EU Proposes Cybersecurity Overhaul to Counter Supply Chain Risks
The European Commission's revised Cybersecurity Act expands ENISA's powers and creates a framework to restrict high-risk technology suppliers.
The European Commission proposed a sweeping revision to its cybersecurity framework on January 20, aiming to reduce reliance on technology suppliers that pose national security concerns. The package—which includes amendments to the 2019 Cybersecurity Act and the NIS2 Directive—gives EU agencies new authority to coordinate ransomware responses and assess risks from third-country vendors.
While the proposal avoids naming specific companies, officials acknowledged it builds on longstanding concerns about Chinese technology firms, particularly Huawei and ZTE in telecommunications networks.
What's Changing
The revised framework addresses three major gaps in EU cyber defenses:
Supply Chain Security: The Commission gains authority to conduct EU-wide risk assessments of technology suppliers and "support restrictions or bans on certain equipment used in sensitive infrastructure." Individual member states currently make these decisions independently, leading to inconsistent security postures across the bloc.
ENISA Expansion: The EU Agency for Cybersecurity receives a 75% budget increase and a broader operational mandate. ENISA will issue early warnings about emerging threats, coordinate cross-border incident response, and help companies recover from ransomware attacks—working alongside Europol and national CSIRTs.
Certification Streamlining: The European Cybersecurity Certification Framework gets clearer rules and faster timelines, with 12 months becoming the default for developing new certification schemes. The framework will also expand beyond ICT products to assess companies' risk management postures.
The China Question
Years of frustration preceded this proposal. The EU's 5G Security Toolbox, adopted in 2020, let member states voluntarily restrict high-risk vendors from critical network components. But adoption was uneven. Some countries banned Huawei equipment outright; others continued deploying it.
The Commission's press release maintains that the new framework "would remain country-neutral in principle." In practice, the criteria for identifying high-risk suppliers—including ties to foreign governments and legal obligations to assist state intelligence—point directly at Chinese manufacturers operating under Beijing's national security laws.
Telecom operators will receive multi-year transition periods to phase out equipment from designated high-risk suppliers. The Commission acknowledged "substantial economic costs" but framed the changes as necessary for protecting critical infrastructure from state-backed cyber operations.
Ransomware Response Coordination
Beyond supply chain concerns, the package creates unified mechanisms for responding to large-scale cyber incidents. ENISA will oversee a single EU entry point for incident reporting, replacing the fragmented system where companies report to different national authorities depending on which directives apply to them.
The amendments also simplify data collection on ransomware attacks, enabling better tracking of criminal groups operating across borders. This addresses a persistent gap: ransomware gangs exploit jurisdictional boundaries to evade coordinated law enforcement responses.
Why This Matters
The proposal arrives as Chinese APT groups continue targeting European and North American critical infrastructure. Salt Typhoon's recent compromise of a U.S. congressional email platform underscored how state-linked actors exploit supply chain access.
For security teams at EU organizations, the practical impact depends on implementation timelines. The proposal moves next to the European Parliament and Council for negotiation—a process that typically takes years. But companies using equipment from suppliers likely to face scrutiny should begin assessing alternative vendors now.
The certification changes may prove more immediately useful. Clearer standards for evaluating cybersecurity products could help procurement teams make faster decisions, particularly for organizations navigating the growing landscape of EU digital regulations.
What Happens Next
The legislative process will determine which provisions survive political negotiation. Telecom equipment manufacturers and their government supporters will push back on supply chain restrictions. Member states with closer economic ties to China may seek exemptions or longer transition periods.
ENISA's expanded role faces fewer obstacles. The agency has earned credibility through steady work on threat intelligence and incident coordination. Additional resources and authority should accelerate efforts already underway.
For organizations tracking EU cybersecurity requirements, this package signals the direction of travel: tighter supplier controls, mandatory certification for more product categories, and increased expectations for incident reporting. The timeline remains uncertain, but the trajectory is clear.