MOTION FOR A RESOLUTION on security threats connected with the rising Chinese technological presence in the EU and possible action at EU level to reduce them
6.3.2019 - (2019/2575(RSP))
pursuant to Rule 123(2) of the Rules of Procedure
Dan Nica, Peter Kouroumbashev on behalf of the S&D Group
See also joint motion for a resolution RC-B8-0154/2019
B8‑0159/2019
European Parliament resolution on security threats connected with the rising Chinese technological presence in the EU and possible action at EU level to reduce them
The European Parliament,
– having regard to Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code[1],
– having regard to Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union[2],
– having regard to the Commission proposal for a regulation of the European Parliament and of the Council of 13 September 2017 on ENISA, the ‘EU Cybersecurity Agency’, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (‘Cybersecurity Act’) (COM(2017)0477),
– having regard to the proposal for a regulation establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres (COM(2018)0630),
– having regard to the adoption of the new National Intelligence Law by the Chinese National People’s Congress on 28 June 2017,
– having regard to the statements by the Council and the Commission of 13 February 2019 on Security threats connected with the rising Chinese technological presence in the EU and possible action at EU level to reduce them,
– having regard to its position adopted at first reading on 14 February 2019 on the proposal for a regulation of the European Parliament and of the Council establishing a framework for the screening of foreign direct investments into the European Union[3],
– having regard to its resolution of 12 September 2018 on the state of EU-China relations[4],
– having regard to the Commission communication of 14 September 2016 entitled ‘5G for Europe: an action plan’ (COM(2016)0588),
– having regard to its resolution ‘Internet connectivity for growth, competitiveness and cohesion: European gigabit society and 5G’ adopted on 1 June 2017[5],
– having regard to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
– having regard to Rule 123(2) of its Rules of Procedure,
A. whereas the 5G network will become the backbone of our digital infrastructure, by providing connectivity and data in everyday life in addition to critical sectors of the economy, such as transport, energy, health, finance, telecoms, defence, space and the security sector;
B. whereas it has been estimated that the rollout cost for 5G across Europe will be between EUR 300 billion and EUR 500 billion, making these networks difficult to replace in the short term once rolled out;
C. whereas 5G equipment is provided by only a restricted number of companies, mostly from China and the European Union;
D. whereas a number of third countries have banned or are planning to introduce restrictions on Chinese-manufactured 5G equipment;
E. whereas currently, no EU Member State has publicly stated that its telecommunications networks contain embedded backdoors;
F. whereas the Member States are in the process of auctioning spectrum to facilitate the roll-out of 5G before 31 December 2020, as required by the European Electronic Communications Code;
G. whereas the 2017 Chinese Intelligence Law requires Chinese citizens and entities to provide the Chinese Government with access to private data on grounds of national security or national interests;
H. whereas the Chinese Cybersecurity Law, which came into effect on 1 June 2017, states that network operators shall provide technical assistance to the state security organs in their work;
I. whereas similar legislation has been passed in other third countries, in particular in the US with the recent adoption of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which requires US data and communications companies to provide stored data for US citizens on any server they own and operate when so requested by warrant;
J. whereas in June 2018 the EU filed a dispute settlement case at the World Trade Organisation, supplemented in December 2018, against Chinese practices that force European companies to give up sensitive technology and know-how as a precondition for investing in China;
1. Expresses deep concern about the recent allegations that 5G equipment developed by Chinese companies would contain embedded backdoors allowing manufacturers and Chinese authorities to have unauthorised access to private data and private telecommunications of EU citizens and businesses; believes that these allegations should be thoroughly assessed and investigated;
2. Believes that the potential presence of major vulnerabilities in the 5G equipment created by these manufacturers is something that should also be assessed and investigated when rolling out 5G networks in the coming years;
3. Reiterates that any entity established in the EU or that places products on the single market, regardless of its nationality, must comply with EU and Member State law and with fundamental rights obligations, including those relating to privacy, data protection and cybersecurity;
4. Reiterates that any entity providing products, services and processes in the EU, regardless of its nationality, must meet the Secure By Design criteria, which will not only deter embedded backdoors, but also help counter other possibilities of cyber-interference with the network, e.g. Distributed Denial-of-Service (DDoS) attacks;
5. Calls on the Commission to urgently provide a single response to these new cyber threats and vulnerabilities arising from the next-generation telecommunications networks; calls on the Member States to inform the Commission of any national measure they intend to adopt in order to coordinate the Union’s response so as to ensure the highest standards of cybersecurity throughout the Union; reiterates the importance of refraining from introducing disproportionate unilateral measures that would unnecessarily fragment the single market;
