The progress report highlights that 24 Member States have either adopted or are in the process of preparing legislative measures that empower national authorities to assess suppliers and impose restrictions on high-risk suppliers. Ten of these Member States have already implemented such restrictions, and three are currently working on implementing relevant national legislation. Given the crucial role of connectivity infrastructure for the digital economy and the dependence of critical services on 5G networks, Member States are urged to implement the Toolbox as soon as possible.
In its Communication, the Comission has expressed significant concerns regarding the risks posed by certain suppliers of mobile network communication equipment to the Union’s security. It considers the decisions made by Member States to restrict or exclude Huawei and ZTE from 5G networks as justified and compliant with the 5G Toolbox.
Furthermore, the European Commission emphasizes the importance of 5G network security as a priority and an integral part of its Security Union Strategy, as these networks serve as critical infrastructure, supporting a wide range of essential services for the internal market and the functioning of key societal and economic functions. This issue is crucial for the Union’s sovereignty, strategic autonomy, and resilience.
While recognizing the Member States’ competence in national security matters, the Commission has also applied the Toolbox criteria to evaluate the vulnerabilities of its own corporate communications systems and those of other European institutions, bodies, and agencies. It has also assessed the implementation of Union funding programs in alignment with the Union’s policy objectives.
As part of its corporate cybersecurity policy and the application of the 5G cybersecurity toolbox, the Commission will implement appropriate security measures to refrain from procuring new connectivity services that rely on equipment from Huawei and ZTE. The Commission intends to collaborate with Member States and telecom operators to gradually phase out these suppliers from existing connectivity services at Commission sites, as well as reflect this decision across all relevant EU funding programs and instruments.
The second progress report includes recommendations for Member States to:
- Obtain comprehensive and detailed information from mobile operators regarding currently deployed 5G equipment and future plans for equipment deployment or sourcing.
- Consider objective criteria recommended in the EU Toolbox while assessing the risk profile of 5G suppliers. They should also take into account designations made by other Member States concerning high-risk suppliers to promote consistency and enhance security across the Union.
- Urgently impose restrictions on high-risk suppliers, as any delay can increase network vulnerability and the Union’s dependency on such suppliers.
- Ensure that restrictions cover critical and highly sensitive assets identified in the EU Coordinated risk assessment, including the Radio Access Network.
- Prohibit the installation of new equipment for the types covered by the restrictions. If transition periods are allowed for the removal of existing equipment, they should be defined to ensure the quickest possible removal.
- Implement restrictions for Managed Service Providers (MSPs) and apply enhanced security provisions for MSPs involved in outsourced functions.
- Further discuss the applicability of measures related to supplier diversification, ensuring that any diversification efforts do not introduce new or increased security risks but rather contribute to overall security and resilience.
- Enforce technical measures and ensure strong supervision, with particular attention given to baseline security requirements, enhanced security standards in suppliers’ processes through robust procurement conditions, and the secure management, operation, and monitoring of 5G networks.