The European framework for identifying strategic assets and high-risk suppliers in information and communication technology (ICT) supply chains, proposed by the European Commission as part of the Cybersecurity Act 2 (see EUROPE 13790/1), remains the most sensitive and controversial point in the dossier and will require further discussions, several European telecommunications ministers stressed during the debate on the text on Tuesday 9 June.
While the Member States broadly support the overall objective of strengthening the mandate of the European Union Agency for Cybersecurity (ENISA), several of them, notably Hungary, Finland and Estonia, insisted that it should above all focus on supporting the Member States, given their national prerogatives in security matters.
During the debate, Spain clearly indicated that the Member States “must play a role in defining” the risks linked to supply chains. France, for its part, stressed the need to protect those supply chains “in a proportionate manner”, by jointly assessing the “technical and non-technical risks”. Portugal considered that the national cybersecurity certification authorities should also play a greater role in drawing up and maintaining the future European certification scheme, adding that the Member States had to retain “a central role” in decisions relating to cybersecurity risk assessments as well as risk-management measures in ICT supply chains. Estonia also argued that “the Member States should play a consistent role in the process of identifying third countries raising cybersecurity concerns and in the management of technical and non-technical risks linked to ICT supply chains”, while insisting on the need to “preserve flexibility for the Member States in defining risk-management measures”.
Finland, for its part, welcomed the fact that they could adopt measures going beyond the European framework, notably in order to “preserve the security of communications networks”. Sweden supported European regulation in this area, considering that the application of the 5G Toolbox, based on a more voluntary approach, had led to fragmentation within the Union. The Netherlands considered that the measures had to “remain based on a risk-based approach, targeted and predictable, focusing on the most significant risks to critical infrastructure”, while stressing, like France, the need to ensure clear articulation with the Cloud and AI Development Act (CADA) in order to guarantee a coherent and robust cybersecurity framework. (Original version in French by Ana Pisonero Hernández)