The 5G Standard

Cooperation on Cybersecurity

Nov 24, 2022

EU cybersecurity certification project engages with 3GPP experts.

ENISA is the European Union Agency for Cybersecurity, contributing to the EU cyber policy. A part of their work is focused on delivering a voluntary industry 5G cybersecurity certification scheme. The scheme will be applied for network devices (not terminals) across that region, as required by the EU Cybersecurity Act (2019), from 2024.

Their EU5G Ad-Hoc Working Group is looking at the re-use of existing tools, including standards work completed, to help meet their objectives for the scheme. To that end, they have mapped against existing GSMA schemes and the 3GPP specifications they refer to, to enable them to assess the risks and to identify any standards gaps that need additional coverage.

During last week’s 3GPP working group meetings in Toulouse, ENISA representatives presented the ENISA EU5G status to 3GPP SA3. They introduced the current expected timeline and milestones for the initial (V1) candidate scheme.


Standards gaps are now being discussed within ENISA, as they draft certification schemes (from Nov. 2022). ENISA’s Vassiliki Gogou noted that the speed of 3GPP’s progress will be a challenge. 

During the presentation, Vassiliki Gogou noted that the ENISA timeline is well aligned with Rel-18, but acknowledged that they may need to look back and understand earlier 5G release capabilities.  During the SA3 discussion here in Toulouse, the challenge of keeping regulation up-to-date as specifications are updated release-by-release was raised. A solution could be for 3GPP to be referenced in an annex of the EU legal documents, making updates relatively straight forward.


Some takeaways from this presentation & discussion:


  • ENISA looking to engage with 3GPP, to ensure that standards meet the European cybersecurity certification scheme.
  • ENISA feel some direct participation in SA3 would be useful. SA3 agrees.
  • Although this is one regional programme – there is little difference between the regions, so this could be a productive benchmark activity. 

3GPP SA3 will now look to work with ENISA to consider extensions to 3GPP SCAS and technical standards to address any gaps identified by ENISA. SA3 is currently in discussions about how to proceed with the additional work, in order to minimise the impacts on current SA3 work plans. 

SA3 looks forward to further engagement with GSMA, ENISA, EU National Standards Organisations (NSOs) and European Commission (EC) to support requirements under the CSA and future Cyber Resilience Act (CSA).