The Commission is today endorsing the joint toolbox of mitigating measures agreed by EU Member States to address security risks related to the rollout of 5G, the fifth-generation of mobile networks. This follows the European Council's call for a concerted approach to the security of 5G and the ensuing Commission Recommendation of March 2019. Member States have since identified risks and vulnerabilities at national level and published a joint EU risk assessment. Through the toolbox, the Member States are committing to move forward in a joint manner based on an objective assessment of identified risks and proportionate mitigating measures. With its Communication adopted today, the Commission is launching relevant actions within its competence and is calling for key measures to be put in place by 30 April 2020.

Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, said: “We can do great things with 5G. The technology supports personalised medicines, precision agriculture and energy grids that can integrate all kinds of renewable energy. This will make a positive difference. But only if we can make our networks secure. Only then will the digital changes benefit all citizens.”

Margaritis Schinas, Vice-President for Promoting our European Way of Life, said: “A genuine Security Union is one which protects Europe's citizens, companies and critical infrastructure. 5G will be a ground-breaking technology but it cannot come at the expense of the security of our internal market. The toolbox is an important step in what must be a continuous effort in the EU's collective work to better protect our critical infrastructures.”

Thierry Breton, Commissioner for the Internal Market, said: “Europe has everything it takes to lead the technology race. Be it developing or deploying 5G technology – our industry is already well off the starting blocks. Today we are equipping EU Member States, telecoms operators and users with the tools to build and protect a European infrastructure with the highest security standards so we all fully benefit from the potential that 5G has to offer.”

While market players are largely responsible for the secure rollout of 5G, and Member States are responsible for national security, 5G network security is an issue of strategic importance for the entire Single Market and the EU's technological sovereignty. Closely coordinated implementation of the toolbox is indispensable to ensure EU businesses and citizens can make full use of all the benefits of the new technology in a secure way.

5G will play a key role in the future development of Europe's digital economy and society. It will be a major enabler for future digital services in core areas of citizens' lives and an important basis for the digital and green transformations. With worldwide 5G revenues estimated at €225 billion in 2025, 5G is a key asset for Europe to compete in the global market and its cybersecurity is crucial for ensuring the strategic autonomy of the Union. Billions of connected objects and systems are concerned, including in critical sectors such as energy, transport, banking, and health, as well as industrial control systems carrying sensitive information and supporting safety systems.

At the same time, due to a less centralised architecture, smart computing power at the edge, the need for more antennas, and increased dependency on software, 5G networks offer more potential entry points for attackers. Cyber security threats are on the rise and become increasingly sophisticated. As many critical services will depend on 5G, ensuring the security of networks is of highest strategic importance for the entire EU.

A new Eurobarometer survey, also published today, shows that awareness of cybercrime is rising, with 52% of respondents stating they are fairly well or very well informed about cybercrime, up from 46% in 2017.

EU toolbox conclusions

The Member States, acting through the NIS Cooperation Group, have adopted the toolbox. The toolbox addresses all risks identified in the EU coordinated assessment, including risks related to non-technical factors, such as the risk of interference from non-EU state or state-backed actors through the 5G supply chain. Based on last October's EU risk assessment report, the toolbox includes strategic and technical measures and corresponding actions to reinforce their effectiveness. These are calibrated based on objective factors.

In the toolbox conclusions, Member States agreed to strengthen security requirements, to assess the risk profiles of suppliers, to apply relevant restrictions for suppliers considered to be high risk including necessary exclusions for key assets considered as critical and sensitive (such as the core network functions), and to have strategies in place to ensure the diversification of vendors.

While the decision on specific security measures remains the responsibility of Member States, the collective work on the toolbox demonstrates a strong determination to jointly respond to the security challenges of 5G networks. This is essential for a successful and credible EU approach to 5G security and to ensure the continued openness of the internal market provided risk-based EU security requirements are respected.

The Commission will support the implementation of an EU approach on 5G cybersecurity and will act, as requested by Member States, using, where appropriate, all the tools at its disposal to ensure the security of the 5G infrastructure and supply chain:

    Telecoms and cybersecurity rules;
    Coordination on standardisation as well as EU-wide certification;
    Foreign direct investment screening framework to protect the European 5G supply chain;
    Trade defence instruments;
    Competition rules;
    Public procurement, ensuring that due consideration is given to security aspects;
    EU funding programmes, ensuring that beneficiaries comply with relevant security requirements.
Next Steps

The Commission calls on Member States to take steps to implement the set of measures recommended in the toolbox conclusions by 30 April 2020 and to prepare a joint report on the implementation in each Member State by 30 June 2020. Together with the EU Cybersecurity Agency, the Commission will continue to provide its full support including by launching relevant actions in the areas under its competence. The NIS Cooperation Group will continue to work in order to support the implementation of the toolbox.

Background

To support the deployment and take-up of 5G networks, the Commission has presented a 5G Action Plan in September 2016. Today, Europe is one of the most advanced regions in the world when it comes to the commercial launch of 5G services, with an investment of €1 billion, including €300 million in EU funding. By the end of this year, the first 5G services are expected to be available in 138 European cities.

On 26 March 2019, following a call from the European Council, the Commission adopted a Recommendation on Cybersecurity of 5G networks calling on Member States to complete national risk assessments, review their measures and work together on a coordinated risk assessment and a common toolbox of mitigating measures. Member State completed their national risk assessments and transmitted the results to the Commission and the EU Cybersecurity Agency. In October 2019, the NIS Cooperation Group published a coordinated EU report, identifying the main threats and threats actors, the most sensitive assets, the main vulnerabilities and a number of strategic risks. The report highlighted a number of security challenges linked to 5G networks, and defined factors to assess the risk profiles of individual suppliers. In November 2019, the EU Cybersecurity Agency published a dedicated 5G threat landscape mapping as further input to the toolbox.