EU’s revised cybersecurity law targets ‘high risk’ suppliers

The proposal outlines measures to identify high-risk “third countries” and companies supplying digital equipment or components to the EU and exclude them from key digital infrastructure.

The Commission said the proposal aims to enable “the EU and Member States to jointly identify and mitigate risks across the EU’s 18 critical sectors”, which includes energy. Though a press statement by the Commission only outlines the “mandatory derisking” of the telecommunications sector.

For renewable energy, particularly solar PV and energy storage, the major “third country” of risk is China, though the Commission’s proposal does not mention the country at all. Chinese companies have supplied the majority of the EU’s solar inverters in recent months, which has raised cybersecurity concerns in the industry and in Brussels. The EU has already identified solar inverters as a “high-risk” supply dependency in its Economic Security Doctrine published late last year.

For example, data from European PV wholesaler Sun.store says that Huawei has been a leading supplier of solar inverters – many of which are digital and connected to cloud servers – despite the fact that the company has been restricted from the EU’s 5G network on security grounds.

The proposal includes provisions to potentially recall and phase out products that are already deployed in EU infrastructure if the supplier is found to be high-risk. PV Tech Premium analysed the implications of a phaseout of Chinese technology for the solar sector last week.

The supply chain restrictions focus on “non-technical” risks, which the Commission says refers to the risk that a supplier is “subject to influence by a third country” that could disrupt an essential service or “the exfiltration of data, “including for the purposes of espionage or revenue generation”.

“Cybersecurity threats are not just technical challenges. They are strategic risks to our democracy, economy, and way of life,” said Henna Virkkunen, the Commission executive vice-president for tech sovereignty, security and democracy. “With the new Cybersecurity Package, we will have the means in place to better protect our critical ICT supply chains but also to combat cyber attacks decisively. This is an important step in securing our European technological sovereignty and ensuring a greater safety for all.”

The proposal also introduced clarifications for the European Cybersecurity Certification Framework (ECCF) which it said would “bring more clarity and simpler procedures” and allow some certifications to be “developed within 12 months”. Businesses will also be able to voluntarily submit to ECCF compliance, which it said would be a “competitive asset for EU businesses”. This seems to avoid a mandatory certification process, which was discussed during the CSA review process.

It also brought in measures to bolster the EU’s Agency for Cybersecurity (ENISA), which was introduced with the first passage of the CSA in 2019.

In response to the proposal, Dries Acke, deputy CEO of SolarPower Europe, said: “It is very good that the European Commission takes cybersecurity topics seriously.

“The key remains to have robust EU-wide standards and protocols for cybersecurity that apply to all digital components and companies active on the European energy market. Europe needs to be resilient to all types of attacks from all sides. 

“As the solar-specific risk and impact assessment on cybersecurity is ongoing, we look forward to continuing the constructive cooperation with the Commission, and engage with the renewed mandate of ENISA, as well as through the streamlined European Cybersecurity Certification Framework.”

PV Tech has contacted the Commission for clarification on the Act’s implications for renewable energy.