Strand Consult has followed the mobile telecom industry for 25 years and has published predictions for the last 20. See the collection here. This note reviews the highs and lows from the mobile telecom industry 2020 and makes predictions for 2021,  writes John Strand of Strand Consult. This year developed very differently than expected, including the bombshell in February that GSMA cancelled the Mobile World Congress. It’s an understatement to stay COVID-19 was a game changer, but the bottom line is that communications networks built and run by operators are even more important than ever. Strand Consult has long described how telecommunications is the foundation for the modern society; 2020 proved this assertion beyond the shadow of a doubt. Here are some of the issues that defined 2020 and will be relevant in 2021: COVID-19, China, cybersecurity, 5G, spectrum, climate, Open RAN, privacy, competition, consolidation, gender equality, and net neutrality. COVID-19, the all-purpose policy justification Private network providers by investing for the future ended up prepared for the unexpected.  The COVID19 brought unprecedented challenges to telecommunications networks, and these networks performed to meet pandemic requirements. During lockdown and the new normal of working from home (WFH), people have relied on these networks for work, school, shopping, and healthcare. By investing for the future, many network owners ensured that networks would perform under worst case scenarios. This outstanding network performance disproved the conventional regulatory wisdom that network owners left to their own devices would harm their customers, their networks, and third-party service providers. Indeed, the opposite happened, not only did network providers provide consistent service, many reduced prices in solidarity with their customers. This experience has important implications for price control regulation, investment incentives, and sustainability. Strand Consult’s report Network Behaviour Under Crisis: Reflections on Telecommunications, Transportation and Energy Regulation during COVID-19 examines the regulation that govern these networks to see what lessons policymakers can learn to improve regulation going forward. The experience shows that allowing operators to follow market incentives yields socially beneficial results, policymakers will likely use COVID to justify even more regulation. Here are six questions on the future of telecom regulation. Another love/hate relation in the time of corona is between regulators and platforms like Google and Apple for their track and trace apps. While antitrust efforts against these large players have been ongoing globally, COVID19 suddenly gave them a central position as “the good guys” with surveillance people actually want. Competition authorities put a lot of effort into high antitrust cases against the hyper giants; some of these will likely fail. A better strategy to reduce their dominance would be to stop making policy which unfairly favours and strengthens these platforms with free giveaways on radio frequencies (unlicensed spectrum), copyright (fair use), and data transmission (net neutrality) and so on. The mobile industry is still an old boys’ club 2020 was not the year in which women achieved management parity in the mobile telecom industry, and the most glaring inequality is on display at the industry’s global trade association. This is not for a lack of accomplished female executives in the industry, but rather a lack of will. GSMA’s website notes: “The GSMA Board has 26 members reflecting the largest operator groups and members from smaller independent operators with global representation.” While GSMA boasts of its board geographic and economic diversity, it fails on the basic front of gender. Just 3 of its board members are women, of which 2 are from the US and 1 from Singapore. GSMA has held many workshops on promoting women in the industry but fails to practice what it preaches. This pattern will likely continue in 2021. Birds of a Feather: Vodafone, Huawei, and China COVID-19 intensified the debate about Chinese equipment in networks. Many realized the increasing cost and vulnerability of Chinese elements in mobile networks and the fragility of associated supply chains, not to mention other critical technologies. In 2020 many nations asserted that China and its military-linked Huawei pose security risks and took steps to restrict equipment in mobile networks. However, there were some notable holdouts like Vodafone’s 'Foreign Minister' Joakim Reiter who repeatedly defends the use of Huawei equipment. Vodafone may prioritize its relationship with Huawei above customer safety and security, but smart operators will capitalize on their choice not to expose their customers’ data to the Chinese government. The competition in the mobile industry means that customers can choose whether they want the risk of exposing their data to the Chinese government. Opting out of Huawei equipment and other risky technology vendors will become a unique selling point for operators in 2021, particularly for corporate customers. Vodafone will likely take heat for defending its relationship with malicious vendors. 