Supply chain and sovereignty at the heart of the new Cybersecurity Act
- Expert Cloud

- Jan 22
With cyber threats to the EU's public and critical sectors on the rise, the Commission has unveiled a new version of its Cybersecurity Act focused on supply chain security and digital asset assessment against interference risks.

Recognizing that it cannot regulate the European market in terms of legal sovereignty, the European Commission has unveiled a new cybersecurity package targeting the European IT supply chain and the risks of foreign interference.
The new Cybersecurity Act aims to reduce cyber risks posed by third-country suppliers throughout the EU's ICT supply chain (including those related to cloud computing).
Better assessment of third-party cyber risks and key digital assets
Both the European Commission and Member States will be able to launch risk assessments for specific ICT supply chains.
These assessments will aim to identify vulnerabilities and risks, including those related to non-technical factors, such as the legal or political environment in which certain suppliers operate. This cyber package also plans to identify key ICT assets.
Following these analyses, key assets may be designated within supply chains, such as components, equipment, or critical services considered essential and important according to NIS 2 terminology.
Highly targeted measures for critical assets against risks of interference
The European Commission will be able to propose measures to reduce risks of foreign interference. These measures may include prohibiting the use of components or technology supplied by “high-risk suppliers” in critical IT assets.
The text also provides a mechanism that allows the European Commission to designate a country that presents “cybersecurity concerns” for ICT supply chains.
Addressing the issue of sovereignty from the perspective of supply chain security
The Commission's assessment relies not only on technical criteria but also on non-technical criteria, such as the legal and institutional framework of the country concerned, including the existence of laws that may require companies to cooperate with the authorities, the risks of interference, or the absence of effective legal safeguards.
If a country is designated as such, entities established in that country or controlled by that country may be prohibited from certain activities in critical ICT supply chains.
This legal assessment could thus be extended to cloud services and related supply chain assets (technical stack, servers, chips, network).
For example, a European cloud operator using a technology, a stack or network equipment classified as a "Key ICT asset" and supplied by a company linked to a country designated as high risk may no longer be able to purchase it from its supplier.
If the cloud operator already has such technology or equipment in service, it may be required to replace it within a period set by the Commission.
Digital sovereignty: From recommendations to legal obligations
After the failure of voluntary recommendations for technological sovereignty, the EU now wants to move to a legal obligation.
Until now, Brussels has called on member states to exclude risky suppliers without being able to compel them to do so, or alternatively by simply proposing sovereignty frameworks for public tenders.
The new Cybersecurity Act changes this approach by giving the Commission a legal framework to identify “third countries posing cybersecurity concerns,” to list entities that rely on them, and to impose their exclusion from critical ICT assets.
This regulatory proposal is coming at a time of high international tension, particularly between France and the United States.
In summary, start thinking now about checking the supply chain of your critical IT and cloud computing assets, because tomorrow they could be banned by the EU within a completely legal cybersecurity framework.