The publication in the UK follows the release of 5G risk assessments in most EU countries.
Background: The use of network equipment produced by Chinese companies (especially Huawei) in 5G networks has been the subject of lively discussions since early 2018, with some governments opting to ban the vendor from their countries’ infrastructure. In the UK, the government commenced a telecoms supply chain review in November 2018, while at the EU level, the Commission issued a Recommendation on 5G network security, asking member states to complete a national risk assessment by the end of June 2019.
The UK Government announces new legislation: On 22 July 2019, the UK Government published its supply chain review, but stopped short of making any recommendations on the use of Huawei – the most anticipated element of the review. The review identifies three key concerns (commercial agreements not fostering risk management; inadequate policy and regulation; and lack of diversity across the supply chain, which poses risks to the security and resilience of the UK’s networks). In response, the government proposes a framework of new Telecoms Security Requirements, overseen by Ofcom and Government. The Government will legislate to provide Ofcom with stronger powers for the enforcement of the requirements, and to establish stronger national security backstop powers for government. In the meantime, government and Ofcom will work with telecoms operators to secure voluntary adherence to the new requirements. The review does not currently restrict any vendor, and in fact suggests the government will look to foster diversity and competition in the supply chain. A decision on Huawei will come when there is more certainty in the US, where it is subject to entity listing.
EU countries have (nearly) all completed their risk assessments: The EC recently announced that 24 of 28 member states have completed their national risk assessment for 5G network security. These will feed into the next phase, which involves the completion of an EU-wide risk assessment by 1 October 2019, overseen by the EC and ENISA. By the end of 2019, this must result in a toolbox of mitigating measures to address the risks.