In a special report published today, the European Court of Auditors (ECA) calls for new impetus to boost the roll-out of 5G, the new global wireless standard for mobile networks, in the EU. Member States have experienced considerable delays in implementing their 5G networks, which is jeopardising the achievement of the EU’s objectives in terms of access and coverage. In parallel, further efforts are needed to address security issues in 5G deployment in a consistent and concerted manner, the auditors say.

5G services are essential for a wide range of applications that benefit many sectors of the EU economy and citizens’ daily lives. It is estimated that 5G could add up to €1 trillion to EU GDP between 2021 and 2025, with the potential to create or transform up to 20 million jobs. While 5G provides many opportunities for growth, it comes with certain risks: the limited number of vendors able to build and operate 5G networks increases dependency and the risks associated with interference by “hostile state actors”.

In its 2016 Action Plan, the European Commission set a deadline of 2025 for 5G to be rolled out across all urban areas and all major transport routes. In March last year, it set a further target of achieving EU-wide 5G coverage by 2030. However, the auditors observe that only half of the Member States have included those objectives in their national 5G strategies. The Commission has supported Member States in reaching these goals through different initiatives, guidance and funding. But it has never clearly defined the expected quality of 5G services. This could lead to inequalities in access to and the quality of 5G services across the EU, further widening the “digital divide”, the auditors underline.

“Across the EU, up to €400 billion will be spent by 2025 on developing 5G networks to support the future economic growth and competitiveness. But with many Member States lagging behind, the EU is still far from reaping the benefits 5G offers”, said Annemie Turtelboom, the member of the European Court of Auditors responsible for the report. “Moreover, Member States’ approaches towards 5G security, and in particular the need for concerted action, remains an issue of strategic importance for the EU’s technological sovereignty and the single market.”

All Member States except Cyprus, Lithuania, Malta and Portugal met the 2020 intermediary objective of having at least one major city with 5G access. But many EU countries are not on track with the deployment of their 5G networks. The Commission considers that for sixteen EU countries, the likelihood of achieving the 2025 goal is at best medium (Austria, the Czech Republic, Estonia, Germany, Ireland, Lithuania, Malta, the Netherlands, Poland, Portugal and Slovenia), and at worst low (Belgium, Bulgaria, Croatia, Cyprus and Greece). By November 2021, 23 Member States had still not transposed the EU Directive, setting deadlines for the assignment of 5G pioneer bands, among other actions. At the current pace of implementation, the auditors stress that the EU objectives for the current decade are very likely to be missed.

The 5G rollout goes hand in hand with security issues. Vendors based in EU countries are bound to comply with EU standards and legal requirements. But six of the eight largest vendors, for example Huawei (China) and Samsung (South Korea), are not based in the EU. Legislation in nonEU countries can differ considerably from EU standards, for example in terms of personal data protection. The auditors express concern that EU users may be subject to foreign laws when control centres are located outside the EU. The Commission reacted swiftly when 5G security became a major issue at EU level: the EU toolbox on 5G cybersecurity was adopted in January 2020. Nevertheless, this came too late for a number of mobile network operators which had already selected their vendors.

The auditors also note that, despite the cross-border nature of 5G security concerns, little publicly available information exists on how EU countries approach security matters, in particular the issue of high-risk vendors. This makes it difficult for Member States to take a concerted approach, and also limits the Commission’s ability to put forward improvements to the security of 5G networks. The auditors found that in practice, as measures contained in the toolbox have no binding effect, Member States apply divergent approaches regarding the use of equipment from specific vendors or the scope of restrictions on high-risk vendors. Furthermore, if the Member States are to exclude high-risk vendors from their networks without any transitional period, this might generate hefty substitution costs. Currently, it is not clear whether compensating for these costs could be considered state aid, and whether this would be in line with EU competition rules.

So far, the Commission has not assessed the potential impact of a Member State building its 5G networks using equipment from a vendor considered to be high-risk in another Member State. Such a scenario could impact cross-border security and even the functioning of the EU single market itself, warn the auditors.

Background information
Special report 3/2022 “5G roll-out in the EU: delays in deployment of networks with security issues remaining unresolved” is available on the ECA website (eca.europa.eu).