EU publishes second report on member states’ progress in implementing Toolbox on 5G cybersecurity

The EU member states, with the support of the European Commission and ENISA, the EU Agency for Cybersecurity, published a second progress report on the implementation of the EU Toolbox on 5G cybersecurity, which aims to address risks related to the cybersecurity of 5G networks. The report provides an updated overview of the state of play of the implementation of the Toolbox by member states and covers the implementation of the strategic and technical measures of the EU Toolbox. Additionally, the report addresses some of the recommendations of the European Court of Auditors’ Special Report of January 2022. 

In addition to the progress report, the Commission has also adopted a Communication on the implementation of the toolbox by member states and in the EU’s own corporate communications and funding activities. 

The EU Toolbox on 5G Cybersecurity was adopted by the NIS Cooperation Group and endorsed by the European Council and the Commission. In October 2020, the European Council called on the EU and the member states “to make full use of the 5G cybersecurity Toolbox adopted on 29 January 2020, and in particular to apply the relevant restrictions on high-risk suppliers for key assets defined as critical and sensitive in the EU coordinated risk assessment, based on common objective criteria.”

The coordinated action on 5G cybersecurity at EU-level and the EU Toolbox is part of a broader European framework for the protection of electronic communications networks and other critical infrastructures and complements existing measures such as the European Electronic Communications Code (EECC), the Telecoms Framework, the Cybersecurity Act, and the Directive on the security of network and information systems (NIS Directive). 

The second report finds that a vast majority of member states have reinforced or are in the process of reinforcing security requirements for 5G networks based on the EU Toolbox. However, despite the progress made, the report finds that this situation creates a clear risk of persisting dependency on high-risk suppliers in the internal market with potentially serious negative impacts on security for users and companies across the EU and the EU’s critical infrastructure.

The report provides an updated overview of the implementation of the EU Toolbox by member states until May 2023. It also provides detail on the progress made since the first Progress Report of 2020. The latest report has been prepared and agreed upon by the NIS Cooperation Group, with the support of the Commission and ENISA.

The report covers the implementation of the strategic and technical measures of the EU Toolbox. Strategic Measures (SMs) include measures concerning increased regulatory powers for authorities to scrutinize network procurement and deployment, specific measures to address risks related to non-technical vulnerabilities, as well as possible initiatives to promote a sustainable and diverse 5G supply and value chain in order to avoid systemic, long-term dependency risks. 

Technical Measures (TMs) include measures to strengthen the security of 5G networks and equipment by addressing the risks arising from technologies, processes, and human and physical factors. The report also gives an overview of the ongoing strands of work on 5G cybersecurity at the EU level. Specifically, based on the information gathered, the report provides the status of implementation of the EU Toolbox measures, an overview of national measures adopted or planned, and key findings of the analysis.

As regards SMs and in particular enacting restrictions on high-risk suppliers, the progress report records that 24 member states have adopted or are preparing legislative measures giving national authorities the powers to perform an assessment of suppliers and issue restrictions, the Commission said. “Out of them, 10 Member States have imposed such restrictions and 3 Member States are currently working on the implementation of the relevant national legislation. Given the importance of the connectivity infrastructure for the digital economy and dependence of many critical services on 5G networks, Member States should achieve the implementation of the Toolbox without delay,” it added.

The Commission underlines in its Communication its strong concerns about the risks posed by certain suppliers of mobile network communication equipment to the security of the Union. 

The report identified that the situation creates a clear risk of persisting dependency on high-risk suppliers in the internal market with potentially serious negative impacts on security for users and companies across the EU and the EU’s critical infrastructure. “A lack of swift actions by Member States regarding high-risk suppliers could also affect over time the EU consumers and companies’ trust in the internal market, and increase the risk of spill-over in case of cyber-attacks, especially where MNOs provide cross-border services and in case it affects critical 5G use cases or other sectors dependent on telecoms,” it added.

Additionally, the Commission considers that decisions adopted by member states to restrict or exclude Huawei and ZTE from 5G networks are justified and compliant with the 5G Toolbox. Consistent with such decisions, and on the basis of a broad range of available information, the Commission considers that Huawei and ZTE in fact represent materially higher risks than other 5G suppliers.

“As also indicated in the NIS report, Huawei and ZTE have been subject to public decisions and advice in certain Member States, based on national security concerns, including assessments by those Member States’ intelligence services,” according to a Communication from the Commission on the implementation of the 5G cybersecurity Toolbox. “In other Member States, decisions to restrict or exclude certain suppliers from their 5G networks have been made confidentially, based on their assessment. The findings of those Member States are similar to the analysis of the competent authorities of certain third countries.” 

