As a follow-up to the Nevers Call of 9 March 2022 and building on the coordinated work already done at EU-level to strengthen the security of 5G networks, Member States conducted a risk assessment on Europe’s communications infrastructures and networks.
This risk assessment identified a number of threats to communication networks and infrastructure, such as wipers, ransomware attacks, supply chain attacks, physical attacks and sabotage. These threats, taking advantage of vulnerabilities, could pose a significant risk to the security and resilience of the connectivity infrastructure. Based on these findings and in addition to the nine risk scenarios already identified in the EU Coordinated risk assessment of 5G networks, the report develops ten risk scenarios of strategic importance for the Union, such as a supply chain attack to gain access to the infrastructure of operators or a coordinated physical sabotage attack on digital infrastructure.
In order to mitigate these risks, the report puts forward a number of strategic and technical recommendations for Member States, the Commission and ENISA, to be implemented with the support of the Body of European Regulators for Electronic Communications. As regards strategic aspects, the report recommends to:
- Assess resilience of international interconnections;
- Assess criticality, resilience and redundancy of core Internet infrastructure, such as submarine cables;
- Implement the recommendations related to suppliers in the second Progress Report on the EU Toolbox implementation;
- Create transparency on the landscape of suppliers and managed service providers or managed security service providers used for fixed networks, fibre technology, submarine cables, satellite networks and other important ICT suppliers;
- Involve the electronic communications sector in cyber exercises and operational collaboration;
- Foster information sharing and improve situational awareness about threats for operators;
- Provide funding support to operators for technical measures against cyber attacks in their networks;
- Exchange good practices among national authorities about physical attacks on digital infrastructure;
- Extend physical stress testing of critical infrastructure to include digital infrastructure.
Given the criticality of the infrastructures and networks in scope of this report and in view of the fast-evolving threat landscape, and without prejudice to the Member States’ competences as regards national security, Member States, the Commission and ENISA are encouraged to implement these resilience-enhancing measures as soon as possible, based on the work that has already started on the implementation of some of the recommendations.
Background
On 9 March 2022, the informal Council meeting of Telecom Ministers organised in Nevers (France) resulted in a joint call to reinforce the EU’s cybersecurity capabilities. Point 4 of the call asks relevant national authorities, such as the Body of European Regulators for Electronic Communications (BEREC), ENISA, and the NIS Cooperation Group to make recommendations to EU Member States and the Commission based on a risk assessment in order to reinforce the resilience of the EU’s communications infrastructures and networks.
Find out more information about connectivity and cybersecurity, policies, Europe’s 5G strategy and funding opportunities related to backbone connectivity.