StrandConsult Analysis: European Commission second 5G Cybersecurity Toolbox report

by John Strand, StrandConsult (edited by Alan J Weissberger)

European Commissioner Thierry Breton presented the European Commission’s plan for banning High-Risk Suppliers like Huawei and ZTE from European telecommunications networks.  Here is the first portion:

The security of 5G networks is essential. They are critical infrastructures in their own right and for other sectors that depend on them, such as energy, transport, health and finance.

This is why, in January 2020, the EU unanimously adopted a toolbox on the security of 5G networks. The “5G cybersecurity toolbox” defined the risks and the measures to be taken by Member States and telecoms operators to address them.

In particular, it recommended that the use of equipment in the core and access (RAN) parts of the networks should be restricted or prohibited for entities considered to be “high-risk suppliers”, notably because they are subject to highly intrusive third-country laws on national intelligence and data security.

3 years on, almost all Member States have transposed the toolkit’s recommendations into their national law. In other words, they can now decide to restrict or exclude suppliers on the basis of security risk analysis. But to date, only 10 of them have used these prerogatives to restrict or exclude high-risk vendors.


The Commission also released a status report on “Member States’ Progress in implementing the EU Toolbox on 5G Cybersecurity.”

Breton’s message is that the member states must move more quickly to implement the 5G toolbox.


Here are Breton’s key points with Strand Consult’s assessment (SC):

  1. All EU member states are committed to implementing the EU’s 5G Toolbox. To date, 24 Member States have adopted or are preparing legislative measures giving national authorities the powers to perform an assessment of suppliers and issue restrictions.
    • SC: This means that all EU countries support the 5G Toolbox, the implementation of which will work to remove Huawei and ZTE from European networks.
  2. 10 Member States have imposed such restrictions, and an additional 3 Member States have relevant national legislation underway.
  3. The Commission considers that decisions adopted by Member States to restrict or exclude Huawei and ZTE from 5G networks are justified and compliant with the 5G Toolbox.
  4. The Commission will take measures to avoid conducting its official communications via mobile networks built with Huawei and ZTE equipment.
  5. The Commission also intends to reflect this decision in all relevant EU funding programs and instruments.
    • SC: The EU will further restrict grants, subsidies, and financing to European entities which use Huawei and ZTE equipment. This will have consequences for rural EU operators which receive EU money and recipients of European Investment Bank (EIB) loans.

Strand Consult is not surprised by today’s announcements. They are consistent with the security analyses and recommendations Strand Consult has published for years.

Some EU countries and operators will find it difficult to implement the EU’s new security and procurement policy. However, Strand Consult believes that it is good business for an operator to communicate that it takes security seriously and to back that up with a clean network free of Huawei and ZTE equipment.

Strand Consult predicts that Huawei will make the road ahead difficult and will attempt to sabotage the European Commission’s efforts. Nations and operators should prepare for pushback by reading Strand Consult’s reports on Huawei’s tactics. Moreover, non-Chinese employees will likely find that working for Huawei has reputational risks.

How foreign network equipment is treated in China.

The foundation of any economy, be it the EU, the US or China, is national security. Some may find the EU approach tough, but it pales in comparison to the blockade that China has imposed on foreign technology providers for years.

China restricts these technologies for ideological and economic reasons. Most people take for granted that the websites and media they access every day are not available in China. These foreign technologies and their operators have been denied access to the world’s single largest online market, hundreds of millions of internet users, and a multi-trillion-dollar opportunity. Moreover, the Chinese people are denied the freedom to engage on an open internet.

Building upon censorship frameworks in traditional media which had been in place for decades in China, its State Council adopted rules and regulations to control internet traffic beginning in 1996.

The media focuses mainly on US and EU network security and associated vendor policies. However, few if any investigate the rules in China.

A detailed review is available from White & Chase, February 2022. In general, China’s rules are significantly more rigid than those of the US and EU. These rules do not entail the same process and transparency which are standard and expected in the West.

The New Measures list the following main factors for assessing national security risk during cybersecurity review.

