Key Takeaways
- The European Commission has proposed a revision to the Cybersecurity Act to reduce risks from "high-risk" suppliers in the EU’s information and communication technology supply chains.
- The proposal aims to address concerns over Chinese technology groups, such as Huawei and ZTE, and their potential impact on the EU’s 5G infrastructure.
- The revised framework would allow for EU-level risk assessments and potential restrictions or bans on certain equipment used in sensitive infrastructure.
- The EU Agency for Cybersecurity, ENISA, would gain a more operational mandate, including issuing early warnings on emerging cyber threats and coordinating responses to major incidents.
- The proposal would also simplify administrative burdens for companies, streamlining certification procedures and reducing compliance costs.
Introduction to the Revised Cybersecurity Act
The European Commission has presented a revision of the Cybersecurity Act, aimed at reducing risks linked to "high-risk" suppliers in the EU’s information and communication technology supply chains. The scope of the proposal is broad, covering companies providing equipment and services for telecom networks, data centres, cloud services, connected devices, and social media platforms. Although the proposal does not specifically name any firms, EU officials acknowledge that it builds on longstanding concerns over Chinese technology groups, notably Huawei and ZTE, particularly in mobile networks. The move follows years of frustration in Brussels over the uneven application of the EU’s voluntary 5G Security Toolbox, introduced in 2020 to encourage member states to limit reliance on high-risk vendors.
The Need for Stricter Measures
Cyberattacks are becoming increasingly frequent across the EU, ranging from ransomware and espionage to attempts to destabilise critical infrastructure. The Commission says the number of reported incidents is rising, with around 150 attacks reported across the bloc in the last week alone. Tech Commissioner Henna Virkkunen has repeatedly warned that voluntary measures have not gone far enough, and that stricter and more coordinated action is needed to address the risks posed by high-risk suppliers. Addressing the European Parliament last month, she argued that high-risk suppliers remain present in critical parts of Europe’s 5G infrastructure, and that more needs to be done to mitigate these risks.
Reining in Risk
Under the revised framework, the Commission would be able to organise EU-level risk assessments and, where justified, support restrictions or bans on certain equipment used in sensitive infrastructure. Member states would jointly assess risks based on a supplier’s country of origin and its implications for national security. While telecoms is the most advanced sector in terms of risk assessment, the approach could later be extended to other areas, from energy systems and transport to connected vehicles and security equipment. The Commission has also signalled that the framework would remain country-neutral in principle, meaning suppliers from other partners – including the United States – could theoretically be scrutinised in future as regulatory tensions grow, particularly around social media and data governance.
The Role of ENISA
The proposal significantly strengthens the role of the EU Agency for Cybersecurity, ENISA. The agency would gain a more operational mandate, including issuing early warnings on emerging cyber threats and coordinating responses to major incidents such as ransomware attacks, in cooperation with Europol and national authorities. ENISA would also oversee a single EU entry point for incident reporting, designed to accelerate responses and improve cross-border situational awareness. This would enable the EU to respond more quickly and effectively to cyber threats, and to improve its overall cybersecurity posture.
Simplification and Implementation
The Commission is pursuing its broader simplification agenda, promising lighter administrative burdens for companies. Certification procedures would be streamlined, and targeted changes to existing legislation aim to reduce compliance costs, particularly for firms operating across multiple member states. The proposal will now be negotiated by the European Parliament and EU governments, where resistance is expected from some capitals wary of increased EU involvement in national security decisions. The revised Cybersecurity Act is unlikely to take effect for several years, raising questions about the EU's capacity to counter foreign interference that is already under way.
Conclusion and Future Directions
The revised Cybersecurity Act proposes a significant overhaul of the EU's approach to cybersecurity, focused on reducing risks from "high-risk" suppliers and strengthening the role of ENISA. While the proposal is likely to face resistance from some member states, it is a necessary step towards improving the EU's cybersecurity posture and protecting its critical infrastructure from cyber threats. As the EU continues to navigate a complex and evolving cybersecurity landscape, a proactive and coordinated approach to these risks is essential, as is close cooperation with member states and other stakeholders to implement the revised Cybersecurity Act effectively.