The European Commission has taken a step that many experts have long been calling for: moving from voluntary recommendations to rules that will force the security of telecommunications networks and critical technology supply chains to be tightened. After years in which the 5G Security Toolbox worked as a guide, the new legislative proposal turns into binding rules measures that seek to reduce the dependence on high-risk suppliers and to improve collective capacity to deal with attacks supported by states or criminal organizations.
At the heart of the initiative is the power to organise risk assessments at European level and, on the basis of them, to support restrictions or prohibitions on equipment considered unsafe in sensitive infrastructure. The Commission proposes that Member States carry out joint assessments of 18 critical sectors, taking into account the origin of suppliers and the implications for national security, which would require the harmonisation of criteria that have so far been applied unevenly.

This line is complemented by a review of the Cybersecurity Act introducing, inter alia, the obligation to withdraw high-risk foreign suppliers from European mobile networks. The proposal does not name specific manufacturers, but it is no secret that the Commission's previous concerns included companies from certain countries which, because of their market position and their relationship with foreign governments, have been under scrutiny since the adoption of the 5G toolbox in 2020. More details on the initial implementation of this toolbox can be found in the Commission's official communication Member States.
The Commissioner responsible for technology, Henna Virkkunen, has stressed the strategic nature of these threats: they are not only technical challenges, but risks to democracy, the economy and the European way of life. The Commission's public statement describes the proposal as a measure to strengthen technological sovereignty and the collective protection of critical infrastructure.
A key element in this reform is the strengthening of the role of the Union Agency for Cybersecurity (ENISA). Under the new framework, ENISA will be able to issue early warnings about threats, manage a single European point for incident reporting and coordinate assistance to companies in cases such as ransomware attacks, in cooperation with Europol and the Member States' computer incident response teams. ENISA will also lead more agile voluntary certification schemes, designed to reduce regulatory burdens and operational costs for companies that submit to them. More information about the agency is available on its official website.
In addition to incident management and certification, the Commission proposes measures to address the lack of talent: the package provides for the creation of skills accreditation schemes and a pilot for an Academy of Skills in Cybersecurity to train the next generation of specialists across the EU. The idea is that, in addition to tightening rules, there should be sufficient human capacity to apply them and to respond to threats in real time.
If approved, the review of the Cybersecurity Act shall enter into force immediately and the Member States shall have a period of one year to transpose the amendments into their national legislation. This schedule introduces a short window for operators, regulators and suppliers: the elimination of equipment considered high risk involves significant technical and economic challenges, and will require replacement and financing plans in many cases.
The practical consequences are profound. For mobile network operators it will mean accelerating audits, technology divestment or replacement plans and possible investments in more expensive or less mature alternatives. For suppliers, it is an incentive to demonstrate transparency in their supply chain and corporate governance, and to provide technical guarantees for European certification. From a geopolitical point of view, the measure seeks to reduce external pressure vectors and limit technological dependence on state actors whose strategic interests are opposed to those of the EU.
The measure raises complex discussions: the EU will have to balance security, competition and costs. There are risks that the rapid removal of equipment will cause temporary interruptions or increase the cost of networks, with an impact on tariffs and deployments, especially in rural areas. The international trade implications and possible diplomatic repercussions must also be considered. Yet the ambition is clear: prioritizing resilience and security over short-term gains.

In the operational field, coordination with Europol and national CSIRTs should improve the detection of and response to cyber attacks, but it will also require greater trust between Member States and a fluid exchange of sensitive information. Europol, as an agency with experience in combating cybercrime and supporting cross-border investigations, will be an ally in responding to serious incidents; its role and capabilities can be consulted on its institutional website.
For companies and cybersecurity professionals the practical recommendation is clear: act ahead of the rules. Auditing the supply chain, accelerating certification processes where possible, and preparing continuity plans that provide for the replacement of equipment or suppliers are steps that will reduce the cost and risk of a forced transition. At the same time, taking advantage of the planned training and accreditation initiatives can turn a regulatory obligation into an opportunity to strengthen internal capacities.
In short, this legislative package aims to translate the political will to defend the European digital infrastructure into tangible tools: joint risk assessments, the ability to restrict suppliers, faster certifications and an agency with a greater operational mandate. The final effectiveness will depend on the speed of implementation, the availability of technological alternatives and the degree of cooperation between governments, regulators and the private sector. We will closely follow the approval process in the European Parliament and the Council, which will determine how security, technological sovereignty and costs will be balanced in the coming years.