6. Considers that the EU should provide an independent response based on a risk assessment and solid evidence;
7. Calls on the Member States, cybersecurity agencies, telecoms operators, manufacturers and providers of critical infrastructure services to report to the Commission and ENISA any evidence of backdoors or other major vulnerabilities that could compromise the integrity and security of telecoms networks or infringe Union law and fundamental rights;
8. Recalls that telecommunication networks are interlinked and that any vulnerability in the system might affect and compromise other parts of the network; calls on the Commission to assess the robustness of the Union’s legal framework in order to address concerns about the presence of vulnerable equipment in strategic sectors and backbone infrastructure; urges the Commission to present, in due time, initiatives, including legislative proposals, to address potential shortfalls;
9. Recalls that the current legal framework on telecommunication mandates the Member States to ensure that telecoms operators comply with the integrity and availability of public electronic communications networks; highlights that, according to the European Electronic Communication Code, the Member States have all the powers necessary to investigate and apply a wide range of remedies in case of non-compliance, guaranteeing ‘privacy-by-design’ products on the EU’s market;
10. Calls on the Member States and the Commission to ensure that the 5G equipment to be deployed is ‘secure by design’ and continues to operate securely throughout its lifetime; calls on the Commission, in cooperation with ENISA, to provide guidance on how to tackle cyber threats and vulnerabilities when procuring 5G equipment and other services with large amounts of private data (i.e. diversifying equipment from vendors, conditions on auction of spectrum, etc.); believes this approach should not be limited to manufacturers and vendors of 5G network equipment, but should also extend to existing networks and the entire supply chain; calls on the European Cybersecurity Competence Centre to take the above-mentioned guidance into account in its operations and when fixing its strategic orientation;
11. Urges the Member States that have not transposed Directive (EU) 2016/1148 on the security of network and information systems (NIS) to urgently adopt national legislation in order to comply with the directive; calls on the Commission to assess the need to further enlarge the scope of the directive to new sectors and services where large amounts of private data are exposed and are not covered by specific legislation (e.g. telecommunications and electronic identification);
12. Welcomes the adoption of the Cybersecurity Act, which will reinforce ENISA’s role in effectively responding to cyber-attacks, increase cooperation and coordination at Union level, and introduce new certification schemes for connected products and processes;
13. Urges the Commission to mandate ENISA to prioritise working on a certification scheme for 5G equipment in order to ensure that the rollout of 5G in the Union meets the highest security standards and is resilient to backdoors or other major vulnerabilities that would endanger the security of the Union’s telecommunications networks and dependent services; calls on the Commission to include certification schemes for Artificial Intelligence (AI) systems that are able to detect, mitigate and instantly report malware and security flaws in 5G equipment;
14. Recalls, however, that certification should not exclude competent authorities and operators from scrutinising the supply chain in order to ensure the integrity and security of their equipment that operates in critical environments and telecoms networks;
15. Notes that Chinese companies – including state-owned enterprises – benefit, despite the lack of reciprocity, from wide open markets in the EU, and that China has become a net investor in the EU since 2016; expresses its concern at the existing numerous restrictions that European companies continue to face in China, such as the ever more stringent conditions for obtaining market access, including forced technology transfers, joint venture obligations, discriminatory technical requirements including forced data localisation, and source code disclosure;
16. Expresses its concern over the fact that state-orchestrated acquisition and investments from China might compromise European strategic interest and public security objectives, the competitiveness of European companies and high-quality employment in the Union;
17. Reiterates the urgent need for the EU to have the industrial capacities in key strategic sectors (e.g. 5G network equipment and similar backbone technologies), in order to reduce dependency on third-country manufacturers operating under domestic laws that fundamentally clash with the Union’s privacy and industrial property law; welcomes the adoption of the new regulation establishing a framework for screening of foreign direct investments[6] in the EU in order to assess potential security risks, including cyber-related threats, that are likely to affect security or public order and could be triggered by foreign investments at Member State or Union level;
18. Instructs its President to forward this resolution to the Council, the European External Action Service, the Commission, the governments and parliaments of the Member States and the accession and candidate countries, the Government of the People’s Republic of China and the Chinese National People’s Congress.
- [1] OJ L 321, 17.12.2018, p. 36
- [2] OJ L 194, 19.7.2016, p. 1
- [3] Texts adopted, P8_TA_(2019)0121
- [4] Text adopted, P8_TA-PROV(2018)0343
- [5] Texts adopted, P8_TA(2017)0234
- [6] Text adopted, P8_TC1-COD(2017)0224