The Approach of the EU and Selected Member States to 5G Network Cybersecurity

September 21, 2020 (Updated February 22, 2021)

This White Paper presents a high-level overview of the current cybersecurity legislation in force or proposed at the European Union (EU) level as well as in a selection of EU member states.

This White Paper is not an exhaustive overview of cybersecurity legislation in the EU. Rather, it focuses on cybersecurity legislation to the extent it affects 5G networks as well as associated hardware, software, and technology in Europe. This White Paper is also limited to a selected sample of EU member states, representative of the very different approaches to cybersecurity of 5G networks of the EU and certain member states, on the one hand, and a group of other member states, on the other.

The EU’s cybersecurity toolbox, jointly agreed upon between the EU Commission and member states, advocates a risk-based approach to cybersecurity in line with general principles of EU law. The EU approach therefore proposes a risk assessment, which is based on objective, transparent, and proportionate criteria and is technology neutral. The toolbox recommends a well-balanced and coordinated set of risk-mitigating measures, notably relying on EU-wide standardisation and certification.

Some member states have recently started departing from this joint EU approach, instead choosing to rely on a selection of political criteria in order to address security of their 5G networks and other infrastructure.

This White Paper, which will be updated as developments require, highlights the differences in approach and the deviation from the jointly agreed EU toolbox, as well as, more fundamentally, general principles of EU law.