Communication from the Commission: Implementation of the 5G cybersecurity Toolbox

The Commission takes note of and welcomes the adoption of the Second Progress report on the implementation of the EU Toolbox by the NIS Cooperation Group. 

In light of this report, the Commission is strongly concerned by the risks posed by certain suppliers of mobile network communication equipment to the security of the Union, as reflected also by decisions taken by some Member States. The NIS Report highlights the ‘clear risk of persisting dependency on high-risk suppliers in the internal market with potentially serious negative impacts on security for users and companies across the EU and the EU’s critical infrastructure’.

As mentioned in the NIS Progress Report and in an earlier report by the European Court of Auditors, it is evident that 5G suppliers exhibit clear differences in their characteristics, in particular as regards their likelihood of being influenced by specific third countries which have security laws and corporate governance that are a potential risk for the security of the Union. As also indicated in the NIS report, Huawei and ZTE have been subject to public decisions and advice in certain Member States, based on national security concerns, including assessments by those Member States’ intelligence services. 

In other Member States, decisions to restrict or exclude certain suppliers from their 5G networks have been made confidentially, based on their assessment. The findings of those Member States are similar to the analysis of the competent authorities of certain third countries. 

Due to these high risks, and based on an assessment of the criteria set out in the Toolbox for identifying ‘high-risk suppliers’, the Commission considers that decisions adopted by Member States to restrict or exclude Huawei and ZTE are justified and compliant with the 5G Toolbox. Without prejudice to the Member States’ competences as regards national security, the Commission has also applied the Toolbox criteria to assess the needs and vulnerabilities of its own corporate communications systems and those of the other European institutions, bodies and agencies, as well as the implementation of Union funding programmes in the light of the Union’s overall policy objectives. 

In this context, consistently with certain Member States’ application of the 5G Toolbox, the Commission considers, that Huawei and ZTE represent in fact materially higher risks than other 5G suppliers.