ENISA Releases 5G Threat Landscape 2023 Report — January 23, 2024
ENISA’s 2023 5G Threat Landscape demands telecom boards tighten supply chain assurance, slicing isolation, and open RAN governance, providing a blueprint for NIS2-era resilience programs.
Fact-checked and reviewed — Kodi C.
The European Union Agency for Cybersecurity (ENISA) published its 5G Threat Landscape 2023, a 150-page analysis of how adversaries are targeting European fifth-generation (5G) networks. The report catalogs vulnerabilities across radio access networks (RAN), 5G core, supply chains, and operational processes, providing telecom operators and national regulators with a roadmap for implementing the EU 5G Toolbox and preparing for NIS2 enforcement. For boards overseeing communications providers, the study sets expectations for governance, investment, and assurance as 5G becomes critical infrastructure for industry, energy, health, and smart city services.
Evolving threat environment. ENISA observes that geopolitical tensions, the spread of advanced persistent threat (APT) actors, and the expansion of 5G into industrial control use cases have elevated the stakes for telecom security. Attackers are refining techniques against service-based architecture interfaces (for example, Nsmf_PDUSession, Nnrf_NFDiscovery), exploiting vendor management gaps to implant backdoors, and targeting virtualized infrastructure with ransomware. The adoption of open RAN and cloud-native network functions introduces new software supply chains and accelerates release cycles, increasing the risk of misconfigurations and unpatched components. ENISA also highlights insider threats, fraudulent provisioning, and weaknesses in lawful intercept setups as rising areas of concern.
Supply chain assurance. The report dedicates significant attention to third-party risk, noting that 5G networks rely on complex ecosystems of hardware suppliers, software developers, integrators, and managed service providers. ENISA recommends rigorous vendor onboarding, including threat intelligence-informed risk assessments, contractual requirements for secure development lifecycle practices, and continuous monitoring of firmware and software bill of materials. Operators should align with ETSI TS 103 645 for IoT components, use Common Criteria or EUCC certification where available, and require tamper-evident logging on maintenance interfaces. Boards should demand an enterprise-wide supplier assurance program that maps dependencies, tracks vulnerability disclosures, and documents mitigation responses for regulators.
Network slicing and edge computing controls. As operators monetise 5G network slicing for enterprise customers, ENISA warns that inadequate isolation between slices could allow lateral movement or traffic sniffing. The report advises implementing strict admission control policies, per-slice telemetry, micro-segmentation, and authentication of slice management APIs. For mobile edge computing environments, operators must ensure that workload orchestration, hardware root of trust, and secure boot mechanisms are consistent with centralized cloud security standards. Governance teams should maintain risk registers for each high-value slice (for example, emergency services, industrial automation) and conduct joint exercises with customers to validate failover and incident response processes.
Open RAN governance. ENISA acknowledges the innovation benefits of open RAN but stresses the need for rigorous certification and integration testing. Operators should verify conformance with the O-RAN Alliance’s security specifications, implement mutual authentication between network functions, and monitor the RAN Intelligent Controller (RIC) for anomalous xApps or rApps. Change management processes must cover the lifecycle of third-party applications deployed in the RIC, including code reviews, penetration testing, and rollback plans. Boards should require that procurement decisions for open RAN components include independent security assessments and that deviations from baseline configurations receive executive approval.
Alignment with EU policy instruments. The report reiterates the link between ENISA guidance and the EU 5G Toolbox, which outlines strategic, technical, and supporting measures for member states. Operators should document how each Toolbox recommendation—such as enforcing strict access controls, limiting suppliers per network, and performing regular security audits—is implemented within their networks. The study also connects 5G risk management to the forthcoming application of the NIS2 Directive, which will impose stricter incident reporting timelines, supply chain oversight, and accountability for essential entities. Governance teams must ensure they can produce evidence of compliance, including security policy documents, third-party contracts, and incident response playbooks mapped to NIS2 obligations.
