The European Commission is opting for the soft approach towards Huawei. In a non-binding recommendation presented on Tuesday 26 March, it suggests starting with a risk analysis at both a national and European level. It also announces the development, by the end of the year, of a toolbox to be used in the event of danger.
The recommendation sets out a clear timetable for a coordinated approach to 5G network security. 1) Before the end of June 2019: each Member State must complete a national risk assessment of 5G network infrastructure; 2) before 1 October 2019: the European Cyber Security Agency (ENISA) must complete a European assessment; 3) before 31 December 2019: the coordination group of the Network Security Directive must develop a toolbox to address identified threats at both a national and European level; 4) before 1 October 2020: Member States, together with the EU Commission, must assess the effects of the recommendation to determine whether further action is needed.
Is a ban included among the tools?
The toolbox provided for in this timetable will be developed by the coordination group linked to the Network Security Directive. It may include, the Commission notes, “certification requirements, tests, checks, as well as the identification of products or suppliers considered to be potentially unsafe”.
Vice-President Andrus Ansip refused to indicate, during a press briefing on the evening before the College meeting, whether this toolbox could lead to a ban on Huawei operating on European territory. “I don't want to speculate. Let's do the risk assessments first”, he replied.
It should be noted that Member States have the right to exclude companies from their markets for reasons of national security if they do not comply with the country's standards and legal framework. The recommendation also instructs Member States to define specific security requirements that may apply in the context of public procurement related to 5G networks “including mandatory requirements for the implementation of cybersecurity certification schemes”. This provision echoes the conclusions developed by the EU Council (see EUROPE 12217/25).
Huawei is satisfied
For its part, Huawei welcomed the recommendation, which is non-binding by definition, in a very positive manner: “Huawei welcomes the objective and considered approach of the recommendation”, commented Abraham Liu, Huawei's Chief Representative to the European institutions. “Huawei understands the cybersecurity concerns of European regulators. On the basis of mutual understanding, Huawei looks forward to contributing to the European framework on cybersecurity.” (Original article in French by Sophie Petitjean)