The ongoing cyber attacks and espionage from China are forcing the EU to tighten the Cybersecurity Regulation. The EU’s failing approach also requires a harder line.
A new package of measures should lead to the protection of critical ICT supply chains. Another goal is to fight cyberattacks decisively, EU tech chief Henna Virkkunen said in a statement.
The proposals launched by the European Commission do not mention countries and companies. But it is clear that with a new Cybersecurity law, Brussels is aiming to ban Huawei and ZTE in particular from critical telecommunications networks.
Geopolitical landscape
Since the Cybersecurity Act was passed in 2019, the geopolitical landscape has undergone major changes. The number of cyber threats increased rapidly. Critical sectors were increasingly under siege. State actors can disrupt vital parts of the economy and society as a whole.
At the same time, there was no effective response from the EU. Five years ago, EU Member States came up with a ‘Toolbox‘ on measures to better manage the security risks associated with the rollout of 5G. But that turned out to be a paper tiger. Many countries just continued as before. Huawei was put in the way of selling 5G network equipment, including in critical networks.
Henna Virkkunen told Politico that she was not satisfied with the way these member states are implementing the 5G Toolbox. Chinese suppliers are still in the vital parts of these networks.
Stricter rules
The EU tech chief therefore wants stricter rules. These amount to legal decisions to block risky 5G suppliers. Operators will then have another three years to phase out components from these (Chinese) suppliers. For fibre optics, sea cables and satellite networks, phase-out deadlines have yet to be determined.
Such a ban is also imminent in other vital sectors. But such a blockade outside telecom is still pending, because investigations into the risks there have not yet been completed. Companies that have components made in China may also fall under the new Cybersecurity law.
The European Commission has designated eighteen critical sectors to which the new measures will apply. This includes self-driving vehicles, drones, and utility equipment. Services in the field of cloud computing, medical devices, surveillance equipment, aerospace and semiconductors are also mentioned as critical sectors.
The EU proposals also provide for a simpler cybersecurity certification process. Certification schemes will soon be able to be developed within twelve months as standard.
Tool
ENISA’s (EU Agency for Cybersecurity) certification schemes will become a practical and voluntary tool for businesses. This allows them to show that they comply with EU rules, which reduces their administrative burden and costs. Not only ICT products and services can be certified, but also processes, managed security services and even the cyber behavior of organizations, so that they better match what the market demands.
KPN has become less dependent on Huawei in recent years, but the Chinese giant still supplies antennas and radio units. Huawei is no longer in the 5G core network, but it is in the access network. Chinese suppliers are or were involved in the Dutch C2000 system.
