EU’s New Cybersecurity Act Could Ban High-Risk Suppliers


The European Commission has unveiled an ambitious cybersecurity proposal that targets “high-risk” suppliers while promising faster certification processes.


Behind the bureaucratic language lies a regulatory matter that could force companies to rethink their entire digital infrastructure strategy.

Yesterday (Jan. 20), the Commission unveiled its revised Cybersecurity Act proposal after months of behind-the-scenes negotiations that reportedly caused substantial friction between officials and member states. This sweeping update introduces measures to identify and potentially exclude “high-risk” third countries and companies from Europe’s critical digital infrastructure across 18 essential sectors, including energy systems.

As cybersecurity threats continue rising since the original Act took effect seven years ago, the EU is essentially drawing new battle lines in the global tech landscape. The proposal’s focus on “non-technical” risks—particularly concerns about suppliers being “subject to influence by a third country”—signals a fundamental shift toward viewing cybersecurity through a geopolitical lens.

The China question everyone’s avoiding

While the proposal carefully avoids naming specific countries, the elephant in the room is impossible to ignore. Chinese companies have become dominant suppliers of solar inverters to the EU market over the past several months, raising considerable cybersecurity concerns in Brussels and across the industry.

The implications extend far beyond solar panels. Many of these digital inverters connect directly to cloud servers, creating potential entry points into Europe’s energy grid. The EU already flagged solar inverters as a “high-risk” supply dependency in its Economic Security Doctrine published in late 2025, while data shows Huawei leading inverter supply—the same company already restricted from EU 5G networks on security grounds.

Perhaps most notably, the proposal includes provisions to potentially recall and phase out products already deployed in EU infrastructure if suppliers are later deemed high-risk. This retroactive enforcement capability represents unprecedented regulatory reach that could force massive infrastructure overhauls.

The certification revolution

Beyond supply chain restrictions, the revised Act promises to fix what many consider the original legislation’s biggest failure: a certification system that’s been painfully slow to deliver. Only one EU certification scheme has been adopted since the original CSA entered force seven years ago—the European cybersecurity scheme on common criteria.

The new proposal introduces substantial streamlining measures, including allowing some certifications to be “developed within 12 months” and enabling businesses to voluntarily submit to compliance frameworks as a “competitive asset.” These changes could transform EU cybersecurity certification from a bureaucratic bottleneck into a genuine market advantage.

The European Agency for Cybersecurity (ENISA) receives enhanced powers and resources to better coordinate responses to common threats. However, stakeholders remain divided on whether ENISA should gain authority to issue binding opinions, highlighting ongoing tensions between national sovereignty and EU-wide coordination.

What this means for your business

The regulatory landscape is shifting faster than many organizations can adapt. With multiple major frameworks converging in 2026—including NIS2, EU AI Act amendments, and these Cybersecurity Act revisions—compliance teams face overlapping obligations with overlapping deadlines.

Companies should immediately assess their current supplier relationships, particularly those involving critical digital infrastructure components. The proposal’s emphasis on “non-technical” risks means traditional security audits may no longer be sufficient—organizations need to evaluate the geopolitical risk profile of their entire supply chain.

Since the original Cybersecurity Act came into force seven years ago, the threat landscape has evolved dramatically. What started as a technical framework now encompasses fundamental questions about digital sovereignty and supply chain resilience. Organizations that successfully protected sensitive content in 2025 share characteristics such as unified governance, third-party visibility, defense in depth, automation, and continuous improvement—capabilities that become even more crucial under the new regulatory framework in 2026.

The European Parliament and Council will now debate these proposals before they can be applied EU-wide. However, given the momentum behind cybersecurity regulation and the geopolitical tensions driving these changes, businesses should prepare for a future where digital sovereignty becomes as important as technical security in vendor selection decisions.
