The report, drafted in conjunction with ENISA, will inform any action to be taken by the end of 2019.
Background: In March 2019, the European Commission adopted a Recommendation to member states to ensure a common approach in setting out security requirements for 5G networks. The Recommendation came at a time when several countries around the world were considering restrictions on Chinese vendors of 5G equipment (particularly Huawei) due to alleged security risks. Member states were required to carry out individual risk assessments, which they had to send to the European Network and Information Security Agency (ENISA) by July 2019. ENISA was then tasked with completing a pan-European risk assessment by October 2019.
The high-level report is out: Individual member states have now published the EU-wide coordinated risk assessment. It identifies the main threats and actors, the most sensitive assets, the main vulnerabilities (including technical ones and other types of vulnerabilities), and a number of strategic risks. This assessment provides the basis to identify mitigation measures that can be applied at a national and European level. The security challenges are mainly linked to key innovations in 5G, and to the role of suppliers in building and operating 5G networks. Six areas of risk have been identified, including increased exposure to attacks and increased reliance of mobile network operators on suppliers.
Next steps: The report will inform the creation of a ‘toolbox’ of measures to mitigate the identified risks, which is due to be agreed by the Network and Information Security Cooperation Group by the end of 2019. By 1 October 2020, member states will review the impact of the Recommendation and of the measures they have adopted as a result of it. In the meantime, it’s likely that individual countries will continue with their own assessments.