European Commission publishes second report on Member States’ progress in implementing the EU Toolbox on 5G Cybersecurity

Marin IvezicJune 16, 2023

1 minute read

The European Commission and the EU Agency for Cybersecurity (ENISA), published a second progress report on the implementation of the EU Toolbox on 5G cybersecurity. This report also addresses recommendations from the European Court of Auditors’ Special Report of January 2022. Additionally, the Commission adopted a Communication on the implementation of the toolbox by Member States and in the EU’s corporate communications and funding activities.

Key points from the report and the Commission’s Communication include:

Strategic Measures and High-Risk Suppliers:
- 24 Member States have adopted or are preparing legislative measures to assess suppliers and issue restrictions.
- 10 Member States have imposed restrictions, and 3 are working on implementing relevant national legislation.
- The Commission emphasizes the urgency for Member States to implement the Toolbox to secure the digital economy and critical services dependent on 5G networks.
Commission’s Concerns and Decisions:
- The Commission expresses strong concerns about risks posed by certain suppliers, specifically Huawei and ZTE, to the Union’s security.
- Decisions to restrict or exclude Huawei and ZTE from 5G networks are seen as justified and compliant with the 5G Toolbox.
- The Commission will avoid using Huawei and ZTE in its corporate communications networks and will phase them out from existing services.
Implementation of the 5G Toolbox:
- The majority of Member States have reinforced or are reinforcing 5G network security based on the EU Toolbox.
- Despite progress, there’s a risk of continued dependency on high-risk suppliers, impacting the EU’s internal market and security.
Recommendations for Member States:
- Gather detailed information on 5G equipment from mobile operators.
- Assess the risk profile of suppliers based on the EU Toolbox criteria.
- Impose restrictions on high-risk suppliers promptly.
- Ensure restrictions cover critical and sensitive assets, including the Radio Access Network.
- Implement restrictions for Managed Service Providers (MSPs) and enforce enhanced security provisions.
- Discuss measures related to diversification of suppliers and enforce technical measures with strong supervision.
Background of the EU Toolbox:
- The EU Toolbox, published in January 2020, aims to mitigate cybersecurity risks in 5G networks.
- It includes strategic and technical measures to reinforce security, endorsed by the Commission and Member States.
- The first report on the Toolbox’s implementation was published in July 2020, showing concrete steps taken by many Member States.

The full report is available here: https://digital-strategy.ec.europa.eu/en/library/second-report-member-states-progress-implementing-eu-toolbox-5g-cybersecurity

Marin Ivezic

Website | Other articles

For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.

He held multiple interim CISO and technology leadership roles in Global 2000 companies.