It is commonly believed that 5G networks will allow the development of new types of services based on innovative use cases, for the benefit of both private end users and companies, thus becoming the real "nervous system" of the future connected society. This will also have obvious positive effects on the economy: the European Commission estimated that 5G will generate a turnover of 225 billion euros in five years, and the related networks will be used by 2.6 billion users worldwide, that is 40% of the total world population. As early as 2016, the Commission adopted the 5G Action Plan to make sure that the Union has the connectivity infrastructure necessary for its digital transformation as of 2020, and for comprehensive deployment in urban areas and major transport paths by 2025[1]. This action plan set out a clear roadmap for public and private investments in 5G infrastructure in the EU.
On the other hand, making 5G networks a crucial infrastructural component for digital society in the coming years in turn brings attention to the enormous risks arising from possible malfunctions and abuses, especially of a malicious and intentional nature, to which they are subject. Most of the concerns come from the substantially new implementation paradigms of 5G networks, and from the extreme complexity of the hardware and software components on which they are based.
This scenario has led many governments, as well as their respective national and supranational regulatory authorities, to undertake careful preventive analyses of the possible risk profiles related to the various scenarios of use of 5G, in view of the issuance of rigorous technical standards and safety measures. In fact, the EU considers it of paramount importance to ensure the security and resilience of 5G networks by adopting a common and balanced approach among member states.
Therefore, in March 2019 the Commission published a first recommendation[2] regarding the cybersecurity of 5G networks and then, a few months later, published a report[3] in which the main cybersecurity risks in 5G networks were identified and analyzed. They were: an increased attack surface consisting of potential vulnerabilities in the software used to implement the core and service components of the networks; problems of sensitivity and interoperability at the hardware level due to the particular architecture and new functions of the networks; increased exposure to attacks due to the risk profile of a supplier or manufacturer, as well as the dependence of mobile networks and enterprises on a third party supplier or manufacturer; IT network-level threats that compromise the availability and integrity of 5G networks that act as a backbone for mission-critical applications.
Following those studies, early in 2020 the Commission published the so-called “EU Toolbox”[4], a set of measures specifically developed to mitigate the cybersecurity risks of 5G networks identified at national and EU levels; it was backed by a Communication[5] which required all member states to take steps to implement the set of measures recommended in the Toolbox by 30 April 2020, and to prepare a joint report on its implementation by 30 June 2020.
The Toolbox identified and provided risk mitigation plans for each of the nine risk areas identified in the EU coordinated risk assessment document. Its goal was to create a robust, coherent and objective framework of security measures, at both the strategic and technical levels, in order to ensure an adequate level of cybersecurity of 5G networks across the EU. From this standpoint, a shared strategic view and a coordinated approach among member states are fundamental: in particular, the member states agreed to ensure that they would be able to restrict, prohibit, and/or impose specific requirements and conditions, in accordance with a risk-based approach, for the supply, deployment, and operation of 5G network equipment.
On 24 June 2020 the Commission released the report[6] on the progress made by the member states in implementing the Toolbox. The results are considered quite good in most areas, although a few aspects of the Toolbox are not fully covered yet and need some further work. One important point concerns the powers of national regulatory authorities in the member states: most of them have been or are in the process of being reinforced, to regulate both 5G security and the procurement of network equipment and services by operators. Measures aimed at restricting the involvement of suppliers based on their risk profile are already in place in a few member states, and at an advanced stage of preparation in many others. Network security and resilience requirements for mobile operators are also being reviewed in a majority of member states. The report stresses the importance of ensuring that these requirements are strengthened, that they follow the latest state-of-the-art practices and that their implementation by operators is effectively audited and enforced.
In its Conclusions[7] of 9 June 2020, the Council “recognises that increased connectivity, while empowering digital services, can result in citizens, companies and governments being exposed to cyber threats and crimes that are increasing in number and sophistication”. In this context, it “emphasises the importance of safeguarding the integrity, security and resilience of critical infrastructures, electronic communications networks, services and terminal equipment” and “supports the need to ensure and implement a coordinated approach to mitigate the main risks, such as the ongoing joint work based on the EU Toolbox on 5G cybersecurity and the secure 5G deployment in the EU.”
[1] COM(2016) 588 of 14 June, 2016 on 5G for Europe: An Action Plan.
[2] Commission Recommendation of 26 March 2019 on Cybersecurity of 5G networks C(2019) 2335 final.
[3] EU coordinated risk assessment of the cybersecurity of 5G networks, NIS Cooperation Group, October 2019.
[4] Cybersecurity of 5G networks EU Toolbox of risk mitigating measures, NIS Cooperation Group, January 2020.
[5] COM(2020) 50 final of 29 January, 2020 on Secure 5G deployment in the EU - Implementing the EU toolbox.
[6] Report on Member States’ Progress in Implementing the EU Toolbox on 5G Cybersecurity, NIS Cooperation Group, July 2020.
[7] Council Conclusions on Shaping Europe’s Digital Future, 9 June 2020.