The European Commission has proposed a new cybersecurity legislative package that proponents say will strengthen the security of the EU’s Information and Communication Technologies (ICT) supply chains by phasing out “high-risk” mobile and telecom network products from countries deemed to be risky.
In a statement, the Commission said the revised Cybersecurity Act “will enable the mandatory derisking of European mobile telecommunications networks from high-risk third-country suppliers, building on the work already carried out under the 5G security toolbox.”
The legislation refers to networks more broadly: “ICT components or components that include ICT components provided by high-risk suppliers shall be phased out from the key ICT assets of mobile, fixed and satellite electronic communication networks.”
Mobile networks would have 36 months to comply with the legislation. Transition periods for fixed and satellite electronic communications networks will be specified by the Commission through implementing acts.
Russia, China May Be Among ‘High-risk’ Telecom Network Suppliers
The legislation is short on specifics, leaving much of the details to be worked out after passage, but it appears that telecom network suppliers from Russia and China may be targeted under the legislation and implementing regulations.
At one point the legislation cites a 2023 European Parliament resolution on foreign interference in democratic processes. The legislation states: “The European Parliament called on the Commission to develop binding ICT supply chain security legislation that addresses non-technical risk and to ‘exclude the use of equipment and software from manufacturers based in high-risk countries, particularly China and Russia’. Members of the European Parliament also called for urgent action to secure telecommunications infrastructure against undue foreign influence and security risks.”
China’s foreign ministry and Huawei have already criticized the legislation, which would formalize a process under way since 2020 to remove network equipment perceived as high-risk. “A legislative proposal to limit or exclude non-EU suppliers based on country of origin, rather than factual evidence and technical standards, violates the EU’s basic legal principles of fairness, non-discrimination, and proportionality, as well as its WTO obligations,” a Huawei spokesperson was quoted by Reuters as saying.
The legislation will apply to 18 critical sectors, which Reuters said will include detection equipment, connected and automated vehicles, electricity supply and storage systems, water supply systems, and drones and counter‑drone systems. Cloud services, medical devices, surveillance equipment, space services and semiconductors would also be affected.
The EU’s ‘Secure by Design’ Certification Process
The legislative package and revised Cybersecurity Act is aimed at ensuring “that products reaching EU citizens are cyber-secure by design through a simpler certification process,” the Commission’s statement said.
The legislation also bolsters the EU Agency for Cybersecurity (ENISA) in its role in managing cybersecurity threats and certification processes.
“The new Cybersecurity Act aims to reduce risks in the EU’s ICT supply chain from third-country suppliers with cybersecurity concerns,” the Commission said. “It sets out a trusted ICT supply chain security framework based on a harmonised, proportionate and risk-based approach. This will enable the EU and Member States to jointly identify and mitigate risks across the EU’s 18 critical sectors, considering also economic impacts and market supply.”
The Act will ensure “that products and services reaching EU consumers are tested for security in a more efficient way,” the Commission stated.
That will be accomplished through an updated European Cybersecurity Certification Framework (ECCF), which “will bring more clarity and simpler procedures, allowing certification schemes to be developed within 12 months by default.”
Certification schemes managed by ENISA “will become a practical, voluntary tool for businesses.” In addition to ICT products, services, processes and managed security services, companies and organizations “will be able to certify their cyber posture to meet market needs. Ultimately, the renewed ECCF will be a competitive asset for EU businesses. For EU citizens, businesses and public authorities, it will ensure a high level of security and trust in complex ICT supply chains,” the Commission stated.
The legislative package also includes amendments to the NIS2 Directive “to increase legal clarity,” and aims to lower compliance costs for 28,700 companies in keeping with the Digital Omnibus process. Amendments will “simplify jurisdictional rules, streamline the collection of data on ransomware attacks and facilitate the supervision of cross-border entities with ENISA’s reinforced coordinating role.”
The Cybersecurity Act will become effective after approval by the European Parliament and the Council of the EU, while Member States will have one year to implement NIS2 Directive amendments after adoption.