No ban on Huawei or ZTE as EU sets out 5G cyber security rules

Member states of the European Union (EU) will complete a cyber security risk assessment of 5G by 30 June, leading to an EU-wide risk strategy.

The dates have been set by the European Commission, which is recommending a common EU approach to the security of 5G networks.

Vice-president Andrus Ansip, in charge of the EU’s digital single market, said: “5G technology will transform our economy and society and open massive opportunities for people and businesses. But we cannot accept this happening without full security built in. It is therefore essential that 5G infrastructures in the EU are resilient and fully secure from technical or legal backdoors.”

The rules will apply to all 27 member states of the EU – or to all 28 if the UK decides at the last moment to remain a member. Even if the UK leaves, it seems likely that it will follow the EU’s rules under any transition agreement.

The European Commission – the Brussels-based executive arm of the EU – says that EU member states can exclude companies from their markets for national security reasons, if they do not comply with the country’s standards and legal framework.

But the EU is not naming any companies – and it has certainly not followed the US line of banning Huawei and ZTE from telecoms infrastructure outright. Many European telecoms companies have Huawei equipment and some – in Italy, for example – have ZTE kit.

But after 1 October, when a coordinated approach is accepted, member states will agree on a set of mitigating measures that can be used at national level.

The Commission says that “these can include certification requirements, tests, controls, as well as the identification of products or suppliers that are considered potentially non-secure”.

Commissioner Julian King, the British commissioner who is in charge of security issues for the EU, said: “The resilience of our digital infrastructure is critical to government, business, the security of our personal data and the functioning of our democratic institutions. We need to develop a European approach to protecting the integrity of 5G, which is going to be the digital plumbing of our interconnected lives.”

He was backed by commissioner Mariya Gabriel of Bulgaria, who is in charge of the digital economy and society.

She added: “Protecting 5G networks aims at protecting the infrastructure that will support vital societal and economic functions – such as energy, transport, banking, and health, as well as the much more automated factories of the future. It also means protecting our democratic processes, such as elections, against interference and the spread of disinformation.”

Yesterday’s recommendation will make use of the wide range of instruments already in place or agreed to reinforce cooperation against cyber-attacks and enable the EU to act collectively in protecting its economy and society, including the first EU-wide legislation on cybersecurity – the Directive on Security of Network and Information Systems – as well as the Cybersecurity Act recently approved by the European Parliament, and the new telecoms rules.

The Commission said that the recommendation will help member states to implement these new instruments in a coherent manner when it comes to 5G security.

The Commission has set out a timetable of next steps:

30 June 2019: member states should complete their national risk assessments and update necessary security measures.

15 July 2019: the national risk assessment should be transmitted to the Commission and European Agency for Cybersecurity (ENISA).

1 October 2019: ENISA will complete a 5G threat landscape that will support member states in the delivery of the EU-wide risk assessment.

31 December 2019: the Network and Information Systems (NIS) Cooperation Group to agree on mitigating measures to address the cyber security risks identified at national and EU levels.

1 October 2020: member states – in cooperation with the Commission – should assess the effects of the recommendation in order to determine whether there is a need for further action.