EU states make headway with 5G security measures

  • EU 5G Toolbox measures are being adopted
  • Member states encouraged to complete implementation within months
  • Germany takes key steps but doesn’t single out Chinese vendors 

The European Union is pressing its member states to “complete the implementation of the EU 5G Toolbox, a comprehensive and objective risk-based approach for the security of 5G and future generations of networks” as part of a new cybersecurity effort by the regional power.

The EU has unveiled a new Cybersecurity Strategy that aims to create a “shield” around the region. Key to this effort are measures to ensure the security of 5G network rollouts and operations, for which the EU 5G Toolbox, first published in detail in January 2020, has been designed.

And according to an update report, “most Member States are already well on track of implementing the recommended measures. They should now aim to complete their implementation by the second quarter of 2021 and ensure that identified risks are adequately mitigated, in a coordinated way, particularly with a view to minimising the exposure to high-risk suppliers and avoiding dependency on these suppliers.” (See Commission reviews the impacts of the EU process and EU Toolbox, and sets out next steps to ensure secure 5G networks in a coordinated way.)

Ah, the high-risk suppliers… which, in essence, refers to Huawei, which is finding itself increasingly ostracized across the region, including by formerly very friendly states such as the UK (which, of course, has had to make its own arrangements and rules as it’s jumping off the EU ship in a few weeks’ time). 

So where is the EU in trying to protect itself from the dangers that 5G deployments bring? 

Here’s a slice of the update:

“A large majority of Member States have adopted or are at a final stage of adopting the legal framework to strengthen the regulatory powers of national authorities to be able to impose strengthened obligations on operators and to impose restrictions or to prohibit the supply, deployment and operation of 5G network equipment.

As regards high-risk suppliers, as of November 2020, measures aimed at applying restrictions based on the risk profile of suppliers have been adopted, proposed or planned in nearly all Member States, taking into account the approach recommended in the Toolbox. Only a small minority of Member States have yet to define clear plans to implement these measures. This reflects the high degree of priority given to the risks that these measures are intended to address in the national risk assessments (risk of lack of access controls and risk of interference by a State actor). This also reflects the strong commitment by Member States in this area, as reiterated by the European Council on 2 October 2020, which called on Member States “to apply the relevant restrictions on high-risk suppliers for key assets defined as critical and sensitive in the EU coordinated risk assessments, based on common objective criteria”. 

As a consequence, the reliance on high-risk suppliers, which is currently estimated by many Member States as medium to high, is expected to decrease in the coming year(s) as 5G network roll-outs progress, albeit with variations between individual Member States, depending on the initial level of exposure (especially where network operators had already entered into 5G contracts with high-risk suppliers before the adoption of the Toolbox), on the scope of the restrictions imposed and on the timeframe for switching to more secure suppliers.”

To help identify the best course of action, BEREC (Body of European Regulators for Electronic Communications) has been helping out by surveying member states and operators and has “identified the need to establish a greater understanding of several issues, in particular as regards: (1) specific risk scenarios related to the 5G supply chain (e.g. risks related to the MNOs’ full supply chain, including in case of disruption in the supply market), (2) potential gains and limitations of network architectures such as Open RAN, i.e. more open and interoperable interfaces in Radio Access Networks (RAN), including the likely timeline before they can become a viable approach; and (3) a more holistic understanding of the costs and impacts related to implementing various approaches of multi-vendor strategies by MNOs.”

It'll be interesting to see what conclusions such studies reach about Open RAN, given the rift that currently exists in the market about whether such disaggregated systems create more of a cybersecurity risk or help operators with their security strategies: In theory, of course, a disaggregated RAN would make it easier to swap out and replace elements that were deemed insecure.

But the Toolbox isn’t just focused on risky kit: There’s also the matter of Foreign Direct Investment (FDI) screening.

The report notes “there are now 15 Member States which have national screening mechanisms in place. In addition, several other Member States have indicated that a process to develop a FDI screening system is underway. The EU framework for the screening of FDI became fully operational as of 11 October 2020. EU rules provide a framework to ensure the protection of legitimate public policy objectives if such objectives are threatened by foreign investments. The EU Regulation lays down a number of factors and considerations that are relevant to determine whether a Foreign Direct Investment is likely to affect security or public order. In its Communication of 13 March 2020, the Commission indicated that the Member States ‘need to be vigilant and use all tools available at Union and national level to avoid that the current crisis leads to a loss of critical assets and technology’ which are crucial to Europe’s security, and are part of the backbone of its economy.”

And while there is one set of guidelines and rules, the implementation, particularly related to high-risk vendors, is variable, with Huawei being called out by some countries as a specific risk, while others take a more measured approach.

In the latter category is Germany, which is set to introduce strict security measures that will apply to all telecoms equipment vendors. If any of the measures are breached, it could result in a ban on certain products or the entire portfolios of companies, reports Reuters. Crucially, the rules apply to companies from any country, and are not focused just on those from China, though there is a suspicion that Huawei may struggle to make the grade, even though the Chinese vendor has welcomed the level playing field. The measures are currently proposals and would need to be passed by the country’s parliament before becoming enforceable, but it does raise the prospect of companies from nations usually regarded as friendly and safe coming unstuck if their technology is found to have any loopholes, back doors, licensing issues or to enable unwanted snooping.

- Ray Le Maistre, Editorial Director, TelecomTV
