The EU Cybersecurity Act increases scrutiny of supply chain concerns related to China
- Editorial Team

- Mar 5

The European Union is taking further steps to defend its critical technologies and digital infrastructures. With the rise of cyberspace technologies and geopolitical tensions, the EU is implementing protective measures to defend critical systems from both internal and external threats. The EU Cybersecurity Act is a significant development because it increases the scrutiny of supply chain technology, particularly in relation to Chinese companies.
This new policy is part of an overarching shift in how Europe approaches economic security, technological sovereignty, and the management of strategic risks. The EU aims to reinforce critical digital infrastructures by implementing stricter measures in the defense of cyberspace and reviewing its dependencies on foreign technological systems within its supply chains.
The Context of the Cybersecurity Act
Globally, cybersecurity has increasingly come to the forefront of governance concerns in recent years. The core of the issue is that the digital infrastructure on which cybersecurity measures are based is the backbone of almost all sectors of an economy, and therefore the risks are significant.
Europe's concerns regarding cybersecurity tie into a broader global race for new technologies. Countries notice how their reliance on foreign technology suppliers can pose security concerns.
Most discussions center on China due to its increased involvement in global technology supply chains with state-sponsored tech companies. European politicians are concerned about the potential for foreign vendors to compromise secure systems.
The European Police and Cybersecurity Act is part of European authorities' efforts to protect the EU's technology ecosystem while facilitating free trade.
The European Cybersecurity Act Proposals
The European Cybersecurity Act creates a new framework for the oversight of cybersecurity policies across the European Union. The Act creates a structured approach to ICT (Information and Communication Technology) supply chain risk and provides a way for Member States to identify and address risks associated with specific technology providers.
Overall, the policy aims to develop a Europe-wide approach to risk, to supplant previous policies based on individual Member States' assessments, and to establish uniformity among Member States regarding the evaluation of cybersecurity risks.
The policy's aim is to create a reliable overall ICT supply chain framework. This approach identifies potential risks concerning elements of digital structure and enables authorities to undertake specific actions to alleviate them.
Possible actions include:
Reviews of the risks of foreign technological providers
Restrictions on high-risk providers in critical infrastructures
Mutually accepted cybersecurity certification
Monitoring the critical digital infrastructure dependencies
The aim of the above actions is to secure cloud services, data centers, and telecommunication networks.
Focus on Chinese Supply Chains
Although the EU does not mention specific countries in its cybersecurity policies, experts believe that the focus is on China.
China has advanced in key areas of technology, such as telecommunication equipment, cloud services, AI, and semiconductor manufacturing. European lawmakers have raised concerns that firms operating in China may be subject to government control.
China's data access and national security laws exacerbate these concerns, as there are instances where government oversight is required.
As a result, European governments are considering more closely whether foreign suppliers whose businesses might be politically influenced are reliable partners for key digital infrastructure.
Identifying potential critical suppliers is key to the risk-assessment framework of the EU Cybersecurity Act.
The EU’s Bigger “De-Risking” Plan
The EU’s Cybersecurity Project is part of a more extensive “de-risking” rather than “decoupling” strategy when it comes to China.
While de-risking is generally less harmful than controlling or regulatory decoupling, it still signals a negative and defensive posture toward China. China remains one of the EU’s largest trading partners. From a national economic standpoint, it is also counterproductive to completely de-risk. However, policymakers still believe that, for certain critical areas, protective measures are required.
In the last few years, the EU has established several tools for economically protective “de-risking”: foreign investment controls, export controls on sensitive technologies, foreign subsidy regulation, and protective measures on critical supply chains. These policies signal a change from the previously more inclusive and engagement-focused policies to a more cautious approach that balances cooperation and protection.
The Cybersecurity Act aims to protect the European economy's technological competitiveness and reduce its vulnerability to strategic threats.
Business impacts in Europe
Increasing scrutiny of supply chain ecosystems will have major effects on European businesses.
Greater scrutiny will require more detailed supply chain due diligence in the digital infrastructure and hardware/software supply chains.
Tech businesses may find it more difficult to obtain cybersecurity compliance certifications, including many network infrastructure providers (telcos, cloud, and network tech vendors) who will need to demonstrate EU-compliant supply chain security.
On balance, European businesses should be less exposed to cyber supply chain vulnerabilities.
Impact on EU-China relations
The EU Cybersecurity Act also has a geopolitical impact. Europe relies on China as a primary supplier of electronics, telecoms equipment, and digital infrastructure components.
Tighter rules may impact how Chinese tech companies operate in the EU.
Chinese officials have concerns about policies that target Chinese companies under the guise of cybersecurity. Decision makers in Beijing state that technological restrictions will result in more politically driven global trade and diminished technological cooperation.
In contrast, EU leaders state that their policies focus on risk management, rather than hostility towards other countries. The EU has been clear that the remaining regulatory framework will be applied equally to all providers and focused on empirical security.
The tension between concerns of national security and economic interdependence will continue to be a significant aspect of EU-China relations.
The EU’s cybersecurity initiative is also part of a renewed global focus on technological supply chains. Countries all over the world are worried about the risks of using international vendors for critical infrastructure. Many of them are implementing policies to develop their own capabilities and search for alternate vendors.
This is especially true for:
Telecommunications
Semiconductors
Artificial Intelligence
Cloud Computing
The EU Cybersecurity Act is an especially important example of Europe trying to tackle these issues through harmonized legislation and coordinated compliance.
To Conclude
The EU Cybersecurity Act is an important milestone for Europe in improving digital security and the protection of critical infrastructure. The Act aims to eliminate cyber and geopolitical risks for the EU Digital Single Market while ensuring a coordinated approach to identifying and managing cyber risks and implementing supply chain security.
The Act is a response to supply chain vulnerabilities and, in a less-than-fully-satisfactory manner, to the European Union’s concerns about its competitive technological reliance on China. As the importance of national and economic security grows, the EU's emerging approach to cybersecurity will influence global policies. In the coming years, we will learn how these changes impact the global technology supply chain and how to manage the balance of security, innovation, and international collaboration.



