Brussels, BELGIUM – The European Commission’s long-awaited revision of the EU Cybersecurity Act (CSA), presented today, is a welcome step towards harmonising technical security criteria across the European Union and securing Europe’s ICT supply chain.
The Computer & Communications Industry Association (CCIA Europe) applauds the Commission’s decision to focus on technical security benchmarks and evidence-based certification, rather than introducing discriminatory ‘sovereignty’ restrictions.
By avoiding politically-motivated restrictions in cybersecurity certifications – which, for example, would have barred non-EU providers from high-level certification – the Commission signals its commitment to a competitive and open Digital Single Market.
However, CCIA Europe warns there is a real risk that EU Member States and Members of the European Parliament (MEPs) may attempt to introduce protectionist criteria during negotiations.
Equally, the proposal leaves the definition of ‘high-risk countries’ broad. Clarifying this concept is essential to provide certainty and clarity for ICT vendors and customers. Metrics for high-risk status should be based on demonstrated, tangible, and objective factors; such as government interference, lack of effective judicial oversight, or the absence of security and law enforcement cooperation agreements.
As the legislative process begins, EU co-legislators must ensure the CSA revision respects its original promise: the structural harmonisation of technical cybersecurity criteria. Geopolitical supply-chain risks should instead be addressed through dedicated forums, ensuring a clear distinction between high-risk countries and essential trade partners.
The following can be attributed to CCIA Europe’s Technology and Security Policy Manager, Mitchell Rutledge:
“The Commission has taken the correct approach by anchoring the certification of digital services in technical, objective security criteria rather than bending to political intervention. The Cybersecurity Act has long needed a hard reboot that fixes fragmentation and delivers real-world certificates, not endless debate over blunt country-of-origin market exclusion.”
“We call on the EU institutions to continue to resist the protectionist urge to reinstate discriminatory restrictions that would harm the security of Europe’s digital ecosystem, instead providing a clear and predictable framework for how high-risk vendor assessments are conducted across Europe’s ICT supply chain.”
