Almost on the eve of Brexit, the European Union (EU) has found common ground with the UK by producing guidelines allowing EU member states to either limit access to or ban so-called high-risk technology suppliers’ products from the core elements of their countries’ telecoms networks.

Europe is currently one of the world’s most advanced regions when it comes to 5G services, with an investment of €1bn, including €300m in EU funding. By the end of this year, the first 5G services are expected to be available in 138 European cities.

While market players are largely responsible for the secure roll-out of 5G, and EU member states are responsible for national security, 5G network security is an issue of strategic importance for the entire EU Single Market and technological sovereignty.

To support the deployment and take-up of 5G networks across the EU, the European Commission (EC) presented a 5G Action Plan in September 2016 and in March 2019, following a call from the European Council, the EC adopted a recommendation on cyber security of 5G networks calling on member states to complete national risk assessments, review their measures and work together on a coordinated risk assessment and a common toolbox of mitigating measures.

The toolbox addresses all risks identified in the EU’s coordinated assessment, including risks related to non-technical factors, such as the risk of interference from non-EU state or state-backed actors through the 5G supply chain. It includes strategic and technical measures and corresponding actions to reinforce their effectiveness. These are calibrated based on objective factors.

In the toolbox conclusions, member states agreed to strengthen security requirements, to assess the risk profiles of suppliers, to apply relevant restrictions for suppliers considered to be high risk, including necessary exclusions for key assets considered critical and sensitive – such as core network functions – and to have strategies in place to ensure diversification of suppliers.

In October 2019, the NIS Cooperation Group published a coordinated EU report identifying the main threats and threat actors, the most sensitive assets, the main vulnerabilities and a number of strategic risks. The report highlighted a number of security challenges linked to 5G networks, and defined factors to assess the risk profiles of individual suppliers. In November 2019, the EU Cybersecurity Agency published a dedicated 5G threat landscape mapping as further input to the toolbox.

The EC is now endorsing the joint toolbox of mitigating measures agreed by EU member states to address security risks related to the roll-out of 5G and notes that, since March 2019, member states have identified risks and vulnerabilities at national level and published a joint EU risk assessment. The EC is now launching relevant actions within its competence and is calling for key measures to be put in place by 30 April 2020.

The EU sees closely coordinated implementation of the toolbox as indispensable to ensure EU businesses and citizens can make full use of all the benefits of the new technology in a secure way. “We can do great things with 5G,” said Margrethe Vestager, executive vice-president for a Europe Fit for the Digital Age. “The technology supports personalised medicines, precision agriculture and energy grids that can integrate all kinds of renewable energy.

“This will make a positive difference, but only if we can make our networks secure. Only then will the digital changes benefit all citizens.”

Thierry Breton, commissioner for the EU Internal Market, added: “Europe has everything it takes to lead the technology race. Be it developing or deploying 5G technology, our industry is already well off the starting blocks. Today we are equipping EU member states, telecoms operators and users with the tools to build and protect a European infrastructure with the highest security standards, so we all fully benefit from the potential that 5G has to offer.”

The report does not single out companies such as Huawei, but the Chinese supplier has welcomed the EU’s announcement. It said in a statement: “This non-biased and fact-based approach towards 5G security allows Europe to have a more secure and faster 5G network.”

The news from the EU comes just a day after the UK government announced that restrictions would be placed on the use of companies such as Huawei and ZTE in the UK’s 5G and gigabit-capable networks, with such firms excluded from all safety-related and safety-critical networks in critical national infrastructure, and excluded from security-critical core functions.