Why EU's Revised Cybersecurity Act Bans High-Risk Suppliers

European countries, being high-value targets for cybercriminals, face “daily cyber and hybrid attacks on essential services and democratic institutions, carried out by sophisticated state and criminal groups,” according to the European Commission (EC).
The commission, acknowledging this hostile cyber reality, has proposed a new cybersecurity package that includes revisions to the current Cybersecurity Act (CSA).
The package will help the European Union and its member states to “identify and mitigate risks across the EU's 18 critical sectors”, the EC says.
“Cybersecurity threats are not just technical challenges,” says Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy of the European Commission. “They are strategic risks to our democracy, economy and way of life.
“With the new Cybersecurity Package, we will have the means in place to better protect our critical ICT supply chains but also to combat cyber attacks decisively.
“This is an important step in securing our European technological sovereignty and ensuring a greater safety for all.”
Eliminating high-risk suppliers and easing compliance
A major development in the new Cybersecurity Act is the plan to create a trusted Information and Communication Technologies (ICT) supply chain by eliminating third-country suppliers with cybersecurity concerns.
Although the report has not identified the third countries whose suppliers would be labelled high-risk, European News Rooms reports that this provision would allow the EU to force the exclusion of Chinese suppliers such as Huawei and ZTE from critical infrastructure.
In the context of the recent Chinese ban on cybersecurity firms from nations such as the US and Israel, this move by the EU signals self-reliance and sovereignty as security concerns and geopolitical shifts intensify.
The revised CSA eases compliance by simplifying the process and the risk-management requirements that companies must follow, with a single entry point for reporting cyber incidents, which the EU claims will ease compliance for 28,700 companies.
Through a renewed European Cybersecurity Certification Framework (ECCF), products and services reaching EU consumers will be efficiently tested for their security, allowing companies to certify their cyber posture to meet the EU market needs.
Empowering ENISA for EU's cyber defence
The European Union Agency for Cybersecurity, ENISA, has been a cornerstone of the EU's cybersecurity goals. Since its establishment in 2004, the agency has supported the EU and its Member States in understanding the common threats that come their way.
With the renewed rules, ENISA will be empowered to issue early alerts of cyber threats and incidents.
Furthermore, in cooperation with Europol and Computer Security Incident Response Teams, ENISA will support EU companies in responding to and recovering from ransomware attacks, which reports show have been rising significantly in number.
ENISA also plans to develop a Union-wide service providing better vulnerability management to stakeholders.
Understanding that strengthening the frontline of cyber defence is critical to thwart these attacks, ENISA will be piloting a Cybersecurity Skills Academy that can help build a skilled cybersecurity workforce.
ENISA will also establish EU-wide cybersecurity skills attestation schemes to further develop skilled cyber teams that can protect the EU against cyber attacks.
Tim Pfaelzer, SVP and GM at Veeam, welcomes the revision, noting that the updated Act will tackle sovereignty and simplify compliance, giving organisations a clearer path to strengthening resilience.
“The proposed revisions to the EU Cybersecurity Act come at a pivotal moment, as concerns around sovereignty and compliance continue to intensify,” Tim says.
“By introducing measures to restrict or even phase out third-country ‘high-risk’ vendors in critical sectors, these changes underscore just how central sovereignty has become to the cybersecurity agenda.
“Equally important are the efforts to simplify security testing and certification processes and clarify jurisdictional rules.
“For many organisations, the greatest barrier to viewing compliance as an enabler rather than an obstacle is the complexity of today’s regulatory landscape. Any move to streamline this will be a welcome step forward.
“Initiatives like these, which address urgent challenges while reducing complexity, are exactly what’s needed to drive meaningful progress in compliance and strengthen organisational resilience.”