5G On Track in 2020 and 2021 While some operators stubbornly stuck with Chinese equipment, other operators moved forward on rippling and replacing Huawei equipment without increasing cost or slowing their timeline to 5G. Successful reboots include Denmark’s TDC, Norway’s Telenor, and Telia and Proximus in Belgium. Operators are replacing and upgrading their networks at a pace that exceeds the implementation of 3G and 4G. It is impressive to see how quickly new equipment can be deployed; it took TDC just 11 months to launch a 5G network with non-Chinese equipment covering 90% of the country. In most countries, these upgrades occur without operators having to increase their CAPEX. Strand Consult already described this in 2019. Strand Consult is cautiously optimistic for 5G in 2021. Operators can excel building and running and networks--even during a crisis. The question is whether the applications for 5G will prove compelling for consumer adoption. Spectrum Auctions – The sky is the limit As of this writing, the auction for the C-Band (3.7–3.98 GHz) in USA is on track to set a world record for a spectrum auction, breaking $70 billion. The excitement rivals the 3G spectrum auctions in 2000 and reflects that American operators can purchase rights without expiration. Europe’s short term spectrum licenses have led to dire situations in which licenses expire and cannot be renewed. In 2020 The Royal Swedish Academy of Sciences awarded the 2020 Economics Nobel Prize to Stanford University’s Paul R. Milgrom and Robert B. Wilson “for improvements to auction theory and inventions of new auction formats.” In a mere generation, spectrum auctions have demonstrated telecom operators’ ability to use scarce resources efficiently and to contribute significantly to the public treasury.  As the Royal Academy rightly observes, market-based allocation methods like auctions are preferable to administrative allocation. However, not all spectrum auctions have been beneficial. Indeed, high prices in some countries have reduced infrastructure investment. In some cases, governments and bidders have gamed the auctions. The findings of the 2020 Nobel winners, if applied, could solve these problems, but it requires political discipline. Strand Consult sees the Nobel award as a message to governments around the world to improve the practice of spectrum allocation, particularly as applied to auction rules, spectrum repurposing, unlicensed spectrum, and federal spectrum holdings. China – Not a good look Getting the real story on China proved difficult in 2020. The Chinese propaganda machine misleads many journalists, and many stories on Huawei originate with the company giving an exclusive interview with a friendly journalist in a preferred media. These stories portray Huawei as a helpless victim in the trade war between the US and China. Few media dare to publish an analysis comparing the operating conditions foreign companies get in China compared to the favourable treatment Chinese companies enjoy abroad. Moreover, there are few articles investigating Huawei’s role to suppress human rights in China. However, Huawei’s corporate practices are becoming untenable for Huawei itself. The company’s Danish communications director Tommy Zwick resigned on Twitter because he could not accept Huawei's role in Uyghur Muslim oppression.  And celebrities from sports stars to artists are cancelling their Huawei contracts. Strand Consult hopes that more people choose the path of integrity in 2021, as the focus on China’s appalling human rights record is long overdue. China has a dream that President Joe Biden will make life easier. Strand Consult does not subscribe to this view; if anything, rules may be tightened. Some countries will take restrictions on China a step further, outlawing its presence in communications networks altogether. See related notes here: Would a new President change the US view of the security of Huawei and ZTE in 5G networks?  Strand Consult’s reports on 4G RAN are used by policymakers to understand the market share of Chinese equipment in networks and to assess associated risk. Strand Consult has also published reports to help policymakers and journalists use critical thinking to address the many claims by Huawei’s corporate communication. Telecommunications and the Climate Agenda Operators have many initiatives to improve energy efficiency. These are important as total energy consumption will likely go up, even with efficiency improvements in the data production layer. Read the excellent report from Barclays Equity Research Analysts Environmental Social and Governance - Doing good, doing enough?by the team led by Maurice Patrick. This holistic approach to energy consumption is more meaningful than 5G climate hype which attempts to measure energy consumption as a function of the minutes or data an operator produces. Strand Consult describes some of these challenges and solutions here: New partnerships help telecom and tech companies become green. Google leads the way in Denmark. The reality check on Open Ran  In 2020 Open Ran was portrayed as a miracle “technology”. Many believe Open Ran will increase innovation, reduce operators' costs, and help rid Chinese equipment in telecommunications networks. Other Open Ran boosters want more nations to become manufactures of telecommunications infrastructure. 2021 will bring a needed reality check. It will take years before Open Ran can replace regular RAN on a 1:1 basis. Promised savings for operators will not be so great, and the purported openness of the solution will not necessarily deliver security, at least in the expectation of Open Ran reducing reliance on Chinese vendors. China Mobile, China Unicom and China Telecom are among some 44 Chinese government technology companies in the O-RAN Alliance. Other members are ZTE and Inspur, which the US bans because of links to the Chinese military. While purporting to offer the way out from Huawei, O-RAN appears to substitute one Chinese government owned firm for another, like Lenovo. Open Ran specifications may already violate cybersecurity rules in UK, Germany and France. Patent challenges are also likely as Open Ran is 100% dependent on 3GPP and the patents of non-members of the O-RAN Alliance. Strand Consult believes that industrial cooperation is important for technological development, investment, and innovation. Some of this cooperation is done in 3GPP, the O-RAN Alliance, and other organizations. Mobile operators should be free to choose the technological solutions that make sense for their business, provided