EU Plans Cybersecurity Package to Remove High-Risk Foreign Suppliers
The European Union is moving to significantly tighten cybersecurity controls across its telecommunications and critical infrastructure sectors, as the European Commission unveiled a new cybersecurity legislative package aimed at removing high-risk foreign suppliers and strengthening defenses against state-backed cyber threats. The proposal reflects growing concern that fragmented national approaches have left gaps in the EU’s digital security, particularly following the uneven implementation of the voluntary 5G Security Toolbox introduced in 2020.
Under the proposed framework, the Commission would gain expanded authority to coordinate EU-wide risk assessments and support restrictions or bans on equipment used in sensitive infrastructure. Member states would be required to jointly evaluate suppliers across 18 critical sectors, factoring in country-of-origin risks and national security implications. No companies are explicitly named, although EU officials have previously raised concerns about Chinese technology vendors in the context of 5G security.
A central element of the proposal is a revised Cybersecurity Act, which would mandate the removal of high-risk foreign suppliers from European mobile telecommunications networks. The updated law is designed to secure ICT supply chains while also reducing regulatory friction for businesses. It introduces streamlined certification processes through voluntary schemes managed by the European Union Agency for Cybersecurity, better known as ENISA.
The legislation would also expand ENISA’s operational role. The agency would be empowered to issue early threat alerts, operate a single EU-wide incident reporting entry point, and assist companies in responding to ransomware attacks in coordination with Europol and national computer security incident response teams. In parallel, ENISA would launch cybersecurity skills attestation schemes and pilot a Cybersecurity Skills Academy to address workforce shortages.
Key takeaways for policymakers and industry:
- The EU plans mandatory removal of high-risk foreign suppliers from telecom networks
- The Commission will gain stronger powers to coordinate EU-wide risk assessments
- ENISA’s role expands to threat alerts, incident response, and workforce development
- Certification reforms aim to strengthen security while lowering compliance costs
If approved by the European Parliament and the Council of the EU, the Cybersecurity Act would take effect immediately. Member states have been given one year to transpose the amendments into national law, marking a decisive shift from voluntary guidance to binding EU-wide cybersecurity enforcement.


