EN
UA

Regulating Cybersecurity Issues in the 5G Sector

version for discussion during the presentation
By Stanislav Yukhymenko, Research Fellow at the IER

Introduction

The issue of the fifth-generation internet (5G), its capabilities, and potential threats began to be discussed even before the commercial implementation of the technology. The significant increase in speed and data transmission volumes allows for a qualitative change in the functionality of internet usage.

The volumes of information transmission through 5G enable real-time control of transportation, more detailed weather condition studies, coordination of thousands of AI-driven vehicles, and much more.

At the same time, such an expansion of the internet’s functionality significantly increases the dependence of various economic sectors on its operation. This is particularly true for enterprises of critical infrastructure.

The implementation of 5G for the operation of large enterprises enhances the requirements for cybersecurity, as it is necessary to process and verify a larger amount of information at a higher speed.

The issue of harmonizing Ukraine’s legislation with the EU standards in the field of cybersecurity of 5G networks is important because EU cybersecurity norms start not from the moment of providing the 5G service, but from the beginning of forming plans for building infrastructure for its provision. If we start implementing 5G, using the equipment which will not meet EU safety standards and will be considered a threat to national security, we risk significantly slowing down our integration into the digital space of the EU.

Regulation of 5G Cybersecurity in the EU

For the EU, this issue arose quite some time ago, at the moment of launching the first test models of 5G networks.

One of the first normative documents focusing on the development of the 5G Internet in the EU was the 5G Action Plan[1], adopted by the European Commission in 2016.

Subsequently, the main risks associated with the mass use of 5G were explored. In 2019, the Commission Recommendation on Cybersecurity of 5G Networks was published, highlighting the risks of a large-scale system failure. Additionally, due to the significant interconnection of internet spaces across different EU countries, the document points out the risk that cybersecurity issues in one EU country could have a substantial negative impact on other union countries. To overcome these risks, it is suggested to conduct national assessments of the risks from equipment and software suppliers from third countries, taking into account the peculiarities of their legislation. For further development of cybersecurity in the EU, it is proposed to develop a coordinated risk assessment at the EU level.

After considering the recommendations of the European Commission, the EU toolbox on 5G cybersecurity was developed – a set of tools that can be applied by EU member states to mitigate or eliminate risks caused by 5G[2].

The set of measures includes a combination of strategic and technical measures. Strategic measures involve strengthening the role of governments in supervising the security of 5G, controlling the use of components and equipment from third-party risky suppliers, diversifying equipment suppliers, and localizing equipment production to ensure cybersecurity within the EU. The EU toolbox on 5G cybersecurity recommends EU members assess the risks of suppliers based on: the likelihood of interference in the supplier’s operations by a non-EU country, for instance, due to a strong connection between the supplier and the government of a non-EU country, or because of the legislation of a non-EU country.

Technical measures include network security, standardization of equipment and software, considering risks when supplying equipment from third countries, cooperation with other EU countries, and using national budgets and EU funds to support the development of the 5G network within the EU.

In addition to the EU toolbox on 5G cybersecurity, from January 16, 2023, the European Union Directive on Network and Information Security (NIS2)[3] came into effect. The main task of the new regulation was to increase control over the risks of large companies in various sectors of the economy. Whereas the directive previously primarily concerned technological IT companies, from January 2023, it covers critical sectors of the economy (transport, energy, banking, healthcare, and others).

Challenges in Implementing the EU Toolbox on 5G Cybersecurity in EU Countries

Although cybersecurity issues in various EU countries are generally regulated by the EU Toolbox on 5G Cybersecurity, the degree of progress in its implementation varies among EU countries. The extent to which strategic and technical goals have been achieved and risks overcome by different EU countries is described in more detail in the Second Report on the Implementation of the EU Toolbox on 5G Cybersecurity[4]. This toolbox is still in the implementation stage.

One of the most challenging aspects of implementing the EU Toolbox on 5G Cybersecurity is ensuring the security of 5G network equipment. In the European Union, Chinese companies like Huawei and ZTE were among the first to supply equipment for 5G networks.

During the adoption of the EU toolbox on 5G cybersecurity, EU countries concluded that ensuring the cybersecurity of the EU’s cyberspace requires assessing 5G equipment suppliers, identifying which ones are risky, and limiting the supply of equipment from such risky suppliers.

As a significant portion of the 5G infrastructure in the EU was already built using equipment from Chinese companies, which were deemed high-risk, many EU countries must now transition to other suppliers.

For example, as of December 2022, 59% of 5G equipment in Germany was Chinese-made. The German government plans to reduce this share to 25% by the end of 2026, but representatives of German telecommunications companies call the deadline unrealistic[5]. The question arises as to who will bear the costs of this re-equipment: there is an example of the USA, where the state assumed additional re-equipment costs, but German officials indicate that the law does not require the German government to compensate operators.

