The European Commission, the executive arm of the EU, endorsed a “joint toolbox of mitigating measures agreed by EU member states to address security risks related to the rollout of 5G,” a Commission statement says.
Thierry Breton, EU commissioner for the internal market, said the toolbox will equip “EU Member States, telecoms operators, and users with the tools to build and protect a European infrastructure with the highest security standards.”
“Billions of connected objects and systems are concerned, including in critical sectors such as energy, transport, banking, and health, as well as industrial control systems carrying sensitive information and supporting safety systems,” the commission statement says.
EU Toolbox of Risk-Mitigating Measures
The toolbox identifies a set of risk categories and sample scenarios that should be mitigated. Among them are lack of access controls, low quality of products in the supply chain, dependency on a single supplier or lack of diversity in the supply chain, state interference, exploitation of 5G networks by malicious groups or individuals targeting end-users, disruptions or massive failure of networks due to interdependence between 5G networks and other critical systems such as the electricity grid, and exploitation of end-user devices such as smartphones.
The measures put forth to mitigate the risks include strengthening the role of national authorities, performing audits on mobile operators, restricting or even excluding high-risk suppliers for key assets, ensuring that each network operator uses a diverse range of suppliers, and controlling the use of third-line support by suppliers.
On a more detailed level, the measures include secure network design, strict access control, reinforcing physical security, software integrity including updates and patches, security standards for suppliers, and using EU certification for 5G network components and for non-5G products and services such as devices or cloud services.
The toolbox allows EU countries to either restrict or exclude high-risk 5G vendors such as Huawei from core parts of their telecom networks. Some of its measures can be implemented at a national level, while others may require coordination and joint action at the EU level.
Comments on EU Approach to 5G Security
Britain granted Huawei a limited role in its 5G mobile network on Jan. 28, despite warnings from the United States, which has a firm stance against U.S. companies using telecommunications equipment or services that can pose a national security risk. Examples are Chinese telecom companies, which are required by law to serve the interests of the Chinese Communist Party and its intelligence services.
The European Union sees 5G as key to boosting economic growth and competing with the United States and China and, in its recommendations, allows individual countries to assess the risks and decide whether to exclude suppliers from their core infrastructure.
The approach means non-EU providers are welcome in Europe as long as they comply with the rules, Breton said at a news conference after the guidelines were issued.
“We are not picking on anybody; we are not ostracizing firms,” he said.
Before adopting the toolbox, Breton said on Jan. 22 in his post on LinkedIn that “Europe has everything it takes to lead the race in 5G.”
“Europe holds half of all the patents in the world when it comes to 5G,” Breton wrote, adding that China holds around 30 percent and the United States holds 14 percent. “This means that Europe can count on its own suppliers of 5G technologies” that “are ready to immediately deploy” the technology.
Huawei, competing with Sweden’s Ericsson and Finland’s Nokia, welcomed the guidelines, describing them as “non-biased and fact-based,” according to EU Reporter.
The EU Commission said it was ready to bolster the bloc’s 5G cybersecurity by using trade defense tools against dumping or foreign subsidies.
While the United States welcomed the toolbox because it acknowledges the high security risks in a 5G network and recommends restricting risky vendors from critical parts of EU networks, “the United States does not assess it is possible to adequately mitigate risk by limiting the role of untrusted vendors to only certain parts of the network,” Secretary of State Mike Pompeo said in a statement.
“All parts of future 5G networks should be considered critical infrastructure and each country should have measures in place to protect the safety, security, and privacy of citizens who rely on these networks,” Pompeo said.
The United States agrees with the EU’s assessment that high-risk suppliers “from countries that lack democratic checks and balances” should face restrictions, says the statement. The United States has excluded vendors such as Huawei and ZTE, which are controlled by the Chinese Communist Party, from its 5G networks.
“It is misguided to think that the risks associated with” equipment from such vendors “can be mitigated,” Pompeo said.
“We call on our European allies and partners to implement the EU recommendations by adopting strong, risk-based security measures that exclude high-risk suppliers from all parts of their 5G networks.”
Noah Barkin, visiting academic fellow at the Mercator Institute for China Studies in Germany, told Carnegie Europe, “There is a strong argument for excluding Huawei from European 5G networks based on two factors alone: 1) the absolutely critical nature of this infrastructure for the future functioning of economies; and 2) the risk that Chinese suppliers could be forced by Beijing to cooperate in intelligence gathering, data theft, or sabotage.”
Lobbying group European Telecommunications Network Operators Association (ETNO), whose members include Deutsche Telekom, Orange, and Telefonica, all of which use Huawei equipment, has warned against disproportionate actions that may affect their investments.
“Europe’s decision-making on 5G should continue being based on facts, it should be proportionate to threats and build on a solid understanding of technology reality,” ETNO said in a statement.
EU countries have until April to implement the guidelines and June to report on their progress.
Reuters contributed to this report.