The European Commission proposes a revision of the Cybersecurity Act and amendments to the NIS2 Directive to strengthen the EU’s cyber resilience, particularly with regard to the assessment of suppliers.
The European Commission has proposed a new package of measures to strengthen the cyber resilience of the European Union. Central to this is a revision of the 2019 Cybersecurity Act, which imposes stricter rules on ICT suppliers from outside the EU and simplifies the certification process for cybersecurity. The Commission notes that cybersecurity concerns not only technical aspects, but also geopolitical dependencies.
Risks from third countries
The reworked Cybersecurity Act should limit risks in the supply chain of ICT products and services, with specific attention to suppliers from third countries. A common framework will help member states to identify and address risks within eighteen critical sectors. The proposal allows suppliers from so-called high-risk countries to be excluded from mobile networks in Europe.
A renewed certification framework, the European Cybersecurity Certification Framework (ECCF), should ensure faster and more transparent certification of ICT products, services and processes. Certifications must now be developed within twelve months. Certification remains voluntary for companies, but it will be easier to demonstrate that they comply with European regulations.
NIS2 and ENISA
In addition, existing rules from the NIS2 Directive are being adjusted. This will increase legal clarity and reduce compliance costs, especially for small and medium-sized enterprises. The obligation to report incidents will also be simplified via a central reporting point, in line with the Digital Omnibus proposal.
The European cybersecurity watchdog ENISA will receive additional powers. The organisation will, among other things, warn companies of threats, assist with incident response, and provide support in the management of vulnerabilities. ENISA will also continue to focus on training and certification through a European Cybersecurity Skills Academy.
Follow-up to toolbox
The proposed rules build on the so-called Toolbox for 5G security that the EU rolled out in 2020. That toolbox was intended to exclude high-risk suppliers, particularly in the rollout of the 5G network. In practice, however, the toolbox opened the door to a relatively arbitrary application of the rules across the member states.
The new approach enables EU-wide risk analyses. This will level the playing field, so that a supplier is either designated as high-risk throughout the EU or not. Member states will jointly conduct risk assessments across eighteen critical sectors.
Officially, the EU does not target companies with the regulations. However, the toolbox was introduced at the time because of concerns about the role of Chinese companies in critical infrastructure. In particular, ZTE and Huawei saw their role in the rollout of 5G evaporate.
Fast implementation
The new Cybersecurity Act and the amendments to the NIS2 Directive will be submitted to the European Parliament and the Council for approval. After approval, member states have one year to transpose the directive into national law.
