21 Jan 2026
by Theo Maiziere

EU Commission publishes Cybersecurity Act revision proposal


The Cybersecurity Act, adopted back in 2019, was meant to establish a high level of cybersecurity, cyber resilience, and trust across the EU. However, the cybersecurity landscape has evolved significantly since then, with a surge of more sophisticated cyberattacks targeting critical infrastructure, businesses and the general public. Following calls by Mario Draghi in his “Future of European Competitiveness” report in 2024, the EU Commission has worked to put cybersecurity at the centre of its resilience agenda. The culmination of this work is now embodied in this new cybersecurity legislative proposal, which seeks to achieve two main goals:

  • Strengthening the European Union’s cybersecurity governance and helping relevant bodies respond to cybersecurity threats in a coordinated and effective manner.

  • Supporting the development, implementation and uptake of common Union cybersecurity instruments, such as certification schemes, and providing harmonised frameworks that build trust and interoperability across Member States.

What’s in the proposal?  

Clarifying the role of ENISA 

The proposal clarifies and expands the role of the EU’s cybersecurity agency (ENISA) by giving it capacity-building responsibilities to aid and assist Member States, especially in awareness-raising activities. Additionally, the agency would contribute to promoting international cooperation.

ENISA would seek to achieve these goals by developing repositories of cyber threats and incidents (performing analysis and issuing early alerts), operating the “EU Cybersecurity Reserve” and working alongside Europol, CSIRTs and other competent authorities. It would also compile an annual rolling programme of EU-level cybersecurity exercises, and provide a single platform for reporting cybersecurity incidents (as announced previously in the EU’s Digital Omnibus).

ENISA would also play a role in the development and implementation of the EU’s Cybersecurity Certification Framework.  

The EU Cybersecurity Certification Framework  

This act aims to establish a cybersecurity certification framework which would seek to harmonise approaches across the EU when it comes to certifying ICT products, services, processes, managed security services or the cyber posture of entities. ENISA, under certain conditions, would be in charge of developing and submitting a framework (which would need to be adopted by the EU Commission), and would support its development and maintenance by drawing up technical specifications.

Trusted ICT supply chain framework  

Most importantly, the legislative proposal establishes a mechanism to identify key ICT assets in critical ICT supply chains and sets out “appropriate and proportionate mitigation measures”.  

The proposal also foresees the possibility of an emergency procedure if “an immediate intervention is justified to preserve the proper functioning of the internal market and where the Commission has sufficient reason to consider that there is a significant cyber threat for the security of the Union in relation to critical ICT supply chains”.  

The proposal would allow the EU Commission to designate certain “third countries” as posing “serious and structural non-technical risks to ICT supply chains”. Entities established in such third countries, “or controlled by such third country, by an entity established in such third country, or by a national of such third country will not be allowed to carry out a number of activities”.

Additionally, the EU Commission, through implementing acts, could decide that entities operating in sectors of high criticality and other critical sectors have to be subject to specific mitigating measures. It would also be given the power, through further implementing acts, to establish a list of “high-risk suppliers”, which would be relevant for the prohibitions and mitigation measures mentioned above.

The proposed act goes even further by seeking bolder action on the ICT supply chain framework for communication networks. The legislation would require EU Member States to phase out ICT components from high-risk suppliers for key ICT assets within a period that should not exceed 36 months following the entry into force of the legislation.

What does this mean?  

The proposal is of consequence because some expected the EU Commission to reintroduce certification frameworks similar to those previously suggested under the EU’s Cloud Certification Schemes, which initially sought to embed degrees of sovereignty requirements, as seen in France’s national SecNumCloud certification for cloud service providers. While this is not the case, we can expect that the issue will likely resurface as the proposal undergoes the next legislative steps.

The proposal, through its annexes, also makes clear that its assessments of critical sectors could cover areas such as semiconductors, cloud services, and medical devices. However, the telecoms sector would likely be hit the hardest by the current proposal. Annex II indicates that all mobile and fixed network assets would be covered and would need to be replaced should they be considered to come from “high risk vendors”. This means that many EU Member States that still rely on Huawei and ZTE equipment would likely need to force network operators to phase out that equipment within a relatively short time frame.

Next steps  

The proposal will now be sent to EU Member States and the European Parliament, where both sides will need to establish their negotiating positions before beginning interinstitutional negotiations and agreeing on a final version of the text. Do not hesitate to reach out to techUK should you have any questions on the proposal.  


For more information, please contact:

Theophile Maiziere

Policy Manager - EU, techUK


Authors

Theo Maiziere

Policy Manager - EU, techUK

Theo joined techUK in 2024 as EU Policy Manager. Based in Brussels, he works on our EU policy and engagement.

Theo is an experienced policy adviser who has helped connect EU and non-EU decision makers.

Prior to techUK, Theo worked at the EU delegation to Australia, the Israeli trade mission to the EU, and the City of London Corporation’s Brussels office. In his role, Theo ensures that techUK members are well-informed about EU policy, its origins, and its implications, while also facilitating valuable input to Brussels-based decision-makers.

Theo holds an LLM in International and European Law, and an MA in European Studies, both from the University of Amsterdam.