the adherence to national security laws. Open Ran should not be the justification for protectionism. Regulation is acquired by industry and designed for its benefit US and EU policymakers talk a big game about antitrust, platform regulation, and data protection. They tweet, like, friend, and stream their criticism against Google, Facebook, Amazon, Apple, and Netflix while using these platforms themselves. The platforms have never had it so good; they enjoyed yet another year with increased earnings and market shares. They should send a Christmas card thanking Margrethe Vestager. Like smokers who rage against the tobacco industry, politicians can’t live without the platforms. Some politician’s tweets even more than US President Donald Trump. Take the Danish Member of the EU Parliament Karen Melchior  who has tweeted 193,000 times since October 2008. That’s 43 tweets a day for 12 years. She is three times more active than Donald Trump, who has tweeted 59,000 tweets since March 2009, about 13 tweets a day. Melchior has 21,000 followers: Trump, 88 million. Melchior follows 16,000; Trump; only 51. The more that big tech is regulated, the larger it grows. Policies which force Netflix to buy more local content only increases Netflix’ popularity in the local policy. These policies look good/feel good on the surface, but they have the opposite of their intended effect. The losers, of course, are traditional radio, TV, and print. Competition and Consolidation: A time for honesty for operators and policymakers Competition authorities should look more realistically at decisions purported to improve competition and consumer protection, notably restrictions against 4 to 3 mergers. Courts rebuked the regulatory experts, showing the European Commission to be wrong in blocking the merger between Hutchison and O2. Europe has lagged in telecom investment, prices continue to fall, and the region is an ever-decreasing share of the world market (where it once was the world leader). Operators can bridge the gap by reducing the hype in the merger declarations.  The alternative to consolidation is "consolidation light" in which operators share infrastructure. One of the ways to do this is through national roaming agreements, as described this in the report  Understanding the impact of national roaming on investments and competition. Strand Consult has published extensively on mergers and acquisitions in the mobile industry. Look at what creates competition in the telecommunications industry? Can the number of mobile operators be compared with the number infrastructure equipment providers like Huawei, Ericsson, Nokia, Samsung and ZTE? Broadband via wireless solutions - fibre in the air 2021 will see increasing substitution of 4G and 5G/FWA solutions for fixed broadband connections. While consumers are increasingly cutting the cord and going all wireless for broadband, many policymakers and advocates have resisted accepting this trend. They want to perpetuate outdated regulatory silos. Meanwhile mobile operators will join forces with fibre to the home providers and offer broadband through Fixed Wireless Access (FWA). Larger operators with a fixed and a mobile busines will rely on these solutions to supplement fixed broadband. The coming focus on hardware security The most common cyberattacks come from organized crime and state-sponsored actors for financial and espionage reasons. This year was no different than others for the large-scale cyberattacks. This policy failing reflects the lack of a holistic approach to network security and frequently an overfocus on software. 2021 should see a greater focus on all network elements and their provenance, including the servers which process data and the laptops and devices connected to them.  While efforts to remove Huawei should be applauded, security is not improved if Huawei’s replacement is just another Chinese government-owned vendor like GE, Motorola, and Lenovo, once American companies, now owned by Chinese government affiliated interests. Net neutrality back from the dead “Open internet”, “internet regulation”, and “net neutrality” are predicated on the theory that network owners will harm network users. Europe has long had these rules in place, rules based on flawed theories which have not been shown to increase innovation, investment, or user rights. When practice disproves the theory, it’s time to update the rules. In the US, the Federal Communication Commission repealed such rules in 2017. It restored jurisdiction of anticompetitive practices in the broadband market to the Federal Trade Commission. This move is associated with an increase in broadband investment, speed, and quality. It would be unfortunate to return to a policy which deters network investment and innovation precisely when people increasingly depend on networks for work, school, and health care. As Strand Consult’s many reports on net neutrality assiduously document, internet regulation is promoted by Silicon Valley hyper giants and their policy advocates. Open internet means that Silicon Valley pays zero for data transmission while consumers pay 100 percent, whether or not they use the services from the giants. This policy contradicts the practice and experience of other communications networks in which content providers played a role to reduce the cost to end users. Hard net neutrality is not empirically correlated with increased innovation. Moreover, many countries with such rules have a persistent gap in investment, particularly in rural areas. Conclusion In 2020 Strand Consult published many research notes and reports to help mobile telecom companies navigate a complex world and to create transparency in policy and regulatory debates. For the last 19 years, Strand Consult has reviewed the year and offered predictions for the coming year. We invite you to see for yourself whether we were right over the years.

