So, #EU #5G #toolbox is out.
ec.europa.eu/newsroom/dae/d…

IMHO, excellent work. Seriously.

What becomes crystal clear, though: 𝗡𝗮𝘁𝗶𝗼𝗻𝗮𝗹 𝗮𝘂𝘁𝗵𝗼𝗿𝗶𝘁𝗶𝗲𝘀 𝘄𝗶𝗹𝗹 𝗵𝗮𝘃𝗲 𝘁𝗼 𝘀𝘁𝗲𝗽 𝘂𝗽 𝘁𝗵𝗲𝗶𝗿 𝗴𝗮𝗺𝗲, 𝗔 𝗟𝗢𝗧. In the future they will have to... [Thread]

+ continuously assess the risk of deploying particular 5G network equipment and restrict/prohibit if necessary. (p20)

+ audit MNOs at an "in-depth technical level" (p20)

+ assess operators' sourcing strategy and the involvement of 3rd party suppliers (p20)

+ assess to what extent an operator implemented baseline technical network security measures (p20)

+ "perform rigorous assessments of the risk profile of all relevant suppliers at national level" (p21)

+ assess/restrict whether MNOs rely on Managed Service Providers (p21)

+ "ensure that each MNO has an appropriate multivendor strategy taking into account the technical constraints and interoperability requirements" (p22)

+ continuously review MNO's risk assessment plans (p23)

+ ensure that MNOs/suppliers adequately implement 3GPP standards (p24)

+ assess whether MNOs adequately utilize Network Function Virtualization (p24)

+ scrutinize MNO's Network/Security Operation Centers (p25)

+ engage technical standardization bodies (p28)

+ "Analyse critical dependencies between the 5G networks and other critical sectors" (p29)

... the list goes on. The challenge will be how to enable national authorities (especially from smaller member states) to actually achieve all of that?

Last time I checked, IT/5G security experts do not grow on trees.

Of course, EC will help to coordinate and ENISA steps in with facilitation... but at the end of the day, most of the national authorities will struggle to find personnel for even half of those new responsibilities.