  • The risk of any critical information infrastructure being illegally controlled, tampered with or sabotaged after any product or service is used.
  • The risk of an interruption in the supply of any product or service endangering the continuity of any critical information infrastructure.
  • The security, openness, transparency, diversity of sources and reliability of any supply channel of any product or service, and the risk of its supply being interrupted due to political, diplomatic, trade or other factors.
  • The compliance of the provider of any product or service with the laws, administrative regulations, and departmental rules of China.
  • The risk of any core data, important data or a large amount of personal information being stolen, leaked, destroyed, illegally used, or illegally transferred abroad.
  • The risk of any critical information infrastructure, core data, important data, or a large amount of personal information being affected, controlled, or maliciously used by foreign governments, as well as any network information security risk.
  • Any other factor that may endanger the security of any critical information infrastructure, network security or data security.

The effect of these rules is to limit foreign providers from the market from the start and to favor Chinese providers.

While the media sensationalizes cases like Huawei and TikTok, these pale in comparison to the systematic restriction undertaken by China against foreign technology for the last 20 years. Moreover, Chinese technology companies enjoy more freedom abroad than foreign technologies do in China.


Technological and informational control and restriction are widely practiced across China. This fulfills many political, social, cultural, economic, and religious objectives for the PRC, and is practiced by the government, corporations, and individuals themselves. It has increased under General Secretary Xi. This censorship is coupled with pervasive surveillance of people. Meanwhile, the PRC has attempted to export this “new world media order.”

Strand Consult addresses China’s restrictions in its 2020 report You Are Not Welcome: An Analysis of Thousands Foreign Technology Companies Blocked by China Since 1996. It describes how and why China has systematically restricted thousands of foreign internet technologies like online news and media outlets, social media platforms, virtual private networks, content delivery networks, mobile applications, telecommunications equipment, cloud services, and other technologies.

With its new 2023 report The Market for 5G RAN in Europe: Share of Chinese and Non-Chinese Vendors in 31 European Countries, Strand Consult brings valuable evidence of the location, amount, and share of Chinese and non-Chinese equipment in European telecom networks. This report, the second of its kind, describes the respective amounts of 5G equipment from Huawei, ZTE, and non-Chinese vendors in European mobile networks and the share of such equipment in the 5G Radio Access Network (RAN).




3 thoughts on “StrandConsult Analysis: European Commission second 5G Cybersecurity Toolbox report”

  1. CCH Incorporated-EU Officials Seek Swifter Action on 5G Security:

    European Union nations need to move more quickly to implement 5G security measures recommended by the European Commission, including bans on the use of network components from suppliers deemed to be national security threats, according to a progress report published yesterday.

    A “toolbox” issued by the EC in 2020 urged EU member nations to implement a variety of measures to improve the security of 5G networks, including possibly banning the use of equipment from Huawei Technologies Co. Ltd. and ZTE Corp. in some parts of the 5G network (TR Daily, Jan. 29, 2020).

    Out of 27 EU nations, 24 “have adopted or are preparing legislative measures giving national authorities the powers to perform an assessment of suppliers and issue restrictions,” the EC said in a news release.

    But only 10 member states “have imposed such restrictions and 3 Member States are currently working on the implementation of the relevant national legislation,” the EC said. “Given the importance of the connectivity infrastructure for the digital economy and dependence of many critical services on 5G networks, Member States should achieve the implementation of the Toolbox without delay.”

    The slow pace of toolbox implementation “creates a clear risk of persisting dependency on high-risk suppliers in the internal market with potentially serious negative impacts on security for users and companies across the EU and the EU’s critical infrastructure,” according to the progress report.

    “A lack of swift actions by Member States regarding high-risk suppliers could also affect over time the EU consumers and companies’ trust in the internal market, and increase the risk of spill-over in case of cyber-attacks, especially where MNOs [mobile network operators] provide cross-border services and in case it affects critical 5G use cases or other sectors dependent on telecoms,” it says.

    The EC said “lack of action” by EU nations could force it to “look at further actions to enhance the resilience of the internal market, including exploring possible legislative avenues … without prejudice to existing legislation that has already implemented restrictions in line with and/or based on the EU Toolbox.”

