The European Commission last week published the long-awaited EU Toolbox on 5G Cyber Security to help European Union member states deal with the risks involved in the roll-out and future use of 5G networks. The toolbox is another element of a step-by-step process towards achieving this goal, as tasked by the member states in the European Council conclusions of March 2019. It is the first deliverable of the new commission in what is likely to be one of the most decisive issues of the coming years. The question of 5G and which vendors to choose to build this critical infrastructure cuts to the heart of Europe’s digital future, its economic competitiveness, and its geopolitical positioning.
The competencies of the commission in the area of network security are limited, and the suggestions in the toolbox are non-binding. But, there is a strong case for member states to implement the measures, given that they were devised by the NIS Cooperation Group, the entity tasked with drafting an EU response, which is composed of representatives of member states, the commission, and the EU Agency for Cybersecurity and where they all work jointly on the group’s proposals. In other words, when drawing up new national rules on network security, it is virtually not an option for member states to fail to take account of the risk-mitigation measures that the NIS Cooperation Group has devised.
In recent months, the 5G debate became polarised around a ‘Huawei or no Huawei’ choice. This gravely oversimplified the complex question of network security. Fortunately, the toolbox succeeds in addressing the vast scope of questions around the secure functioning of 5G, among which the question of vendor is only one, albeit an important one.
In the entire document, there is no mention at all of China, or leading Chinese telecommunications firms Huawei and ZTE. This comes as little surprise. But the toolbox is crystal-clear in the direction it sets: high-risk vendors (read: Huawei and ZTE) will have to be restricted or excluded from sensitive parts of the network in order to mitigate the risk of state interference through the 5G supply chain. The sensitive parts of the network are explicitly not limited to “core” functions, but also include the access network, which the October 2019 EU Risk Assessment already underlined. The toolbox directly acknowledges the strategic and technical risks in this issue. It states that the strategic risks cannot be mitigated with technical measures alone, and it points to the need for a political and regulatory response, especially when it comes to the “risk of interference by a third country or dependency risks”.
In the entire document, there is no mention at all of China, or of Huawei and ZTE
At the same time, the lack of diversity of suppliers remains a key concern in the toolbox’s assessment. Contrary to the often-repeated assumption that this limited supply implicitly calls for a role for Chinese vendors, the opposite holds true: the current dominant role of Chinese kit in European existing 3G/4G infrastructure in many member states is a problem and this situation should, according to the EU recommendation in the toolbox, be mitigated in 5G networks. At the same time, the diversity of the supply should be guaranteed by targeting subsidised vendors directly with anti-dumping/anti-subsidy measures. The latter especially is a measure that lies squarely within the competencies of the commission. The paragraph spelled out in the toolbox document is almost a mild threat: “The European Commission is responsible for investigating allegations of dumping by exporting producers from non-EU countries, or in the case of trade-distorting subsidies. It usually opens an investigation after receiving a complaint from the EU producers concerned, but it could also exceptionally do so on its own initiative” (emphasis added).
The EU appears set to use the tools it has available to enhance European technological sovereignty. This includes EU Research & Innovation Funding programmes as well as industrial policy tools and the foreign direct investment screening mechanism, which was one of the key achievements of 2018-19, designed in light of Beijing’s market-distorting practices and demonstrating the possibilities of united European action. Indeed, the direct referencing of the new investment screening framework – in both the commission’s communication around the toolbox and the toolbox itself – indicates that the documents should be read very comprehensively as part of Europe’s attempts to strengthen its defensive mechanisms against the systemic challenge from China.
But Brussels remains realistic about applying these measures. As such, the toolbox indicates that an outright ban on high-risk vendors will unlikely lead to the best and most favourable economic results. Its reasonable suggestion is that each member state, depending on its specific timeframe of deployment, should devise a plan for reducing dependencies. In other words, the commission provides member states with a roadmap to slowly wean themselves off high-risk vendors at the same time as they proceed with upgrading their infrastructure. It suggests that member states should consider exclusions and restrictions within normal cycles of replacement, thus creating a transition period to mitigate the economic impact of replacing existing kit from Chinese vendors.
The commission provides member states with a roadmap to slowly wean themselves off high-risk vendors
This puts significant pressure on member states with regard to monitoring, regulating and implementation. In recognition of this problem, the toolbox calls for the exchange of best practice in the non-technical measures “in particular national frameworks for assessing the risk profile of suppliers”. At the same time, it underlines the commission’s willingness to provide member states with the support they require, especially those with more limited capacities to handle the risk-assessment and mitigation measures on a national level.
The advent of 5G illustrates the complex nature of the technological and political challenges that member states are facing, and will continue to face, in the decades to come. It also underlines the capacity gaps that exist. Brussels has proven that increased cooperation on the issue is not only useful, but highly necessary, when it comes to cyber security and Europe’s technological sovereignty. Member states have been waiting for the toolbox before starting to make their national choices. And Brussels could yet be even more helpful if equipped with greater competencies in this specific field. Cyber security is by definition hard to tackle on a national level and it is not only less costly and more effective if competencies such as joint testing or certification measures are moved to Brussels. It also provides better cover for member states in the new geopolitical reality of increasing competition with China and shrinking willingness to cooperate unconditionally with the United States. What the EU Risk Assessment and new toolbox show is that Brussels is up to the job.
The European Council on Foreign Relations does not take collective positions. This paper, like all publications of the European Council on Foreign Relations, represents only the views of its authors.