Secure 5G networks: EU toolbox of risk mitigating measures

EU Member States have identified risks and vulnerabilities at national level and published a joint EU risk assessment. Through the toolbox, the Member States are committing to move forward in a joint manner based on an objective assessment of identified risks and proportionate mitigating measures.

Toolbox measures and supporting actions

“Europe has everything it takes to lead the technology race. Be it developing or deploying 5G technology – our industry is already well off the starting blocks. Today we are equipping EU Member States, telecoms operators and users with the tools to build and protect a European infrastructure with the highest security standards so we all fully benefit from the potential that 5G has to offer,” said Thierry Breton, Commissioner for the Internal Market.

Coordinated implementation of the toolbox

While market players are largely responsible for the secure rollout of 5G, and Member States are responsible for national security, 5G network security is an issue of strategic importance for the entire Single Market and the EU’s technological sovereignty.

Closely coordinated implementation of the toolbox is indispensable to ensure EU businesses and citizens can make full use of all the benefits of the new technology in a secure way.

5G will play a key role in the future development of Europe’s digital economy and society. It will be a major enabler for future digital services in core areas of citizens’ lives and an important basis for the digital and green transformations.

With worldwide 5G revenues estimated at €225 billion in 2025, 5G is a key asset for Europe to compete in the global market and its cybersecurity is crucial for ensuring the strategic autonomy of the Union.

Billions of connected objects and systems are concerned, including in critical sectors such as energy, transport, banking, and health, as well as industrial control systems carrying sensitive information and supporting safety systems.

At the same time, due to a less centralized architecture, smart computing power at the edge, the need for more antennas, and increased dependency on software, 5G networks offer more potential entry points for attackers.

Cyber security threats are on the rise and become increasingly sophisticated. As many critical services will depend on 5G, ensuring the security of networks is of highest strategic importance for the entire EU.

Secure 5G networks: EU toolbox conclusions

The Member States, acting through the NIS Cooperation Group, have adopted the toolbox. The toolbox addresses all risks identified in the EU coordinated assessment, including risks related to non-technical factors, such as the risk of interference from non-EU state or state-backed actors through the 5G supply chain.

In the toolbox conclusions, Member States agreed to strengthen security requirements, to assess the risk profiles of suppliers, to apply relevant restrictions for suppliers considered to be high risk including necessary exclusions for key assets considered as critical and sensitive (such as the core network functions), and to have strategies in place to ensure the diversification of vendors.

While the decision on specific security measures remains the responsibility of Member States, the collective work on the toolbox demonstrates a strong determination to jointly respond to the security challenges of 5G networks.

This is essential for a successful and credible EU approach to 5G security and to ensure the continued openness of the internal market provided risk-based EU security requirements are respected.

The Commission will support the implementation of an EU approach on 5G cybersecurity and will act, as requested by Member States, using, where appropriate, all the tools at its disposal to ensure the security of the 5G infrastructure and supply chain:

• Telecoms and cybersecurity rules
• Coordination on standardization as well as EU-wide certification
• Foreign direct investment screening framework to protect the European 5G supply chain
• Trade defense instruments
• Competition rules
• Public procurement, ensuring that due consideration is given to security aspects
• EU funding programs, ensuring that beneficiaries comply with relevant security requirements.