Procedure : 2019/2575(RSP)
Document stages in plenary
Document selected : B8-0160/2019

Texts tabled :

B8-0160/2019

Debates :

Votes :

PV 12/03/2019 - 9.22

Texts adopted :

P8_TA(2019)0156

<Date>{06/03/2019}6.3.2019</Date>
<NoDocSe>B8‑0160/2019</NoDocSe>
PDF 142kWORD 55k

<TitreType>MOTION FOR A RESOLUTION</TitreType>

<TitreSuite>to wind up the debate on the statements by the Council and the Commission</TitreSuite>

<TitreRecueil>pursuant to Rule 123(2) of the Rules of Procedure</TitreRecueil>


<Titre>on security threats connected with the rising Chinese technological presence in the EU and possible action at EU level to reduce them</Titre>

<DocRef>(2019/2575(RSP))</DocRef>


<RepeatBlock-By><Depute>Reinhard Bütikofer</Depute>

<Commission>{Verts/ALE}on behalf of the Verts/ALE Group</Commission>

</RepeatBlock-By>

See also joint motion for a resolution RC-B8-0154/2019

B8‑0160/2019

European Parliament resolution on security threats connected with the rising Chinese technological presence in the EU and possible action at EU level to reduce them

(2019/2575(RSP))

The European Parliament,

 having regard to Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code[1],

 having regard to Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union[2],

 having regard to Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA[3],

 having regard to the Commission proposal for a regulation of the European Parliament and of the Council, of 13 September 2017, on ENISA, the ‘EU Cybersecurity Agency’, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (‘Cybersecurity Act’) (COM(2017)0477),

 having regard to the Commission proposal for a regulation of the European Parliament and of the Council, of 12 September 2018, establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres (COM(2018)0630),

 having regard to China’s National Intelligence Law of 28 June 2017 and State Security Law of 1 July 2015,

 having regard to the statements by the Council and the Commission of 13 February 2019 on security threats connected with the rising Chinese technological presence in the EU and possible action on the EU level to reduce them,

 having regard to the adoption by the Australian Government of the Government’s Telecommunications Sector Security Reforms, in effect as of 18 September 2018,

 having regard to its position adopted at first reading on 14 February 2019 on the proposal for a regulation of the European Parliament and of the Council establishing a framework for screening of foreign direct investments into the European Union[4],

 having regard to its resolutions on EU-China relations, in particular that of 12 September 2018 on the state of EU China relations[5],

 having regard to the Commission communication of 14 September 2016 entitled ‘5G for Europe: an action plan’ (COM(2016)0588),

 having regard to its resolution of 1 June 2017 on internet connectivity for growth, competitiveness and cohesion: European gigabit society and 5G[6],

 having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)[7],

 having regard to Regulation (EU) No 1316/2013 of the European Parliament and of the Council of 11 December 2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010[8],

 having regard to the Digital Europe programme,

 having regard to Rule 123(2) of its Rules of Procedure,

A. whereas the EU has promoted the digitalisation of its industry and the deployment of next generation networks and equipment and has actively taken steps to be a standard setter for 5G;

B. whereas vulnerabilities in 5G networks could be exploited in order to compromise IT systems, potentially causing very serious damage to economies at European and national levels; whereas a risk analysis based approach across the value chain is necessary in order to minimise the risks;

C. whereas the 5G network will be the backbone of our digital infrastructure, extending the possibility to connect various devices to networks (internet of things, etc.), and will bring new benefits and opportunities to society and businesses in many areas, including critical sectors of the economy, including the transport, energy, health, finance, telecom, defence, space and security sectors;

D. whereas Parliament has repeatedly called for the development of a European strategy for greater IT independence and online privacy that would boost the IT industry in the EU;

E. whereas concerns were raised about third country equipment vendors that might present a security risk for the EU due to the laws of their country of origin, especially after the enactment of the Chinese State Security Law, which provides for a very broad definition of national security and obligations for all citizens, enterprises and other entities to cooperate with the state to safeguard state security; whereas there is no guarantee that these obligations are without extraterritorial application; whereas the response to the Chinese regulations have varied among countries such as the United States, Australia and New Zealand, ranging from security assessments to an outright ban;

