The Commission sets a path for a common approach across member states.

Background: Concerns on the security of network equipment for 5G has led to restrictions against Chinese vendors in several countries, including Australia, New Zealand, US. As the issue grabbed more headlines in the press, other countries have considered following suit, and the European Commission announced earlier this year that it would take action to avoid inconsistent approaches between member states.

The EC’s action: The initiative has resulted in a Recommendation issued today, which sets a roadmap for a common approach to 5G network security in three stages. The first one requires member states to carry out a national risk assessment of 5G network infrastructures by the end of June 2019; in the second, states exchange information with each other and complete a coordinated risk assessment by 1 October 2019, with the support of the Commission and the European Agency for Cybersecurity (ENISA); finally, this work results in a ‘tool box’ of measures to manage and mitigate risks.

What happens now: A Recommendation is not binding, which means member states can depart from it without facing legal consequences. It remains to be seen whether member states will manage to complete their risk assessments by the deadline of June 2019, and if this is all too little too late. At the end of 2020, the Commission will review the results of the Recommendation.