Following the Commission Recommendation for a common European approach to the security of 5G networks, 24 EU Member States have now completed the first step and submitted national risk assessments. These assessments will feed into the next phase, an EU-wide risk assessment which will be completed by 1 October. Commissioner for the Security Union, Julian King, and Commissioner for the Digital Economy and Society, Mariya Gabriel, welcomed this important step forward and said:
“We are pleased to see that most Member States have now submitted their risk assessments. Following the support expressed by the European Council on 22 March for a concerted approach, Member States responded promptly to our call for concrete measures to help ensure the cybersecurity of 5G networks across the EU. The national risk assessments are essential to make sure that Member States are adequately prepared for the deployment of the next generation of wireless connectivity that will soon form the backbone of our societies and economies.
We urge Member States to remain committed to the concerted approach and to use this important step to gain momentum for a swift and secure rollout of 5G networks. Close EU-wide cooperation is essential both for achieving strong cybersecurity and for reaping the full benefits which 5G will have to offer for people and businesses.
The completion of the risk assessments underlines the commitment of Member States not only to set high standards for security but also to make full use of this groundbreaking technology. We hope that the outcomes will be taken into account in the process of 5G spectrum auctions and network deployment, which is taking place across the EU now and in the coming months. Several Member States have already taken steps to reinforce applicable security requirements while others are considering introducing new measures in the near future.
We need all key players, big and small, to accelerate their efforts and join us in building a common framework aimed at ensuring consistently high levels of security. We look forward to continuing our close cooperation with Member States as we begin the work on an EU-wide risk assessment, due to be complete by 1 October, that will help to develop a European approach to protecting the integrity of 5G.”
National risk assessments include an overview of:
· the main threats and actors affecting 5G networks;
· the degree of sensitivity of 5G network components and functions as well as other assets; and
· various types of vulnerabilities, including both technical ones and other types of vulnerabilities, such as those potentially arising from the 5G supply chain.
In addition, the work on national risk assessments involved a range of responsible actors in the Member States, including cybersecurity and telecommunication authorities and security and intelligence services, strengthening their cooperation and coordination.
Based on the information received, Member States, together with the Commission and the EU Agency for Cybersecurity (ENISA), will prepare a coordinated EU-wide risk assessment by 1 October 2019. In parallel, ENISA is analysing the 5G threat landscape as an additional input.
By 31 December 2019, the NIS Cooperation Group that leads the cooperation efforts together with the Commission will develop and agree on a toolbox of mitigating measures to address the risks identified in the risk assessments at Member State and EU level.
Following the recent entry into force of the Cybersecurity Act at the end of June, the Commission and the EU Agency for Cybersecurity will set up an EU-wide certification framework. Member States are encouraged to cooperate with the Commission and the EU Agency for Cybersecurity to prioritise a certification scheme covering 5G networks and equipment.
By 1 October 2020, Member States should assess, in cooperation with the Commission, the effects of measures taken to determine whether there is a need for further action. This assessment should take into account the coordinated European risk assessment.
Fifth generation (5G) networks will form essential digital infrastructure in the future, connecting billions of objects and systems, including in critical sectors such as energy, transport, banking, and health, as well as industrial control systems carrying sensitive information and supporting safety systems.
The European Commission recommended on 26 March 2019 a set of concrete actions to assess cybersecurity risks of 5G networks and to strengthen preventive measures, following the support from Heads of State or Government for a concerted approach to the security of 5G networks.
The Commission called on Member States to complete national risk assessments and review national measures as well as to work together at EU level on a coordinated risk assessment and a common toolbox of mitigating measures.