Key Takeaways
- The European Commission has proposed new cybersecurity legislation to secure telecommunications networks and strengthen defenses against state-backed and cybercrime groups.
- The legislation would grant the Commission authority to organize EU-wide risk assessments and support restrictions or bans on certain equipment used in sensitive infrastructure.
- The revised Cybersecurity Act would mandate the removal of high-risk foreign suppliers from European mobile telecommunications networks and streamline certification procedures for companies.
- The EU Agency for Cybersecurity (ENISA) would be empowered to issue early threat alerts, operate a single entry point for incident reporting, and help companies respond to ransomware attacks.
- The legislation aims to secure information and communication technology (ICT) supply chains and ensure greater safety for all.
Introduction to the New Cybersecurity Legislation
The European Commission has proposed new cybersecurity legislation aimed at securing telecommunications networks and strengthening defenses against state-backed and cybercrime groups targeting critical infrastructure. This move follows years of frustration over the uneven application of the EU’s voluntary 5G Security Toolbox, introduced in January 2020 to encourage member states to limit reliance on high-risk vendors. The new proposal is a significant step towards securing the EU’s critical infrastructure and ensuring the safety of its citizens.
Background and Context
The EU’s 5G Security Toolbox was introduced in 2020 to encourage member states to limit their reliance on high-risk vendors, particularly Chinese tech companies such as Huawei and ZTE. However, the voluntary nature of the toolbox led to uneven implementation across member states, prompting the Commission to propose more stringent measures. The new cybersecurity package would grant the Commission authority to organize EU-wide risk assessments and support restrictions or bans on certain equipment used in sensitive infrastructure. EU member states would also jointly assess risks across the EU’s 18 critical sectors based on the suppliers’ countries of origin and national security implications.
The Revised Cybersecurity Act
The revised Cybersecurity Act is a key component of the new cybersecurity package. It would mandate the removal of high-risk foreign suppliers from European mobile telecommunications networks and streamline certification procedures for companies. The Act would also empower the EU Agency for Cybersecurity (ENISA) to issue early threat alerts, operate a single entry point for incident reporting, and help companies respond to ransomware attacks, in cooperation with Europol and computer security incident response teams. ENISA would also establish EU-wide cybersecurity skills attestation schemes and pilot a Cybersecurity Skills Academy to build a European cybersecurity workforce.
Implementation and Timeline
The Cybersecurity Act would take effect immediately upon approval by the European Parliament and the Council of the EU, with member states having one year to implement cybersecurity amendments into national law. This would provide a clear timeline for member states to adapt to the new legislation and ensure a coordinated approach to cybersecurity across the EU. As EU tech commissioner Henna Virkkunen stated, "Cybersecurity threats are not just technical challenges. They are strategic risks to our democracy, economy, and way of life."
Conclusion and Future Implications
The proposed cybersecurity legislation is a significant development in the EU’s efforts to secure its critical infrastructure and protect its citizens from cyber threats. The revised Cybersecurity Act would provide a framework for the removal of high-risk foreign suppliers, streamline certification procedures, and empower ENISA to play a more active role in cybersecurity. As the EU continues to navigate the complexities of cybersecurity, this legislation is an important step towards ensuring greater safety for all. The EU’s approach to cybersecurity will likely have implications for other regions and countries, and it will be interesting to see how this legislation evolves and is implemented in the coming years.


