The European Commission has introduced a comprehensive cybersecurity legislative package aimed at enhancing the safety of Information and Communication Technologies (ICT) supply chains within the European Union. This initiative seeks to phase out “high-risk” products from mobile and telecom networks sourced from countries labeled as risky. Advocates of the legislation argue that these measures are vital for bolstering the security framework across Europe.
According to the Commission, the revised Cybersecurity Act is designed to mandate the derisking of mobile telecommunications networks from suppliers that pose significant risks. This approach builds on prior efforts established in the 5G security toolbox, representing a vital step towards a safer digital infrastructure.
Scope of the Legislation
The new legislation casts a wide net, targeting not just mobile networks but all ICT components integrated into the core assets of mobile, fixed, and satellite communication networks that are supplied by high-risk vendors. Mobile network operators will be granted a transitional period of 36 months to comply with the new regulations, while the timelines for fixed and satellite communication networks will be determined later by the Commission.
Identifying High-risk Suppliers
While the proposed legislation lacks in detailed specifics, it is widely believed that telecom suppliers from countries such as Russia and China will fall under scrutiny. The legislation references a 2023 resolution by the European Parliament, which highlighted foreign interference in democratic processes. It encourages the Commission to develop binding legislation to secure ICT supply chains and specifically calls for the exclusion of equipment and software from manufacturers based in high-risk nations, predominantly targeting China and Russia.
Reactions to the proposed changes have been mixed, with Chinese officials and Huawei opposing the measure. A spokesperson for Huawei expressed concerns that the legislation, which aims to eliminate high-risk suppliers based on their country of origin, undermines fundamental legal principles within the EU that promote fairness and equality.
Impact on Critical Sectors
The implications of this legislation stretch across 18 critical sectors including detection equipment, connected vehicles, electricity supply systems, and even drone technology. Notably, this legislation will impact essential services such as medical devices, cloud services, surveillance technology, space resources, and semiconductors, which are crucial to the EU’s technological landscape.
Secure by Design: A New Certification Approach
The revised Cybersecurity Act aims to ensure that products delivered to EU consumers are “cyber-secure by design.” This will be facilitated through a streamlined certification process intended to verify the security of products efficiently. The legislative package also seeks to empower the EU Agency for Cybersecurity (ENISA) with enhanced responsibilities in managing cybersecurity threats and overseeing certification efforts.
The new framework aims to establish a trusted security environment within the ICT supply chain, offering a risk-based, harmonized approach. This initiative will enable the EU and its Member States to collectively assess and mitigate risks across various critical sectors while taking economic considerations into account.
Additionally, the introduction of an updated European Cybersecurity Certification Framework (ECCF) is positioned to simplify the procedures for certifying products and services, allowing certification schemes to be established within a year. These schemes are intended to serve as practical, voluntary tools for businesses wishing to demonstrate their cybersecurity posture to meet market demands.
The legislative package also includes amendments to the NIS2 Directive, aiming to clarify legal frameworks and reduce compliance costs for a substantial number of companies. Streamlining jurisdictional rules and improving data collection on ransomware incidents are also among the objectives, with an emphasis on ENISA’s enhanced coordinating function across Member States.
Following approval from the European Parliament and the Council of the EU, the Cybersecurity Act will take effect. Member States will then have a year to implement the NIS2 Directive amendments as stipulated by the new regulations.
