Full Report
Still dominant in Germany's networks, among others
The European Commission (EC) wants a revised Cybersecurity Act to address any threats posed by IT and telecoms kit from third-country sources, potentially forcing member states to confront the thorny issue of suppliers such as Huawei in their national networks.…
Analysis Summary
# Regulation/Compliance: Revised EU Cybersecurity Act - Third-Country Supply Chain Risk Mitigation
## Overview
This regulatory initiative, driven by the European Commission (EC), proposes revisions to the Cybersecurity Act to address security threats posed by IT and telecommunications equipment sourced from "third-country suppliers," specifically focusing on dependencies and risks arising from entities deemed "high-risk," such as certain non-EU vendors. The goal is to enforce union-level risk assessments and mandate specific mitigation measures, including potential bans or phase-outs of equipment in critical national networks.
## Key Details
- Issuing Authority: European Commission (EC)
- Effective Date: Associated with the final publication and listing of high-risk suppliers under the revised Act cycle (specific date not finalized in the article, but action is imminent).
- Jurisdiction: European Union Member States, particularly concerning Critical Infrastructure and telecommunications networks.
- Status: Proposed (Revision of the Cybersecurity Act)
## Requirements
### Mandatory Requirements
1. **Risk Assessment:** Union-level risk assessments must be conducted to identify threats posed by IT and telecoms kit from third-country sources.
2. **Mitigation Measures:** Targeted mitigation measures, including the exclusion or banning of IT components from identified "high-risk suppliers," must be implemented by Member States.
3. **Certification Prohibition:** Conformity assessment bodies will be prohibited from certifying products or services originating from designated high-risk suppliers.
4. **Network Phase-Out (Telecoms):** A mandatory phase-out of equipment provided by high-risk suppliers from mobile (5G) networks must be executed.
### Recommended Practices
1. **Harmonization:** Simplify the Europe-wide cybersecurity certification framework as part of the Act's objectives.
2. **Agency Strengthening:** Support the strengthening of the European Union Agency for Cybersecurity (ENISA).
3. **Administrative Reduction:** Reduce "unnecessary administrative burdens" associated with implementing the NIS2 cybersecurity directive. Compliance with NIS2 itself remains mandatory; the objective is to streamline how it is implemented.
## Affected Organizations
- Industries: Telecommunications providers, operators of Critical Infrastructure, and suppliers providing IT/telecoms kit within the EU.
- Organization Size: Not specified, but impacts entities operating critical networks regardless of size.
- Geographic Scope: All European Union Member States.
## Compliance Timeline
- **Mid-2023:** Commission initiated action by announcing removal of gear from its internal networks and raising concerns regarding specific suppliers (e.g., Huawei).
- **Upon Listing:** Once the list of "high-risk suppliers" is published under the revised Act.
- **Final deadline (Maximum):** Removal of equipment provided by high-risk suppliers from communication networks **shall not exceed 36 months** from the publication of the high-risk supplier list.
## Implementation Guidance
### Assessment Phase
- Identify all IT and telecommunications equipment currently deployed within national critical infrastructure and mobile networks, tracing the origin (supplier) of the hardware/software.
- Await and utilize the official union-level risk assessments published by the EC or designated bodies regarding "high-risk suppliers."
### Implementation Phase
- Develop a strategic plan for the proactive removal or replacement of all components supplied by entities designated as "high-risk suppliers" from sensitive networks.
- For 5G networks, a structured phase-out strategy must be established to meet the 36-month deadline.
### Validation Phase
- Obtain new certifications for replacement technologies based on the simplified EU-wide framework.
- Prove to national competent authorities that all residual components from high-risk suppliers have been removed according to the mandated schedule.
## Technical Requirements
- **Supply Chain Visibility:** Detailed mapping of the entire technology supply chain for critical infrastructure components.
- **Component Removal/Replacement:** Technical migration plans to substitute non-compliant hardware and software infrastructure.
- **Certification Adherence:** Ensure all new or replacement products/services carry the required EU cybersecurity certifications, excluding those implicitly or explicitly barred.
## Penalties & Enforcement
- Fines: Not explicitly detailed in the text for non-compliance with the revised Act, but the scope of the mandates implies severe regulatory action.
- Other Consequences: Exclusion from use in national critical networks and mobile infrastructure. Denial of certification capabilities for assessment bodies dealing with high-risk suppliers. Potential legal challenges from affected suppliers (e.g., concerning fairness and WTO obligations).
- Enforcement: Imposition of Europe-wide rules enforced by national competent authorities, likely coordinated by EC oversight and strengthened ENISA.
## Related Standards
- **Cybersecurity Act (Revised):** The primary legal instrument governing this action.
- **NIS2 Directive:** Mentioned in context regarding administrative burdens, suggesting existing compliance structures will be leveraged and potentially streamlined.
- **WTO Obligations:** The EC's actions may be scrutinized regarding compliance with international trade agreements concerning discrimination based on country of origin (a potential legal implication raised by Huawei).
## Resources
- Official Documentation: Proposal for a Regulation on the Cybersecurity Act (URL provided in the source article is a reference point for the initial Act structure).
- Guidance Documents: Specific guidance documents detailing the definition of a "high-risk supplier" and precise phase-out procedures will follow the final adoption of the revised Act.
- Tools: Potential reliance on EU-recognized cybersecurity certification tools and risk management platforms.
## Practical Recommendations
1. **Risk Inventory:** Immediately audit all current telecommunications and critical infrastructure assets to document all third-country suppliers.
2. **Contingency Planning:** Develop immediate technical and financial contingency plans for replacing equipment from potential high-risk suppliers (e.g., factoring in the 36-month phase-out window).
3. **Legal Monitoring:** Track the final legislative text of the revised Cybersecurity Act and any related implementing acts to understand the exact definition of "high-risk supplier" to avoid legal non-compliance or unnecessary replacement costs.
4. **Diversification:** Begin proactive efforts to diversify critical supply chains to mitigate future regulatory exposure and fragmentation risks.