EU Supplier Ban Could Weaken Cybersecurity Standards

Summary
– ETSI formally opposes two specific provisions in the EU’s proposed Cybersecurity Act 2, arguing they could undermine the standardization system.
– It objects to a clause that would exclude entities from designated “high-risk” countries from participating in European cybersecurity standardization work.
– ETSI also opposes granting ENISA the authority to draft technical specifications, believing this should remain the role of independent standardization bodies.
– The organization warns that excluding suppliers from EU work could reduce European influence, as those suppliers may still shape the same standards internationally.
– ETSI recommends that any restrictions be applied case-by-case and that coordination with standardization bodies be improved to preserve the system’s integrity.
A major European standards body has formally raised concerns that proposed EU cybersecurity legislation could inadvertently weaken the very security standards it aims to strengthen. In a position paper submitted to the European Commission today, the European Telecommunications Standards Institute (ETSI) argues that two specific provisions in the draft Cybersecurity Act 2 (CSA2) risk undermining the openness and global credibility of Europe’s standardization system.
The first contentious provision is a proposed ban on entities from designated high-risk countries participating in European standardization work. Under the draft law, the Commission could exclude these suppliers from all development, assessment, and decision-making processes for cybersecurity standards. ETSI warns that such a blanket exclusion contradicts the foundational principles of openness, consensus, and independence that govern global standards bodies. The organization points to its adherence to WTO rules and existing EU regulations, which are designed to ensure standards are developed based on the best technical input, not geopolitical boundaries.
Martin Chatel, Chief Policy Officer at ETSI, emphasized that the organization’s existing directives already provide the flexibility to address security concerns on a case-by-case basis. “Undermining these core principles would risk the proper functioning, collaborative nature, and credibility of the entire system,” he stated. The paper cites a relevant precedent from 2019, when U.S. restrictions on certain companies in 5G standardization were later softened after industry feedback highlighted that a standard’s quality depends on its development process, not the nationality of its contributors.
ETSI’s deeper fear is a strategic misstep. If a supplier is barred from European work but remains active in global forums like the ITU or ISO, Europe could lose its influence in shaping the international versions of the very same standards. This would diminish European strategic autonomy in critical technology domains. The organization advocates for any restrictions to be applied proportionately and in close coordination with standardization bodies, rather than being established as a broad legal mandate.
The second area of concern involves an expanded role for the EU Agency for Cybersecurity (ENISA). While ETSI welcomes ENISA’s advisory participation, it opposes a new clause granting the agency authority to draft technical specifications. The institute argues this could create a parallel standard-setting structure that conflicts with the established legal framework, where drafting is entrusted to independent bodies under Commission supervision. ETSI believes ENISA’s role should remain focused on providing legal and technical guidance.
As a model for effective collaboration, the paper highlights ETSI’s own Technical Committee on Lawful Interception, which successfully brings together governments, law enforcement, and industry to develop standards. This existing structure, Chatel noted, already delivers the operational blend of openness, speed, and European safeguards that the geopolitical landscape demands.
The argument is framed within the EU’s broader standardization strategy, which seeks to reduce strategic dependencies without sacrificing impartiality. ETSI underscores its dual role in responding to both market needs and EU policy, citing European-originated standards for IoT and AI cybersecurity that have gained international adoption. The institute concludes that preserving Europe’s influence requires improved coordination with the Commission to maintain transparency and avoid unintended consequences for innovation and global competitiveness.
(Source: Help Net Security)