Connect Europe & GSMA Europe's views on the Revised Cybersecurity Act

Telecom operators ensure strong network security and resilience through comprehensive technical, operational and organisational measures, including multi-vendor strategies included in the European Commission’s 5G Cybersecurity Toolbox to mitigate risks and avoid supply chain dependencies. The measures implemented by European telecom operators are endorsed by national authorities, fulfilling national cybersecurity obligations while ensuring national competence in security matters.  

Connect Europe and GSMA Europe share the European Commission’s goals of reinforcing cybersecurity in Europe and largely welcome some of the changes to ENISA’s mandate and the overall functioning of the European Cybersecurity Certification Framework (ECCF). However, Connect Europe and GSMA Europe are inherently concerned with the proposed ICT supply chain measures (Title IV) that go far beyond what is necessary to achieve the objectives of the regulation, and rather, risk exacerbating existing challenges faced by the telecoms sector in Europe. This includes imposing unprecedented financial, operational, and service-level burdens by mandating extensive technology removals, which overlook more proportionate assessment of risks, measures based on impacts on investment cycles, and operational implementation realities. 

With the sector undergoing unprecedented technological transformation, emerging technical risks (e.g., from AI and quantum technology), will require European telecoms operators to undertake a fundamental shift in cybersecurity strategy, committing substantial financial resources and highly specialised technical expertise over the coming years. Against this backdrop, European telecoms operators must invest in modernising their networks and managing technical risks, while also meeting obligations related to non-technical risks. Striking the right balance is essential to ensure that measures addressing non-technical concerns do not inadvertently weaken capacity to respond effectively to genuine technical and innovative challenges.

In this context, the CSA2 as proposed, risks far-reaching damage to competitiveness, security and resilience, by diverting scarce resources, both in terms of investment and skilled people, away from innovation and network upgrades. The proposal prioritises a broad “rip and replace” exercise, at a time when Europe must accelerate the deployment of new networks to support 6G, AI and the quantum safe transition. 

Connect Europe and GSMA Europe, therefore, call for the deletion of Title IV provisions from the text, ensuring that security remains an EU Member State prerogative, respecting national frameworks, safeguarding service continuity and supporting investment. In addition, Connect Europe and GSMA Europe propose a number of adjustments to the proposal on the ECCF, the mandate of ENISA, and greater simplification. 

Our key points consist of:

1. ICT supply chain security: Connect Europe and GSMA Europe call for the deletion of Title IV from the text, ensuring that national security remains a national prerogative. This allows for flexible, risk-based approaches to be taken through the prism of national realities and frameworks, while safeguarding unhindered service and investment in connectivity. The proposed Title IV, if approved, risks significantly exacerbating existing challenges faced by the sector and European industry in general. As proposed, Europe’s industry and citizens would be struck with far- reaching damage to competitiveness, by diverting scarce resources away from innovation and network upgrades towards a broad “rip and replace” exercise. 
2. The European Cybersecurity Certification Framework (ECCF): Connect Europe and GSMA Europe welcome the revision of the European Cybersecurity Certification Framework (ECCF). The revision presents an opportunity to significantly improve effectiveness, efficiency and transparency of cybersecurity certification processes. However, it is imperative that future cybersecurity certifications do not diverge from international cybersecurity standards to remain internationally coherent. It is also key that certifications remain purely ‘’voluntary’’ and ensure clear and structured involvement of industry experts in their technical drafting and development to ensure they are grounded in technical and operational realities. In addition, a coherent cybersecurity posture should be ensured by avoiding multiple layers of certification; this should be based on common ground, mutual recognition of existing national certificates, the granting of equivalence where appropriate, and flexible implementation.
3. The mandate of ENISA: Connect Europe and GSMA Europe largely welcome the expansion of ENISA’s mandate. However, ENISA’s expanded role should preserve its independence, and focus on technical guidance, standards mapping and coordination between authorities, rather than acting as a de facto supervisor or policy gatekeeper. 
4. Wider simplification/NIS2: Connect Europe and GSMA Europe believe that the proposed simplification efforts do not meaningfully reduce complexity and regulatory costs across EU cybersecurity law. The current proposal simply introduces additional layers of complexity rather than delivering the regulatory simplification and streamlining needed to support competitiveness and investment. Connect Europe and GSMA Europe ask for tangible simplification, enabling them to leverage its benefits while addressing legal uncertainty, avoiding additional costs and implementation complexity for industry and EU Member States. In addition, Connect Europe and GSMA Europe welcome the ambition of the Single-Entry Point (SEP) for incident reporting. However, clarity is still needed to ensure that incidents only need to be reported at national level and only once, avoiding burdensome procedures.