EU auditors raise the alarm about delays and security risks in the rollout of 5G networks

EU auditors raise the alarm about delays and security risks in the rollout of 5G networks
Credit: ECA

The majority EU member states are not on track with the deployment of their 5G networks and lack a common approach to security concerns linked to high-risk non-EU vendors, according to a special audit report published last week by the European Court of Auditors (ECA).

The fifth generation of mobile and wireless telecommunication systems (‘5G’) offers ultra-highspeed connection supporting not only individual users but also a high number of connected devices, known as the “internet of things”. In this way, it marks a revolutionary advance on the former standards, 3G and 4G.

A European Commission study estimates that benefits of €113 billion a year will arise from the introduction of 5G capabilities across four key strategic industries – automotive, health, transport and energy. It also indicates that 5G investments are likely to create 2.3 million jobs in the member states. Up to €400 billion will be spent in the EU by 2025 in the EU on developing 5G networks.

Summarising the findings of the audit at a press conference (24 January), Annemie Turtelboom, the Belgian ECA member leading the audit, said that, “With many Member States lagging behind, the EU is still far from reaping the benefits 5G offer.“

“Moreover, Member States’ approaches towards 5G security, and in particular the need for concerted action, remains an issue of strategic importance for the EU’s technological sovereignty and the single market.”

In its 2016 Action Plan, the European Commission set a deadline of 2025 for 5G to be rolled out across all urban areas and all major transport routes. In March last year, it set a further target of achieving EU-wide 5G coverage by 2030. However, the auditors observe that only half of the member states have included those objectives in their national 5G strategies.

The Commission has supported member states in reaching these goals through different initiatives, guidance and funding. But it has never clearly defined the expected quality of 5G services. This could lead to inequalities in access to and the quality of 5G services across the EU, further widening the “digital divide”, the auditors underline.

All member states except Cyprus, Lithuania, Malta and Portugal met the 2020 intermediary objective of having at least one major city with 5G access. But many EU countries are not on track with the deployment of their 5G networks.

The Commission considers that for 16 EU countries, the likelihood of achieving the 2025 goal is at best medium (Austria, the Czech Republic, Estonia, Germany, Ireland, Lithuania, Malta, the Netherlands, Poland, Portugal and Slovenia), and at worst low (Belgium, Bulgaria, Croatia, Cyprus and Greece).

The 5G rollout goes hand in hand with security issues. Six of the eight largest vendors are not based in the EU. Legislation in non-EU countries can differ considerably from EU standards, for example in terms of personal data protection. The auditors expressed concern that EU users may be subject to foreign laws when control centres are located outside the EU.

“We know that EU standards are higher,” ECA Turtelboom said. These standards also depend on the overall rule of law situation in the country.

The Commission adopted the so-called EU toolbox on 5G cybersecurity in January 2020. Nevertheless, the toolbox was too little and came too late for a number of mobile network operators which had already selected their vendors, according to the auditors.

The auditors also found that in practice, as measures contained in the toolbox have no binding effect, member states apply divergent approaches regarding the use of equipment from specific vendors or the scope of restrictions on high-risk vendors.

The scope the audit was limited to quality and security issues in the roll-out of 5G and did not include its effect on different sectors of the economy or the costs of the delays in the rollout. All recommendations in the report were accepted by the European Commission.

How sure can we be that European vendors are bound to or will comply with EU standards?

“Vendors based in the EU are bound to comply with the EU standards and legal requirements,” ECA member Turtelboom underlined. “In addition, there are checks and balances in place for this, such as the respect for the rule of law and the judicial independence, which are at the heart of the EU framework.”

Can a member state rollout 5G if its neighbours have not yet done it or if they have selected another vendor (non-European)?

“Indeed, this is the case,” she replied. “Nevertheless, people living in territories not covered by 5G risk not benefitting from the digital transformation.”

“So far, the European Commission has not assessed what the impact of divergent approaches on 5G security would be, where one member state builds its 5G networks using equipment from a vendor considered to be high-risk in another member state. This could impact either cross-border security or competition between mobile network operators operating in the EU single market.”

A European Commission spokesperson told The Brussels Times that it has taken note of the audit and been in contact with ECA throughout the process but declined to address the issue of competition when selecting a vendor. The Commission is going to revise its regulatory toolbox to facilitate the roll-out.

“The report identifies delays in 5G deployment,” the spokesperson commented and recalled that the deployment is a member state competency.  “The report supports our view that efforts for 5G rollout should be stepped up. While 5G coverage increased from 14% of the population in 2020 to more than 20% in 2021, even exceeding 50% in several Member States, this is far from optimal.”

As regard the security of 5G networks, the Commission replied that, “Since January 2020, the overwhelming majority of member states put in place the risk mitigating measures of the EU Toolbox. Based on that, most member states have managed to protect the most sensitive parts of the networks from high-risk suppliers.”

Moreover, the ambitions for the Digital Decade have grown, according to the Commission. By the end of the decade, EU needs fixed high-speed connectivity everywhere in Europe and 5G coverage of all populated areas.

The Brussels Times

Copyright © 2024 The Brussels Times. All Rights Reserved.