How the New EU Cyber Act Protects Critical Supply Chains

Share this article
Share this article
Prioritise Us on Google
The EU's new Cybersecurity Act aims to purge high-risk vendors and simplify compliance (Credit: Getty)
The EU's new Cybersecurity Act aims to purge high-risk vendors and simplify compliance, bolstering digital sovereignty against escalating global threats

European countries represent prime targets for cybercriminals, experiencing daily cyber and hybrid attacks on essential services and democratic institutions, carried out by sophisticated state and criminal groups, according to the European Commission (EC).

Recognising this hostile cyber environment, the commission put forward a new cybersecurity package on 29 January 2025, featuring revisions to the current Cybersecurity Act (CSA). The package could help the European Union and its member states to "identify and mitigate risks across the EU's 18 critical sectors", the European Commission says.

"Cybersecurity threats are not just technical challenges," says Henna Virkkunen, Executive Vice President for Tech Sovereignty, Security and Democracy of the European Commission.

Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy of the European Commission | Credit: European Commission

"They are strategic risks to our democracy, economy and way of life. With the new Cybersecurity Package, we will have the means in place to better protect our critical ICT supply chains but also to combat cyber attacks decisively."

Removing risky third-country vendors

One significant development within the revised Cybersecurity Act involves plans to establish a trusted Information and Communication Technologies (ICT) supply chain through the removal of third-country suppliers presenting cybersecurity concerns.

While the report does not name the third countries designated as high-risk suppliers, European News Rooms reported on 30 January 2025 that this provision could allow the EU to force the exclusion of Chinese suppliers like Huawei and ZTE from critical infrastructure.

Against the backdrop of China's 27 January 2025 ban on cybersecurity firms from countries including the US and Israel, this EU initiative could signal a move towards self-reliance and sovereignty as security concerns and geopolitical tensions continue to escalate.

The revised CSA could simplify compliance by streamlining the process and risk management requirements companies must follow, focusing on a single-entry point for reporting cyber incidents.

The EU claims this will ease compliance for 28,700 companies. Through a renewed European Cybersecurity Certification Framework (ECCF), products and services reaching EU consumers could be tested more efficiently for their security.

Youtube Placeholder

Strengthening ENISA's cyber defence role

The European Union Agency for Cybersecurity, ENISA, has served as a cornerstone in the EU's cybersecurity objectives since its creation in 2004.

Under the updated rules, ENISA could be empowered to issue early alerts regarding cyber threats and incidents.

Additionally, working alongside Europol and Computer Security Incident Response Teams, ENISA could support EU companies in responding to and recovering from ransomware attacks, which according to Europol's Internet Organised Crime Threat Assessment published in October 2024 have been rising significantly.

ENISA's detailed plans also include developing a union to deliver enhanced vulnerability management services to stakeholders. Recognising that strengthening the frontline of cyber defence remains critical, ENISA could pilot a Cybersecurity Skills Academy designed to help build a skilled cybersecurity workforce and establish EU-wide cybersecurity skills attestation schemes.


All sustainability, net zero and sustainable procurement leaders should attend:

Co-located with Sustainability LIVE, these events brings together CPOs, CSCO, CSOs, ESG leaders and senior decision-makers at a moment when sustainability, supply chains and commercial performance are increasingly interconnected.

Tickets can be booked online today for The Net Zero Summit and The US Summit. Group discounts available.


Industry response to regulatory changes

Tim Pfaelzer, SVP and GM at Veeam

Tim Pfaelzer, Senior Vice-President and General Manager at Veeam, welcomes the revision, noting that the updated Act could tackle sovereignty and simplify compliance, giving organisations a clearer path to strengthen resilience.

"The proposed revisions to the EU Cybersecurity Act come at a pivotal moment, as concerns around sovereignty and compliance continue to intensify," Tim says.

"By introducing measures to restrict or even phase out third-country 'high-risk' vendors in critical sectors, these changes underscore just how central sovereignty has become to the cybersecurity agenda. Equally important are the efforts to simplify security testing and certification processes and clarify jurisdictional rules.

"For many organisations, the greatest barrier to viewing compliance as an enabler rather than an obstacle is the complexity of today's regulatory landscape. Any move to streamline this will be a welcome step forward."

Executives