The European Commission (EC) wants a revised Cybersecurity Act to address any threats posed by IT and telecoms kit from third-country sources, potentially forcing member states to confront the thorny issue of suppliers such as Huawei in their national networks.
Europe faces increasingly sophisticated hybrid attacks on every area of its infrastructure, the EC claims. The revised Cybersecurity Act looks to address this with union-level risk assessments, combined with targeted mitigation measures that will include bans on IT components from “high-risk suppliers.”
The suggested timeframe for this could leave member states with as little as three years to remove non-compliant kit.
This is seen as the Commission finally cracking down on member states that have for years declined to take any kind of action against suppliers deemed to be a potential security risk, and imposing Europe-wide rules regarding which companies and products should not be trusted.
In mid-2023, former European Commissioner Thierry Breton said telecoms equipment from firms including Huawei and ZTE should be banned throughout the EU amid fears the tech could contain backdoors, allowing Beijing to remotely access it for espionage purposes or to disrupt networks. Plans were announced to remove the gear from the Commission’s internal networks.
In the same year it emerged that Huawei had supplied nearly 60 percent of the telco equipment used in Germany’s 5G networks. The megacorp hit back after EU officials labelled it as a “high-risk supplier.”
Huawei has always strongly denied its products represent a security threat, although critics counter that Chinese law requires its citizens and organizations to serve as covert operatives on behalf of the state if ordered to do so.
The EC wants several key things baked into the revised Cybersecurity Act: a framework to address the supply chain security challenges in critical infrastructure, and to simplify the Europe-wide cybersecurity certification framework.
It also wants to strengthen the European Union Agency for Cybersecurity (ENISA), and reduce “unnecessary administrative burdens” relating to implementation of the NIS2 cybersecurity directive (only two member states met the deadline to transpose it into national law).
As for 5G networks, the EC says the legislation “provides for a phase-out of high-risk suppliers from mobile networks,” and will mean that conformity assessment bodies will not be allowed to certify products or services from these suppliers.
This isn’t just about telecoms: the new Cybersecurity Act, along with the upcoming Cloud and AI Development Act (CADA), will address sovereignty aspects and non-technical risks, according to the EC.
The proposed legislation makes no mention of specific companies such as Huawei, but the China-based tech biz has supplied infrastructure to telecoms networks in pretty much every EU country because it was an early investor in 5G technology and standards.
A spokesperson for Huawei told The Register: “A legislative proposal to limit or exclude non-EU suppliers based on country of origin, rather than factual evidence and technical standards, violates the EU’s basic legal principles of fairness, non-discrimination, and proportionality, as