EU proposes new cybersecurity law to ban high-risk suppliers

As reported by Bleeping Computer, the European Commission has proposed new cybersecurity legislation aimed at securing telecommunications networks by mandating the removal of high-risk suppliers and strengthening defenses against state-backed and cybercrime groups targeting critical infrastructure.

While not naming specific companies, the new package grants the Commission authority for EU-wide risk assessments and to support restrictions or bans on equipment in sensitive infrastructure. Member states will jointly assess risks across 18 critical sectors, considering suppliers' countries of origin and national security implications. The legislation revises the Cybersecurity Act to secure ICT supply chains, mandating the removal of high-risk foreign suppliers from European mobile networks. It also streamlines certification procedures for companies. This initiative follows the EU's voluntary 5G Security Toolbox, introduced in 2020, which faced uneven application.

The new legislation empowers ENISA to issue threat alerts, manage incident reporting, and assist companies with ransomware attacks in cooperation with Europol and national CSIRTs. It also establishes skills attestation schemes and a pilot academy to build a European cybersecurity workforce. The act takes effect immediately upon approval by the European Parliament and Council, with member states having one year for national implementation.

Source: Bleeping Computer