Did you get this e-mail forwarded from a colleague? Then sign up for the Strand Consult newsletter and receive free research notes.

See also our latest reports about the mobile industry Learn about our workshops

About Strand Consult Strand Consult, an independent company, produces strategic reports, research notes and workshops on the mobile telecom industry. Learn more about John Strand. Learn more about Strand Consult.

 

On 4 January, the Commission launched a European competence centre aiming to preserve and conserve European Cultural Heritage. The centre, which will work for a period of three years, has been granted up to €3 million from the Horizon 2020 programme. It will set up a collaborative digital space for cultural heritage conservation and give access to repositories of data, metadata, standards and guidelines. Istituto Nazionale di Fisica Nucleare in Italy co-ordinates the team of 19 beneficiaries that are coming from 11 EU member states, Switzerland and Moldova.

The Commission has also launched two projects to support digital education, worth up to €1 million each, through Horizon 2020. The first project, MenSI, focuses on mentoring for school improvement and will run until February 2023. MenSI aims to mobilise 120 schools in six member states (Belgium, Czechia, Croatia, Italy, Hungary, Portugal) and the United Kingdom to advance digital innovation, in particular in small or rural schools and for socially disadvantaged students. The second project, iHub4Schools, will run until June 2023 and will accelerate digital innovation in schools thanks to the creation of regional innovation hubs and a mentoring model. 600 teachers in 75 schools will participate and the hubs will be established in 5 countries (Estonia, Lithuania, Finland, United Kingdom, Georgia). Italy and Norway will also benefit from the mentoring scheme. More information about the newly launched projects is available here.

Today (16 December) the Commission and the High Representative of the Union for Foreign Affairs and Security Policy are presenting a new EU Cybersecurity Strategy. As a key component of Shaping Europe's Digital Future, the Recovery Plan for Europe and the EU Security Union Strategy, the Strategy will bolster Europe's collective resilience against cyber threats and help to ensure that all citizens and businesses can fully benefit from trustworthy and reliable services and digital tools. Whether it is the connected devices, the electricity grid, or the banks, planes, public administrations and hospitals Europeans use or frequent, they deserve to do so with the assurance that they will be shielded from cyber threats.

The new Cybersecurity Strategy also allows the EU to step up leadership on international norms and standards in cyberspace, and to strengthen cooperation with partners around the world to promote a global, open, stable and secure cyberspace, grounded in the rule of law, human rights, fundamental freedoms and democratic values. Furthermore, the Commission is making proposals to address both cyber and physical resilience of critical entities and networks: a Directive on measures for high common level of cybersecurity across the Union (revised NIS Directive or ‘NIS 2'), and a new Directive on the resilience of critical entities.

