Europe progresses with risk assessment for 5G

News

Most European Union (EU) member states – 24 out of 28 – have completed their 5G national risk assessments, the European Commission says.

The member states’ assessments will feed into an EU-wide risk assessment which will be completed by 1 October.

Julian King, Commissioner for the Security Union, and Mariya Gabriel, Commissioner for the Digital Economy and Society, issued a joint statement, saying, “The national risk assessments are essential to make sure that member states are adequately prepared for the deployment of the next generation of wireless connectivity that will soon form the backbone of our societies and economies.

“Close EU-wide cooperation is essential both for achieving strong cybersecurity and for reaping the full benefits, which 5G will have to offer for people and businesses.”

Common framework

King and Gabriel urged member states to use the outcomes from the risk assessments to inform 5G spectrum auction processes and 5G network deployment.

Their statement noted, “We need all key players, big and small, to accelerate their efforts and join us in building a common framework aimed at ensuring consistently high levels of security.”

National risk assessments include an overview of:
•    the main threats and actors affecting 5G networks
•    the degree of sensitivity of 5G network components and functions as well as other assets; and
•    various types of technical and non-technical vulnerabilities, including those potentially arising from the 5G supply chain.

Next steps

Based on the information received through the national reports, member states, together with the Commission and the EU Agency for Cybersecurity (ENISA), will prepare a coordinated EU-wide risk assessment by 1 October. ENISA is analysing the 5G threat landscape in parallel as an additional input.

By 31 December 2019, the NIS Cooperation Group, which leads the cooperation efforts together with the Commission, will outline a toolbox of mitigating measures to address the risks identified.

By 1 October 2020, member states will need to evaluate the effects of measures implemented to assess whether further intervention is required.

After the implementation of the Cybersecurity Act last month, Commission and the EU Agency for Cybersecurity will set up an EU-wide certification framework covering 5G networks and equipment.