The European Commission, the executive body of the European Union (EU), has proposed new cybersecurity legislation that would require member states to remove “high-risk” foreign suppliers from critical information and communication technology (ICT) infrastructure, particularly in telecommunications networks. The overhaul aims to strengthen defences against cyber threats and secure supply chains for key infrastructure across the bloc.

Under the proposal, the EU would conduct joint risk assessments of suppliers and could impose restrictions or bans on equipment and services that pose national security concerns. The new rules would cover about 18 critical sectors, including mobile networks, cloud services, medical devices, and border security systems, and grant the Commission authority to coordinate risk evaluations across member states.

The legislation builds on earlier EU efforts such as the 5G Security Toolbox, a voluntary framework introduced in 2020 that encouraged member states to limit reliance on suppliers deemed “high-risk,” without legally binding requirements. Officials have previously voiced concerns about potential risks linked to technology products from certain third-country companies, though specific firms are not named in the draft text.

Telecommunications operators and other infrastructure providers would be given transition periods to remove or replace equipment identified as high-risk once a supplier list is established under the law. In proposals seen by news organisations, member states would have up to 36 months to phase out such equipment in mobile networks after publication of the list.

The overhaul would also revise the EU’s existing Cybersecurity Act, which sets cybersecurity certification frameworks and roles for the European Union Agency for Cybersecurity (ENISA), and would expand it to include mandatory supplier restrictions as part of broader efforts to secure ICT supply chains.

European policymakers have described the changes as part of efforts to enhance “technological sovereignty” and reduce reliance on external suppliers that have potential ties to foreign governments or carry geopolitical risk. Supporters argue that comprehensive risk assessments and coordinated measures will improve resilience against cyber attacks and supply chain pressures.

Critics of the planned overhaul have raised concerns about potential trade and legal implications, noting that restrictions based on country of origin could be challenged under World Trade Organization rules if not grounded in technical risk evidence. The proposal must be reviewed and approved by the European Parliament and EU member states before becoming law.
