Agence Europe
Europe Daily Bulletin No. 13790
SECTORAL POLICIES / Digital

With revision of Cybersecurity Act, EU is taking a step forward by giving itself power to exclude foreign suppliers

The long-awaited revision of the European cybersecurity legislative framework (Cybersecurity Act, CSA) was presented by the European Commission in Strasbourg on Tuesday 20 January. The text is intended to respond to European concerns about the risks posed by certain operators and suppliers from third countries that are deemed to pose a potential risk to the Union’s sovereignty and integrity (see EUROPE 13786/14).

China in the crosshairs

In practice, the revised text proposes a framework enabling the European Commission and the Member States to impose restrictions (on access to public procurement, certain European programmes, standardisation bodies or cybersecurity certifications), or even a de facto exclusion, on certain suppliers or equipment manufacturers integrated into the EU’s information and communication technologies (ICT) supply chain or its telecommunications sector.

Although no third country, supplier, equipment manufacturer or operator is named in the text, the idea is to build a legal framework to legitimise the exclusion of certain players from the EU market on the grounds of national and transnational security. 

China is the ‘usual suspect’ in this case, but the ban could potentially be extended to any actor or country ticking one or more of the criteria detailed in the text and designated by the Commission.

This designation would come at the end of the legislative process, after several dedicated risk analyses in each priority sector, such as water supply systems, cloud services or surveillance equipment. These analyses could be initiated at the request of the Commission alone or of at least three Member States. 

If, after six months, the suspected risk is proven, the Commission will have the power, through an implementing act, to include the country concerned on the list of ‘high-risk’ countries for the cybersecurity of EU ICT supply chains.

As a result, any entity from, or controlled by, that country could face restrictions, or even exclusion in cases deemed the most dangerous for European cybersecurity. 

In terms of telecommunications in particular, the text is based on the ‘5G toolbox’, which dates from 2020 (see EUROPE 13202/3). At the time, the European Commission endorsed the voluntary eviction of Huawei and ZTE from the European telecoms sector by around 10 Member States. Both companies had been designated as ‘high-risk suppliers’ due to their exposure to “highly intrusive third-country national intelligence and data security laws”. 

However, there is still a long way to go: Spain recently signed a contract with Huawei “for the supply of servers to store telephone tapping authorised by the Spanish courts”, a decision which provoked a rather harsh reaction from the Commissioner for Technological Sovereignty, Henna Virkkunen, who expressed her fear of “the increased risk of foreign interference” (see EUROPE 13711/12), and which played a role in the review of the CSA.

“The ‘5G toolbox’ was essential and recommended excluding high-risk suppliers, but this does not work on a voluntary basis, which is why we are proposing this legislation”, the European Commissioner detailed.

European cybersecurity certification

The revision of the text also revives another old European project, that of ‘Cybersecurity Certification Schemes’, with a ‘Renewed European Cybersecurity Certification Framework’ (ECCF). 

In detail, these schemes should “protect against accidental or unauthorised storage, processing, access or leakage”, against “any unauthorised manipulation or modification”, and ensure that ICT products, services and processes “do not contain known exploitable vulnerabilities”. 

The new text broadens the scope of these schemes, which will now cover the entire ICT chain. This resurgence foreshadows a resumption of the debate surrounding the ambition of the schemes and the specific technical requirements for obtaining them, such as data localisation or protection against the extraterritorial reach of certain foreign laws (see EUROPE 13394/9).

Finally, as we have already reported, ENISA has been given a much more important role in overseeing and harmonising European cybersecurity. 

This designation of countries posing a ‘high risk’ to the EU’s cybersecurity and the potential for exclusion on the grounds of internal security are a first for the Union.

See the revised CSA: https://aeur.eu/f/kbk (Original version in French by Isalia Stieffatre)