F. whereas market access is already conditioned by compliance with European rules for a large number of products but cybersecurity is not yet a requirement and the certification schemes as provided for in the Cybersecurity Act do not provide an adequate response to the urgency of the situation, especially in the case of ubiquitous consumer connections and connected devices;

G. whereas there have already been security incidents within the EU due to vulnerabilities in communications networks, including unauthorised access to the Belgian telecom operator that provides services to the European institutions;

H. whereas a thorough investigation is needed to clarify whether the devices involved in such incidents, or any other devices or suppliers, pose security risks due to features such as backdoors to systems;

I. whereas solutions should be coordinated and treated at EU level in order to avoid different levels of security and potential gaps in cybersecurity; whereas coordination is also needed at global level in order to provide a strong response;

J. whereas the benefits of the single market come with the obligation to comply with EU standards and the Union’s legal framework and whereas suppliers should not be treated differently based on their country of origin;

K. whereas the forthcoming EU regulation establishing a framework for screening of foreign direct investments into the European Union provides a list of factors that are considered to be related to security and public order, which include critical infrastructure, such as communications infrastructure, critical technologies, cybersecurity, access to sensitive information and the freedom to control such information; whereas such factors as whether a foreign investor is indirectly controlled by the government of the country of origin are to be considered relevant for security and public order; whereas the regulation also covers projects and programmes of Union interest such as Trans-European Networks for Telecommunications and Horizon 2020; whereas the regulation establishes a mechanism which allows the Commission and Member States to cooperate in their assessment of security risks posed by foreign direct investments;

1. Believes that the Union take the lead on cybersecurity, by means of a common approach based on the effective and efficient use of EU, Member State and industry expertise, since a patchwork of divergent national decisions would be detrimental to the digital single market;

2. Underlines the importance of swiftly developing an EU approach to infrastructure security in view of the deployment of 5G technology, taking into account risks to security and public order through interference and influence exerted by third countries; stresses that this is a matter of the EU’s own security and fundamental interest;

3. Welcomes the upcoming entry into force of a regulation establishing a framework for the screening of foreign direct investments for reasons of security and public order, and underlines that this regulation establishes for the first time a list of areas and factors that are relevant for security and public order at EU level;

4. Expresses deep concern about the recent allegations that 5G equipment developed by Chinese companies may have embedded backdoors that would allow manufactures and authorities to have unauthorised access to data and telecommunications from EU citizens and businesses; is equally concerned about the potential presence of major vulnerabilities in the 5G equipment developed by these manufacturers if they were to be installed when rolling out 5G networks in the coming years; asks the Commission and the Member States to consider banning 5G equipment providers that cannot give adequate security guarantees;

5. Underlines that the implications for the security of networks and equipment are similar across the world and calls for the EU to draw lessons from the experience available to be able to ensure the highest standards of cybersecurity; is of the view that, whenever compliance with security requirements cannot be guaranteed, adequate measures must be applied; notes that, as part of the assessment for security adequacy, the EU should ask for substantial and credible assurances, particularly in cases where a company is not publicly traded, has opaque organisational structures and is not transparent about its funding and decision-making;

6. Calls on the Member States to inform the Commission of any pertinent national measure they intend to adopt in order to coordinate the Union’s response to be able to ensure the highest standards of cybersecurity throughout the Union;

7. Reiterates that that any entities providing equipment or services in the EU, irrespective of their country of origin, must comply with fundamental rights obligations and with EU and Member State law, including the legal framework as regards privacy, data protection and cybersecurity;

8. Calls on the Commission to assess the robustness of the Union’s legal framework in order to address concerns about the presence of vulnerable equipment in strategic sectors and backbone infrastructure; urges the Commission to present initiatives, including legislative proposals where appropriate, to address in due time any shortfalls detected since the Union is in a constant process of identifying and addressing cybersecurity challenges and enhancing cybersecurity resilience in the EU;

9. Urges those Member States that have not yet fully transposed the NIS Directive to do so without delay and calls on the Commission to monitor this transposition closely to ensure that its provisions are properly applied and enforced and that European citizens are better protected from external and internal security threats;

