Cybersecurity has been an important priority in the context of 5G development. The EU toolbox for 5G security is a set of robust and comprehensive measures for an EU coordinated approach to secure 5G networks. This page provides a brief overview of the progress and efforts undertaken by MS with the 5G Toolbox implementation, based on a report prepared by the NIS Cooperation Group, with the support of the Commission and ENISA.
In January 2020, the NIS Cooperation Group which is formed of representatives of Member States, the Commission and ENISA (European Union Agency for Cybersecurity), published the EU toolbox of risk-mitigating measures. On the same date, the Commission adopted a Communication which endorsed the measures outlined in the Toolbox and underlined the importance of their implementation.
The Toolbox addresses cybersecurity risks outlined in the previously published EU coordinated risk assessment report. These risks can be largely categorised into four categories. These include:
- Local or global 5G network disruption (Availability);
- Spying on traffic/data in the 5G network infrastructure (Confidentiality);
- Modification or rerouting of the traffic/data in the 5G network infrastructure (Integrity and/or Confidentiality);
- Destruction or alteration of other digital infrastructures or information systems through the 5G networks (Integrity and/or Availability).
The Toolbox found a total of eight strategic measures that address these risks. In July 2020, the NIS Cooperation Group published a report that tracks Member States progress towards the EU Toolbox on 5G Security. Below you will find a summary of the eight strategic measures as well as an illustrative example from a Member State which was extracted from the progress report (if available):
- SM01 Strengthening the role of national authorities;
- Example – Estonia: In May 2020, the Estonian Parliament approved an amendment to the Electronic Communications Act. This amendment gives the government power to compel communication companies to provide information about the hardware and software used in their networks and to apply for authorisation to use the hardware and software of a network.
- SM02 Performing audits on operators and requiring information;
- Example – Austria: Following a new telecom regulation, MNOs operating a 5G network have to comply with information security measures and have to maintain an Information Security Management System (ISMS).
- SM03 Assessing the risk profile of suppliers and applying restrictions for suppliers considered to be high risk – including necessary exclusions to effectively mitigate risks- for key assets;
- Example – France: Key network assets are defined in the Order of 6 December 2019 and regulated as sensitive assets subject to control and authorisation before being rolled out. Those key assets include the radio access functions and most core network functions.
- SM04 Controlling the use of Managed Service Providers (MSPs) and equipment suppliers’ third line support;
- Example – Finland: MNOs are required to ensure that, in a state of emergency, critical systems and their guidance, maintenance and control can be returned to Finland without delay. The regulator, Traficom also has the power to issue regulations relating to network management.
- SM05 Ensuring the diversity of suppliers for individual MNOs through appropriate multi- vendor strategies;
- Example – Cyprus: The forthcoming regulatory framework will include guidelines for MNOs to develop and adopt appropriate multi-vendor strategies, using a risk-based approach.
- SM06 Strengthening the resilience at national level;
- Example – Spain: Diversification objectives at national level will be considered in the national 5G Strategy.
- SM07 Identifying key assets and fostering a diverse and sustainable 5G ecosystem in the EU;
- SM08 Maintaining and building diversity and EU capacities in future network technologies.
In addition, the report also outlined 11 technical measures and 10 targeted supporting actions that Member States can take.
The Commission called on the Member States to take concrete steps to implement these recommendations and prepare a report on their implementation. In July 2020, the NIS Cooperation Group published this report. It is important to note that this report was published on the 29th of January 2020, and developments may have taken place since then. Furthermore, this report is based entirely on contributions from Member States.
Notable findings in the report include:
- A large majority of Member States are in the process of significantly strengthening national regulator powers (SM01).
- The implementation of measures aimed at minimising the exposure to high-risk suppliers (SM03) is ongoing in many Member States, however, there is uncertainty surrounding the timeframe for adopting this as it is a complex and sensitive matter.
- A significant number of Member States appear to have yet to review existing practices and adopt measures to limit the types of activity and conditions under which MNOs are able to outsource particular functions (SM04).
- Most Member States have not yet established or communicated clear plans to effectively address existing situations of dependency on high-risk suppliers and prevent future dependencies (SM05 and SM06).
In conclusion, the report found that a large number of Member States have already taken concrete steps to implement the various strategic measures. However, it also found that work is still ongoing in the Member States on defining the content and scope of the measures. Going forward, it recommends that Member States should intensify efforts to exchange information amongst each other to facilitate Toolbox implementation.
The following notable developments have taken place since the publication of the EU toolbox of risk-mitigating measures:
- In November 2021, the Irish Government announced its plan to use the EU 5G Security Toolbox as a framework for securing its 5G network. This will include legislation that will allow the Minister of the Environment, Climate and Communications to assess the risk profile of providers of electronic communications network equipment and, if required, to designate certain vendors as being high risk. The new legislation will be drafted in consultation with relevant Departments and Agencies, and a Regulatory Impact Assessment and consultation process will be conducted in early 2022.
- In December 2021, Estonia’s State assembly passed the new 5G cybersecurity regulations in an amendment of the country’s Electronic Communications Act. The law will now need to be approved by the president.