The European Commission (EC) unveiled a plan recommending the European Union’s (EU) 28 countries adopt a common approach to security of future 5G networks, as it sidestepped US calls for a ban on Chinese vendor Huawei.
In a statement, the commission said it had received support from heads of states or governments across the continent for a “concerted approach to the security of 5G networks”.
It explained that any vulnerability in 5G networks or a cyberattack targeting the “future networks in one member state would affect the Union as a whole”.
In its proposal, the EC recommended a set of actions to assess cybersecurity risks of 5G and to strengthen preventive measures, with the plan running through to 1 October 2020.
The security of 5G networks is a major topic for national governments and regulators, particularly in the EU, due to US concerns that Chinese vendor equipment contains backdoors allowing China’s government to spy.
However, while the EC said its plan was part of a broader European effort, including the perceived security threats connected to Chinese technological companies, it did not recommend a ban on the vendors.
“5G technology will transform our economy and society and open massive opportunities for people and businesses,” said Andrus Ansip, VP for the Digital Single Market. “But we cannot accept this happening without full security built in. It is therefore essential that 5G infrastructures in the EU are resilient and fully secure from technical or legal backdoors.”
Long term effort
At national level, the EU said each member state should complete a national risk assessment of 5G network infrastructure by the end of June.
As part of this measure, each country is required to update existing security requirements for network providers “and include conditions for ensuring the security of public networks, especially when granting rights of use for radio frequencies in 5G bands”.
These measures should “include reinforced obligations on suppliers and operators to ensure the security of networks”.
It also stated member states have the right to exclude companies from their markets for national security reasons, “if they do not comply with the country’s standards and legal framework”.
At an EU level, the EC said member states should exchange intelligence with each other, as well as complete a coordinated risk assessment by 1 October. This will enable member states to agree on a set of measures, used at national level, including certification requirements; tests; controls; and the identification “of products or suppliers that are considered potentially non-secure”.
By 1 October 2020, member states, in cooperation with the commission, will be required to assess the effects of the measures taken to see if there is a need for further action.