ENISA Releases 5G Threat Landscape 2023 Report — January 23, 2024
ENISA’s 2023 5G Threat Landscape demands telecom boards tighten supply chain assurance, slicing isolation, and open RAN governance, providing a blueprint for NIS2-era resilience programmes.
Executive briefing: On , the European Union Agency for Cybersecurity (ENISA) published its 5G Threat Landscape 2023, a 150-page analysis of how adversaries are targeting European fifth-generation (5G) networks. The report catalogues vulnerabilities across radio access networks (RAN), 5G core, supply chains, and operational processes, providing telecom operators and national regulators with a roadmap for implementing the EU 5G Toolbox and preparing for NIS2 enforcement. For boards overseeing communications providers, the study sets expectations for governance, investment, and assurance as 5G becomes critical infrastructure for industry, energy, health, and smart city services.
Evolving threat environment. ENISA observes that geopolitical tensions, the proliferation of advanced persistent threat (APT) actors, and the expansion of 5G into industrial control use cases have elevated the stakes for telecom security. Attackers are refining techniques against service-based architecture interfaces (e.g., Nsmf_PDUSession, Nnrf_NFDiscovery), exploiting vendor management gaps to implant backdoors, and targeting virtualised infrastructure with ransomware. The adoption of open RAN and cloud-native network functions introduces new software supply chains and accelerates release cycles, increasing the risk of misconfigurations and unpatched components. ENISA also highlights insider threats, fraudulent provisioning, and weaknesses in lawful intercept implementations as rising areas of concern.
Supply chain assurance. The report dedicates significant attention to third-party risk, noting that 5G networks rely on complex ecosystems of hardware suppliers, software developers, integrators, and managed service providers. ENISA recommends rigorous vendor onboarding, including threat intelligence-informed risk assessments, contractual requirements for secure development lifecycle practices, and continuous monitoring of firmware and software bill of materials. Operators should align with ETSI TS 103 645 for IoT components, use Common Criteria or EUCC certification where available, and require tamper-evident logging on maintenance interfaces. Boards should demand an enterprise-wide supplier assurance programme that maps dependencies, tracks vulnerability disclosures, and documents mitigation responses for regulators.
Network slicing and edge computing controls. As operators monetise 5G network slicing for enterprise customers, ENISA warns that inadequate isolation between slices could allow lateral movement or traffic sniffing. The report advises implementing strict admission control policies, per-slice telemetry, micro-segmentation, and authentication of slice management APIs. For mobile edge computing environments, operators must ensure that workload orchestration, hardware root of trust, and secure boot mechanisms are consistent with centralised cloud security standards. Governance teams should maintain risk registers for each high-value slice (e.g., emergency services, industrial automation) and conduct joint exercises with customers to validate failover and incident response processes.
Open RAN governance. ENISA acknowledges the innovation benefits of open RAN but stresses the need for rigorous certification and integration testing. Operators should verify conformance with the O-RAN Alliance’s security specifications, implement mutual authentication between network functions, and monitor the RAN Intelligent Controller (RIC) for anomalous xApps or rApps. Change management processes must cover the lifecycle of third-party applications deployed in the RIC, including code reviews, penetration testing, and rollback plans. Boards should mandate that procurement decisions for open RAN components include independent security assessments and that deviations from baseline configurations receive executive approval.
Alignment with EU policy instruments. The report reiterates the link between ENISA guidance and the EU 5G Toolbox, which outlines strategic, technical, and supporting measures for member states. Operators should document how each Toolbox recommendation—such as enforcing strict access controls, limiting suppliers per network, and performing regular security audits—is implemented within their networks. The study also connects 5G risk management to the forthcoming application of the NIS2 Directive, which will impose stricter incident reporting timelines, supply chain oversight, and accountability for essential entities. Governance teams must ensure they can produce evidence of compliance, including security policy documents, third-party contracts, and incident response playbooks mapped to NIS2 obligations.
Operational resilience priorities. ENISA emphasises detection and response capabilities, recommending continuous monitoring of signalling traffic, anomaly detection for control-plane messages, and deployment of deception technologies to spot rogue base stations. Operators should maintain cross-functional security operations centres (SOCs) with expertise in telecommunications protocols such as Diameter, GTP, and HTTP/2 used by service-based architectures. Incident response plans must address coordinated attacks that span physical sites, virtual infrastructure, and customer-facing services. Boards should review resilience metrics—mean time to detect, mean time to restore, number of zero-day mitigations implemented—to ensure investment aligns with risk appetite.
Data protection and lawful intercept. The report notes that privacy regulators expect robust controls over subscriber data in 5G core functions, especially when data is distributed across edge nodes. Operators should enforce encryption for data at rest and in transit, implement strict key management practices, and audit access to subscriber identity information (SUCI/SUPI). ENISA also calls for enhanced oversight of lawful intercept systems, including segregation of duties, immutable logging, and independent audits to prevent abuse. Compliance teams must coordinate with data protection officers to align 5G deployments with the General Data Protection Regulation (GDPR) and forthcoming EU electronic communications regulations.
Third-party ecosystem coordination. ENISA recommends that operators collaborate with equipment vendors, cloud providers, and enterprise customers through threat intelligence sharing, joint red-teaming, and coordinated vulnerability disclosure. Service level agreements should stipulate response times for security patches, participation in emergency exercises, and access to forensic data during incidents. Operators should also engage with national cybersecurity agencies, adhering to information-sharing protocols and ensuring readiness for coordinated responses under the EU’s Joint Cyber Unit frameworks.
Implementation roadmap. Telecom governance teams can translate the report into a phased programme. Phase 1 focuses on assessing current maturity: perform gap analyses against ENISA’s recommendations, catalogue critical assets, and prioritise remediation for high-risk vulnerabilities. Phase 2 emphasises control deployment: strengthen supply chain vetting, harden network slicing policies, integrate open RAN security controls, and upgrade SOC analytics for 5G protocols. Phase 3 delivers assurance: conduct independent audits, run crisis exercises involving regulators and key customers, and produce transparent board reporting that connects investment to risk reduction. Documenting progress and residual risk will be essential as NIS2 introduces administrative fines for inadequate governance.
Metrics and board reporting. Boards should expect regular dashboards tracking compliance with EU 5G Toolbox measures, number of suppliers certified under recognised schemes, coverage of security testing across network functions, and incident response performance. Additional indicators include percentage of network slices with dedicated security baselines, time to deploy patches for critical vulnerabilities, and results from red-team or purple-team exercises. Internal audit should schedule reviews of supply chain management, configuration hardening, and incident response readiness, providing assurance that ENISA’s guidance is embedded into operational processes.
ENISA’s 5G Threat Landscape underscores that 5G security is no longer a purely technical concern but a board-level governance challenge. Operators that invest in holistic supply chain assurance, disciplined network slicing controls, open RAN governance, and transparent reporting will be better positioned to meet regulatory expectations, protect customers, and sustain trust as 5G underpins critical services across Europe.
Continue in the Cybersecurity pillar
Return to the hub for curated research and deep-dive guides.
Latest guides
-
Cybersecurity Operations Playbook — Zeph Tech
Use Zeph Tech research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.