The report finds good progress in giving national regulators the necessary powers, but that more work is needed in designing multi-vendor strategies.
The EC has adopted a risk-based approach: In January 2020, the European Commission set out a ‘toolbox’ to assess and mitigate security risks in the rollout of 5G. The toolbox is the main instrument of the risk-based approach the EC has adopted towards network vendors such as Huawei, which has been identified as high-risk and banned from 5G networks in countries such as the US and Australia, but which have a significant presence in mobile networks across Europe.
Regulators are given the powers they need: On 24 July 2020, the EC published a report prepared by the EU Network and Information Security Agency (ENISA) to assess the progress EU countries have made in implementing the EC’s approach. The powers of national regulators are being reinforced in a large majority of member states to ensure they can oversee procurement of operators’ network equipment. Measures to restrict the involvement of suppliers based on their risk profile are already in place in some countries, and at an advanced stage in many others. The report highlights the importance of looking at the network as a whole and addressing core network elements as well as other critical elements. For those operators having already contracted with high-risk vendors, transition periods should be put in place.
Foreign investment needs stronger oversight: In other areas, the report points out the room for improvement needed. Progress is urgently needed to reduce dependency on high-risk suppliers. It has been slow so far given the challenges in designing and imposing appropriate multi-vendor strategies for individual MNOs, given technical or operational difficulties (e.g. lack of interoperability). The report also recommends screening mechanisms for foriegn investment be introduced urgently in 13 member states, and applied to investment developments potentially affecting the whole 5G supply chain. The EC is due to conduct an annual review of the Recommendation on 5G Cybersecurity in October 2020.