Authors: Kristof De Vulder, Heidi Waem, Gilles Hachez
The EU has been steadily ramping up its cybersecurity efforts over the last few years. This has been previously evidenced by its adoption of a new Cybersecurity strategy (the ‘Cybersecurity Strategy for the Digital Decade’ part of its Shaping Europe’s Digital Future strategy, its Recovery Plan for Europe and its Security Union Strategy 2020-2025) and by the adoption of a proposal for a Directive on measures for a high common level of cybersecurity across the Union (the “NIS II Directive”) which revises the current Directive on Security of Network and Information Systems (read more about this proposal in our previous blogpost here).
This month, the EU Commission announced yet another measure aimed at boosting its cybersecurity framework by tasking ENISA, the EU Agency for Cybersecurity, with the preparation of a “cybersecurity certification scheme for 5G networks” (the “5G certification scheme”). The development of certification schemes was one of the aims of the Cybersecurity Act (adopted in 2019), which introduced an EU-wide cybersecurity certification framework for ICT products, services and processes. Moreover, the development of a 5G certification scheme also builds on the previously adopted ‘Toolbox on 5G Cybersecurity’, which sets out a coordinated European approach based on a common set of measures to mitigate the main cybersecurity risks of 5G networks. Such risks were identified in the EU coordinated risk assessment report and led a number of EU Member States to take measures aimed at excluding Huawei and ZTE, considered a ‘high-risk vendors’, from “critical or sensitive” parts of their 5G networks.
The 5G certification scheme is expected to help address risks related to technical vulnerabilities of the networks and further enhance their cybersecurity. According to the Commission “certification plays a critical role in increasing trust and security in digital products and services – however, at the moment, there are various security certification schemes for IT products, including 5G networks, in Europe”. ENISA has already indicated that it will base its 5G certification scheme on “provisions already available by means of existing cybersecurity certification schemes as well as experience already acquired since [it] started engaging in cybersecurity certification”. Taking into account the importance of 5G for the EU’s digital economy and society, the ever-increasing amount and sophistication of cyber-attacks, and the annual cost of cybercrime (estimated at around €5.5 trillion in 2020), this 5G certification scheme will undoubtedly have a key role to play in the future.