EU Strengthens Cybersecurity Rules for Tech Supply Chains

Summary
– The European Commission has proposed a revised Cybersecurity Act to secure ICT supply chains and mandate the derisking of EU mobile networks from high-risk third-country suppliers.
– A renewed European Cybersecurity Certification Framework will enable faster, voluntary certification of ICT products and services to demonstrate compliance and build trust.
– The package includes measures to simplify compliance with EU cybersecurity rules and introduces targeted amendments to the NIS2 Directive for clearer jurisdiction and ransomware data collection.
– ENISA’s role is strengthened to coordinate threat understanding, issue early warnings, and operate a single-entry point for incident reporting in collaboration with other agencies.
– ENISA will also pilot a Cybersecurity Skills Academy and support EU-wide skills attestation schemes to develop a skilled cybersecurity workforce.
The European Commission has introduced a comprehensive new cybersecurity strategy designed to bolster the digital resilience of the European Union. This initiative centers on an updated EU Cybersecurity Act, which focuses on securing information and communications technology supply chains. The core objective is to ensure that products available to EU consumers are inherently secure, achieved through a more efficient and standardized certification process.
The revised Cybersecurity Act establishes a foundational security framework for ICT supply chains, adopting a risk-based methodology. This system will empower both the EU and its individual member states to pinpoint and address vulnerabilities within critical industries. It carefully balances security needs with economic considerations and market availability. A significant provision mandates the reduction of risk in European mobile networks from suppliers based in high-risk countries outside the EU, expanding upon existing 5G security measures.
Product security verification will be managed through the European Cybersecurity Certification Framework (ECCF). This framework is being reformed to allow for the faster creation of certification schemes, typically within a year, and introduces a more flexible and open governance model. This new model ensures greater involvement from industry stakeholders through public consultations and transparent information sharing. These certification schemes will serve as a voluntary mechanism for businesses to show they meet EU standards, which can lower the cost and complexity of regulatory compliance. Organizations will have the option to certify a wide range of elements, including ICT products, services, processes, and their overall cybersecurity readiness, aligning with market demands. The revitalized ECCF is expected to significantly increase trust and safety within intricate ICT supply chains for citizens, companies, and public bodies alike.
Additional measures in the package aim to simplify how companies follow EU cybersecurity and risk-management rules. These steps work alongside the single reporting portal established by broader digital legislation. Furthermore, specific amendments to the NIS2 Directive seek to provide greater legal clarity. The changes will simplify rules regarding jurisdiction, make the gathering of ransomware attack data more efficient, and ease the supervision of organizations that operate across borders. The European Union Agency for Cybersecurity, ENISA, will see its coordinating function expanded to support these adjustments.
The updated Act also enhances the role of ENISA, charging it with a greater responsibility in helping the EU and member states comprehend shared cyber threats and boost preparedness and response capabilities. The agency will continue to provide early warnings about new threats and incidents while developing a unified European strategy for managing software vulnerabilities. ENISA will operate the centralized incident reporting portal and, working with Europol and national CSIRTs, assist companies in responding to and recovering from ransomware attacks. To address the workforce shortage, ENISA will pilot a Cybersecurity Skills Academy and support the creation of EU-wide skills attestation programs, helping to cultivate a highly skilled cybersecurity talent pool across Europe.
(Source: HelpNet Security)