(STRASBOURG) – The EU Parliament called Tuesday for action at EU level on the security threats linked to China’s growing technological presence in the EU, as it adopted a new Cybersecurity certification scheme for products, processes and services.
The EU Cybersecurity Act establishes the first EU-wide cybersecurity certification scheme to ensure that certified products, processes and services sold in EU countries meet cybersecurity standards.
Parliament also adopted a resolution calling for action at EU level on the security threats linked to China’s growing technological presence in the EU.
In the debate, MEPs expressed deep concern about recent allegations that 5G equipment may have embedded backdoors that would allow Chinese manufacturers and authorities to have unauthorised access to private and personal data and telecommunications in the EU.
MEPs are also concerned that third-country equipment vendors might present a security risk for the EU, due to the laws of their country of origin obliging all enterprises to cooperate with the state in safeguarding a very broad definition of national security also outside their own country. In particular, the Chinese state security laws have triggered reactions in various countries, ranging from security assessments to outright bans.
MEPs called on the Commission and the member states to provide guidance on how to tackle cyber threats and vulnerabilities when procuring 5G equipment, for example by diversifying equipment from different vendors, introducing multi-phase procurement processes and establishing a strategy to reduce Europe’s dependence on foreign cybersecurity technology.
They also urged the Commission to mandate the EU Cybersecurity Agency, ENISA, to work on a certification scheme ensuring that the rollout of 5G in the EU meets the highest security standards.
The EU Cybersecurity Act, which is already informally agreed with member states, underlines the importance of certifying critical infrastructure, including energy grids, water, energy supplies and banking systems in addition to products, processes and services. By 2023, the Commission shall assess whether any of the new voluntary schemes should be made mandatory.
The Cybersecurity Act also provides for a permanent mandate and more resources for the EU Cybersecurity Agency, ENISA.
The Council now has to formally approve the Cybersecurity Act. The regulation will enter into force 20 days after it is published.
The resolution on Chinese IT presence in the EU will be sent to the Commission and to member states.
Further information, European Parliament