In September 2019, the European Union (EU) came up with a set of guidelines¹ for the introduction of 5G communication technologies in the member countries. The guidelines are considered essential for security of 5G networks. Cyber security is key for ensuring the “strategic autonomy” of the Union, say the newly launched 5G guidelines.

The EU recognizes that 5G is essential for its members to remain competitive globally. An EU parliament resolution of 12 March 2019 states, “the 5G network will be the backbone of our digital infrastructure, extending the possibility to connect various devices to networks (internet of things, etc.), and will bring new benefits and opportunities to society and businesses in many areas, including critical sectors of the economy such as the transport, energy, health, finance, telecoms, defence, space and security sectors.” ² According to the EU assessment, worldwide 5G revenues should reach the equivalent of €225 billion in 2025 and the introduction of 5G in automotive, health, transport and energy sectors may reach €114 billion per year. ³

But security of the 5G networks is equally important. It is recognized that without adequate security, the economy and society will be seriously impacted. The threat from rising Chinese technological presence is explicitly acknowledged in the resolution. The European Parliament resolution of 12 March 2019 ‘on security threats connected with the rising Chinese technological presence in the EU and possible action on the EU level to reduce them’⁴ provides for regular screening of the foreign investment in EU networks to strengthen cyber security. Member states will “actively engage with all other involved stakeholders in the development of dedicated EU-wide certification schemes related to 5G.” Further, the new 5G guidelines stipulate that “EU Member States have the right to exclude companies from their markets for national security reasons, if they do not comply with the country's standards and legal framework.”⁵

This is the heart of the 5G guidelines. The EU recognizes that China has the ambition of becoming a global power and that “In Europe that the balance of challenges and opportunities presented by China has shifted”. This will require a review of EU’s China policy. More importantly, EU must “strengthen its own domestic policies and industrial base” to deal with China effectively.
The EU has been struggling with to come out with a strategy to engage with China, seeking a “more balanced and reciprocal conditions governing the economic relationship.” In 2017, EU had exported EUR 217 billion and imported EUR 332 billion from China. The relationship is growing rapidly as China makes deep inroads into the EU. Breaking ranks with other counties, sixteen (now seventeen) EU members have launched their own format of engagement with China called, ‘16+1’. The EU parliament resolution takes note of this and urges these countries to remain consistent with EU laws, rules and regulations while dealing with China. Concerned that China’s growing influence in the EU may fracture the EU solidarity, it urges them to maintain “full unity” within the EU while dealing with China. There is a fear that some of the European countries may opt for Chinese 5G products and services without adequate security scrutiny. The EU wide certification under the 5G guidelines will help bring uniformity in EU 5G policies.

Last year the EU adopted a common Cyber Security Act and Telecommunication Rules applicable throughout the EU. An EU-wide certification schemes for cyber security products, services is being launched to ensure cyber security. Under the telecom rules, the operators will have to do proper risk assessment of networks and services, and take “technical and organisational measures to appropriately manage the risks”. In 2018, after years of tough negotiations the EU parliament approved a EU wide Cyber Security Act which, inter alia, creates a framework for European Cyber Security Certificates for products, processes and services that will be valid throughout the EU. Thus cyber security measures would be harmonized across the EU. The Cyber Security Act also enhances the mandate and resources of the EU Agency for cyber security, also known as the European Union Agency for Network and Information and Security (ENISA). The Cyber Security Agency will support the Member States in dealing with cyber threats and attacks.

There is lot of uncertainty in India’s 5G policy. India needs to get into the 5G but must ensure that the security of its networks is not compromised by Chinese products and services. There are many unresolved issues with respect to the introduction of 5G and Internet of Things in the country. The government’s Task Force on 5G which gave its report in August 2018 did not pay attention to the security issues. This was unfortunate.

India needs to study how other countries are dealing with the issue. The certification scheme launched in the EU can be adopted in India. India, like the EU, should also reserve the right to exclude any company from its telecom market f it does not comply with the cyber security standards. India needs to develop its own cyber security standards and certification guidelines to ensure that 5G is introduced in a well thought out manner. India should also consider setting up a cyber security agency which would ensure compliance with standards and certificates while providing capacity building support to the industry as well as users.

End notes

1. https://europa.eu/rapid/press-release_IP-19-1832_en.htm
2. http://www.europarl.europa.eu/doceo/document/TA-8-2019-0156_EN.html?redirect
3. https://europa.eu/rapid/press-release_IP-19-1832_en.htm
4. Resolution number (2019/2575(RSP).
5. https://europa.eu/rapid/press-release_IP-19-1832_en.htm