EC publishes cybersecurity package including proposed updated Act

The revised Cybersecurity Act proposes to make adoption of the measures in the 5G security toolbox mandatory and, for the first time, to apply them to fixed infrastructure as well as mobile networks.

The European Commission has proposed a new cybersecurity package to strengthen the European Union's (EU) cybersecurity resilience and capabilities, including a revised Cybersecurity Act. It is intended to improve resilience and avoid fragmentation of the EU's single digital market.

However, the proposal lacks crucial details, and potential loopholes and caveats remain, despite the Commission talking up the urgency of the situation and the need for the revised Act.

EU’s evolving security landscape

To recap, the EU Cybersecurity Act (CSA) came into force in 2019. The EU is now revising the Act, which has since been complemented by new or updated legislation. The proposed revisions to the Cybersecurity Act published now are intended to address evolving threats, improve supply chain security and expand certification to managed services.

The other Acts are NIS2 and the Cyber Resilience Act, both of which have already been adopted (see below). The three together are designed to provide "an evolving regulatory landscape" rather than a single Act that encompasses all regulatory aspects of cybersecurity.

The NIS2 Directive sets up a unified legal framework to uphold cybersecurity in 18 critical sectors* across the EU and calls on Member States to define national cybersecurity strategies and to collaborate with the EU on cross-border response and enforcement.

The Cyber Resilience Act is in effect a rulebook, designed to ensure that hardware and software products with digital elements are protected against cyber threats. It requires devices and software to be designed, updated and maintained throughout their lifecycle to protect users.

What it means to telecoms

The Commission states that the revised Cybersecurity Act "will enable the mandatory derisking of European mobile telecommunications networks from high-risk third-country suppliers, building on the work already carried out under the 5G security toolbox". The toolbox was introduced in 2020, is adopted on a voluntary basis, and its take-up across Member States has been piecemeal.

Now the 5G toolbox will be turned into "a mandatory approach", said Commissioner Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy. She added that she will work with Member States to identify which specific elements of the ICT supply chains for critical sectors need targeted measures, including restrictions on high-risk suppliers.

Note that, as well as the toolbox's approach becoming mandatory, the revised Act will for the first time apply to fixed as well as mobile infrastructure. Technology supplied by still-unnamed foreign high-risk suppliers (generally understood to mean Huawei and ZTE) is to be removed from EU Member States' communications networks within three years of the updated Act passing into law.

Certification as a practical, voluntary tool?

The updated Act is intended to make it easier to comply with EU cybersecurity rules and will strengthen the powers of the EU Agency for Cybersecurity (ENISA). The Commission says it will enable the EU and Member States jointly to identify and mitigate risks across the EU's designated 18 critical sectors, taking economic impacts and market supply into account.

It goes so far as to claim that certification schemes, managed by ENISA, will "become a practical, voluntary tool for businesses", enabling them to show compliance with EU legislation while reducing burden and cost, and that the ECCF "will be a competitive asset for EU businesses".

According to the Commission, the Act will also introduce better governance, with greater involvement of stakeholders through public information and consultation. However, not everyone reads the proposals this way: there are complaints that they would give the Commission too much power, that the Commission has bowed too far to telcos, and that the package threatens net neutrality – see this report on the Capacity website.

* The 18 critical sectors are those covered by NIS 1 (which NIS 2 replaces) – energy, transport, healthcare, finance, water management and digital infrastructure – plus those added by NIS 2: providers of public electronic communications, more digital services (such as social platforms), waste and wastewater management, critical product manufacturing, postal and courier services, public administration at central and regional levels, and the space sector.

As a rule, medium-sized and large entities in these critical sectors will have to take appropriate cybersecurity risk-management measures and notify the relevant national authorities of significant incidents, meaning incidents that could cause significant disruption or damage.
