Critical Blog Post for Publication (Draft)
Digital "Fortress Europe" – and Others Pay the Bill
Brussels announced a major step on January 20, 2026: The EU Cybersecurity Act is to be revised, critical ICT supply chains are to become "trustworthy" – and equipment providers considered "high risk" are to disappear from critical sectors. This is geopolitically understandable. But a closer look reveals: There's a thin line between security gains, industrial policy, and symbolic politics. (Digital Strategy Europe)
First the Headline, Then the Fine Print
The debate visibly targets Huawei and ZTE – even though the EU officially doesn't name companies or countries. Reuters describes a 36-month deadline for mobile operators after publication of a high-risk list and emphasizes risk assessments and impact analyses. This isn't "everything out by tomorrow," but a process that will be politically charged, legally complex, and economically risky. (Reuters)
The public narrative ("Fortress Europe") sells determination. One can appreciate that. But one shouldn't overlook: The vaguer the criteria and lists are at the outset, the more a climate of blanket suspicion takes hold in practice. And that's exactly where the problem begins.
When Origin Means "Risk," Security Quickly Becomes Protectionism
Huawei criticizes the approach as discrimination based on origin rather than technical evidence and refers to principles like non-discrimination and proportionality. You don't have to believe Huawei – but the argument hits a sore spot: Once "jurisdiction" becomes the core criterion, politics ultimately decides over technology. (Reuters)
This can be legitimate. But then the EU should be honest: It's not just cybersecurity, it's also foreign and industrial policy. And that requires transparent criteria, solid evidence, and legal remedies – otherwise it remains a governance experiment at the expense of operators and suppliers.
Certification in 12 Months: Progress – or Regulatory Sprint into Chaos?
The EU wants to accelerate certification; reporting mentions "standard 12 months." This sounds modern ("Security by Design," faster than the market). But certification is rarely a gift to SMEs. Certification is a market access instrument – and those who don't have the resources stay out or pay disproportionately. (Innovation News Network)
Faster schemes only help if they are clear, testable, financially viable, and internationally compatible. Otherwise, the sprint creates exactly what it supposedly aims to prevent: fragmentation, uncertainty, and expensive transition phases.
And What Does This Mean for Small Swiss IT Companies?
Switzerland isn't in the EU – but Swiss IT SMEs depend on the EU market: through customers, subsidiaries, reselling, managed services, OT integrations.
Three very concrete consequences are foreseeable:
- Supply chain questionnaires become standard. EU customers in critical environments will pass their risks downward: Which manufacturers sit in the firewall, switch, camera or IoT gateway? Which updates? Which remote access? Who holds admin keys? (Reuters)
- Certain brands become a sales risk. Even if the law is formulated as "risk-based," procurement often turns it into "blacklist by default." Small system houses that win on price lose on origin. (Reuters)
- Reporting and incident obligations bite twice. Switzerland has had a 24-hour reporting obligation for cyberattacks on critical infrastructures since April 1, 2025; sanctions have applied since October 1, 2025. Those serving customers in EU critical sectors must organize incident response to serve multiple regimes – quickly, cleanly, documented. (ncsc.admin.ch)
This is doable. But it's work. And it's work that small companies can't do on the side while simultaneously managing skills shortages and price pressure.
What to Do Now (Without Brussels PR)
If you're a Swiss IT SME with EU connections, you don't need "fortress" rhetoric, but a sober to-do list:
- SBOM/Asset Transparency: Which components, manufacturers, firmware, dependencies?
- Supplier Classification: Where do you have potential "high-risk" exposure (hardware, cloud, managed tools)?
- Contract Clauses & Exit Plans: Replaceability, delivery times, price adjustment clauses – before the customer escalates in an incident case.
- Incident Runbooks: 24h reporting logic (CH) plus EU processes; communication plan, evidence preservation, responsibilities. (ncsc.admin.ch)
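As an added illustration of the SBOM, supplier-classification and runbook items above (example code, not part of the original post): a small Python check that reads a constructed CycloneDX-style SBOM, flags each component by supplier against a placeholder high-risk list, and computes the Swiss 24h reporting deadline from a detection timestamp. The SBOM contents, all vendor names, the "remote_access" property and counting the 24 hours from detection are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample SBOM in CycloneDX-like JSON; every vendor name is a placeholder.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "device", "name": "edge-firewall", "version": "7.2.1",
         "supplier": {"name": "VendorA"},
         "properties": [{"name": "remote_access", "value": "vendor-cloud"}]},
        {"type": "device", "name": "core-switch", "version": "4.0",
         "supplier": {"name": "VendorB"}},
        {"type": "firmware", "name": "ipcam-fw", "version": "1.9",
         "supplier": {"name": "VendorC"}},
        {"type": "device", "name": "iot-gateway", "version": "2.3"},  # supplier missing
    ],
})

# Placeholder: an operator fills this from the official high-risk list once it
# is published; nothing here names a real vendor.
HIGH_RISK_SUPPLIERS = {"vendorc"}


def classify_components(sbom_json, high_risk=HIGH_RISK_SUPPLIERS):
    """Return (component, supplier, exposure) for every SBOM component.
    Exposure: 'high-risk' (listed supplier), 'unknown-supplier' (an inventory
    gap is itself a finding), 'review-remote-access' (vendor reach into the
    network needs a documented decision), or 'ok'."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        supplier = (comp.get("supplier") or {}).get("name", "UNKNOWN")
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        if supplier.lower() in high_risk:
            level = "high-risk"
        elif supplier == "UNKNOWN":
            level = "unknown-supplier"
        elif props.get("remote_access"):
            level = "review-remote-access"
        else:
            level = "ok"
        findings.append((comp["name"], supplier, level))
    return findings


def reporting_deadline(detected_at_iso, hours=24):
    """ISO timestamp by which the 24h report is due, counted from detection."""
    detected = datetime.fromisoformat(detected_at_iso)
    if detected.tzinfo is None:  # treat naive timestamps as UTC rather than guessing
        detected = detected.replace(tzinfo=timezone.utc)
    return (detected + timedelta(hours=hours)).isoformat()
```

A component with no supplier entry is reported as a finding on purpose: an SBOM gap is exactly what a customer questionnaire will expose.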
Conclusion: Security Yes – But Not as Political Smokescreen
The EU has every right to make its critical systems more resilient. But the crucial questions remain open: How transparent are criteria? How fair are transitions? How high are follow-up costs? Who is liable when "derisking" leads to bottlenecks and replacement chaos?
As long as this remains unclear, one should treat the buzzwords ("Cybersecurity Act 2," "Fortress Europe") with caution. And one should stop pretending that the costs mainly hit "the big players." In practice, regulatory complexity first hits those with the least buffer: small operators, small integrators, small IT service providers – also in Switzerland.
If you want, I can also adapt the blog post to a more pointed Clarus.News tone (shorter, more punchlines) or rewrite it as a LinkedIn version (max. ~1,300–1,800 characters).