They cover a wide range of sectors and aim to address current and future online and offline risks, from cyberattacks to crime or natural disasters, in a coherent and complementary way. Trust and security at the heart of the EU Digital Decade The new Cybersecurity Strategy aims to safeguard a global and open Internet, while at the same time offering safeguards, not only to ensure security but also to protect European values and the fundamental rights of everyone.

Building upon the achievements of the past months and years, it contains concrete proposals for regulatory, investment and policy initiatives, in three areas of EU action: 1. Resilience, technological sovereignty and leadership
Under this strand of action the Commission proposes to reform the rules on the security of network and information systems, under a Directive on measures for high common level of cybersecurity across the Union (revised NIS Directive or ‘NIS 2'), in order to increase the level of cyber resilience of critical public and private sectors: hospitals, energy grids, railways, but also data centres, public administrations, research labs and manufacturing of critical medical devices and medicines, as well as other critical infrastructure and services, must remain impermeable, in an increasingly fastmoving and complex threat environment. The Commission also proposes to launch a network of Security Operations Centres across the EU, powered by artificial intelligence (AI), which will constitute a real ‘cybersecurity shield' for the EU, able to detect signs of a cyberattack early enough and to enable proactive action, before damage occurs. Additional measures will include dedicated support to small and medium-sized businesses (SMEs), under the Digital Innovation Hubs, as well as increased efforts to upskill the workforce, attract and retain the best cybersecurity talent and invest in research and innovation that is open, competitive and based on excellence.
2. Building operational capacity to prevent, deter and respond
The Commission is preparing, through a progressive and inclusive process with the member states, a new Joint Cyber Unit, to strengthen cooperation between EU bodies and member state authorities responsible for preventing, deterring and responding to cyber-attacks, including civilian, law enforcement, diplomatic and cyber defence communities. The High Representative puts forward proposals to strengthen the EU Cyber Diplomacy Toolbox to prevent, discourage, deter and respond effectively against malicious cyber activities, notably those affecting our critical infrastructure, supply chains, democratic institutions and processes. The EU will also aim to further enhance cyber defence cooperation and develop state-of-the-art cyber defence capabilities, building on the work of the European Defence Agency and encouraging Mmmber states to make full use of the Permanent Structured Cooperation and the European Defence Fund.
3. Advancing a global and open cyberspace through increased co-operation
The EU will step up work with international partners to strengthen the rules-based global order, promote international security and stability in cyberspace, and protect human rights and fundamental freedoms online. It will advance international norms and standards that reflect these EU core values, by working with its international partners in the United Nations and other relevant fora. The EU will further strengthen its EU Cyber Diplomacy Toolbox, and increase cyber capacity-building efforts to third countries by developing an EU External Cyber Capacity Building Agenda. Cyber dialogues with third countries, regional and international organizations as well as the multistakeholder community will be intensified.

The EU will also form an EU Cyber Diplomacy Network around the world to promote its vision of cyberspace. The EU is committed to supporting the new Cybersecurity Strategy with an unprecedented level of investment in the EU's digital transition over the next seven years, through the next long-term EU budget, notably the Digital Europe Programme and Horizon Europe, as well as the Recovery Plan for Europe. Member States are thus encouraged to make full use of the EU Recovery and Resilience Facility to boost cybersecurity and match EU-level investment.

The objective is to reach up to €4.5 billion of combined investment from the EU, the member states and the industry, notably under the Cybersecurity Competence Centre and Network of Coordination Centres, and to ensure that a major portion gets to SMEs. The Commission also aims at reinforcing the EU's industrial and technological capacities in cybersecurity, including through projects supported jointly by EU and national budgets. The EU has the unique opportunity to pool its assets to enhance its strategic autonomy and propel its leadership in cybersecurity across the digital supply chain (including data and cloud, next generation processor technologies, ultra-secure connectivity and 6G networks), in line with its values and priorities.

