Α common EU approach to the security of 5G networks

Following the support from Heads of State or Government expressed at the European Council on 22 March for a concerted approach to the security of 5G networks, the European Commission recommended today a set of concrete actions to assess cybersecurity risks of 5G networks and to strengthen preventive measures.

The recommendations are a combination of legislative and policy instruments meant to protect our economies, societies and democratic systems. With worldwide 5G revenues estimated at €225 billion in 2025, 5G is a key asset for Europe to compete in the global market and its cybersecurity is crucial for ensuring the strategic autonomy of the Union.

At national level, each Member State should complete a national risk assessment of 5G network infrastructures by the end of June 2019. On this basis, Member States should update existing security requirements for network providers and include conditions for ensuring the security of public networks, especially when granting rights of use for radio frequencies in 5G bands. These measures should include reinforced obligations on suppliers and operators to ensure the security of the networks. The national risk assessments and measures should consider various risk factors, such as technical risks and risks linked to the behaviour of suppliers or operators, including those from third countries. National risk assessments will be a central element towards building a coordinated EU risk assessment.

EU Member States have the right to exclude companies from their markets for national security reasons, if they do not comply with the country's standards and legal framework.

At EU level, Member States should exchange information with each other and with the support of the Commission and the European Agency for Cybersecurity (ENISA), will complete a coordinated risk assessment by 1 October 2019. On that basis, Member States will agree on a set of mitigating measures that can be used at national level. These can include certification requirements, tests, controls, as well as the identification of products or suppliers that are considered potentially non-secure.

Today's Recommendation will make use of the wide-range of instruments already in place or agreed to reinforce cooperation against cyber-attacks and enable the EU to act collectively in protecting its economy and society, including the first EU-wide legislation on cybersecurity (Directive on Security of Network and Information Systems), the Cybersecurity Act recently approved by the European Parliament, and the new telecoms rules. The Recommendation will help Member States to implement these new instruments in a coherent manner when it comes to 5G security.

Commission continues modernising its way of working

The Commission has today taken stock of the work done to further streamline its way of working and optimise the use of its scarce human resources, as called for by President Juncker at the start of his mandate.

Today's Communication draws the lessons from the 2016 synergies and efficiencies exercise. Its main takeaway is that substantial, serious and successful work has been done to make the Commission deliver even better on its priorities under very challenging circumstances, and in parallel to dealing with several crises and a number of new important tasks.

The synergies and efficiencies initiative has allowed the Commission to redirect its resources and put staff to priority policy fields like financial services and migration and home affairs. Staff across the Commission are now working in a more linked-up and collaborative fashion, also thanks to the good use of the latest digital technologies. Of course, the Commission will not stop there – it will continue on its way to being the best possible public administration - modern, attractive and efficient.

European Citizens' Initiative

The Commission has today decided to register a European Citizens' Initiative entitled ‘#NewRightsNow - Strengthening the rights of “uberised” workers'.

The organisers call on the Commission to ‘establish an obligation for digital platforms to pay a guaranteed minimum income to self-employed people who regularly work for them.' The organisers argue such measures would ‘safeguard and stabilise their income and […] specifically tackle job insecurity of ‘uberised' workers'.

Under the Treaties, the EU can take legal action to make it easier for Europeans to take-up and pursue activities as self-employed persons. The Commission therefore considered the initiative legally admissible and decided to register it. At this stage in the process, the Commission has not analysed the substance of the initiative, only its legal admissibility.

The registration of this initiative will take place on 1 April 2019, starting a one-year process of collection of signatures of support by its organisers. Should the initiative receive 1 million statements of support within 1 year, from at least 7 different Member States, the Commission will analyse it and react within 3 months. The Commission can decide either to follow the request or not, and in both instances would be required to explain its reasoning.

Related Links

Recommendation on Cybersecurity of 5G Networks

Questions and Answers

Security Union: 15 out of 22 legislative initiatives agreed so far

Press release: EU negotiators agree on strengthening Europe's cybersecurity

Press release: Joint Communication ‘EU-China – A Strategic Outlook'