The European Commission on Tuesday presented a revision of the Cybersecurity Act aimed at reducing risks linked to so-called “high-risk” suppliers in the EU’s information and communication technology supply chains.
The scope is broad, covering companies providing equipment and services for telecom networks, data centers, cloud services, connected devices and social media platforms. Although the proposal does not name specific firms, EU officials acknowledge that it builds on longstanding concerns over Chinese technology groups, notably Huawei and ZTE, particularly in mobile networks.
The move follows years of frustration in Brussels over the uneven application of the EU’s voluntary 5G Security Toolbox, introduced in 2020 to encourage member states to limit reliance on high-risk vendors.
Cyberattacks are becoming increasingly frequent across the EU, ranging from ransomware and espionage to attempts to destabilize critical infrastructure. The Commission says the number of reported incidents is rising, with around 150 attacks reported across the bloc in the last week alone.
Tech Commissioner Henna Virkkunen has repeatedly warned that voluntary measures have not gone far enough. Addressing the European Parliament last month, she argued that stricter and more coordinated action was needed, stressing that high-risk suppliers remain present in critical parts of Europe’s 5G infrastructure.
Reining in risk
Under the revised framework, the Commission would be able to organize EU-level risk assessments and, where justified, support restrictions or bans on certain equipment used in sensitive infrastructure.
Member states would jointly assess risks based on a supplier’s country of origin and its implications for national security. While telecoms is the most advanced sector in terms of risk assessment, the approach could later be extended to other areas, from energy systems and transport to connected vehicles and security equipment.
The Commission has also signaled that the framework would remain country-neutral in principle, meaning suppliers from other partners – including the United States – could theoretically be scrutinized in future as regulatory tensions grow, particularly around social media and data governance.
The Commission insists the process will be gradual. In the telecom sector, operators would be given a transition period of several years to phase out high-risk suppliers, with Brussels acknowledging the significant economic cost involved.
Beyond supply-chain security, the proposal significantly strengthens the role of the EU Agency for Cybersecurity, ENISA. The agency would gain a more operational mandate, including issuing early warnings on emerging cyber threats and coordinating responses to major incidents such as ransomware attacks, in cooperation with Europol and national authorities.
ENISA would also oversee a single EU entry point for incident reporting, designed to accelerate responses and improve cross-border situational awareness.
Finally, the Commission is pursuing its broader simplification agenda, promising lighter administrative burdens for companies. Certification procedures would be streamlined, and targeted changes to existing legislation aim to reduce compliance costs, particularly for firms operating across multiple member states.
The proposal will now be negotiated by the European Parliament and EU governments, where resistance is expected from some capitals wary of increased EU involvement in national security decisions.
The revised Cybersecurity Act will most likely not take effect for a few years, raising questions about the EU’s capacity to counter foreign interference that is already under way.