By 2025, 5G revenue is estimated to reach €225bn (around $254bn). 5G networks will connect billions of objects, including those in critical sectors, so it is essential that any vulnerabilities in the networks are addressed. On March 26, 2019, the EC released its recommendation to conduct national and EU-wide reviews of the cybersecurity of 5G networks, and introduced measures to strengthen existing security rules to ensure that they reflect the strategic importance of 5G networks. The recommendation also intends to reflect the evolution of cyberthreats. Member states are expected to ensure the integrity and security of networks, with obligations on operators to take technical and organizational measures to manage the security risks. The EC's recommendation is intended to reinforce cooperation among members, as well as complementing the recently approved Cybersecurity Act and Directive on Security of Network and Information Systems.
Several EU member states have started to consider tightening security restrictions for mobile network operators and equipment suppliers ahead of the rollout of 5G. In Sweden, for example, the government announced it would review whether certain components, suppliers, and operators should be excluded from the upcoming buildout of 5G. In an effort to avoid conflicting approaches across Europe, on March 26, 2019, the EC released its recommendations for a common EU approach to the security of 5G networks. It has recommended a set of operational steps and measures to ensure a higher level of cybersecurity of 5G networks across the EU.
As 5G networks will connect billions of objects and systems, including those in critical sectors such as energy, transport, banking, and health, as well as systems carrying sensitive information and supporting safety systems, it is important that any security vulnerabilities are addressed. Security must be built into 5G technology to ensure people and businesses can effectively and securely exploit the technology, and 5G infrastructures must be resilient and fully secure from technical or legal backdoors.
The EC's recommendations include a set of legislative and policy instruments to assess cybersecurity risks of 5G networks and to strengthen any existing preventive measures. It is likely that any vulnerability in 5G networks or a cyberattack in one member state will affect the whole of the EU, so it is crucial for the EU to work together on a European-wide approach to cybersecurity, as well as recommending national measures.
At a national level, the EC recommendation sets out that each member state should complete a national risk assessment of 5G network infrastructures by June 30, 2019, and communicate the results to the EC and the EU Agency for Network and Information Security (ENISA) by July 15, 2019. Member states should update existing security requirements for network providers with reinforced obligations and include conditions for ensuring the security of networks, especially when granting rights of use for frequencies in 5G spectrum bands. The national risk assessments and measures are expected to consider various risk factors, such as technical risks and risks linked to the behavior of suppliers or operators, including those from third countries. The idea is that national risk assessments will be used to build a coordinated EU risk assessment. The EC has also advised in its recommendation that member states have the right to exclude companies from their markets for national security reasons, if they do not comply with the country's standards and legal framework.
At the EU level, the EC has outlined that member states should exchange information with each other and, with the support of the EC and ENISA, must complete a coordinated risk assessment by October 1, 2019. By December 31, 2019, member states are expected to agree on a set of mitigating measures to address the cybersecurity risks identified at national and EU levels, and can include certification requirements, tests, controls, as well as the identification of products or suppliers that are considered potentially non-secure. This coordinated effort should also support member states' actions at a national level and provide guidance to the EC for possible further steps at EU level.
In the future, once the Cybersecurity Act enters into force, the EC and ENISA will create an EU-wide certification framework. The European cybersecurity certification framework for digital products, processes, and services should support and promote consistent levels of security. This can then be used to develop a dedicated EU-wide certification scheme related purely to 5G, and eventually this certification will be made mandatory through national technical regulations.
The world of cybersecurity is constantly evolving, so it is essential that organizations are able to continue to effectively protect themselves. It is good to see that the EC has asked all member states to assess the effects of the recommendations by October 1, 2020, to determine whether more action may be required. It is important that legal frameworks continue to evolve as technology progresses.
Cybersecurity: Impact and Opportunities, INT003-000336 (March 2019)
2019 Trends to Watch: Cybersecurity, INT003-000295 (December 2018)
"Smart home cybersecurity is now critical for greater IoT adoption," CES006-000072 (April 2019)
Sarah McBride, Analyst, Regulation