On Tuesday, MEPs adopted the EU Cybersecurity Act with 586 votes to 44 and 36 abstentions. It establishes the first EU-wide cybersecurity certification scheme to ensure that certified products, processes and services sold in EU countries meet cybersecurity standards.

Parliament also adopted a resolution calling for action at EU level on the security threats linked to China’s growing technological presence in the EU.

MEPs express deep concern about recent allegations that 5G equipment may have embedded backdoors that would allow Chinese manufacturers and authorities to have unauthorised access to private and personal data and telecommunications in the EU.

Chinese state security laws a threat to EU cybersecurity

They are also concerned that third-country equipment vendors might present a security risk for the EU, due to the laws of their country of origin obliging all enterprises to cooperate with the state in safeguarding a very broad definition of national security also outside their own country. In particular, the Chinese state security laws have triggered reactions in various countries, ranging from security assessments to outright bans.

MEPs call on the Commission and the member states to provide guidance on how to tackle cyber threats and vulnerabilities when procuring 5G equipment, for example by diversifying equipment from different vendors, introducing multi-phase procurement processes and establishing a strategy to reduce Europe’s dependence on foreign cybersecurity technology.

They also urge the Commission to mandate the EU Cybersecurity Agency, ENISA, to work on a certification scheme ensuring that the rollout of 5G in the EU meets the highest security standards.

EU Cybersecurity Act to enable certification of connected devices

The EU Cybersecurity Act, which is already informally agreed with member states, underlines the importance of certifying critical infrastructure, including energy grids, water, energy supplies and banking systems in addition to products, processes and services. By 2023, the Commission shall assess whether any of the new voluntary schemes should be made mandatory.

The Cybersecurity Act also provides for a permanent mandate and more resources for the EU Cybersecurity Agency, ENISA.

Quote

After the vote on the Cybersecurity Act, rapporteur Angelika Niebler (EPP, DE) said: “This significant success will enable the EU to keep up with security risks in the digital world for years to come. The legislation is a cornerstone for Europe to become a global player in cyber security. Consumers, as well as the industry, need to be able to trust in IT-solutions."

Next steps

The Council now has to formally approve the Cybersecurity Act. The regulation will enter into force 20 days after it is published.

The resolution on Chinese IT presence in the EU will be sent to the Commission and to member states.