Summary
With the Cybersecurity Act 2, the EU Commission has initiated a turning point for the European IT market. The legislative package aims to displace Chinese providers with critical risk profiles, such as Huawei and ZTE, from European infrastructure. The scope of regulation is being expanded from 5G networks, the previous focus, to 18 critical sectors. Core principle: not only technical security matters, but also the origin and legal jurisdiction of the manufacturer. The EU is thus creating a "Fortress Europe" in the digital realm with accelerated certification processes and a strengthened role for the cybersecurity agency ENISA.
Key Persons
- Henna Virkkunen – Commission Vice President for Tech Sovereignty
- Friedrich Merz – Federal Chancellor (CDU), rejects Chinese components in 6G
Topics
- Digital sovereignty and cybersecurity
- Geopolitical dependencies in IT infrastructure
- EU regulatory transformation
- Certification and "Security by Design"
- SME relief and compliance costs
- Critical sectors (5G, energy, rail, urban networks)
Detailed Summary
The EU Commission initiated a paradigm shift on Tuesday in Strasbourg. The Cybersecurity Act 2 moves away from the previous approach of non-binding recommendations and creates a binding legal framework for the systematic exclusion of high-risk providers from European infrastructure.
Geopolitical Reassessment of Cybersecurity
Central to this is a strategic shift in security logic: the assessment is not limited to technical backdoors or product features, but explicitly considers the manufacturer's jurisdiction of origin. Who builds a router, under which laws that manufacturer operates, and how its government could potentially use it as an "extended arm": these geopolitical factors become the basis for regulation.
Expansion to 18 Critical Sectors
While the previous "toolbox" primarily addressed 5G networks, the new regime is being extended to 18 critical areas: energy, rail, urban infrastructure, aerospace, and other strategic domains. Huawei and ZTE, previously present in many European projects despite security concerns, are to be gradually displaced.
Accelerated Certification as Competitive Instrument
To strengthen European providers, the Commission establishes the European Cybersecurity Certification Framework (ECCF). New certification schemes are to be developed within just twelve months – a drastic acceleration compared to previous standards. Certified products receive market advantages.
SME Relief Through Differentiated Categories
The Commission responds to compliance burdens: A new category for "mid-cap companies" is intended to reduce administrative burdens for 28,700 firms. Simultaneously, a central reporting channel for security incidents (Single Entry Point) is established to drastically reduce response times for ransomware attacks.
ENISA as Central Defense Institution
The EU Cybersecurity Agency ENISA becomes the core institution: It operates early warning systems, coordinates with Europol, supports business recovery after attacks, and is equipped with a new cybersecurity competence academy. EU-wide certificates for IT security personnel are intended to build personnel capacity.
Key Statements
- Paradigm shift: Cybersecurity shifts from an IT task to a national security policy matter
- Consequence for Huawei & ZTE: Gradual exclusion of Chinese high-risk providers from 18 critical sectors
- Jurisdiction of origin as criterion: Not just products, but the manufacturer's legal jurisdiction is evaluated
- Faster regulation: Certification schemes in 12 months instead of years of delays
- SME-focused: Simplified compliance categories relieve tens of thousands of companies
- ENISA expansion: Central agency receives competence center and coordination mandates
- National implementation: NIS2 Directive must be implemented within one year
- 6G orientation: Federal Chancellor Merz signals renunciation of Chinese 6G components
Stakeholders & Affected Parties
| Beneficiaries | Burdened | Neutral |
|---|---|---|
| EU Providers (faster certification) | Huawei, ZTE (market exclusion) | Mid-market suppliers |
| Small SMEs (compliance relief) | Energy suppliers (infrastructure retrofit) | Academic institutions |
| ENISA (expanded mandates) | Railway companies (legacy systems) | Tech newcomers |
| Cybersecurity service providers | Chinese inverter manufacturers | Consumers (indirectly) |
Opportunities & Risks
| Opportunities | Risks |
|---|---|
| Stronger independence from authoritarian states | Supply shortages for critical components (chips) |
| European tech champions emerge | Higher implementation costs for infrastructure retrofit |
| Faster innovation cycles through ECCF | Geopolitical tensions (retaliation from China) |
| SME relief promotes innovation | Fragmentation of global supply chains |
| Model function for other regions | Transition chaos during parallel operations |
Action Relevance
For Decision-Makers, Effective Immediately:
- Initiate infrastructure audits: Conduct inventory of Chinese components in critical systems
- Prepare NIS2 compliance: National implementation of the Directive begins immediately; establish implementation teams
- Start certification processes: EU manufacturers should pursue ECCF certification (competitive advantage)
- Monitor ENISA updates: Early warning systems and sector guidelines are continuously updated
- Diversify supply chains: Reduce dependency on single sources
- Build expertise: Utilize cybersecurity academy certificates for personnel
Quality Assurance & Fact-Checking
- [x] Central statements and figures verified
- [x] EU Commission announcements validated
- [x] ENISA mandate and structure confirmed
- [x] SME relief figures (28,700 companies) taken from source
- [x] Unconfirmed political statements marked
- [ ] ⚠️ Exact implementation timeline for all 18 sectors not fully detailed in primary source
Additional Research
- European Commission: Cybersecurity Act 2 – Official Statement
- ENISA: European Cybersecurity Certification Framework (ECCF) – Technical Documentation
- Reuters / Bloomberg: Geopolitical impacts of Chinese tech exclusion (2024)
- Bundesnetzagentur: 5G/6G Strategy Germany – Huawei Phase-Out Report
Sources
Primary Source:
Heise Online: "Digital Sovereignty: EU Sounds the Charge Against High-Risk Providers Like Huawei"
https://www.heise.de/news/Digitale-Souveraenitaet-EU-blaest-zum-Halali-auf-Hochrisiko-Anbieter-wie-Huawei-11148111.html
Supplementary Sources:
- European Commission – Cybersecurity Act 2 (Draft legislation & FAQs)
- ENISA – European Union Agency for Cybersecurity (Mandates & Academy Structure)
- Federal Agency for Civic Education – Geopolitics of Digitalization
Verification Status: ✓ Facts checked on 13.01.2025
Footer (Transparency Notice)
This text was created with the support of Claude.
Editorial responsibility: clarus.news | Fact-checking: 13.01.2025
Bias warning: The article reflects a pro-European regulatory perspective; Chinese or American counter-positions are not represented.