The European Commission has proposed sweeping revisions to its Cybersecurity Act, aiming to bolster oversight of high-risk technology suppliers operating within the EU. This move comes amid escalating cyberattacks and longstanding concerns about reliance on vendors from countries perceived to pose national security risks—most notably Chinese firms like Huawei and ZTE.
Rising Cyber Threats Fuel Action
Cyberattacks across the EU are increasing in frequency and sophistication. Recent data indicates around 150 reported incidents in the past week alone, encompassing ransomware, espionage, and attacks targeting critical infrastructure. This surge in activity underscores the urgency for a more coordinated approach to supply chain security.
For years, Brussels has expressed frustration with the voluntary nature of the 2020 5G Security Toolbox, which encouraged, but did not require, member states to limit high-risk vendors. Tech Commissioner Henna Virkkunen has repeatedly emphasized that voluntary measures are insufficient, given that high-risk suppliers remain embedded in Europe’s 5G networks.
New Powers for the Commission and ENISA
Under the revised framework, the Commission would gain the authority to conduct EU-level risk assessments, potentially leading to restrictions or bans on equipment used in sensitive infrastructure. Assessments will consider a supplier’s country of origin and its impact on national security, though the process is intended to be country-neutral in principle—meaning U.S. firms could also face scrutiny under certain conditions.
The EU Agency for Cybersecurity (ENISA) will also see its role significantly expanded. ENISA will issue early warnings on emerging threats, coordinate responses to major incidents (such as ransomware attacks) in collaboration with Europol and national authorities, and oversee a centralized EU incident reporting system.
Transition and Compliance Costs
The Commission acknowledges that phasing out high-risk suppliers will come with economic costs. Telecom operators will be given several years to transition away from these vendors, while the Commission promises to streamline certification procedures and reduce compliance burdens for companies operating across multiple member states. This simplification agenda aims to balance security concerns with economic realities.
Political Hurdles and Implementation Delays
The proposal now faces negotiations with the European Parliament and EU governments, where resistance is expected from capitals hesitant to cede control over national security decisions to Brussels. Given this opposition and the complexity of implementation, the revised Cybersecurity Act is unlikely to be fully operational for several years.
This delay raises questions about the EU’s ability to effectively counter existing foreign interference in critical infrastructure. While the new framework represents a significant step toward strengthening cybersecurity oversight, its long-term effectiveness will depend on swift and unified action from member states.
