Strand Consult’s new study of Mobile RAN in Albania, Bosnia and Herzegovina, Moldova, Montenegro, North Macedonia, Serbia, Türkiye, Ukraine, Georgia, and Kosovo shows that EU enlargement countries are ready for the EU toolbox for 5G security
Strand Consult’s new study maps mobile radio access network (RAN) equipment in 10 neighboring countries covered in the European Commission Enlargement Package. The countries Albania, Bosnia and Herzegovina, Moldova, Montenegro, North Macedonia, Serbia, Türkiye, Ukraine, Georgia, and Kosovo want to become members of the European Union (EU), and compliance with the EU’s toolbox for 5G security is one of many prerequisites for membership.
Strand Consult’s new study is the latest in a series about equipment vendors and mobile network security. This series includes Strand Consult’s 2022 report mapping 5G equipment vendor market share in 31 European countries and its 2020 report mapping similar equipment vendor market share for 4G in 102 mobile networks in Europe. These reports have become the de facto authoritative source for Chinese telecom equipment market share and perhaps the only publicly available studies on the issue. Thousands of professionals and policymakers globally have accessed these reports from Strand Consult.
Considering Strand Consult’s mapping of mobile networks in 21 European countries, it is natural to investigate how “new” and “candidate countries” compare to existing members of the EU and its allies. It is also interesting to explore how EU policy and regulation, including the toolbox, inform cooperation and expectations with other countries and regions including Africa and Latin America.
Strand Consult’s new study is helpful for policymakers to assess how candidate countries perform on network security measures and specifically their exposure to high-risk vendors in 4G and 5G.
The report is also important for operators. Some believe that the EU 5G toolbox will not affect their business, or they are unclear about EU requirements for the security of critical infrastructure. This report is helpful for policymakers, operators, security experts, and many more.
Most of the ten countries demonstrate preliminary compliance and performance with EU network security standards for 5G.
Becoming a member of the European Union and the Telecommunications Requirements
While the path to joining the EU is lengthy, complex, and negotiated, member nations enjoy geopolitical, economic, security, and fiscal benefits. Minimum requirements include compliance with EU standards and rules, consent of EU member states and institutions, and consent of the citizens of the respective countries. Larger still, candidate countries must have stable democratic governments defending the rule of law, human rights, and respect for and protection of minorities; and a functioning market economy. Importantly, the candidate country is assessed for its adherence to the adoption, implementation, and enforcement of all current EU rules in different policy fields including but not limited to telecommunications, energy, transport, environment and so on.
Importantly, compliance with EU rules is the prerequisite for financial support, whether the nation is within or outside the EU. The EU today consists of 27 member states. Some of the covered countries in this research note are considered in the 2023 Enlargement Package for EU enlargement adopted by the European Commission. These are primarily countries in the Balkans and central Europe. Many of these covered countries already receive financial support from the EU.
Moreover, the EU provides financial aid and support to many countries around the world including nations in Africa and Latin America, such as through the Global Gateway.
Indeed, EU financing is already underway, as the European Commission (EC) notes: “Broadband national strategies were developed in Moldova and Georgia to facilitate investments in high-speed and affordable internet in the region. This included a EUR 70 million co-investment by the EIB and the World Bank in Georgia to roll out broadband in rural communities. The price of international connectivity for research and education institutions has decreased by 70% in recent years. In addition, two ultra-fast digital highways (up to 400 Gbps) were set up between the EU, Moldova, and Ukraine to facilitate cooperation in research and innovation, including participation in Horizon Europe.”
Since the EC Communication from June 2023, a prerequisite for obtaining financial support for the establishment of telecommunications infrastructure is compliance with the criteria laid down in the EU’s 5G toolbox. The European Commission Communication on EU enlargement policy describes the enlargement principles, policy, and process, including the requirements for telecommunications networks detailed on p. 53.
The prerequisite for receiving EU support is that these projects ensure compliance with the EU’s digital standards on cybersecurity (5G toolbox) and “open access to the internet.” In practice, this means that, to access aid from the EU, these countries must comply with the rules that apply to receiving that aid.
Notably, the EU has had a strategy for the Balkans for some time, as noted in the Reform and Growth Facility for the Western Balkans. It states, “The Facility should support investment and reforms that promote the beneficiaries’ path to the digital transformation of the economy and society in line with the EU vision for 2030 presented in the Commission communication ‘2030 Digital Compass: the European way for the Digital Decade’. It should strive to facilitate their achievement of the general objectives and digital targets regarding the Union. As outlined by the Commission in its communication of 15 June 2023, the 5G cybersecurity Toolbox should be the reference for EU funding to ensure security, resilience, and protection of integrity of digital infrastructure in the region.”
It is also important that the EU is applying the same conditions to EU member states, such as in the CEF (pages 12 and 13), which may be eligible for some projects with the covered countries, like Latvia’s cooperation with Ukraine on telecom.
The importance of the EU toolbox for 5G security in the EU and beyond
In addition to the conditions laid down in the EU’s enlargement package, the accession procedure allows the EU to push for the covered countries to develop domestic regulation to fulfill the recommendations laid down in the EU 5G toolbox. The EU 5G toolbox is a set of recommendations on 5G security developed by the EU member states with the support of the European Union Agency for Cybersecurity (ENISA) and the Body of European Regulators for Electronic Communications (BEREC). The toolbox is a comprehensive response to mitigate risks identified in the preceding EU-wide coordinated risk assessment.
