The European Union, along with its Member States and ENISA, the EU Agency for Cybersecurity, have presented the second progress report concerning the ongoing implementation of the EU Toolbox on 5G cybersecurity. This report not only reflects the efforts made since the inception of the project but also encompasses several recommendations outlined in the Special Report by the European Court of Auditors issued in January 2022. In parallel to the progress report, the Commission has also endorsed a Communication, serving as a complement to the report, which elaborates on the application of the toolbox by the Member States and within the EU’s internal communication and funding activities.

The progress report emphasizes strategic measures that have been initiated, particularly focusing on the enforcement of restrictions on high-risk suppliers. Currently, 24 Member States are either in the process of or have already adopted legislative measures that provide national authorities with the power to assess and issue restrictions on suppliers. Out of these, ten have already implemented such restrictions, and three are engaged in facilitating the enactment of the relevant national legislation. Given the importance of the connectivity infrastructure for the digital economy and the dependence of many critical services on 5G networks, it is essential that the Member States expedite the complete implementation of the Toolbox without delay.

The Commission’s Communication brings to light, strong concerns about the risks posed by specific mobile network communication equipment suppliers to the security of the Union. The Commission considers that decisions adopted by Member States to restrict or exclude Huawei and ZTE from 5G networks are justified and compliant with the 5G Toolbox. The Communication indicates that, based on a broad spectrum of available information, the Commission considers that Huawei and ZTE represent materially higher risks than other 5G suppliers.

The Commission underscores that the security of 5G networks is a top priority, serving as an essential component of its Security Union Strategy. As those networks are central to infrastructure, they provide the bedrock for a wide range of services essential for the functioning of the internal market, as well as the maintenance and operation of vital societal and economic functions. The issue of 5G network security is pivotal to the Union’s sovereignty, strategic autonomy, and resilience.

The Commission also appeals to Member States that have yet to adopt the Toolbox, urging them to enact relevant measures as recommended in the EU Toolbox, to effectively and promptly address the risks posed by the identified suppliers.

As part of its corporate cybersecurity policy, the Commission will implement measures to avoid exposure of its corporate communications to mobile networks that use Huawei and ZTE as suppliers. Moreover, it will take relevant security measures to avoid procuring new connectivity services that rely on equipment from those suppliers and will work with Member States and telecom operators to ensure these suppliers are gradually phased out from existing connectivity services at Commission sites.

The second progress report reflects that a vast majority of Member States have reinforced or are in the process of bolstering security requirements for 5G networks based on the EU Toolbox. However, despite the progress made, the report acknowledges that this situation creates a clear risk of persisting dependency on high-risk suppliers in the internal market, potentially leading to serious negative impacts on security for users and companies across the EU and the EU’s critical infrastructure.

The EU Toolbox on 5G cybersecurity, published in January 2020 by Member States’ authorities with the support of the Commission and ENISA, aims to mitigate risks related to the cybersecurity of 5G networks. The first report on Member States’ progress was published in July 2020. Many Member States had already adopted or were well advanced in the preparation of more advanced security measures for 5G cybersecurity.