
Cybersecurity of 5G Networks. EU Toolbox of Risk Mitigating Measures – Practical Consequences of the Approach Taken


Paweł Gruszecki

This analysis examines how, from a legal perspective, strategic issues have been addressed in the document entitled Cybersecurity of 5G networks. EU Toolbox of risk mitigating measures (ETRM), which was adopted and published by the NIS Cooperation Group (NCG) in January 2020. In the context of this publication, strategic issues should be understood as risks of this nature as well as measures to mitigate them. The analysis of the above document in this respect is necessary for four reasons.

First, it helps assess the scope of permitted actions in the selection and application of the strategic mitigation measures identified in the ETRM (see points 2.1. – 2.3. below), which EU Member States will take when managing two strategic risk scenarios (i.e. state interference through 5G supply chain and dependency on any single supplier within individual networks or lack of diversity on a nation-wide basis), which are also referred to in the ETRM. Second, the need to present this issue also results from the fact that during the public discussion on a number of decisions of individual EU Member States regarding the management of these strategic risk scenarios there has been no mention that these decisions had their source precisely in the ETRM. Third, it is very rarely emphasised that the adoption of the ETRM document, and thus each risk management–related decision it contains, was preceded by the adoption of a number of political but also analytical EU documents and statements including:

  • support expressed by the European Council on 22 March 2019 for a common approach to the security of 5G networks,
  • the European Commission’s Recommendation on the cybersecurity of 5G networks published on 26 March 2019,
  • the NCG’s report on the EU Coordinated Risk Assessment on Cybersecurity in 5G Networks from 9 October 2019, and
  • the European Council Conclusions of 3 December 2019.

Consequently, particular attention should be paid to the fact that the provisions of the ETRM were adopted with the political support of such EU bodies as the European Council, which defines the European Union’s overall political direction and priorities and comprises the heads of state or government of the EU Member States. This means that all actions currently taken by individual Member States to manage the strategic risk scenarios described above are very often only a consequence of the findings made jointly – within the EU – in the ETRM. Fourth, the analysis in this area also aims to show that the vast majority of EU Member States’ actions that are currently being taken do not apply to risk scenarios of a technical nature, but a strategic one. For this reason, the arguments of a technical nature presented by suppliers cannot be the only ones raised (e.g. arguments regarding the cybersecurity of certain products will not solve the problem of their producer’s dependence on the government of a given country). Fifth and finally, the purpose of this analysis is also to indicate the difficulties that individual EU Member States may encounter while implementing the ETRM provisions and the weakness of some proposals resulting from the ETRM.


NIS Cooperation Group

In order to analyse the ETRM in this respect, the first thing to do is to explain the nature of the activities of the strategic cooperation group that adopted the above document, i.e. the NIS Cooperation Group. The NCG was established on the basis of art. 11 paragraph 1 of the NIS Directive (Directive (EU) 2016/1148) in order to:

  • support and facilitate strategic cooperation and the exchange of information among EU Member States,
  • develop trust and confidence, and
  • achieve a high common level of security of network and information systems in the EU.

Moreover, the NCG works according to the EC Implementing Decision of 1 February 2017 and follows its own rules of procedure. According to these two documents, the decisions of the Group shall be taken by consensus, unless otherwise provided for in the EC Implementing Decision of 1 February 2017. Importantly, the NCG is composed of representatives of the EU Member States, the European Commission (EC) and the EU Agency for Cybersecurity (ENISA). The NCG’s tasks have been precisely indicated in art. 11 paragraph 3 of the NIS Directive, among them “exchanging best practice between Member States and, in collaboration with ENISA, assisting Member States in building capacity to ensure the security of network and information systems” (Article 11, paragraph 3(c) of the NIS Directive). The NCG has published over eight working documents such as: Reference document on security measures for Operators of Essential Services (CG Publication 01/2018); Reference document on Incident Notification for Operators of Essential Services (CG Publication 02/2018); EU coordinated risk assessment of the cybersecurity of 5G networks (Report, 9 October 2019) and CG Publication 02/2020 – Report on Member States’ progress in implementing the EU Toolbox on 5G Cybersecurity.

The full article is available in The European Cybersecurity Journal (ECJ).
