Henna Virkkunen, the EC’s executive VP for tech-sovereignty, security and democracy, answers questions about the revised Cybersecurity Act.
- The EC has unveiled its revised Cybersecurity Act
- It includes mandatory measures to remove technology supplied by “high-risk third-country suppliers” from networks within three years of the Act being passed as law
- But the approach does not signal a blanket ban and there will be lots of variables, though the EC’s assessments will now cover fixed and satellite networks as well as mobile infrastructure
As expected, the European Commission (EC)’s revised Cybersecurity Act includes measures that look set to force network operators to remove technology supplied by “high-risk third-country suppliers” from communications networks in European Union member states. The move, which will require telcos to remove designated technologies from high-risk vendors within three years of the Act coming into force, signals a stronger clampdown on Chinese vendors Huawei and ZTE in the region, though exactly which suppliers are deemed to be high risk is yet to be specified by the EC.
Since 2020, mobile operators in EU countries have been asked to comply with the recommended measures outlined in the EU toolbox for 5G security, but those measures have been voluntary and have not been uniformly implemented.
Now, though, the measures in the new Act are mandatory.
Henna Virkkunen, the EC’s executive vice president for tech-sovereignty, security and democracy, noted in her prepared remarks on the revised Act that the EC has “highlighted a number of areas where dependencies on a single or a limited number of suppliers could pose a significant security risk. We are turning the 5G cybersecurity toolbox into a mandatory approach to ensure a level-playing field and non-fragmentation of the EU market. Together with member states, we will identify which specific components of the ICT supply chain of our critical sectors would require targeted mitigating measures. We propose a range of possible derisking measures, including restrictions for high-risk suppliers.”
Virkkunen said a risk assessment process would take place that would identify the countries of concern (and relevant suppliers from those countries), identify the elements of critical infrastructure that need to be addressed, and specify how any security risks should be mitigated. She also noted that the Act could cover individual suppliers even if they are not from “countries of concern”.
She stressed during a press conference that the long-standing 5G toolbox measures haven’t been implemented by all member states, so now they need to be mandatory, and that the EC will provide a catalogue of high-risk suppliers. Once the Act comes into force (which won’t be any time soon), member states will have three years to ensure they don’t have technology from high-risk vendors in their networks, and they will be held to account by an implementing act that will be drafted once the EC has made its assessments.
She also noted that while the 5G toolbox has focused on mobile network infrastructure, the new Act also covers fixed and satellite networks.
But it also sounds like the implementation of the measures won’t be very clear cut and there will be lots of caveats and loopholes that could result in the ongoing deployment of technology deemed to pose some security risk. Answering questions during the press conference, Virkkunen noted that in some cases certain technology from certain suppliers will be banned outright, while in others it will be subject only to certain restrictions, such as the localisation of data storage or other “safeguards”, and that each situation will need to be assessed.
In addition, she noted that the EC’s assessments will also need to consider the economic implications of outlawing certain suppliers and technologies, as the cost (and feasibility) of replacing certain systems might be overburdening. But she added that while “resilience has its price, if we don’t have resilience the risks can be higher.”
Of course, the matters related to communications networks are only a small part of the overall new Cybersecurity Act, which comprises four main improvements, stated Virkkunen:
- Ensuring the EU has “a strong EU Agency for Cybersecurity, ENISA”;
- Ensuring the EU has “processes in place for derisking our ICT supply chain, while strengthening European critical infrastructure” – this applies also to border control and healthcare system technology, for example, as well as communications networks;
- Ensuring the EU has “a lean and efficient certification system that will make sure businesses operating in the EU market and our consumers can trust that the products they use are secure by design”;
- Simplifying the “compliance with our cybersecurity rules for businesses” with proposals that amend the Network and Information Security Directive 2 (NIS 2).
Now the details of the Act need to be discussed and agreed with member states and could be subject to amendments, after which it needs to be approved by the European Parliament and the Council of the EU. Then, member states will have one year to implement the Act into national law and communicate the relevant texts to the EC, so it’s going to be a few years before the revised Cybersecurity Act becomes enforceable.
- Ray Le Maistre, Editorial Director, TelecomTV