Battle lines are being drawn following the European Commission’s presentation of the so-called CSA 2. The revision of the EU Cybersecurity Act has been widely interpreted as targeting the use of Chinese tech in European communications networks. But the plan is already facing pushback from telco businesses, member states and China itself — before it has even reached the European Parliament and Council chopping blocks.

On Tuesday, Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, presented the new Cybersecurity Package, which updates the current law that dates from 2019. It will also formalise the current voluntary 5G security toolbox, simplify the European Cybersecurity Certification Framework (ECCF) and bolster ENISA’s role.

“Cybersecurity threats are not just technical challenges. They are strategic risks to our democracy, economy, and way of life. This is an important step in securing our European technological sovereignty and ensuring a greater safety for all,” said Ms Virkkunen.

Trusted security framework

According to the Commission, the proposed act will set out a “trusted ICT supply chain security framework” to assess high-risk, third-country suppliers. Neither those third countries nor the individual suppliers feature in the proposal. But Chinese telecoms suppliers Huawei and ZTE have already been designated as high risk under the 5G toolbox and that is unlikely to change.

The origin of the 5G toolbox dates back to 2020. It was meant to help member states secure mobile telecommunications networks, but it was so little used that last year, in the wake of the Huawei bribery scandal, 35 MEPs wrote to the Commission urging it to make the rules mandatory.

CSA 2 puts this toolbox into law, setting a deadline of three years for countries to phase out high-risk suppliers. Ms Virkkunen said this would be based on a “harmonised, proportionate, and risk-based approach” that would enable the EU and member states to jointly identify untrustworthy actors in sectors such as telecoms, connected vehicles, solar equipment and surveillance systems. Third countries could see themselves added to the high-risk list due to prior or persistent cyber incidents, malicious activities, poor judicial oversight or lack of democratic controls.

Protectionism, counters China

“In today’s geopolitical landscape, supply chain security is no longer just about technical product or service security, but also about risks related to a supplier, particularly dependencies and foreign interference,” reads the Commission statement, which could just as well allude to the US as to China.

However, a spokesperson for China’s foreign ministry, Guo Jiakun, responded on Wednesday: “Chinese companies have long operated in Europe in compliance with laws and regulations and have never endangered Europe’s national security,” adding that heavy measures could amount to “protectionism”.

The proposal has yet to go to the European Parliament or the Council, but is likely to face heavy revision in both. Member states in particular will want to safeguard security as a national competency and may see CSA 2 as an incursion. Others, including Germany, have already banned the use of Chinese components in future 6G telecoms networks.

Expect high costs: industry

The response from the tech and telecoms sector itself has been mixed.

Speaking in Davos on Wednesday, the Chairman of Telefónica, Marc Murtra, said: “If we are going into an era of areas of influence, Europe had better start building cybersecurity.” He underlined the need for the EU to develop its own technology: “If you don’t have technology, if you don’t have capacity, if you don’t have deep know-how, it is a big problem. If we want to have autonomy, and if we are going into an era of areas of influence, Europe must start building cybersecurity.”

Connect Europe, the leading voice of European connectivity providers representing around 70 per cent of total sector investment, was concerned about the possibility of new, costly schemes that could over-burden suppliers.

“Make EU cybersecurity certification market-relevant and proportionate,” it urged. “Ensure supply chain security measures strictly follow a risk-based approach, while respecting the competence of member states for national security matters. Measures need to be proportionate, taking into account the need for predictability when rolling out network infrastructure with modernisation cycles of at least ten years — and risk assessments need to be up-to-date, carefully considering the impact on investment, resilience, and service continuity.”

CCIA Europe, the Computer & Communications Industry Association, was glad to see the Commission favouring technical security benchmarks and evidence-based certification. However, it also warned against the Parliament and the Council introducing protectionist criteria during negotiations.

One magic word: simplification

“The proposal leaves the definition of ‘high-risk countries’ broad. Clarifying this concept is essential to provide certainty and clarity for ICT vendors and customers. Metrics for high-risk status should be based on demonstrated, tangible, and objective factors,” said Mitchell Rutledge, CCIA Europe’s Technology and Security Policy Manager, and not “endless debate over blunt country-of-origin market exclusion”.

Tuesday’s package attempts to assuage some business concerns by highlighting a simpler certification process, to arrive within 12 months and be managed by the EU Agency for Cybersecurity (ENISA), as “a practical, voluntary tool for businesses”.

There are also amendments to the NIS2 Directive to increase legal clarity, which the Commission says will “ease compliance for 28,700 companies, including 6,200 micro and small-sized enterprises. They will also introduce a new category of small mid-cap enterprises to lower compliance costs for 22,500 companies.”

Next steps: CSA 2 and the accompanying NIS2 Directive amendments will face scrutiny in the European Parliament and the Council in what is already shaping up to be a contentious legislative process. The debate to come will inevitably reflect growing EU concern over economic coercion, cyber threats and over-reliance on foreign tech in a geopolitically unstable world.