EU threatens exclusion of US firms

Europe’s cybersecurity fight is turning into a market-access fight. That is the real news here. On May 6, Markéta Gregorová — the European Parliament’s lead negotiator on the rewrite of the EU Cybersecurity Act — said U.S. companies could be affected by the new rules if they do not comply. That matters because Brussels is no longer talking only about Chinese gear in telecom networks. It is talking about whether foreign suppliers can be trusted anywhere near Europe’s critical systems. (politico.eu) ### What actually changed? The immediate trigger was Gregorová’s public warning at POLITICO’s AI & Tech Week in Brussels. She said she could see the Cybersecurity Act having an impact on U.S. companies if they do not “oblige by the rules.” The Commission had already put its proposal on the table in January 20(politico.eu)tack that much of Europe already uses. (politico.eu) ### What is this law trying to do? Basically, the EU wants a tool for dealing with “non-technical” cyber risk. That means the danger is not just buggy code or weak encryption. It can also be political pressure, foreign legal obligations, state leverage over vendors, or hidden dependence on a supplier from a c(politico.eu)d companies from that country could then be treated as high-risk suppliers. (politico.eu) ### Why are U.S. firms suddenly in the frame? Because Europe’s concern is shifting from hardware to control. A server can sit in Europe, but the admin tools, identity layer, telemetry, support access, and legal exposure can still run through a U.S. company. That is the “kill switch” anxiety now circulating in(politico.eu)viders. Gregorová also pointed to what she sees as a weak compliance culture among big U.S. platforms under existing EU rules. (politico.eu) ### Is this already a ban? No — not yet. Gregorová explicitly said she was not trying to create a blacklist or whitelist. The point is to build a system for risk assessment that can justify restrictions later. But that still has teeth. If a supplier is tagged high-risk, the practical effect could be exclusion(politico.eu)That is why companies are treating this as commercial risk now, not abstract Brussels talk. (politico.eu) ### Why does the Netherlands matter here? Because Brussels is pushing on two fronts at once. One front is new powers over risky suppliers. The other is forcing member states to finally implement the older resilience laws they already agreed to. The Netherlands is now facing court action after missing deadline(politico.eu)he missed deadline there was October 2024, and Dutch officials have admitted implementation is still far off. (nltimes.nl) ### Which rules are being enforced? Two big ones sit in the background. NIS2 is the directive that expands cybersecurity duties across essential and important sectors. The Commission sent reasoned opinions on May 7, 2025 to 19 member states, including the Netherlands, for failing to notify full transposition. Sepa(nltimes.nl)Turns out the supplier-risk debate only gets sharper when many countries still have not finished the basics. (digital-strategy.ec.europa.eu) ### So what should companies take from this? Architecture is policy now. If your hosting, logging, identity, remote support, or privileged access depends on a provider that could be labeled high-risk, that dependence may become a procurement problem. The safest reading is not “U.S. firms are banned.” It is “Europe is building le(digital-strategy.ec.europa.eu).” (politico.eu) ### Bottom line? This is Europe moving from cyber hygiene to cyber sovereignty. The catch is that once trust becomes a regulatory category, vendor nationality and control paths matter almost as much as the technology itself. (politico.eu)