The EU may ban high-risk foreign suppliers to protect critical ICT supply chains
The Commission has drawn up a proposal for a regulation that includes measures to protect critical ICT supply chains from cyber threats
The world is not a bed of roses. You only have to glance at the news to see that the geopolitical context is at one of its most complex and turbulent moments in the last half-century. Armed conflicts, tariff wars, growing tensions between major powers…
Cybersecurity is not immune to this scenario. On the contrary, it is a key element of it. In recent years, there has been an increase in cyberattacks perpetrated by state-sponsored advanced persistent threat (APT) groups against critical sectors such as defense, aviation, and telecommunications. In many cases, the risk lies not only in the specific attack, but also in the structural dependence on technologies developed or controlled under legal and political regimes that do not meet European standards.
In this context, cybersecurity has ceased to be a purely technical field and has become an instrument of strategic policy. The protection of digital infrastructures, data, and supply chains has been fully integrated into the European Union’s national security agendas and strategic autonomy policies, on a par with energy and raw materials.
It should therefore come as no surprise that the European Commission has published a proposal for a regulation which, among other objectives, seeks to protect critical ICT supply chains, i.e., hardware and software supply chains in sectors such as transport, electricity, and banking.
To this end, among other measures, it considers restricting the procurement of software and hardware from suppliers in countries with cybersecurity issues.
This new cybersecurity regulation still has to be negotiated with the European Parliament and the Council of the European Union, so it is likely to undergo numerous changes. However, its initial version makes it clear that the EU is determined to protect critical ICT supply chains, going so far as to ban the contracting of high-risk foreign suppliers in order to ensure the operability of sectors critical to the European economy and society.
Below, we review key points of the Trust Framework for the ICT Supply Chain, which will be implemented once the regulation is approved.
1. What the Trust Framework for the ICT Supply Chain aims to achieve
This new regulation will become part of an increasingly demanding regulatory framework for cybersecurity in critical sectors. In recent years, the European Union has approved several fundamental regulations to strengthen the cybersecurity of European companies and institutions, such as the DORA regulation on cyber resilience in the financial sector and the NIS2 directive on cybersecurity in critical sectors.
This new regulation is directly linked to the NIS2 directive, which is already in force, although Spain has not yet transposed it. Under the proposal, the ICT supply chain is conceived not only as a set of commercial relationships, but also as a critical security element: the concentration of suppliers, the opacity of ownership of certain technologies, and dependence on third countries are identified as risk factors in their own right.
Thus, the Trust Framework for the ICT Supply Chain seeks to:
- Create an EU-wide security mechanism to address “non-technical risks in highly critical sectors and other critical sectors,” as defined by the NIS2 directive. This is where the objective of protecting critical ICT supply chains from high-risk suppliers comes in.
- Use this mechanism to identify key assets in critical ICT supply chains.
- Establish risk mitigation measures for entities operating in critical sectors.
2. Conducting security risk assessments
Under the current version of the regulation, the Commission or three member states may request the NIS Cooperation Group, established by the NIS2 directive, to conduct security risk assessments at the European Union level.
These security risk assessments will seek to identify:
- Key assets in the ICT supply chain under assessment.
- Main threat actors.
- Vulnerabilities affecting key assets.
To this end, risk scenarios will be developed and, on the basis of those scenarios, measures will be proposed to mitigate the identified risks.
The deadline for carrying out these assessments will be six months from the date of submission of the request, although a shorter deadline may be agreed.
3. Emergency action by the Commission to protect the ICT supply chain in critical sectors
In addition, the proposed regulation empowers the European Commission to act when it believes that “there is a significant cyber threat to the security of the Union in relation to an ICT supply chain” and that “measures need to be taken to preserve the proper functioning of the internal market.” What can the Commission do in such cases?
- Consult with states to adopt mitigation measures.
- Carry out the security risk assessments described above without waiting for the NIS Cooperation Group to do so.

4. How will key ICT assets in critical sectors be identified?
Based on the results of the security risk assessments of an ICT supply chain, the Commission may adopt implementing acts identifying the ICT assets that are essential for the manufacture of products or the provision of services by entities in highly critical sectors or other critical sectors, in accordance with the NIS2 Directive.
To identify key ICT assets, the European Commission must take into account the results of the assessments and whether:
- The assets have essential and sensitive functions for the operation of the products manufactured or services provided by the entities.
- Incidents caused by the exploitation of vulnerabilities in these assets may lead to:
  - Disruptions in ICT supply chains throughout the internal market.
  - Data leaks.
- Companies depend on a limited number of suppliers for these assets.
5. Designation of foreign countries posing cybersecurity problems
As we pointed out at the beginning, the measure in the proposed regulation that has attracted the most attention is the EU’s intention to protect critical ICT supply chains from high-risk foreign suppliers.
In fact, in the presentation of the proposal, Henna Virkkunen, Executive Vice President of the Commission for Technological Sovereignty, Security, and Democracy, pointed out that:
Cybersecurity threats are not just technical challenges. They are strategic risks to our democracy, our economy, and our way of life. With the new cybersecurity package, we will have the necessary means to better protect our critical ICT supply chains and decisively combat cyberattacks.
