The EU is working to develop a common approach to the security of 5G networks.
Heads of state and government had on March 22 supported a concerted approach to the security of 5G networks, and the EU Commission followed up on Wednesday with a set of actions to assess the cybersecurity risks of 5G networks and to strengthen preventive measures.
The recommendations are a combination of legislative and policy instruments meant to protect EU economies, societies and democratic systems.
With worldwide 5G revenues estimated at €225 billion in 2025, 5G is a key asset for Europe to compete in the global market and its cybersecurity is crucial for ensuring the strategic autonomy of the Union.
At national level, each Member State should complete a national risk assessment of 5G network infrastructures by the end of June 2019.
On this basis, Member States should update existing security requirements for network providers and include conditions for ensuring the security of public networks, especially when granting rights of use for radio frequencies in 5G bands.
These measures should include reinforced obligations on suppliers and operators to ensure the security of the networks.
The national risk assessments and measures should consider various risk factors, such as technical risks and risks linked to the behaviour of suppliers or operators, including those from third countries. National risk assessments will be a central element in building a coordinated EU risk assessment.
EU Member States have the right to exclude companies from their markets for national security reasons, if they do not comply with the country’s standards and legal framework.
At EU level, Member States should exchange information with each other and, with the support of the Commission and the European Agency for Cybersecurity (ENISA), will complete a coordinated risk assessment by October 1, 2019.
On that basis, Member States will agree on a set of mitigating measures that can be used at national level. These can include certification requirements, tests, controls, as well as the identification of products or suppliers that are considered potentially non-secure.
The Recommendation will make use of the wide range of instruments already in place or agreed to reinforce cooperation against cyber-attacks and enable the EU to act collectively in protecting its economy and society, including the first EU-wide legislation on cybersecurity (Directive on Security of Network and Information Systems), the Cybersecurity Act recently approved by the European Parliament, and the new telecoms rules.
The Recommendation will help Member States to implement these new instruments in a coherent manner when it comes to 5G security.