Business group IBEC has called on the EU to withdraw some elements of its Cybersecurity Act (CSA2), warning that they could threaten the stability of 18 critical industries.
In a position paper published today (15 April), the organisation says that the proposals could impose costs of €730 million on the Irish telecommunications sector alone.
IBEC’s paper highlights that the European Commission’s proposal introduces ‘high-risk supplier’ designations that are based, it says, on geopolitical origin rather than technical security flaws, and that override national security competencies.
It argues that this shift risks forcing sectors – including health, energy, and finance – to remove “deeply integrated” communications and technology components that have supported business operations for decades.
The business group says that industry was not consulted on the proposals.
It wants the supply-chain proposals to be withdrawn pending “a comprehensive impact assessment that involves meaningful consultation with affected sectors, quantifies replacement costs, and evaluates the capacity of remaining suppliers to meet market demand”.
The paper’s author, Áine Clarke (digital and AI policy executive), stresses that businesses are not questioning the importance of cybersecurity for the economy and society.
“Our position paper highlights that proposing rules driven by geopolitical developments, rather than evidence-based technical criteria, creates an unpredictable business environment and threatens the stability of essential services.
“Mandatory ‘rip-and-replace’ laws will create unforeseen contractual liabilities and run contrary to the EU’s competitiveness, digitalisation, and environmental ambitions,” she states.
IBEC has also expressed concern about proposals to overhaul the EU’s framework for certifying the cybersecurity of products, services, and processes.
While it backs their aim for swifter delivery, it says that the removal of certain existing mechanisms for industry engagement is “a major concern”.
Overall, the paper urges the European Commission to maintain what it describes as “a proportionate approach to cybersecurity regulation that is grounded in evidence and promotes EU competitiveness”.