The European Commission launched the most ambitious EU digital-security overhaul in seven years. On January 20th Henna Virkkunen, a vice-president of the Commission, presented a revamped Cybersecurity Act that promises to harden supply chains, muscle up the EU’s cyber agency and streamline certification for every router, cloud and widget that crosses Europe’s borders.

It did not come a day too soon. War still rages in Ukraine and hostile states probe Europe’s critical networks each night. Ms Virkkunen set out the threat with blunt clarity. “We are in the middle of hybrid warfare,” she warned. “Every day, critical infrastructure in Europe is affected by cyber attacks.” The old legislative patchwork, she argued, no longer fits the danger. Russia’s disruption of rail ticketing in Poland, China’s interest in photovoltaic inverters and a rash of ransomware against hospitals have pushed security to the top of commissioners’ in-trays.

The vice-president said Brussels would no longer separate digital policy from defence. “Specifically, we are today proposing four improvements,” she told reporters. Those pillars—stronger powers for ENISA, mandatory de-risking of supply chains, a lean certification system and lighter compliance for honest firms—anchor a text that runs to 98 pages but signals one simple message: industry must secure itself or accept regulation that does it instead.

Lines of defence

The first target is hardware and software imported from what officials call “countries of concern”. “The new Cybersecurity Act aims to reduce risks in the EU’s ICT supply chain from third-country suppliers with cybersecurity concerns,” the proposal states. Member states will run common risk assessments, while Brussels will keep a blacklist. High-risk vendors will watch business evaporate.

Telecoms feel the squeeze most. “The Cybersecurity Act will enable the mandatory derisking of European mobile telecommunications networks from high-risk third-country suppliers, building on the work already carried out under the 5G security toolbox,” the text notes. National governments dragged their feet on earlier, non-binding advice; the new law removes discretion.


Critics fret about outright bans. Ms Virkkunen insisted Brussels prefers scalpel to axe. “Yes, now this is like our current view that we have to really now assess the risks case by case by different sectors,” she explained. Border-control tech, connected cars, solar inverters and medical devices will each get a bespoke audit before any firm faces exclusion.

A bigger watchdog

ENISA, the EU Agency for Cybersecurity in Athens, gains new teeth. Ms Virkkunen summarised the upgrade: “First, by ensuring that we have a strong EU agency for cybersecurity, ENISA.” The agency will issue early-warning bulletins, run a single incident-reporting portal and offer a help-desk that partners with Europol when ransomware strikes. Brussels will also task ENISA with a Union-wide vulnerability-disclosure platform, a job now performed haphazardly by volunteers and bug-bounty firms.

Money will follow mandates. The Commission declined to quote figures, but officials say the agency’s headcount—presently 196—could double by 2028. Ms Virkkunen framed the expense as insurance. “Resilience has its price, that’s for sure,” she conceded, before adding a jab at penny-pinchers: “If we don’t have resilience in our supply chains, the price is even much higher if the risks are realizing it.”

Member states will test that logic when they see the bill. Some will grumble; none deny the need. ENISA already co-ordinates the EU’s annual cyber-crisis exercise. Under the Act it will train hackers, accredit courses and set up an EU-wide skills attestation scheme. The aim is to keep bright graduates on this side of the Atlantic.

Trust marks for gadgets

For companies selling kit in Europe the most visible change is a refreshed European Cybersecurity Certification Framework. Today only a handful of schemes exist; each takes years to design. Under the new rules ‘Certification schemes, managed by ENISA, will become a practical, voluntary tool for businesses’ and must be drafted within 12 months. Once approved, labels will help buyers compare vendors much as energy stickers guide fridge shoppers.

Not everyone applauds the narrow scope. France lobbied for certificates that address legal exposure to foreign surveillance laws. The Commission drew a line. “Here we have really clarified these things that when we speak about cyber certification, it’s only about technology,” Ms Virkkunen said. Strategic worries about foreign jurisdictions will reside in the supply-chain chapter, not the label on a router.

Ultimately, the renewed European Cybersecurity Certification Framework will be a competitive asset for EU businesses. — Henna Virkkunen, European Commission Vice-President

Economists eye the cost. The proposal tweaks the NIS2 directive so that 28,700 firms—many of them micro or small—face lighter paperwork. Ms Virkkunen promised prudence. “So it’s important that we are now respecting our due process,” she said, noting that each mitigation plan will carry an “impact assessment, that what kind of impact it will have… also other kind of impacts to our internal markets”.

From blueprint to statute

Legally, the package arrives as a regulation, so most clauses take effect as soon as Council and Parliament sign them. The accompanying directive that amends NIS2 gives capitals a year to transpose it. That timetable looks tight but officials recall how swiftly governments shut borders during the pandemic or tore out Russian spyware after February 2022. Fear concentrates minds.

Lobbyists will still fight. American cloud giants dislike the hint of geopolitical vetting. Nordic telecom vendors welcome rules that freeze Chinese rivals out of 5G cores. Central European governments, keener on low prices than lofty principles, will argue for transition periods. The Commission counters that the market prize is worth the effort. “Ultimately, the renewed European Cybersecurity Certification Framework will be a competitive asset for EU businesses,” the proposal claims.

If we don’t have resilience in our supply chains, the price is even much higher if the risks come to realisation. — Henna Virkkunen

Politics matters too. National elections loom in France and Germany. Few candidates want to explain why Munich or Marseille still runs critical functions on kit that Brussels labels insecure. The Act gives them a script: blame rogue regimes, invoke European solidarity and point to ENISA’s new shield.

A moving frontier

Technology never stalls, and neither will the regulation. Brussels plans quarterly updates to its risk register and can blacklist a firm even if its home country stays off the danger list. “We are speaking also about the other risks the countries of concern they are posing,” Ms Virkkunen said. That latitude worries trade lawyers, but the Commission argues it needs flexibility when evidence emerges that a supplier siphons data or embeds back doors.

Cyber warriors on both sides of the Atlantic watch the measure’s progress. Washington, itself drafting supply-chain rules, regards Europe’s approach as a petri dish. If the Act survives without major dilution, it may become the de-facto standard for allies. Asia’s democracies, anxious about Chinese chips in their 6G trials, study the text with equal interest.

For now Europe leads. Whether it can enforce its laws with the same zeal it writes them will decide if its networks stay lit when the next hybrid barrage lands. On that, Ms Virkkunen’s answer was firm: the bill for complacency, she implied, would dwarf any line in the EU’s budget.