The commission said that member states will be able to exclude vendors over security allegations
The European Commission has recommended a number of operational steps and measures to ensure a high level of cybersecurity for 5G networks across the European Union.
The EC’s recommendations for member states, which are a combination of legislative and policy instruments, came about after March’s European Council meeting, where members asked for a concerted approach to 5G network security.
The EC said that 5G networks “will form the future backbone of European societies and economies, connecting billions of objects and systems in critical sectors such as energy, transport, banking, and health, as well as industrial control systems carrying sensitive information and supporting safety systems” — and noted that “democratic processes, such as elections, increasingly rely on digital infrastructures.”
“5G technology will transform our economy and society and open massive opportunities for people and businesses. But we cannot accept this happening without full security built in,” said Vice-President Andrus Ansip, in charge of the Digital Single Market. “It is therefore essential that 5G infrastructures in the EU are resilient and fully secure from technical or legal backdoors.”
Commissioner Mariya Gabriel, in charge of the Digital Economy and Society, added that “protecting 5G networks aims at protecting the infrastructure that will support vital societal and economic functions – such as energy, transport, banking, and health, as well as the much more automated factories of the future. It also means protecting our democratic processes, such as elections, against interference and the spread of disinformation.”
The European body also acknowledged that any vulnerability in 5G networks or a cyber-attack targeting the future networks in one member state would affect the EU as a whole.
The European Commission said that each member state should complete a national risk assessment of 5G network infrastructure by the end of June 2019. On the basis of that risk assessment, member states should then update existing security requirements for network providers and include conditions for ensuring the security of public networks, especially when granting rights of use for radio frequencies in 5G bands. These measures should include reinforced obligations on suppliers and operators to ensure the security of the networks, the EC said.
The national risk assessments and measures should consider various risk factors, such as technical risks and risks linked to the behavior of suppliers or operators, including those from third countries. National risk assessments will be a central element in building a coordinated EU risk assessment, the commission said.
The recommendations also stipulate that member states have the right to exclude companies from their markets for national security reasons, if they do not comply with the country’s standards and legal framework.
The EC said that at an EU level, member states should exchange information with each other and that, with the support of the Commission and the European Agency for Cybersecurity (ENISA), a coordinated risk assessment will be completed by October 2019. On that basis, member states will agree on a set of mitigating measures that can be used at the national level. The commission said these could include certification requirements, tests, controls, as well as the identification of products or suppliers that are considered potentially non-secure.
The European body added that member states have to ensure that the integrity and security of public communications networks are maintained, with obligations to ensure that operators take technical and organizational measures to appropriately manage the risks posed to the security of networks and services.