    The EC said it had “applied the Toolbox criteria to assess the needs and vulnerabilities of its own corporate communications systems and those of the other European institutions, bodies and agencies.”

    “As part of its corporate cybersecurity policy, and in application of the 5G cybersecurity toolbox, the Commission will take measures to avoid exposure of its corporate communications to mobile networks using Huawei and ZTE as suppliers,” it said.

    “It will take relevant security measures so as not to procure new connectivity services that rely on equipment from those suppliers, and will work with Member States and telecom operators to make sure that those suppliers are progressively phased out from existing connectivity services of the Commission sites,” it said.

    “We need further urgent actions under the EU toolbox, in particular to adopt the necessary restrictions for high-risk suppliers, in order to ensure the security of the Union’s critical infrastructure,” EC Executive Vice President Margrethe Vestager said. “While some Member States have made progress today’s report shows that we are not yet where we need to be.”

    Policy-makers worldwide view the use of equipment from Huawei and ZTE as a security threat based on assessments that Chinese authorities could use the presence of such equipment in critical networks for surveillance or disruption of critical infrastructure. But a Huawei spokesperson today told TR Daily that the focus on Huawei equipment as a security threat was misplaced and discriminatory.

    “Huawei understands the European Commission’s concern to protect cybersecurity within the EU. However, restrictions or exclusions based on discriminatory judgments will pose serious economic and social risks. It would hamper innovation and distort the EU market. An Oxford Economics report states that excluding Huawei could increase 5G investment costs by up to tens of billions of euros, and it will have to be paid by European consumers,” the spokesperson said.

    “Publicly singling out an individual entity as ‘HRV’ (High Risk Vendor) without legal basis is against principles of free trade,” the spokesperson added. “It is of paramount importance to emphasize that the discriminatory ‘HRV’ assessment shall not be applied to any vendor without justified procedure and adequate hearing. As an economic operator in the EU, Huawei holds procedural and substantial rights and should be protected under the EU and Member States’ laws as well as their international commitments.” —Tom Leithauser

  2. EU Commissioner Thierry Breton wrote in a statement that his office is now officially backing those member states that have moved to remove “high-risk suppliers” from their telecommunication networks. That backing is through “a communication confirming that the decisions taken by certain member states to restrict or exclude completely Huawei and ZTE from their 5G networks are justified and in line with the toolbox.”

    That “toolbox” was introduced by the EU in early 2020. The extensive document explained that member states agreed to “strengthen security requirements, to assess the risk profiles of suppliers, to apply relevant restrictions for suppliers considered to be high risk including necessary exclusions for key assets considered as critical and sensitive — such as the core network functions — and to have strategies in place to ensure the diversification of vendors.”

    However, it stopped short of directing member states to take specific measures to prevent high-risk vendors from participating in 5G build-outs. This was left to member states to decide.

    Breton in his most recent statement said that only 10 of the 27 EU member states have officially moved to restrict or exclude high-risk vendors.
    “This is too slow, and it poses a major security risk and exposes the union’s collective security, since it creates a major dependency for the EU and serious vulnerabilities,” he wrote.

    The EU Commission has now produced a second report for its 5G security toolbox that furthers its efforts. Breton also said the EU Commission would continue to work with member states that have not officially adopted the toolbox, and that the commission itself will implement the toolbox for its own procurement of telecoms services “to avoid exposure to Huawei and ZTE” and take into account the adoption of the toolbox when allocating EU funding.

    “We have been able to reduce or eliminate our dependencies in other sectors such as energy in record time, when many thought it was impossible. The situation with 5G should be no different: we can’t afford to maintain critical dependencies that could become a ‘weapon’ against our interests,” Breton wrote. “That would be too critical a vulnerability and too serious a risk to our common security. I therefore call on all EU member states and telecom operators to take the necessary measures without further delay.”

  3. This will likely accelerate the exodus of corporate customers from European network operators which don’t want to conduct their business on Chinese networks.
