The European Commission recently moved to tighten its grip on technology suppliers deemed a risk to EU security, signaling a more assertive approach to protecting critical infrastructure (EC, 2026).
“Against this background, there are four main problems that this proposed revision of the CSA aims to tackle: the misalignment between the Union’s cybersecurity policy framework and stakeholders’ needs in an increasingly hostile threat landscape; the stalled implementation of the European cybersecurity certification framework (ECCF); the complexity and diversity of the cybersecurity-related policies impacting the Union’s cyber posture; and increasing ICT supply chains security risks,” the EC said in announcing the move.
The updated framework, a revision of the 2019 Cybersecurity Act, tackles what Brussels sees as a structural vulnerability: foreign-supplied tech embedded deep in Europe’s digital backbone. Europe must reconcile speed, operational flexibility, and trust, both internally and with international partners.
The intervention has two main objectives: to increase cybersecurity capabilities and resilience, and to prevent fragmentation of the single market. It aims to equip institutions and stakeholders to respond to threats effectively while promoting common tools, such as certification schemes, to ensure trust, interoperability, and a harmonised security framework across Member States.
The scrutiny by Brussels builds on a history of uneven implementation of the EU’s 5G Security Toolbox, introduced in 2020. High-risk suppliers, particularly Chinese firms such as Huawei and ZTE, remain embedded in key networks despite repeated warnings (Euractiv). Tech Commissioner Henna Virkkunen emphasized last month that voluntary measures have proven insufficient, noting, “Critical parts of Europe’s networks still depend on high-risk suppliers” (Euronews, 2026). The new rules cast a wide net, covering telecom networks, cloud platforms, data centres, connected devices, and even social media infrastructure. While the Commission does not name companies outright, Huawei and ZTE, long flagged in EU debates over 5G security, remain the implicit focus.
Implementation will be gradual. Telecom operators, for example, may have several years to phase out high-risk suppliers, a timeline that acknowledges both the economic cost and the operational complexity. Certification and compliance rules are being streamlined to reduce administrative burdens, particularly for companies operating across multiple member states. Although the framework is officially country-neutral, scrutiny could eventually extend beyond Chinese vendors, potentially including U.S. suppliers, as tensions around social media, cloud services, and data governance intensify. The EU is effectively signaling that cybersecurity strategy is now inseparable from industrial policy and geopolitical positioning.
Right now, there’s growing pushback on the proposal. The China Chamber of Commerce to the EU (CCCEU) warned that blanket exclusion measures risk disrupting the market, raising costs, and undermining global competitiveness in ICT sectors deeply integrated with European supply chains (Global Times, 2026).
The European Union Agency for Cybersecurity (ENISA) will gain new operational authority to coordinate early warnings, incident responses, and cross-border reporting. A single EU entry point for incident notifications is designed to accelerate action and improve situational awareness, particularly for ransomware attacks or supply-chain compromises.
As negotiations move to the European Parliament and national capitals, resistance is expected from states wary of EU overreach. Brussels is betting that a coordinated, long-term approach will define the EU’s digital sovereignty and set a benchmark for global cybersecurity governance.