5G rollout in Europe: what lies ahead?

The development and roll-out of the fifth-generation mobile communications system (5G) in Europe raises a number of issues for regulators, including costs and security concerns. We explain the measures the European Commission is putting forward to provide a regulatory framework for 5G to address these issues.

Below we provide an overview some of the main issues on 5G rollout in Europe and the EU’s approach to them.

The issues

Security: A European Commission and European Agency for Cybersecurity report, ‘EU coordinated risk assessment on cybersecurity in 5G networks’, warns that relying on a single supplier for software and services in 5G networks may lead “to vulnerabilities deriving from the risk profile of the suppliers”. Recently, the Belgium National Security Council imposed restrictions on “high-risk” 5G equipment. This has caused difficulties for telecom operators that have already procured parts for their 5G network, as they have now five years to bring the networks in line with the new rules. Equally, Sweden has amended its Electronic Communications Act so the use of radio transmitters is approved only if radio usage will not harm national security. France has also passed a law whereby authorisation from the Prime Minister is required for the roll-out and operating of sensitive 5G equipment.

Costs: 5G rollout is expected to cost at least three times as much as the deployment of previous mobile technologies. China estimates that 5G will be at least a ten-year programme to become fully working and completely rolled out nationally. A European Parliament study claims there is a campaign by the telecoms supply industry to convince governments that 5G deployment will bring significant benefits to the economy, by framing it as a race between countries to develop the 5G infrastructure. Given the limited capacity for investments by mobile network operators that are still recovering their investments from 3G and 4G rollouts, governments are being asked to stimulate and support financially the 5G rollout. At EU level, however, only 700 million euros have been granted through the Horizon 2020 Programme to accelerate research and innovation in 5G technologies. The Commission has highlighted though, that foreign investments in critical technologies and infrastructure in the EU may lead to heightened risk level for the EU’s security.

The regulatory framework for 5G

The EU’s competence for 5G rollout is comprised within different types of acts and institutional powers. Telecom operators are subject to the supervisory system outlined in the EU Telecommunications Framework, which also verifies the implementation of security policies. Based on the current framework, the majority of the EU Member States have introduced basic security obligations. In addition, the European Electronic Communications Code Directive empowers the Commission to adopt several implementing acts for technical norms, which are immediately enforceable in all Member States simultaneously. Recently, the Commission adopted the Implementing Regulation on small-area wireless access points, specifying the physical and technical characteristics of small cells for 5G networks, which implicitly addresses some of the concerns around radiation exposure resulting from 5G.

Building on the this baseline, the EU toolbox for Cybersecurity of 5G networks, released in January 2020 recommended additional security measures to address the risks such as “interference from non-EU state or state-backed actors through the 5G supply chain”. Currently, fourteen Member States are implementing restrictions for “high-risk” suppliers. Italy, for instance, has introduced provisions so that the Government can veto the contract or impose security measures when use of equipment or services for deploying 5G is sourced from extra-EU suppliers. However, it is worth noting that across the EU, only a few Member States also declare they have in place a framework for determining the risk profile of suppliers.

As a follow up on the Toolbox, the Commission issued a (legally non-binding) Recommendation on Cybersecurity of 5G networks to ensure a high level of common cybersecurity for 5G networks across the EU. It seeks to ensure sovereignty when it comes to foreign investment in 5G networks, and diversity of suppliers.

The Commission is also urging Member States to introduce reinforced obligations on suppliers and operators to ensure the security of sensitive parts of the networks as well as obligations to have specific information technology components and systems tested in advance for security and integrity purposes. Most of the Member States have already introduced and communicated plans to introduce a legal basis to impose restrictions or to prohibit the supply, deployment, and operation of 5G network equipment.

Although at EU level 5G deployment is strongly supported and encouraged, the Commission is clear on what risks should be addressed and how Member States should approach them. The telecom industry should pay careful consideration to both national and EU level developments, given that further legislative measures are expected as part of the Member States’ implementation of the Toolbox. Measures for mitigating the identified risks may entail a number of regulatory uncertainties for telecoms and increased compliance requirements.