Operational resilience priorities. ENISA emphasizes detection and response capabilities, recommending continuous monitoring of signaling traffic, anomaly detection for control-plane messages, and deployment of deception technologies to spot rogue base stations. Operators should maintain cross-functional security operations centers (SOCs) with expertise in telecommunications protocols such as Diameter, GTP, and HTTP/2 used by service-based architectures. Incident response plans must address coordinated attacks that span physical sites, virtual infrastructure, and customer-facing services. Boards should review resilience metrics—mean time to detect, mean time to restore, number of zero-day mitigations implemented—to ensure investment aligns with risk appetite.
Data protection and lawful intercept. The report notes that privacy regulators expect strong controls over subscriber data in 5G core functions, especially when data is distributed across edge nodes. Operators should enforce encryption for data at rest and in transit, implement strict key management practices, and audit access to subscriber identity information (SUCI/SUPI). ENISA also calls for improved oversight of lawful intercept systems, including segregation of duties, immutable logging, and independent audits to prevent abuse. Compliance teams must coordinate with data protection officers to align 5G deployments with the General Data Protection Regulation (GDPR) and forthcoming EU electronic communications regulations.
Third-party ecosystem coordination. ENISA recommends that operators collaborate with equipment vendors, cloud providers, and enterprise customers through threat intelligence sharing, joint red-teaming, and coordinated vulnerability disclosure. Service level agreements should require response times for security patches, participation in emergency exercises, and access to forensic data during incidents. Operators should also engage with national cybersecurity agencies, adhering to information-sharing protocols and ensuring readiness for coordinated responses under the EU’s Joint Cyber Unit frameworks.
Implementation roadmap. Telecom governance teams can translate the report into a phased program. Phase 1 focuses on assessing current maturity: perform gap analyses against ENISA’s recommendations, catalog critical assets, and prioritize remediation for high-risk vulnerabilities. Phase 2 emphasizes control deployment: strengthen supply chain vetting, harden network slicing policies, integrate open RAN security controls, and upgrade SOC analytics for 5G protocols. Phase 3 delivers assurance: conduct independent audits, run crisis exercises involving regulators and key customers, and produce transparent board reporting that connects investment to risk reduction. Documenting progress and residual risk will be essential as NIS2 introduces administrative fines for inadequate governance.
Metrics and board reporting. Boards should expect regular dashboards tracking compliance with EU 5G Toolbox measures, number of suppliers certified under recognized schemes, coverage of security testing across network functions, and incident response performance. Additional indicators include percentage of network slices with dedicated security baselines, time to deploy patches for critical vulnerabilities, and results from red-team or purple-team exercises. Internal audit should schedule reviews of supply chain management, configuration hardening, and incident response readiness, providing assurance that ENISA’s guidance is embedded into operational processes.
ENISA’s 5G Threat Landscape underscores that 5G security is no longer a purely technical concern but a board-level governance challenge. Operators that invest in complete supply chain assurance, disciplined network slicing controls, open RAN governance, and transparent reporting will be better positioned to meet regulatory expectations, protect customers, and sustain trust as 5G underpins critical services across Europe.
Rollout plan
If you are affected, develop setup roadmaps that account for resource constraints, dependencies, and risk priorities. Phased approaches typically provide better outcomes than attempting full changes simultaneously. Early wins build momentum and show value to teams.
Progress monitoring should track setup activities against planned timelines and identify potential issues requiring intervention. Regular reporting keeps teams informed and maintains organizational focus on setup priorities.
Stakeholder communication
Effective stakeholder engagement ensures alignment on objectives, expectations, and setup approaches. Communication should be tailored to different audiences, providing appropriate levels of detail for technical and executive teams.
Change management processes should address organizational readiness and potential resistance to new requirements or practices. Training and support resources help ensure successful adoption of required changes.
Sustaining progress
Continuous improvement processes should incorporate lessons learned and feedback from setup experiences. Regular reviews help identify improvement opportunities and ensure approaches remain aligned with evolving requirements.
Documentation of setup activities and outcomes provides evidence of due diligence and supports ongoing maintenance. Knowledge capture ensures institutional learning is preserved for future reference.
Source material
- ENISA 5G Threat Landscape 2023
- ENISA Press Release — ENISA Publishes the 5G Threat Landscape 2023
- ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization