission (EC) this week set out its strategy to ensure the security of 5G networks across the European Union (EU), but ignored U.S. calls to ban Huawei equipment from next-generation mobile networks.
The EC is recommending a set of actions that all member states should use to assess the cybersecurity risks of 5G networks. It stopped short of banning any suppliers outright, merely stating that member states “have the right to exclude companies from their markets for national security reasons if they do not comply with the country’s standards and legal framework.”
The overall aim is to build a coordinated EU risk assessment that will ensure the security of key infrastructure, including 5G.
The EC’s position could have been predicted based on Germany’s recent robust response to a perceived threat by the U.S. to limit intelligence sharing if Huawei was allowed to be part of Germany’s future 5G infrastructure. Germany has refused to explicitly ban Huawei from future network deployments, including 5G.
In concrete terms, each EU member state will be expected to complete a national risk assessment of 5G network infrastructures by the end of June. Based on this assessment, existing security requirements for network providers should be updated if required and should include “reinforced obligations on suppliers and operators to ensure the security of the networks.” At the EU level, the emphasis will be on exchanging information and completing a coordinated risk assessment by October 1.
“On that basis, member states will agree on a set of mitigating measures that can be used at national level. These can include certification requirements, tests, controls, as well as the identification of products or suppliers that are considered potentially non-secure,” the EC said in a statement.
The EC is taking a coordinated approach based on the premise that cybersecurity incidents on 5G networks in member state would affect the EU as a whole because of the “interconnected and transnational nature of the infrastructures underpinning the digital ecosystem.”
While the EU’s executive body has stopped short of banning Chinese suppliers, it has noted the concerns raised by the European Parliament on security threats “connected with the rising Chinese technological presence in the Union,” and is now attempting to implement the parliament’s resolution that calls on the EC and member states to take action at the EU level.
Earlier this month, members of the European Parliament (MEPs) adopted the EU Cybersecurity Act that establishes the first EU-wide cybersecurity certification scheme to ensure that certified products, processes, and services sold in EU countries meet cybersecurity standards.