EU auditors slam fragmented, sluggish 5G rollout
The EU deadline for the deployment of 5G networks by 2025 is very likely to be missed, EU auditors said on Monday (24 January), warning that the EU still has a fragmented approach to the use of equipment from vendors considered to be "high-risk".
In 2016, EU states committed to having uninterrupted 5G coverage across all urban areas and all major transport routes by 2025. But only 11 member states are on track to achieve this target.
Join EUobserver today
Get the EU news that really matters
Instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
While the EU Commission has been supporting member states in reaching the goal, the auditors said inequalities in the access and quality of EU services could increase the 'digital divide' in the EU and affect economic developments in sectors like health care or education.
Self-driving cars or industrial robotics, for example, will benefit significantly from the speed and bandwidth provided by the next generation of wireless technology.
But 5G also creates new and potentially greater security risks, due to the increasing number of connected devices.
In the report, EU auditors argued that the limited number of vendors able to build and operate 5G infrastructure increases EU dependency on third countries as well as privacy and security risks associated with interference by "hostile state actors."
The EU adopted in early 2020 a toolbox on 5G cybersecurity to use common criteria for the risk profile of suppliers, aiming to mitigate potential cybersecurity threats.
However, several mobile network operators had already selected their vendors before the toolbox was adapted. And national authorities from several member states have raised concerns about the lack of clarity surrounding the classification of high-risk vendors.
These factors, plus the lack of legally-binding measures under the toolbox, has resulted in different approaches across member states to the use of equipment from specific vendors or the scope of restrictions on high-risk vendors.
The year-long audit revealed, for example, that three projects supported with EU funds in Spain were using Chinese 5G equipment, which was banned in Sweden.
"Member states' approaches towards 5G security, and in particular the need for concerted action, remains an issue of strategic importance for the EU's technological sovereignty and the single market," said Annemie Turtelboom, a member of the audit team responsible for the report.
The EU Commission did not assess the risks that emerge when a member state builds its 5G networks using equipment from a vendor considered to be high-risk in another country.
'Knock-on' risks not considered
However, according to the auditors, this lack of coordination could trigger cross-border security risk and even impact the functioning of the EU internal market.
As 5G networks are predominantly software-run, the auditors also warned that EU users could be potentially subject to foreign laws when software control centres are located in third countries, and, subsequently, to lower standards of data protection or judicial independence.
They also noted that EU member states could face significant costs if they exclude high-risk vendors from their networks without any transitional period, adding that the EU has not clarified whether compensating for these costs could be considered state aid, and in line with competition rules.