- European Commission publishes update to its Toolbox on 5G Cybersecurity implementation report
- Commissioner Thierry Breton said not enough has been done to restrict or remove ‘high-risk vendors’ – Huawei and ZTE – from 5G networks
- Countries that have banned the Chinese vendors are ‘justified’ and urgent action is needed by other countries without further delay, he stated
- Commission will not use communications services provided by telcos using Huawei or ZTE gear in their networks
Any hope that Chinese vendors Huawei and ZTE retained of clinging on to mobile network equipment business in European Union member states has been dashed by a progress report from the European Commission (EC) on the implementation of its Toolbox on 5G Cybersecurity measures and a stinging security risk statement by Thierry Breton, commissioner for the internal market of the European Union (pictured above).
The commission introduced the 5G toolbox in 2020, since when member states have been required to introduce “a legislative framework” that enables “national authorities to be able to assess the risk profile of suppliers and apply restrictions/exclusions on this basis.” The measures also recommend member states “concretely perform the assessment of the risk profile of suppliers and apply restrictions, including necessary exclusions, to effectively mitigate the risks for sensitive and critical assets.”
Identifying and addressing “high-risk” technology suppliers has been one of the main outcomes from the start, but the toolbox documents did not initially identify any individual companies.
Now, though, the update names companies against which action has been taken, and mentions which trusted companies are being selected in their place.
The problem for Breton is that too few member states have taken any action.
The update notes that 21 of the commission’s 27 member states had adopted a legislative framework as of May this year, another three countries are in the process of legislating, and three have not yet taken any action (the report doesn’t identify the countries in each case).
Of the 24 that already have a legal framework or are in the process of implementing one, 17 member states have implemented or will implement specific measures that enable their authorities to prohibit the deployment of certain 5G equipment, while 19 countries are able to mandate the removal of equipment from high-risk vendors that has already been deployed.
But having the ability to take action and actually doing something are two different things.
The updated report shows that only 10 countries have actually imposed specific restrictions on high-risk technology suppliers, three are in the process of implementing some legislation against such vendors, and 14 countries have no restrictions in place at all. Even then, some of the restrictions are opaque, with the report noting that in some member states the details of the restrictions have been kept confidential and the “scope is not known”.
But the toolbox measures, most likely coupled with pressure from the US (which has been imposing sanctions on Huawei and ZTE for years and encouraging other nations to ban the Chinese vendors too) have been making an impact.
The report notes that in multiple member states, “one or several operators have changed suppliers when procuring 5G RAN equipment. In particular, in at least eight member states, one or several operators have moved from one of two non-EU-controlled suppliers [Huawei and ZTE] to an EU-controlled supplier [Ericsson or Nokia]. In some cases, those changes were made before decisions about restrictions on high-risk suppliers were adopted, or in member states where no decisions are in place yet,” according to the report.
In addition, one country “has taken a public decision to exclude Huawei and ZTE from its 5G network” to make the situation very clear to the affected network operators.
Not every country, though, is pulling in the same direction. “In at least two member states, one operator has changed from an EU to a non-EU-controlled supplier,” while in others 5G procurement decisions have not yet been taken.
For the waiverers, Breton has a very clear message.
Noting that only 10 member states have taken action to “restrict or exclude high-risk vendors,” he stated during a speech on the cybersecurity of 5G networks that “this is too slow, and it poses a major security risk and exposes the union's collective security, since it creates a major dependency for the EU and serious vulnerabilities.”
So now the gloves are off, with Breton noting it has “published a communication confirming that the decisions taken by certain member states to restrict or exclude completely Huawei and ZTE from their 5G networks are justified and in line with the toolbox.”
And he urged others to follow suit. “We will continue to work with determination with the member states that are lagging behind and the telecommunications operators. I can only emphasise the importance of speeding up decisions to replace high-risk suppliers from their 5G networks. I have also reminded the telecoms operators concerned that it is time to get to grips with this issue.”
And not only is Breton ramping up the invective but the EC is now taking steps to lead by example.
“The commission will implement the 5G toolbox principles to its own procurement of telecoms services, to avoid exposure to Huawei and ZTE,” noted Breton. “We will also take into account the toolbox and the assessment in the report when allocating EU funding throughout our programmes. We have been able to reduce or eliminate our dependencies in other sectors such as energy in record time, when many thought it was impossible. The situation with 5G should be no different: we cannot afford to maintain critical dependencies that could become a ‘weapon’ against our interests. That would be too critical a vulnerability and too serious a risk to our common security. I therefore call on all EU member states and telecom operators to take the necessary measures without further delay.”
Well, if there’s one thing that will make countries and companies move with haste, it’s the threat of defunding, while the commission’s move to stop buying communications services from companies deploying Chinese gear will also encourage enterprise users to do the same, so for those operators still working with Huawei and ZTE – and there are some big names, including Deutsche Telekom and Telefónica – the implications are significant.
Germany, it has been noted previously, has been particularly slow to implement toolbox measures, but there are signs that this might change very soon, as the country’s chancellor, Olaf Scholz, this week launched the country’s first ever national security strategy, which highlights China as a “growing threat to global security.”
It’s likely that Huawei and ZTE will soon find themselves with even fewer friends in Europe. And that will be even better news for Ericsson and Nokia.
- Ray Le Maistre, Editorial Director, TelecomTV