Full Report
A draft proposal released on Tuesday, revising the EU’s Cybersecurity Act and its Network Information Systems Directive, would see member states phase out the use of high-risk suppliers within their critical national infrastructure.
Analysis Summary
# Regulation/Compliance: Revision to EU Cybersecurity Act and NIS Directive (Focus on High-Risk Suppliers)
## Overview
This proposal, revising the EU’s existing Cybersecurity Act and Network Information Systems Directive (NIS Directive), mandates that Member States phase out the use of suppliers deemed "high-risk" within their critical national infrastructure (CNI). The primary driver is to significantly reduce supply chain vulnerabilities stemming from geopolitical tensions, state-sponsored cyber threats, and espionage risks.
## Key Details
- **Issuing Authority:** European Commission (Draft Proposal)
- **Effective Date:** Not specified in the excerpt; the phase-out deadline is explicitly set at three years after the measure takes effect.
- **Jurisdiction:** European Union (EU) Member States.
- **Status:** Proposed
## Requirements
### Mandatory Requirements
1. **Phase-Out of High-Risk Suppliers:** Member States must completely phase out components supplied by vendors deemed to pose a significant cybersecurity risk (identified as "high-risk suppliers") within their critical national infrastructure.
2. **Component Removal Timeline:** Telecommunication network operators must complete the phase-out of high-risk components **within three years** of the measure taking effect.
3. **Certification and Testing:** IT suppliers seeking to sell products/services in the EU must adhere to newly established, clearer testing and certification requirements designed to establish a framework for identifying "trusted companies."
### Recommended Practices
1. **Supply Chain Security Assessment:** Organizations should proactively assess their existing IT supply chain dependencies, looking beyond mere technical product security to evaluate risks related to foreign interference and supplier control/ownership.
2. **Diversification:** Reduce reliance on single-source or potentially high-risk foreign suppliers, especially in CNI components.
## Affected Organizations
- **Industries:** Entities operating within **Critical National Infrastructure (CNI)**, particularly **Telecommunication Network Operators**.
- **Organization Size:** Not specified; applies based on operational sector (CNI).
- **Geographic Scope:** All European Union Member States.
## Compliance Timeline
- **Phase-Out Initiation:** Upon finalization and entry into force of the revised directives.
- **Final deadline:** **Up to three years** from the effective date for telecommunication network operators to completely phase out high-risk supplier components.
## Implementation Guidance
### Assessment Phase
- **Risk Identification:** Conduct a comprehensive audit of all technology and service providers utilized in CNI, specifically flagging any suppliers identified as potentially high-risk concerning foreign interference or non-EU state influence.
### Implementation Phase
- **Remediation Planning:** Develop detailed migration plans for replacing high-risk components within the three-year window. This includes procurement and integration of certified, trusted alternatives.
### Validation Phase
- **Certification Compliance:** Ensure all new or existing products/services that remain in use meet the stricter new testing and certification standards established under the revised Cybersecurity Act to prove they are "trusted."
## Technical Requirements
- **Adherence to New Certification:** Compliance hinges on meeting the new, clearer testing and certification requirements imposed on IT suppliers before their products can be legally sold within the EU market.
## Penalties & Enforcement
*The excerpt does not detail specific fines or penalty structures, but the implication of non-compliance in CNI is severe.*
- **Fines:** Not explicitly detailed in the source material.
- **Other Consequences:** In sectors such as telecommunications, operators that fail to phase out high-risk components within the mandated three years would be barred from running critical services on those vendors' components, which could force an operational shutdown or a mandated replacement.
- **Enforcement:** Enforcement will involve EU Member States compelling their national CNI operators to comply with the phase-out mandates.
## Related Standards
- **Existing Frameworks (Cybersecurity Act / NIS Directive):** The proposal builds upon and revises these existing EU-wide legislative frameworks.
- **WTO Obligations:** The proposal's design, particularly its exclusion of suppliers based on country of origin, is noted as potentially conflicting with the EU's World Trade Organization (WTO) obligations (as alleged by some stakeholders).
## Resources
- **Official Documentation:** Draft proposal revising the EU’s Cybersecurity Act and its Network Information Systems Directive (Specific reference documents not provided in text).
- **Guidance Documents:** Anticipated issuance of detailed guidance on the new testing and certification framework by relevant EU bodies.
- **Tools:** None specified, but compliance will necessitate detailed vendor risk management/supply chain mapping tools.
## Practical Recommendations
1. **Monitor Legal Status:** Organizations must immediately track the finalization and effective date of the revised Cybersecurity Act and NIS Directive.
2. **Inventory Critical Components:** Catalogue all hardware and software in CNI environments, noting the originating country and supplier (especially for telecom infrastructure).
3. **Engage Suppliers Early:** Proactively discuss new certification requirements with existing non-EU suppliers to assess their readiness to comply with stricter EU standards.
4. **Budget for Replacement:** Allocate financial resources immediately for the expedited replacement and decommissioning of components sourced from suppliers likely to be designated as "high-risk."