10. Welcomes and supports the agreement reached on the Cybersecurity Act and the reinforcement of the mandate of the EU Agency for Network and Information Security (ENISA), in order to better support Member States in tackling cybersecurity threats and attacks;

11. Recalls that cybersecurity demands high security requirements; calls for networks and products that are secure by default and by design; urges the Commission to mandate ENISA to make it a priority to work on a certification scheme for 5G equipment in order to ensure that the rollout of 5G in the Union meets the highest security standards and is resilient to backdoors or major vulnerabilities that would endanger the security of the Union’s telecommunication networks and dependent services; recommends that special attention be given to commonly used processes, products and software that by their sheer scale have an important impact on the day-to-day life of citizens and the economy;

12. Warmly welcomes the proposals on cybersecurity competence centres and a network of national coordination centres, which is designed to help the EU retain and develop the technological and industrial capacities in cybersecurity that are needed to secure its digital single market;

13. Welcomes the Digital Europe programme, which imposes security requirements and Commission oversight on entities established in the EU but controlled from third countries, in particular for cybersecurity-related actions; underlines the importance of excluding security interference generated by executive requests for intelligence cooperation by third country authorities;

14. Calls on the Member States to ensure that public institutions and private companies involved in ensuring the proper functioning of critical infrastructure networks such as telecom, energy, health and social systems, undertake relevant risk analysis assessments taking into account the security threats specifically linked to technical features of the respective system or dependence on external suppliers of hardware and software technologies;

15. Recalls that the current legal framework on telecommunication mandates the Member States to ensure that telecom operators comply with the integrity and availability of public electronic communications networks and that encryption, preferably end-to-end encryption, is a way of addressing some security concerns; highlights that, according to the European Electronic Communication Code, the Member States have all the powers necessary to investigate and apply a wide range of remedies in the event of non-compliance of products on the EU market;

16. Calls on the Commission and the Member States to make security an obligatory aspect in all public procurement procedures for relevant infrastructure at both EU and national level, including, where appropriate, the use of European standards and technical requirements aimed at increasing resilience and tackling security risks;

17. Expects national data protection authorities as well as the European Data Protection Supervisor to thoroughly investigate indications of data breaches by external vendors and to impose appropriate penalties and sanctions in line with European data protection law;

18. Reiterates that the EU needs to support cybersecurity across the entire value chain, from research to the deployment and uptake of key technologies, disseminate relevant information, and promote an education curricula about cybersecurity, and believes that, among other measures, the Digital Europe programme will be an efficient tool for that;

19. Urges the Commission and the Member States to take the necessary steps to create an innovation-friendly environment within the EU, which should be accessible to all businesses in the EU digital economy, including small and medium-sized enterprises (SMEs), and should allow European vendors to develop new products, services and technologies, enabling them to win back market share from their third country competitors;

20. Calls on the Commission to assess the cybersecurity aspect of market surveillance and control and propose measures that would efficiently tackle cybersecurity risks; recalls that EU industry actors, and especially SMEs, are vulnerable to unfair competition by state-sponsored actors, strategic acquisition and unauthorised access to their data; argues that these industry actors should be involved in the elaboration of potential legislative measures;

21. Calls on the Commission to include IT security requirements in the revision of the New Legislative Framework for Product Safety;

22. Calls on the Council to speed up its work on the proposed e-Privacy regulation, and to take into account the mandatory end-to-end encryption and the ban on government-mandated backdoors proposed by Parliament in its position adopted in first reading;

23. Calls on the European Council to consider actions in line with the recommendations expressed in this resolution at its next meeting on 21 March 2019;

24. Instructs its President to forward this resolution to the Council and the Commission.

 

[1] OJ L 321, 17.12.2018, p. 36.

[2] OJ L 194, 19.7.2016, p. 1.

[3] OJ L 218, 14.8.2013, p. 8.

[4] Texts adopted, P8_TA(2019)0121.

[5] Texts adopted, P8_TA(2018)0343.

[6] OJ C 307, 30.8.2018, p. 144.

[7] OJ L 119, 4.5.2016, p. 1.

[8] OJ L 348, 20.12.2013, p. 129.

Last updated: 7 March 2019Legal notice