EU Advances Digital Sovereignty with New Cybersecurity Package
The European Commission has unveiled a new cybersecurity package, including a proposal to revise the Cybersecurity Act (CSA2). The reforms aim to strengthen certification, supply chain security, and incident response. This move aligns with broader calls for the EU to build its own digital infrastructure to reduce its reliance on U.S. technology and bolster its strategic autonomy.
- The proposed Cybersecurity Act 2 (CSA2) introduces for the first time a horizontal framework for ICT supply chain security, moving beyond purely technical risks to include non-technical factors like political influence and legal obligations imposed by third countries. This new framework allows for EU-wide risk assessments and the identification of "key ICT assets" in critical sectors outlined in the NIS 2 Directive.
- A significant change in the CSA2 proposal is the power granted to the European Commission to designate a non-EU country as a "country posing cybersecurity concerns to ICT supply chains." Suppliers linked to such a country would be automatically classified as high-risk, potentially excluding them from public procurement and participation in standardization activities.
- The European Union Agency for Cybersecurity (ENISA) will see its role significantly strengthened, taking on more operational tasks. ENISA will manage cybersecurity certification schemes, develop technical guidance for companies, issue early warnings for major threats, and support cross-border supervision and incident response.
- The European Cybersecurity Certification Framework (ECCF) is being streamlined to accelerate the development of new certification schemes, with a general goal of completion within one year. These voluntary certifications, which can cover ICT products, services, and an organization's overall cybersecurity posture, will create a presumption of conformity with relevant EU regulations like NIS2.
- This legislative package is part of a broader "all-hazards" approach to resilience, connecting cybersecurity with industrial policy and national security. It complements other key regulations such as the NIS2 Directive, which sets cybersecurity risk management and reporting obligations for essential entities, and the Cyber Resilience Act (CRA), which mandates security-by-design for products with digital elements.
- The push for these regulations is a core component of the EU's strategic goal to achieve "digital sovereignty," reducing its dependency on foreign technology and infrastructure, particularly from the U.S. and China. This ambition is championed by figures like Thierry Breton, the European Commissioner for Internal Market, who advocates for building sovereign infrastructure and resisting external pressures that could weaken EU digital laws.
- The CSA2 proposal and related amendments to the NIS 2 Directive are currently in trilogue negotiations, with a political agreement anticipated by early 2027. Once adopted, the CSA2 will be a directly applicable regulation, while member states will have one year to transpose the NIS 2 amendments into their national laws.