ProtectEU internal security strategy: will proposals for 5G security be prioritised?
The EU has no shortage of security rules - but enforcement remains the real challenge. The European Commission's internal security plan, ProtectEU, aims to unify and strengthen Europe’s security approach, particularly around supply chains, including ICT and 5G.
Two weeks ago, the European Commission unveiled ProtectEU - European Internal Security Strategy, labelling it a complementary plan to Preparedness Union to better tackle the EU's security issues. Addressing the patchwork of national rules that continue to leave the region vulnerable - particularly in telecom and other critical infrastructure - is also one of the goals, at least between the lines:
Second, security considerations need to be integrated and mainstreamed across all EU legislation, policies and programmes, including EU external action. Legislation, policies, and programmes will need to be prepared, reviewed and implemented with a security perspective in mind, making sure that the necessary security considerations are addressed so as to promote a coherent and comprehensive approach to security.
Protect EU promises to tackle everything from 5G and cloud computing to AI and quantum tech - all spiced with a strong dose of digital sovereignty. One of its central aims is to streamline crisis responses - a longstanding gap in the EU’s approach, despite repeated alerts on state-sponsored hacking. Debates around GPS jamming incidents make it clear how vulnerable the bloc remains if countries don’t share information or follow consistent protocols.
Limitations of 5G security toolbox addressed
Most importantly for 5G-related matters, the ProtectEU addresses the limitations of the 5G security toolbox and gives a modest nod toward updating the Cybersecurity Act and improving the European Cybersecurity Certification Framework to address these gaps.
“The 5G Cybersecurity Toolbox provides the relevant framework to protect 5G networks, but is currently insufficiently implemented by Member States. Unacceptable security risks remain, specifically regarding the substitution of high-risk providers. A harmonised approach to the security of the ICT supply chain can address the current fragmentation of the internal market caused by different approaches at a national level, avoid critical dependencies and de-risk our ICT supply chains from high-risk suppliers, in this way securing our critical infrastructure.”
In line with this approach, in the upcoming revision of the Cybersecurity Act, the Commission will look more broadly at the security and resilience of ICT supply chains and infrastructure. In addition, the Commission will propose to improve the European Cybersecurity Certification Framework, to ensure that future certification schemes can be adopted promptly and respond to policy needs.”
Will the proposal take off?
Still, there’s a real possibility that ProtectEU’s proposals for 5G security could remain broad ideas that never gain traction. With updates to the Cybersecurity Certification Framework and the Cybersecurity Act involving numerous complexities and competing priorities, 5G security risks getting lost in the debate and not receiving the focused attention it needs.
That being said, the rationale behind ProtectEU’s proposals for ICT supply chain security is hard to dismiss. As we've written before, 5G security in particular needs a serious update to prevent patchwork enforcement and to strengthen the EU’s overall resilience - across infrastructure, consumers, and Member States alike.
