5G cybersecurity toolbox implementation

  • Cybersecurity is an important priority in the context of 5G development.
  • The EU toolbox for 5G security is a set of robust and comprehensive measures for an EU-coordinated approach to secure 5G networks.
  • This page provides a brief overview of the progress and efforts undertaken by MS with the 5G Toolbox implementation.

In January 2020, the NIS Cooperation Group which is formed of representatives of Member States, the Commission and ENISA (European Union Agency for Cybersecurity), published the EU toolbox of risk-mitigating measures. On the same date, the Commission adopted a Communication which endorsed the measures outlined in the Toolbox and underlined the importance of their implementation.

The Toolbox addresses cybersecurity risks outlined in the previously published EU coordinated risk assessment report. These risks can be largely categorised into four categories. These include:

  • Local or global 5G network disruption (Availability);
  • Spying on traffic/data in the 5G network infrastructure (Confidentiality);
  • Modification or rerouting of the traffic/data in the 5G network infrastructure (Integrity and/or Confidentiality);
  • Destruction or alteration of other digital infrastructures or information systems through the 5G networks (Integrity and/or Availability).

The Toolbox found a total of eight strategic measures that address these risks. In July 2020, the NIS Cooperation Group published a report that tracks Member States progress towards the EU Toolbox on 5G Security. Below you will find a summary of the eight strategic measures as well as an illustrative example from a Member State which was extracted from the progress report (if available):

  • SM01 Strengthening the role of national authorities;
    • Example – Estonia: In May 2020, the Estonian Parliament approved an amendment to the Electronic Communications Act. This amendment gives the government power to compel communication companies to provide information about the hardware and software used in their networks and to apply for authorisation to use the hardware and software of a network.
  • SM02 Performing audits on operators and requiring information;
    • Example – Austria: Following a new telecom regulation, MNOs operating a 5G network have to comply with information security measures and have to maintain an Information Security Management System (ISMS).
  • SM03 Assessing the risk profile of suppliers and applying restrictions for suppliers considered to be high risk – including necessary exclusions to effectively mitigate risks- for key assets;
    • Example – France: Key network assets are defined in the Order of 6 December 2019 and regulated as sensitive assets subject to control and authorisation before being rolled out. Those key assets include the radio access functions and most core network functions.
  • SM04 Controlling the use of Managed Service Providers (MSPs) and equipment suppliers’ third line support;
    • Example – Finland: MNOs are required to ensure that, in a state of emergency, critical systems and their guidance, maintenance and control can be returned to Finland without delay. The regulator, Traficom also has the power to issue regulations relating to network management.
  • SM05 Ensuring the diversity of suppliers for individual MNOs through appropriate multi- vendor strategies;
    • Example – Cyprus: The forthcoming regulatory framework will include guidelines for MNOs to develop and adopt appropriate multi-vendor strategies, using a risk-based approach.
  • SM06 Strengthening the resilience at national level;
    • Example – Spain: Diversification objectives at national level will be considered in the national 5G Strategy.
  • SM07 Identifying key assets and fostering a diverse and sustainable 5G ecosystem in the EU;
  • SM08 Maintaining and building diversity and EU capacities in future network technologies.

In addition, the report also outlined 11 technical measures and 10 targeted supporting actions that Member States can take.

The Commission called on the Member States to take concrete steps to implement these recommendations and prepare a report on their implementation. In July 2020, the NIS Cooperation Group published this report. It is important to note that this report was published on the 29th of January 2020, and developments may have taken place since then. Furthermore, this report is based entirely on contributions from Member States.

Notable findings in the report include:

  • A large majority of Member States are in the process of significantly strengthening national regulator powers (SM01).
  • The implementation of measures aimed at minimising the exposure to high-risk suppliers (SM03) is ongoing in many Member States, however, there is uncertainty surrounding the timeframe for adopting this as it is a complex and sensitive matter.
  • A significant number of Member States appear to have yet to review existing practices and adopt measures to limit the types of activity and conditions under which MNOs are able to outsource particular functions (SM04).
  • Most Member States have not yet established or communicated clear plans to effectively address existing situations of dependency on high-risk suppliers and prevent future dependencies (SM05 and SM06).

In conclusion, the report found that a large number of Member States have already taken concrete steps to implement the various strategic measures. However, it also found that work is still ongoing in the Member States on defining the content and scope of the measures. Going forward, it recommends that Member States should intensify efforts to exchange information amongst each other to facilitate Toolbox implementation.

The following notable developments have taken place since the publication of the EU toolbox of risk-mitigating measures:

  • In November 2021, the Irish Government announced its plan to use the EU 5G Security Toolbox as a framework for securing its 5G network. This will include legislation that will allow the Minister of the Environment, Climate and Communications to assess the risk profile of providers of electronic communications network equipment and, if required, to designate certain vendors as being high risk. The new legislation will be drafted in consultation with relevant Departments and Agencies, and a Regulatory Impact Assessment and consultation process will be conducted in early 2022.
  • In December 2021, Estonia’s State assembly passed the new 5G cybersecurity regulations in an amendment of the country’s Electronic Communications Act. The law will now need to be approved by the president.

Latest News in Europe

Polish operator Plus expands 5G coverage

The Polish mobile operator now reaches 20 million people with its 5G network.

Spain to fund private 5G networks for the military

The Ministry has launched several tenders with the total value of €50 million.

Smart 5G bus launched in Spain

Vodafone has announced it is providing 5G connectivity for public transport in the Spanish city of Zaragosa.

Report: Global telecoms equipment market grows 3% in 2022

A new report suggests growth has slowed from last year.

Vodafone Spain targets 65% 5G population coverage

The Spanish mobile operator has announced plans to expand its 5G network to 2,000 municipalities by the end of the year.

Belgian government to fund 21 pilot 5G projects

A total of €20 million euros will be distributed to projects in various fields such as healthcare, emergency services, logistics and defence.

Croatian 5G auction concluded

Croatia’s regulator HAKOM has awarded 5G spectrum at national level in the 800, 900, 1800, 2100 and 2600 MHz bands, and at regional level in the 3600 MHz band.

France publishes 5G industry guides

Ericsson and ABB have teamed up to showcase their contributions to the French Industrial 5G strategy. The guides explain innovative 5G applications, including those deployed at the Ford Motors factory in Spain.

Huawei promotes 5.5G vision at Mobile World Congress

The company proposed a new standard for 5G at a summit in Barcelona.

all news in Europe
Subscribe to our mailing list