Cyber and physical resilience of network, information systems and critical entities Existing EU-level measures aimed at protecting key services and infrastructures from both cyber and physical risks need to be updated. Cybersecurity risks continue to evolve with growing digitalisation and interconnectedness. Physical risks have also become more complex since the adoption of the 2008 EU rules on critical infrastructure, which currently only cover the energy and transport sectors. The revisions aim at updating the rules following the logic of the EU's Security Union strategy, overcoming the false dichotomy between online and offline and breaking down the silo approach.

To respond to the growing threats due to digitalisation and interconnectedness, the proposed Directive on measures for high common level of cybersecurity across the Union (revised NIS Directive or ‘NIS 2') will cover medium and large entities from more sectors based on their criticality for the economy and society. NIS 2 strengthens security requirements imposed on the companies, addresses security of supply chains and supplier relationships, streamlines reporting obligations, introduces more stringent supervisory measures for national authorities, stricter enforcement requirements and aims at harmonising sanctions regimes across Member States. The NIS 2 proposal will help increase information sharing and cooperation on cyber crisis management at national and EU level. The proposed Critical Entities Resilience (CER) Directive expands both the scope and depth of the 2008 European Critical Infrastructure directive. Ten sectors are now covered: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space. Under the proposed directive, member states would each adopt a national strategy for ensuring the resilience of critical entities and carry out regular risk assessments. These assessments would also help identify a smaller subset of critical entities that would be subject to obligations intended to enhance their resilience in the face of non-cyber risks, including entitylevel risk assessments, taking technical and organisational measures, and incident notification.

The Commission, in turn, would provide complementary support to member states and critical entities, for instance by developing a Union-level overview of cross-border and cross-sectoral risks, best practice, methodologies, cross-border training activities and exercises to test the resilience of critical entities. Securing the next generation of networks: 5G and beyond Under the new Cybersecurity Strategy, member states, with the support of the Commission and ENISA - the European Cybersecurity Agency, are encouraged to complete the implementation of the EU 5G Toolbox, a comprehensive and objective risk-based approach for the security of 5G and future generations of networks.

According to a report published today, on the impact of the Commission Recommendation on the Cybersecurity of 5G networks and the progress in implementing the EU toolbox of mitigating measures, since the progress report of July 2020, most Member States are already well on track of implementing the recommended measures. They should now aim to complete their implementation by the second quarter of 2021 and ensure that identified risks are adequately mitigated, in a coordinated way, particularly with a view to minimising the exposure to high-risk suppliers and avoiding dependency on these suppliers. The Commission also sets out today key objectives and actions aimed at continuing the coordinated work at EU-level.

A Europe Fit for the Digital Age Executive Vice President Margrethe Vestager said: "Europe is committed to the digital transformation of our society and economy. So we need to support it with unprecedented levels of investment. The digital transformation is accelerating, but can only succeed if people and businesses can trust that the connected products and services - on which they rely – are secure."

High Representative Josep Borrell said: "International security and stability depends more than ever on a global, open, stable and secure cyberspace where the rule of law, human rights, freedoms and democracy are respected. With today's strategy the EU is stepping up to protect its governments, citizens and businesses from global cyber threats, and to provide leadership in cyberspace, making sure everybody can reap the benefits of the Internet and the use of technologies."

Promoting our European Way of Life Vice President Margaritis Schinas said: "Cybersecurity is a central part of the Security Union. There is no longer a distinction between online and offline threats. Digital and physical are now inextricably intertwined. Today's set of measures show that the EU is ready to use all of its resources and expertise to prepare for and respond to physical and cyber threats with the same level of determination."

Internal Market Commissioner Thierry Breton said: "Cyber threats evolve fast, they are increasingly complex and adaptable. To make sure our citizens and infrastructures are protected, we need to think several steps ahead, Europe's resilient and autonomous Cybersecurity Shield will mean we can utilise our expertise and knowledge to detect and react faster, limit potential damages and increase our resilience. Investing in cybersecurity means investing in the healthy future of our online environments and in our strategic autonomy."

Home Affairs Commissioner Ylva Johansson said: "Our hospitals, waste water systems or transport infrastructure are only as strong as their weakest links; disruptions in one part of the Union risk affecting the provision of essential services elsewhere. To ensure the smooth functioning of the internal market and the livelihoods of those living in Europe, our key infrastructure must be resilient against risks such as natural disasters, terrorist attacks, accidents and pandemics like the one we are experiencing today. My proposal on critical infrastructure does just that."

