Digital Sovereignty: EU Blows the Horn Against "High-Risk Providers" like Huawei
With the Cybersecurity Act 2, Brussels gets serious: Huawei & Co to be driven out of critical areas, companies prepared against state IT attacks.
Vice-President of the Commission Henna Virkkunen wants to create a digital "Fortress Europe".
In Strasbourg, the EU Commission initiated a turning point for the European IT market on Tuesday. Its draft for the Cybersecurity Act 2 seeks solutions for an era in which digital infrastructures have become the scene of geopolitical power struggles. The Commission is thus abandoning the path of non-binding recommendations and wants to create a legal basis to consistently displace providers with a critical risk profile, such as Huawei or ZTE from China, from European infrastructure.
"Fortress Europe"
The direction of the legislative package is unmistakable: the EU wants to end its dependence on third-country suppliers who could act as an extended arm of foreign governments in an emergency. What has so far primarily applied to 5G networks within the framework of a "toolbox" is now to be extended to a total of 18 critical sectors. The Commission makes it clear: it is no longer just about whether a router has a backdoor. Rather, it is important to consider who built such a device and what laws this manufacturer is subject to in its home country. The goal is a "Fortress Europe" in the digital space.
"Security is not an optional extra, but the foundation of our digital sovereignty and the prerequisite for crisis-resilient competitiveness in an unstable world," said Henna Virkkunen, Vice-President of the Commission responsible for technological sovereignty, on Tuesday. IT security must be elevated from a purely IT task to a central element of national security policy.
As expected, the draft does not contain a list of countries or companies that the Commission considers to be at increased risk. This assessment can change rapidly. Instead, the EU member states are to jointly identify and minimize risks in supply chains. In doing so, they are to explicitly consider economic impacts to prevent supply bottlenecks for components such as chips.
Accelerated Certification as a Competitive Advantage
To economically cushion the exclusion of problematic providers, the Commission is focusing on expanding certification. The new European Cybersecurity Certification Framework (ECCF) is intended to ensure that products are developed according to the principle of "Security by Design". And with speed: in future, new certification schemes are to be developed within just twelve months as standard. Previously, regulation often lagged behind technical development. For companies in the EU, this is intended to become a competitive advantage: those who are certified prove that they meet the strict EU security requirements.
The focus is on small and medium-sized enterprises (SMEs), which often groan under the burden of bureaucracy. Here, the Commission is intervening with corrective measures: around 28,700 companies are to be relieved through simplifications. A new category for "Midcap companies" is intended to reduce compliance costs for tens of thousands of companies without compromising security. This is complemented by a central reporting channel for security incidents (Single Entry Point), which is expected to increase response speed significantly in the event of ransomware attacks.
Enisa as the Hub of Defense
A central pillar of the new security architecture is the EU Cybersecurity Agency Enisa. Its mandate is not only to be continued but also expanded. The agency is moving to the center of the European defense line: it is to operate early warning systems, coordinate cooperation with Europol, and actively support companies in recovering after attacks. With a new academy for cybersecurity skills, located at Enisa, and EU-wide certificates for IT security personnel, the Commission aims to create the human resources base for operating secure networks.
With this proposal, the legislative process begins in the Parliament and the Council of the EU. If they approve, the regulation will enter into force immediately. For national governments, the package also means that they must implement flanking changes to the NIS2 Directive within one year.
For giants like Huawei, whose mobile network technology is already being phased out in Germany, the clock is ticking: the time when they could play a leading role in European infrastructure despite security concerns is coming to an end. Chancellor Friedrich Merz (CDU) has already clearly positioned himself against allowing any components from Chinese manufacturers in German 6G networks.
However, the EU's initiative goes far beyond mobile communications: technology from Chinese manufacturers has also been in use for years in other critical areas such as railways, the energy sector, and urban networks. And Huawei is the world market leader in inverters for solar power plants.
(ds)