The EU collaboration on 5G security started with European Council recommendations in 2019 and a Commission recommendation to Member States to take steps to address risks with the 5G rollout. Since the introduction of the 5G toolbox in 2020, EU member states have started to implement strategic and technical measures. ENISA, the Commission and BEREC also initiated work on the supporting actions mentioned in the 5G toolbox. By mid-2020, the NIS Cooperation Group of the member states published a first progress report on the implementation of the 5G toolbox, with a second progress report published on June 15, 2023, which Strand Consult covered here.
Looking beyond the EU’s neighboring countries, the EU is also promoting ICT infrastructure in other third countries through the Global Gateway and its regional initiatives such as EU-LAC, which covers funding for investments in digital transformation in Latin America and the Caribbean.
The Global Gateway creates the opportunity to condition the EU’s funding for ICT infrastructure on adherence to the EU 5G toolbox. The prerequisite for participating in these projects is that they live up to and are compliant with the EU 5G toolbox.
Moreover, the European Commission has implemented the EU 5G toolbox for its own procurement of telecommunications services and expects other EU institutions to do the same. This is important for the credibility of the European Commission to “walk the talk”. It also means that transparency about the suppliers to European telecommunications services is a necessary first step. In any event, there are many options of trusted telecommunication operators in the EU, and these vendors should be selected over those telecommunication service providers that continue to rely on high-risk vendors in their mobile networks. This is a critical point for European consumers, for whom the EU wants to ensure safe, reliable, and high-quality networks.
Key findings from Strand Consult’s report
The report reviews each country, the respective operators, and population, and details the total and relative share of mobile network equipment vendors, noted numerically and graphically. Strand Consult has studied the global growth of Chinese network providers Huawei and ZTE for some 15 years and offers a library of information on the topic.
Building on the mapping of Chinese and non-Chinese vendors in 31 European countries across 102 mobile operators, Strand Consult now examines ten countries on the EU enlargement list. Here are some key data for these countries:
- Of the ten total countries, four have 100% non-Chinese RAN.
- In three countries, 45–70% of the mobile RAN is from trusted vendors. In three other countries, 60–70% of the mobile RAN comes from non-trusted Chinese infrastructure vendors.
- Albania, Kosovo and North Macedonia have 100% non-Chinese networks.
- In Montenegro, Georgia, Serbia and Moldova, 45–70% of RAN infrastructure is from trusted vendors. Montenegro has 2 clean networks; Moldova has 2; Serbia has 2; and Georgia has 1.
- Bosnia and Herzegovina, Türkiye, and Ukraine have 60–76% of mobile RAN from non-trusted vendors.
- Ukraine has a significant level of untrusted vendors for mobile RAN. Kyivstar has 100% of its mobile RAN from Chinese vendors. Vodafone has 75% from Chinese vendors. Lifecell has 50% of mobile RAN from Chinese vendors.
Overall, most of the ten countries on the EU enlargement list are well on their way to living up to the EU’s 5G toolbox. There are still challenges in Ukraine and Türkiye with equipment from non-trusted vendors. At the very least, consumers should have access to at least one clean network from a trusted vendor, as Strand Consult details.
Good news for neighboring countries seeking EU aid
Nations must consider whether they comply with EU requirements before seeking aid from the EU. At the very least, complying with the EU’s 5G security toolbox does not need to be expensive. Notably there is little to no cost difference between purchasing trusted versus non-trusted equipment. Fortunately for the ten EU candidate countries, most already comply with the EU’s 5G Toolbox.
However, most of the 10 countries are still primarily in the 4G evolution. They have not started their 5G implementation. As operators move from 4G to 5G, they will upgrade to new equipment. It is a cost which must be undertaken regardless of vendor. As operators have experienced in Europe and Strand Consult has documented, the cost of switching suppliers to upgrade to 5G is minimal. In other words, prices for 5G equipment are competitive regardless of vendor. There is no or limited additional cost related to using trusted vendors.
In the report “The real cost to rip and replace Chinese equipment from telecom networks”, Strand Consult examined the costs associated with replacing old 2G, 3G and 4G equipment with new equipment with an upgrade to 5G.
This report offers a critical review of the discussion of whether to replace mobile network equipment made by firms owned and/or affiliated with the Chinese government, notably Huawei and ZTE. The need for network security is not a new debate. Since 2005 many intelligence officials, military agencies, and security analysts have noted security risks of using such equipment, including theft of intellectual property, surveillance, espionage, and sabotage.
Strand Consult’s analysis shows that the concerns about Chinese-made network equipment are not limited to national governments and military intelligence operations. Nor is the concern confined to telecom operators which build and run networks. It is the small, medium, and large enterprises that use networks which fear that their valuable data will be surveilled, sabotaged, or stolen by actors associated with the Chinese government and military. Consequently, it is also the clients of telecom operators which push to restrict Chinese-made equipment from networks.
Find more research on the topic in the library of Strand Consult’s reports and research notes about China and cyber security.
For a free copy of Strand Consult’s mapping of the mobile RAN in the 10 countries on the EU enlargement list (Albania, Bosnia and Herzegovina, Moldova, Montenegro, North Macedonia, Serbia, Türkiye, Ukraine, Georgia and Kosovo), contact Strand Consult.