Therefore, the regulation establishes that if, following a security assessment or otherwise, a country “appears to pose a serious and structural non-technical risk to ICT supply chains,” the Commission must verify this. To do so, it must take into account elements such as:
- The legal requirements for cybersecurity in the country under review.
- The existence of good practices when reporting discovered software and hardware vulnerabilities.
- The absence of judicial mechanisms and democratic controls to identify and correct cybersecurity problems.
- Information on security incidents caused by malicious actors in the country being assessed, and on the country’s lack of capacity or willingness to cooperate with the EU in combating them.
- Any information obtained through security assessments and reports from the EU, states, or international organizations.
If the Commission concludes that the country poses a serious and structural risk to ICT supply chains, it may designate it as a country posing cybersecurity concerns.
This designation will directly affect high-risk suppliers in the country in question. They will not be able to:
- Participate in the development of European standards in the field of cybersecurity.
- Apply for a European cybersecurity certificate, another measure included in this regulation.
- Apply for authorization to be an authorized provider of European cybersecurity certificates.
- Participate in public procurement procedures related to the supply of ICT components for use in key assets, as well as in EU-funded activities with the same objective.
6. The EU may prohibit critical entities from contracting high-risk suppliers
However, the most relevant aspect in terms of protecting critical ICT supply chains from high-risk foreign suppliers is that the Commission may adopt implementing acts to prohibit critical entities from:
Using, installing, or integrating in any form ICT components or components that include ICT components from high-risk suppliers in key ICT assets.
In other words, if the regulation is approved, the European Commission may prohibit companies operating in the 18 critical sectors established in the NIS2 directive from using hardware or software from high-risk suppliers.
Given the significance of this measure, the proposed regulation establishes that in the implementing acts:
- A transitional period will be set for the Commission to publish the list of high-risk suppliers.
- Periods will be established for companies to phase out ICT components from high-risk suppliers embedded in key assets.
Similarly, the Commission may also prohibit specific groups of entities operating in critical sectors from using, installing, and integrating ICT components from a specific third-country supplier if this poses a non-technical cybersecurity risk to at least three EU states.
In addition, the regulation also prohibits European providers of electronic communications networks from using ICT components from high-risk suppliers in the operation of key ICT assets.

7. What other measures may the Commission adopt to protect critical ICT supply chains?
Beyond prohibiting the use of hardware and software from high-risk suppliers in key assets, the Commission may establish measures aimed at entities in critical sectors:
- Require transparency regarding their ICT supply chain suppliers.
- Prohibit the transfer of data to third countries and the remote processing of data from outside the EU.
- Require them to implement technical measures audited by a third party, such as segmentation of network systems, deactivation of any remote or physical access to key ICT assets, or performance of hardware and software security tests.
- Establish operational control restrictions, such as prohibiting the outsourcing of organizational functions to managed service providers.
- Implement restrictions on contractual relationships between companies and their suppliers.
- Require that the service be operated by personnel authorized by the competent national cybersecurity authorities.
- Require companies to diversify the supply of ICT components.
8. How will high-risk suppliers be determined?
The Commission must draw up lists of high-risk suppliers affected by the prohibitions detailed above.
To this end, the Commission must map suppliers of ICT components and identify those potentially established in countries designated as posing cybersecurity concerns.
The lists of high-risk suppliers must be updated periodically to add and remove suppliers based on the assessments carried out.
High-risk suppliers may request that the Commission reassess their establishment, controls, and structure to verify that there have been significant changes that disassociate them from countries with cybersecurity issues.
In addition, the future regulation contemplates the possibility of establishing exceptions for certain ICT suppliers established or controlled by companies from countries with cybersecurity issues.
To do so, suppliers must demonstrate that they have implemented mitigation measures to address non-technical security risks and prevent interference from the country listed as having cybersecurity problems.
9. What will be the penalties for entities that do not comply with the regulation?
The proposed regulation provides for penalties for companies that violate the prohibitions or fail to implement the required mitigation measures. How high can the penalties be?
- Up to 1% of annual turnover for failing to comply with transparency requirements regarding ICT supply chains.
- Up to 2% of annual turnover for failing to implement other mitigation measures that may be established by the Commission.
- Up to 7% of annual turnover for violating prohibitions on using components from high-risk suppliers in key assets.
We are therefore talking about penalties that could run into millions. Hence, companies in critical sectors will have to comply scrupulously with the regulation when it is approved and enters into force.
Beyond the immediate economic impact, this penalty regime reinforces the message that ICT supply chain management is becoming a strategic responsibility for entities operating in critical sectors, rather than a mere regulatory compliance requirement.
In short, this proposed regulation strengthens the Commission’s ability to protect critical ICT supply chains and establishes essential obligations and prohibitions for entities operating in critical sectors in the EU.
It will therefore be essential for companies to have advanced cybersecurity services in place to address threats and manage vulnerabilities. In addition, companies will have to replace ICT components in their key assets if their suppliers are classified as high-risk.
Overall, this proposed regulation reflects a clear trend. The European Union is moving towards a model in which the protection of critical ICT supply chains is part of its security and resilience strategy in an increasingly tense international environment. Understanding this evolution will be key for both entities in critical sectors and technology providers operating in the European market.