 The European Commission is right to insist that critical infrastructure must be secure, resilient, and protected from undue foreign influence. In an era defined by geopolitical rivalry, cyber operations below the threshold of war, and the weaponisation of economic dependencies, it would be negligent not to scrutinise who builds and maintains the systems that keep European societies running.
The Commission’s Cybersecurity Act proposal to exclude “high-risk” foreign suppliers from critical sectors reflects a long-overdue recognition that cybersecurity is not merely a technical problem but a structural and political one. Infrastructure embeds power. Supply chains encode dependency. And digital systems, once deployed, shape the limits of sovereignty far more than abstract declarations ever could. Yet while the premise is sound, the policy as currently articulated leaves too many fundamental questions unanswered. If Europe is serious about securing its infrastructure, it must confront not only who should be excluded, but how, at what cost, and with what consequences for Europe’s place in a deeply interconnected digital world. The Problem of Embedded Dependency One of the most striking gaps in the Commission’s proposal is its limited engagement with legacy infrastructure. European networks — particularly in telecommunications — are not greenfield projects. They are the product of decades of procurement decisions, commercial incentives, and regulatory fragmentation. Equipment from vendors now deemed “high risk” is already embedded deep within core and access networks across multiple member states. Once hardware is embedded, dependency becomes structural. It is not easily reversed without redesigning systems, retraining staff, renegotiating maintenance contracts, and accepting periods of operational risk. This is not an abstract concern: operators have repeatedly warned that forced and accelerated replacement carries significant financial and technical costs, potentially affecting service quality and investment capacity. The Commission’s proposal gestures toward phased implementation, but it does not yet grapple with the political economy of de-risking. Who pays for the transition? Will the EU provide financial support, or will the burden fall disproportionately on operators — and ultimately consumers — in certain member states? Without a credible funding strategy, the policy risks entrenching inequalities between markets rather than strengthening collective resilience. Who Decides What “High Risk” Means? Equally unresolved is the question of classification. The proposed framework would allow the Commission, or a group of member states, to initiate a risk assessment that could lead to supplier exclusion. But the criteria remain deliberately broad: national security concerns, foreign interference, market concentration, and geopolitical context. This ambiguity is politically convenient, but strategically dangerous. Risk is not static. Nor is it confined to adversaries of the moment. If supplier risk is fundamentally tied to state power and political leverage — as the Commission implicitly acknowledges — then today’s trusted partner could become tomorrow’s vulnerability. The uncomfortable but necessary question is this: would Europe ever apply this logic consistently beyond its current focus on China? For decades, the United States has been treated as categorically “low risk,” even as European data, cloud infrastructure, and software ecosystems have become deeply dependent on American companies and subject to U.S. law. Recent geopolitical tensions — including explicit threats tied to territory, trade, or security commitments — illustrate that alliance does not eliminate asymmetry. A credible risk-based framework must therefore be principled rather than selective. If exclusions are perceived as politically motivated rather than analytically grounded, Europe will struggle to defend them legally, diplomatically, and normatively. Security Without Strategic Isolation? There is also a deeper tension at the heart of the proposal: the trade-off between security and openness. Europe’s digital economy does not exist in isolation. Innovation, resilience, and cybersecurity itself depend on global cooperation, shared standards, and cross-border supply chains. A policy that increasingly equates foreign origin with unacceptable risk risks drifting into strategic isolation — or at least strategic fragmentation. Excluding suppliers may reduce certain categories of risk, but it can also reduce competition, slow deployment, and lock Europe into a narrower technological trajectory. In sectors where Europe lacks strong domestic alternatives, exclusion without parallel investment becomes a defensive gesture rather than a strategic one. If digital sovereignty is the goal, it cannot be achieved through restriction alone. It requires sustained investment in European capabilities, research ecosystems, and market scale — none of which can be conjured through regulatory exclusion. The Legal and Normative Dimension There is also a normative dimension that Europe cannot afford to ignore. The EU has long positioned itself as a defender of rule-based governance, proportionality, and non-discrimination in digital policy. Supplier exclusion regimes that lack transparency or objective criteria invite legal challenge — not only from affected companies, but from trading partners and international institutions. If Europe wishes to set a global precedent for responsible infrastructure security, it must show that its decisions are evidence-based, proportionate, and legally robust. Otherwise, it risks legitimising similar measures elsewhere that are far less restrained — including by authoritarian states eager to justify protectionism or technological nationalism under the banner of “security.” A Necessary Policy — Incomplete as Strategy The Commission is right to act. Doing nothing is no longer an option. The idea that Europe can indefinitely rely on globally distributed, politically neutral supply chains is an illusion that the past decade has thoroughly dismantled. But securing critical infrastructure is not merely a question of exclusion. It is a question of managing dependency, financing transition, defining risk honestly, and preserving cooperation where it remains essential. Without addressing these dimensions, the policy risks becoming symbolically powerful but strategically thin. Europe does not need less openness; it needs structured, conditional openness grounded in realism rather than nostalgia. If this initiative is to succeed, it must evolve from a defensive posture into a coherent strategy — one that acknowledges power, cost, and consequence as inseparable from security. Comments are closed.
|