Next steps

The European Commission and the High Representative are committed to implementing the new Cybersecurity Strategy in the coming months. They will regularly report on the progress made and keep the European Parliament, the Council of the European Union, and stakeholders fully informed and engaged in all relevant actions. It is now for the European Parliament and the Council to examine and adopt the proposed NIS 2 Directive and the Critical Entities Resilience Directive. Once the proposals are agreed and consequently adopted, member states would then have to transpose them within 18 months of their entry into force.

The Commission will periodically review the NIS 2 Directive and the Critical Entities Resilience Directive and report on their functioning. Background Cybersecurity is one of the Commission's top priorities and a cornerstone of the digital and connected Europe. An increase of cyber-attacks during the coronavirus crisis have shown how important it is to protect hospitals, research centres and other infrastructure. Strong action in the area is needed to future-proof the EU's economy and society. The new Cybersecurity Strategy proposes to integrate cybersecurity into every element of the supply chain and bring further together EU's activities and resources across the four communities of cybersecurity – internal market, law enforcement, diplomacy and defence.

It builds on the EU' Shaping Europe's Digital Future and the EU Security Union Strategy, and leans on a number of legislative acts, actions and initiatives the EU has implemented to strengthen cybersecurity capacities and ensure a more cyber-resilient Europe. This includes the Cybersecurity strategy of 2013, reviewed in 2017, and the Commission's European Agenda on Security 2015-2020. It also recognises the increasing inter-connection between internal and external security, in particular through the Common Foreign and Security Policy. The first EU-wide law on cybersecurity, the NIS Directive, that came into force in 2016 helped to achieve a common high level of security of network and information systems across the EU. As part of its key policy objective to make Europe fit for the digital age, the Commission announced the revision of the NIS Directive in February this year.

The EU Cybersecurity Act that is in force since 2019 equipped Europe with a framework of cybersecurity certification of products, services and processes and reinforced the mandate of the EU Agency for Cybersecurity (ENISA). As regards Cybersecurity of 5G networks, Member States, with the support of the Commission and ENISA have established, with the EU 5G Toolbox adopted in January 2020, a comprehensive and objective risk-based approach. The Commission review of its Recommendation of March 2019 on the cybersecurity of 5G networks found that most member states have made progress in implementing the Toolbox. Starting from the 2013 EU Cybersecurity strategy, the EU has developed a coherent and holistic international cyber policy.

Working with its partners at bilateral, regional and international level, the EU has promoted a global, open, stable and secure cyberspace guided by EU's core values and grounded in the rule of law. The EU has supported third countries in increasing their cyber resilience and ability to tackle cybercrime, and has used its 2017 EU cyber diplomacy toolbox to further contribute to international security and stability in cyberspace, including by applying for the first time its 2019 cyber sanctions regime and listing 8 individuals and 4 entities and bodies. The EU has made significant progress also on cyber defence cooperation, including as regards cyber defence capabilities, notably in the framework of its Cyber Defence Policy Framework (CDPF), as well as in the context of the Permanent Structured Cooperation (PESCO) and the work of the European Defence Agency. Cybersecurity is a priority also reflected in the EU's next long-term budget (2021-2027).

Under the Digital Europe Programme the EU will support cybersecurity research, innovation and infrastructure, cyber defence, and the EU's cybersecurity industry. In addition, in its response to the Coronavirus crisis, which saw increased cyberattacks during the lockdown, additional investments in cybersecurity are ensured under the Recovery Plan for Europe. The EU has long recognized the need to ensure the resilience of critical infrastructures providing services which are essential for the smooth running of the internal market and the lives and livelihoods of European citizens. For this reason, the EU established the European Programme for Critical Infrastructure Protection (EPCIP) in 2006 and adopted the European Critical Infrastructure (ECI) Directive in 2008, which applies to the energy and transport sectors. These measures were complemented in later years by various sectoral and cross-sectoral measures on specific aspects such as climate proofing, civil protection, or foreign direct investment.