The European Union has moved towards a sweeping overhaul of its cybersecurity framework, proposing new legislation that would mandate the removal of high-risk foreign suppliers from telecommunications networks and sensitive digital infrastructure. The initiative aims to strengthen defences against state-backed cyber threats and organised cybercrime groups increasingly targeting critical sectors across Europe.
The proposal, unveiled by the European Commission, follows years of dissatisfaction over the inconsistent implementation of the EU’s 5G Security Toolbox, introduced in January 2020. The toolbox was designed as a voluntary framework encouraging member states to limit dependence on vendors deemed high-risk. However, uneven adoption across countries has raised concerns within the Commission about persistent vulnerabilities in Europe’s digital backbone.
Certified Cyber Crime Investigator Course Launched by Centre for Police Technology
While the proposed legislation does not explicitly name any companies, EU officials have previously flagged Chinese technology firms, particularly Huawei and ZTE, as sources of concern during discussions surrounding the 5G Security Toolbox. These concerns have centred on supply-chain security, national security implications, and geopolitical risk.
Under the newly proposed Cybersecurity Package, the European Commission would gain enhanced authority to coordinate EU-wide risk assessments and support restrictions or bans on specific equipment used in sensitive infrastructure. In parallel, EU member states would jointly assess supplier-related risks across 18 critical sectors, factoring in suppliers’ countries of origin, national security considerations, and broader geopolitical implications.
“Cybersecurity threats are not just technical challenges. They are strategic risks to our democracy, economy and way of life,” EU Tech Commissioner Henna Virkkunen said while announcing the proposal. “With the new Cybersecurity Package, we will be better equipped to protect our critical ICT supply chains and to respond decisively to cyber attacks. This is a key step towards safeguarding Europe’s technological sovereignty.”
A central element of the proposal is a revised Cybersecurity Act, aimed at securing information and communication technology (ICT) supply chains across the bloc. The revised law would make it mandatory to remove high-risk foreign suppliers from European mobile telecommunications networks, replacing the current patchwork of national approaches with a more uniform regulatory framework.
Another major focus of the revision is the simplification of cybersecurity certification procedures. Companies would be able to reduce regulatory burden and compliance costs through voluntary certification schemes managed by the EU Agency for Cybersecurity (ENISA), promoting harmonised standards across the single market.
According to the Commission, the legislation would also significantly expand ENISA’s operational role. The agency would be empowered to issue early threat alerts, operate a single entry point for cyber incident reporting, and assist organisations in responding to ransomware attacks, in coordination with Europol and national computer security incident response teams (CSIRTs).
In addition, ENISA would be tasked with establishing EU-wide cybersecurity skills attestation schemes and piloting a Cybersecurity Skills Academy, aimed at addressing the growing shortage of qualified cybersecurity professionals across Europe.
Once approved by the European Parliament and the Council of the EU, the revised Cybersecurity Act would take effect immediately. Member states would then be given one year to incorporate the new provisions into national law, ensuring alignment across jurisdictions.
Experts say the move goes beyond technical risk mitigation and reflects a broader strategic recalibration. By tightening controls over ICT supply chains, the EU is seeking to reinforce its technological autonomy and reduce systemic dependencies amid rising geopolitical tensions.
Sectors such as telecommunications, energy, transport and financial infrastructure are expected to see the most immediate impact as compliance requirements tighten and supplier relationships are reassessed.
As cyber threats escalate and digital infrastructure becomes increasingly intertwined with national security, the EU’s proposal underscores a growing consensus in Europe that cybersecurity is no longer merely a technical concern, but a core pillar of policy, economic stability and strategic resilience.
About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
