1. Overview – What the Commission Proposes
The European Commission has launched a revision of the EU Cybersecurity Act (Initiative 14578). The proposal moves beyond voluntary measures to create a mandatory framework for restricting information and communication technology (ICT) products, services, and processes originating from “high‑risk” third countries.
Key elements:
- ENISA expansion: The EU Agency for Cybersecurity receives a budget increase of over 75% and acquires operational powers, including real‑time threat alerts and a central incident reporting platform.
- Accelerated certification: A default 12‑month timeline for European cybersecurity certification schemes.
- High‑risk country mechanism: A new legal tool to designate specific third countries as high‑risk, leading to potential exclusion of their ICT components from EU supply chains.
For the full legislative package and feedback, refer to the European Commission’s Have Your Say portal.
2. The Core Legal and Political Battleground
While the public debate focuses on geopolitical rivalry (notably with China), the real fight will be over Article 114 TFEU – the internal market legal basis. Critics argue that a measure whose primary objective is national security should not rest on internal market provisions. This opens the door to annulment actions before the Court of Justice of the European Union.
The single most contentious concept is the definition of “non‑technical risk factors.” How does the EU prove that a country’s legal system, lack of judicial independence, or data protection regime constitutes a cybersecurity threat? This is not a technical question – it is a geopolitical and legal judgment. Industry groups are already demanding objective, evidence‑based criteria, while Member States with existing dependencies on non‑EU suppliers are preparing to resist broad discretionary powers.
- Council configuration: Competitiveness Council (Internal Market and Industry).
- Parliament fault line: Likely a split between sovereignty‑focused groups (ECR, ID) and those prioritising EU‑level security (EPP, S&D, Renew).
3. Stakeholder Reactions – What Industry Is Saying
Feedback submitted to the Commission reveals deep concern from non‑EU technology vendors and their trade associations.
“The protectionist urge to reinstate discriminatory restrictions that would harm the security of Europe’s digital ecosystem”
CCIA Europe (Computer & Communications Industry Association), representing global tech companies including non‑EU vendors.
Other notable reactions:
Ibec (Irish Business and Employers Confederation) warned that the proposals could impose costs of €730 million on the Irish telecommunications sector alone, and threaten the stability of 18 critical industries.
Multiple telecom operators and digital infrastructure providers have submitted confidential position papers arguing that mandatory phase‑out periods for existing equipment would be unworkable without significant transition funding.
Consumer organisations generally support stronger ENISA powers but express concern that the high‑risk country mechanism could be used for protectionist trade purposes rather than genuine security.
4. Business Risks – Why Your Company Should Act Now
If your company relies on ICT components, software, or managed services from any third country that could be designated as high‑risk, the proposed revision poses immediate and substantial threats:
| Risk Area | Concrete Impact |
|---|---|
| Mandatory phase‑out costs | Replacing existing infrastructure with EU‑certified alternatives can run into hundreds of millions of euros for large operators. |
| Supply chain discontinuity | Short transition periods (expected to be 12‑24 months) may be impossible to meet for specialised components with no European equivalent. |
| Compliance uncertainty | The “non‑technical risk” definition is politically determined – today’s low‑risk supplier could become tomorrow’s banned country. |
| Legal challenge exposure | Even if the regulation is adopted, interim measures or annulment actions could create years of legal uncertainty, freezing investments. |
| Competitive disadvantage | European subsidiaries of non‑EU parent companies may face higher compliance burdens than local incumbents. |
Quantified example: The Irish telecom sector estimate of €730 million represents only direct phase‑out costs for one small Member State. Extrapolated across the EU27, total compliance costs could exceed €10 billion, according to preliminary industry modelling.
5. The Unlocked Angle – What Most Analysts Miss
Everyone is watching the geopolitics of high‑risk country designation. But the real lobbying war will be fought over Annex II procedures – the technical criteria for assessing non‑technical risk.
Key questions that will determine the final regulation:
- Who decides the list of risk factors? (ENISA, the Commission, or a new Member State committee?)
- What evidentiary standard applies? (Intelligence assessments? Publicly available legal analyses? Corporate due diligence reports?)
- Can a company request an individual exemption if it can prove its specific supply chain does not pose a risk, even if its home country is designated?
These procedural details are where your company’s ability to influence the final text will succeed or fail. The current proposal leaves most of these questions open – and that is where public affairs intervention is most effective.
6. How I Can Help You Navigate and Influence This File
As a Brussels‑based public affairs strategist specialising in EU digital regulation, I offer:
- Risk assessment – A confidential analysis of how the proposed high‑risk country mechanism affects your specific supply chain, including worst‑case scenario modelling.
- Stakeholder mapping – Identification of which Member States, parliamentary groups, and industry coalitions align with your interests – and which oppose them.
- Amendment drafting – Targeted changes to the definitions of “non‑technical risk,” transition periods, and exemption clauses. These are the levers that determine whether the regulation becomes manageable or catastrophic.
- Coalition building – Connection to like‑minded companies and trade associations to amplify your voice during the trilogue phase (expected late 2026 – early 2027).
- Direct representation – I can engage with the Commission, Parliament rapporteurs, and Council working parties on your behalf, ensuring your operational concerns are heard before the text is finalised.
7. Take the Next Step
Do not wait until your board is reading about a final trilogue agreement that locks in unworkable obligations. Contact me today for an initial, no‑obligation consultation on the EU Cybersecurity Act revision.
I will provide:
- A 30‑minute briefing on the specific risks to your sector.
- A preliminary mapping of where your interests sit on the political fault lines.
- A proposed engagement plan with clear milestones and budget options.
Website contact form: hyperion-tree-digital.eu/contact/
Direct calendar link: calendly.com/harold-hyperion-tree-digital/30min
Act now – because the definition of “non‑technical risk” will be written without you unless you help write it.


Harold Tor-Daenens
Managing Director
With over two decades of experience in international and EU affairs, Harold assists clients in influencing the most difficult legislative files. He possesses a business mindset and a strategic vision backed by data-driven insights. A master of communications and digital channels, he crafts policy narratives that resonate with the intended audiences. Hyperion Tree Digital works in a network of cooperatives of like-minded independent consultancies with presence throughout Europe and the rest of the world, so that our services are affordable, agile and impactful.
