The EU Commission has presented a revised cybersecurity law to better fend off attacks and reduce dependencies on high-risk third countries. In particular focus: Chinese companies like Huawei and ZTE, which are to be effectively excluded from 5G rollout. This follows a recent hacker attack on the Eurail platform.
In Brussels, the EU Commission presented a revised cybersecurity law on Tuesday. The background is a recent hacker attack on the Eurail platform of the "DiscoverEU" program, where personal data of 18-year-olds leaked to unknowns. Interrail tickets are also affected. "Cybersecurity threats are not just technical challenges, but strategic risks to our democracy, our economy, and our way of life," said EU Commissioner Henna Virkkunen. "With the new cybersecurity package, we will have the means to better protect our critical IT infrastructure and decisively combat cyberattacks."
Dozens of cyberattacks occur daily in Europe on companies, government agencies, and critical infrastructure, mainly from Russia, China, and the USA. Particularly alarming are Chinese technologies in sensitive areas like airports or military, where Beijing could potentially take control. Therefore, companies like Huawei and ZTE are to be effectively excluded from 5G rollout, without a formal ban. States and services will be classified into risk categories based on past incidents, cybersecurity ratings, independent courts, and mandatory vulnerability reporting. Analyses focus on cloud services, medical devices, semiconductors, power supply, space systems, and connected vehicles. It remains open whether the USA will be considered a risk.
Germany has banned Chinese 5G infrastructure since 2024; the EU proposes a three-year phase-out. ENISA is to become a central actor, with certifications for experts to address over 300,000 vacant positions. It will provide early warnings and set up a helpdesk with Europol for ransomware attacks. "This is really a novelty and very important, as we are seeing an increase in cyberattacks due to AI," said an EU official. "We know that today already 80 percent of ransomware attacks are carried out using AI tools."
MEP Jens Geier (SPD) emphasized: "Today it's no longer just about economic damage and data theft, but about resilience against targeted sabotage of critical infrastructure like communication facilities, energy supply, and hospitals." However, the Commission refrained from introducing a network fee for platforms like Netflix and Amazon; instead, they should make agreements with network operators themselves, with an option for review.
