Position paper on revised Cybersecurity Act

The revision of the Cybersecurity Act is a key step towards addressing non-technical cybersecurity risks and protecting Europe’s critical infrastructure against third-country vendor dependencies.

In its position paper, ESMIG highlights the need to ensure the trusted ICT supply chain framework is fully effective for electricity grid digitalisation and advanced metering infrastructure (AMI) — given their role in managing energy flows, sensitive data, and remote system access.

Key recommendations:

• Explicit inclusion of electricity grid digitalisation technologies
Clarify that electricity supply systems include electricity grid technologies and technologies to digitalise the grid which are part of the critical smart grid infrastructure.

• Accountability for delays in security risk assessments
Introduce obligations and safeguards where coordinated assessments are not completed within the established timeframe, preventing that administrative delays become an opportunity for potential high-risk suppliers to expand their foothold in EU critical infrastructure.

• Additional criterion for designating third countries posing cybersecurity concerns
Include situations where a third country exercises decisive influence over an entity, including control over or access to critical data and systems.

• Differentiated treatment of new procurement and installed equipment
Apply immediate measures to new procurement, while ensuring risk-based mitigation and phased replacement of existing systems.

• Strengthened supervisory powers for procurement and operational compliance
Enable competent authorities to assess dependency, control, and exposure to non-technical risks across procurement and operation.

With large-scale smart meter deployment underway, procurement decisions taken today will shape Europe’s long-term cybersecurity and infrastructure resilience. ESMIG has consistently called for the identification – and where necessary the exclusion – of high-risk suppliers from EU critical energy infrastructure tenders.

The revised Cybersecurity Act’s trusted ICT supply chain framework is a strong regulatory response to address non-technical cybersecurity risks in the geopolitical context, strengthening Europe’s strategic autonomy and economic security.

Twitter
LinkedIn

Publications

Filters