Sweden in 2020 prohibited operators from using 5G equipment. By January 2025, operators have to gradually replace Huawei and ZTE equipment[6]. Huawei filed a lawsuit demanding the cancellation of the ban on using its equipment for the development of the 5G network in Sweden, but the courts left the regulator’s decision unchanged.

Portugal also effectively bans the supply of Chinese 5G equipment without directly stating it: in Portugal, the supply of equipment for 5G networks from countries that are not part of the EU or NATO is prohibited.[8] Huawei reported that it would sue the Portuguese regulator for violating the company’s rights regarding compensation.

5G Cybersecurity in Ukraine

In Ukraine, the main document currently regulating the field of cybersecurity is the Law of Ukraine “On the Basic Principles of Cybersecurity of Ukraine[9]. It describes the basics of protecting the vital interests of citizens and the national interests of Ukraine in cyberspace, the main goals, directions, and principles of state policy in the field of cybersecurity, the powers of state bodies, enterprises, institutions, organizations, entities, and citizens in cybersecurity.

Also, the Cybersecurity Strategy of Ukraine[10] and the Plan for the Implementation of the Cybersecurity Strategy of Ukraine[11] have been approved in Ukraine.

Ukraine is in the process of preparing for the second reading of bill 8087[12], which is intended to implement the requirements of the EU Directive on Network and Information Security (NIS2 Directive) into Ukrainian legislation. It is worth noting that some experts believe[13] that this bill gives excessive powers to the State Special Communications Service, as the law does not clearly define the grounds and situations for involving employees of the national cybersecurity system.

The issue of mobile internet is regulated by the Law of Ukraine on Electronic Communications. So far, it only mentions the third and fourth generation of mobile communication services.

To implement the fifth-generation mobile internet, it is necessary to free up radio frequencies used in the 5G network (currently used by television, but it can also operate in lower frequency bands), conduct auctions for the use of these radio frequencies, and certify the equipment provider for infrastructure development.

On February 28, 2023, the Supreme Court of Ukraine denied LLC “Ukrainian New Technologies” the extension of the license for the use of the radio frequency resource in the frequency bands 3400…3600 MHz for broadband radio access[14]. This decision allows Ukraine to conduct new auctions on these frequencies, which are used for the 5G internet network.

Since, in fact, a 5G network in Ukraine has not yet been developed even at the level of experimental samples, legislation regulating cybersecurity specifically for fifth-generation networks is still absent.

Deputy Prime Minister – Minister of Digital Transformation Mykhailo Fedorov in an interview with Forbes stated that a pilot version of 5G in Ukraine could be launched as early as 2024.[15]. The question arises, on what equipment this will be done.

Before implementing 5G in Ukraine, it is worth harmonizing its legislation with EU standards, including the safety of equipment. It is necessary to do everything possible to avoid the situation that Germany or Sweden, which are now forced to re-equip networks, are in.

Another risk for the rapid introduction of 5G is the state of war. Some works to free up the radio spectrum for 5G networks cannot be carried out during the period of martial law, as it is used by the military.

At the same time, the issue of cybersecurity of future fifth-generation mobile internet networks can already be implemented now at the legislative level. This gives time to calmly prepare for all market participants.

Recommendations

  1. NIS2. It is necessary to introduce legislation that will incorporate the regulatory norms of the EU Directive NIS2 into the Ukrainian regulatory field. As we wrote earlier, a bill whose purpose is to harmonize this aspect of Ukrainian legislation with EU standards has already been registered, but representatives of the expert environment believe that it needs further refinement.
  2. EU Toolbox on 5G Cybersecurity: It is advisable to begin consultations and implementation of the EU Toolbox on 5G Cybersecurity, as it is the main document of the EU in the field of 5G network cybersecurity. We have already shown the consequences for countries that were forced to transition to new 5G cybersecurity standards after developing their fifth-generation mobile internet networks. The result was either additional government expenses to compensate telecommunications operators for re-equipment costs or re-equipment at the expense of the operators themselves.
  3. Implementation Roadmap: The EU Toolbox on 5G Cybersecurity does not contain very strict restrictions for countries regarding the timeframes for achieving the strategic and technical goals of the EU. Therefore, a well-prepared roadmap for implementing these norms and goals of the EU into Ukrainian legislation can significantly facilitate the process of developing the fifth-generation mobile internet network in Ukraine.
Useful materials:
1. Follow the link or Continue reading
2. Follow the link or Continue reading
3. Follow the link or Continue reading
4. Follow the link or Continue reading
5. Follow the link or Continue reading
6. Follow the link or Continue reading
7. Follow the link or Continue reading
8. Follow the link or Continue reading
9. Follow the link or Continue reading
10. Follow the link or Continue reading
11. Follow the link or Continue reading
12. Follow the link or Continue reading
13. Follow the link or Continue reading
14. Follow the link or Continue reading
15. Follow the link or Continue reading