Equally convergent is a refusal to name names - e.g. to exclude explicitly Huawei, although the UK decision bans ZTE, Huawei’s main competitor, from building British 5G infrastructure, accusing the company of posing risks that "cannot be mitigated". For the UK, this may be a political decision taken in London, perhaps helped by strong-arm tactics from China, and it is a loss of face for the US. In the case of the EU, it is a wish to avoid explicit discrimination, and a realization that risks go far beyond any single supplier. What is implied however at almost each page of these reports is that Huawei is to be treated as a potential security threat.
Facing "high-risk vendors"
Indeed, both texts from the EU and the UK determine or recommend multiple risk mitigation measures, often targeted at "high-risk vendors". The texts define "high-risk vendors" in terms that are not purely technical. The EU toolbox makes clear that "technical measures alone would not allow to address non-technical vulnerabilities". It includes access points - and especially base stations, a strong selling point of Huawei - as "high risk" if not "critical". The EU toolbox also lists in its "strategic measures" the importance of "assessing the risk profile of suppliers and applying restrictions for suppliers considered to be high risk, including necessary exclusions to effectively mitigate risks, for key assets". Exclusion is suggested as a response, but for "key assets" - this is the Commission’s recommendation to the Member States, and the minimal common denominator endorsed by the Member States.
As a new security blueprint by the National Cyber Security Centre (NCSC) of the British Government Communication Headquarters (GCHQ), the EU report questions the risk distinction between the core and the periphery of 5G systems, which is also is likely to evolve quickly. Many technical experts insist that this distinction will vanish during the transition from non-standalone 5G (essentially a 4G+ currently being built on top of existing 4G infrastructure) to standalone 5G.