The European Commission has proposed new cybersecurity legislation mandating the removal of high-risk suppliers to secure telecommunications networks and strengthening defenses against state-backed and cybercrime groups targeting critical infrastructure.
This move follows years of frustration over the uneven application of the EU’s voluntary 5G Security Toolbox, introduced in January 2020 to encourage member states to limit reliance on high-risk vendors.
Although the proposal does not name specific companies, EU officials expressed concerns about Chinese tech companies (such as Huawei and ZTE) when the 5G Security Toolbox was implemented.
The new cybersecurity package would grant the Commission authority to organize EU-wide risk assessments and to support restrictions or bans on certain equipment used in sensitive infrastructure. EU member states would also jointly assess risks across the EU’s 18 critical sectors based on the suppliers’ countries of origin and national security implications.
“Cybersecurity threats are not just technical challenges. They are strategic risks to our democracy, economy, and way of life,” EU tech commissioner Henna Virkkunen said today.
“With the new Cybersecurity Package, we will have the means in place to better protect our critical ICT supply chains but also to combat cyber attacks decisively. This is an important step in securing our European technological sovereignty and ensuring a greater safety for all.”
The legislation also includes a revised Cybersecurity Act, designed to secure information and communication technology (ICT) supply chains, that mandates removing high-risk foreign suppliers from European mobile telecommunications networks.
The revised Cybersecurity Act will also streamline certification procedures for companies, allowing them to reduce regulatory burdens and costs through voluntary certification schemes managed by the EU Agency for Cybersecurity (ENISA).
As the Commission further explained, the new legislation empowers ENISA to issue early threat alerts, operate a single entry point for incident reporting, and help companies respond to ransomware attacks, in cooperation with Europol and computer security incident response teams.
ENISA will also establish EU-wide cybersecurity skills attestation schemes and pilot a Cybersecurity Skills Academy to build a European cybersecurity workforce.
The Cybersecurity Act will take effect immediately upon approval by the European Parliament and the Council of the EU, with member states having one year to implement cybersecurity amendments into national law.

