5G security in the EU: time for tougher measures

Reposted from The Brussels Times, originally issued on April 9, 2025

Five years into the 5G rollout, Europe is grappling with a stark reality: the very networks designed to propel its digital future are riddled with security gaps that could leave millions of consumers exposed. While some Europeans explore digital sovereignty ideas for the digital services sector, the EU is clearly not doing enough to avoid dependence in another area - namely, telecommunications dependence, which can be particularly difficult to reverse in the future.

The transition to 5G was supposed to revolutionize connectivity, enabling faster speeds, reduced latency, and seamless integration with everything from smart cities to autonomous vehicles.

However, as with any transformative technology, it has introduced new vulnerabilities. Unlike previous generations, 5G networks are more software-driven, decentralized, and cloud-dependent, making them a prime target for cyber threats.

In response, the European Union (EU) introduced the 5G Security Toolbox in 2020 - an initiative to mitigate risks and ensure network security.

Yet, four years later, the EU Member States’ approach remains fragmented, with inconsistent implementation, economic dependencies on high-risk vendors, and a lack of binding regulations. The consumer, who is ultimately the most affected, remains an afterthought in this security equation.

With a recent call by 35 Members of the European Parliament to make the 5G security toolbox legally binding and the failure of voluntary measures plain to see, the question is whether this will finally be enough for the Commission to act accordingly to protect Europe’s critical infrastructure.

The 5G security toolbox: a good start, but not enough

When the EU released the 5G security toolbox in January 2020, it was a step in the right direction. The framework addressed growing cybersecurity concerns, particularly the risks posed by high-risk vendors such as Huawei and ZTE. It introduced guidelines for assessing supplier risks, securing supply chains, and diversifying vendor reliance. However, these guidelines were just that - recommendations - rather than enforceable laws.

Fast forward to 2025, and the results are mixed. While most EU Member States have taken steps to enhance 5G security, the implementation remains fragmented. For instance, Germany has committed to phasing out Huawei and ZTE components by 2029, acknowledging the long-term risks of supplier dependency. Meanwhile, Ireland has adopted the toolbox’s risk assessment framework but still allows high-risk vendors to operate within its network. This patchwork approach creates a security gap, leaving some consumers more vulnerable than others.

Further contradictions highlight the inconsistencies. Estonia has empowered its government to scrutinize network hardware and software, requiring authorization, while Ireland maintains a more lenient stance on high-risk vendors. France has classified key network assets as sensitive and subject to strict controls, yet other countries lack similar safeguards. Finland mandates that critical systems be locally controllable in emergencies, whereas many EU nations still rely on foreign-managed services. Despite efforts to promote diversity, supplier dependency remains an issue, and without a unified approach, security risks persist.

Why is the 5G security toolbox falling short?

The main flaw of the 5G security toolbox is its optional adoption by the Member States. While some act swiftly, others hesitate due to economic and political concerns. This leads to inconsistent security across the EU and leaves some consumers more exposed to cyber threats.

Another issue is that economic dependencies trump security concerns. Huawei, a leading provider, offers advanced yet affordable technology. Replacing these vendors entails high costs, service disruptions, and political fallout, making some EU nations reluctant to sever ties due to existing contracts and transition expenses.

Lastly, the security threats are not perceived uniformly across the EU. While some countries, like Germany, recognize the risks associated with foreign-controlled 5G infrastructure, others prioritize economic factors over potential vulnerabilities. This divergence in risk assessment has led to delayed or diluted enforcement of security measures, ultimately undermining the purpose of the 5G Security Toolbox.

The consumer’s perspective: a neglected priority

While the EU’s 5G security discussions focus heavily on geopolitics and vendor restrictions, consumer protection remains a secondary concern. Yet, ordinary users stand to lose the most in the event of cyberattacks, surveillance, or data breaches.

First, consumers are exposed to data privacy risks. The widespread adoption of 5G increases the amount of personal data being transmitted and stored. A breach in network security could expose millions of consumers to identity theft, financial fraud, and unauthorized surveillance.

Second, lack of awareness. Unlike corporate entities that receive cybersecurity briefings and updates, most consumers remain unaware of the risks associated with 5G networks. There has been no large-scale EU initiative to educate the public on how 5G security (or the lack of it) affects their personal data.

Third, weak consumer protection laws for 5G. The EU has stringent data protection laws like GDPR, yet there are no equivalent consumer protection measures in the event of a 5G security failure. If a network is compromised due to poor security policies, where does that leave the individual consumer?

What needs to change?

It’s time for the EU to move beyond fragmented efforts and enforce a comprehensive, consumer-first security strategy. Until then, European users remain at the mercy of geopolitical interests, corporate hesitations, and policy indecision—an unacceptable reality in an increasingly digital world.

A more aggressive and binding approach is needed to secure the EU’s 5G infrastructure and protect consumers.

The EU must shift from voluntary guidelines to legally binding regulations. A uniform security standard across all Member States would prevent patchwork enforcement and strengthen the region’s security. Some argue that the Commission might want to introduce similar measures in the upcoming Digital Networks Act - which would be a correct move towards increased security for Europe.