The document added that due to these high risks, and based on an assessment of the criteria set out in the Toolbox for identifying ‘high-risk suppliers’, the Commission considers that decisions adopted by member states to restrict or exclude Huawei and ZTE are justified and compliant with the 5G Toolbox. “Without prejudice to the Member States’ competences as regards national security, the Commission has also applied the Toolbox criteria to assess the needs and vulnerabilities of its own corporate communications systems and those of the other European institutions, bodies, and agencies, as well as the implementation of Union funding programmes in the light of the Union’s overall policy objectives,” it added.

“As part of its corporate cybersecurity policy, and in the application of the 5G cybersecurity toolbox, the Commission will take measures to avoid exposure of its corporate communications to mobile networks using Huawei and ZTE as suppliers,” the EU said. “It will take relevant security measures so as not to procure new connectivity services that rely on equipment from those suppliers, and will work with Member states and telecom operators to make sure that those suppliers are progressively phased out from existing connectivity services of the Commission sites.”

The Commission also intends to reflect this decision in all relevant EU funding programs and instruments.

Responding to the EU move, Reuters reported that a Chinese foreign ministry spokesperson said on Friday that the country firmly opposes some EU countries’ ban on Huawei and said the European Commission has no legal basis nor factual evidence to prohibit the Chinese telecom giant. 

“As an economic operator in the EU, Huawei holds procedural and substantial rights and should be protected under the EU and Member States’ laws as well as their international commitments,” the person said.

The second progress report includes recommendations for member states to ensure they have comprehensive and detailed information from mobile operators about the 5G equipment currently deployed and about their plans for deploying or sourcing new equipment. In assessing the risk profile of suppliers, member states should consider the objective criteria recommended in the EU Toolbox. Furthermore, designations made by other member states concerning high-risk suppliers should be taken into account, with a view to promoting consistency and a high level of security across the Union.

“Based on the assessment of suppliers, Member States should impose restrictions on high-risk suppliers without delay, i.e. considering that a loss of time can increase vulnerability of networks in the Union and the Union’s dependency on high-risk suppliers, especially for Member States with a high presence of potential high-risk suppliers,” the report said. “To effectively mitigate risks, Member States should ensure that the restrictions cover critical and highly sensitive assets identified in the EU Coordinated risk assessment, including the Radio Access Network.”

For types of equipment covered by the restrictions, operators should not be allowed to install new equipment. If transition periods are allowed for the removal of existing equipment, they shall be defined to ensure the removal of equipment in place within the shortest possible time frame, taking into account the security risk of keeping equipment from high-risk suppliers in place, and should not be applied to allow the continued deployment of new equipment from high-risk suppliers.

The report also covers the implementation of restrictions for Managed Service Providers (MSPs) and, where functions are outsourced to MSPs, the imposition of enhanced security provisions around the access that MSPs are given. It also suggests discussing the applicability of measures related to the diversification of suppliers, and how to best ensure that any potential diversification does not result in new or increased security risks but contributes to security and resilience.

Lastly, the report calls on member states to enforce technical measures and ensure a strong level of supervision. Particular attention should be given to certain measures, notably ensuring the application of baseline security requirements, raising security standards in suppliers’ processes through robust procurement conditions, and ensuring secure 5G network management, operation, and monitoring.

Last November, the U.K. administration called for a ban on Chinese equipment across ‘sensitive’ government sites. The move came following a review undertaken by the U.K. Government Security Group of current and future possible security risks associated with the installation of visual surveillance systems on the government estate. The review concluded that, in light of the threat to the U.K. and the increasing capability and connectivity of these systems, additional controls are required, essentially leading to a ban on Chinese equipment operating within ‘sensitive’ government sites.

Around the same time, the U.S. Federal Communications Commission (FCC) adopted new rules prohibiting communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the United States. The move marked the latest step by the Commission to protect the nation’s communications networks.

The Canadian government also said last May that it intends to prohibit its telecommunications service providers from deploying Huawei and ZTE products and services in their 5G networks. The Canadian government also has serious concerns about suppliers such as Huawei and ZTE who could be compelled to comply with extrajudicial directions from foreign governments in ways that would conflict with Canadian laws or would be detrimental to Canadian interests.
