Philip Lee partner Sean McElligott has expressed concern about proposed changes to EU legislation on cybersecurity.
He warns that the cumulative effect of EU measures in the area is that “substantive decisions about who may supply Ireland’s critical national infrastructure are progressively migrating toward EU bodies over which Ireland holds no unilateral control”.
In an analysis on the firm’s website, McElligott examines the proposed Cybersecurity Act 2 (CSA2), which gives the European Commission powers to adopt implementing acts identifying key technology assets and imposing mitigation measures that include prohibitions on components from high-risk suppliers.
The Philip Lee partner explains that, under CSA2, the commission can, based on a risk assessment and verification, designate a third country as posing cybersecurity concerns by implementing act.
He adds that the criteria for verification include laws or practices requiring pre-patch vulnerability reporting to third-country authorities, the absence of democratic checks and judicial remedies, substantiated information on threat-actor activity or unwillingness to co-operate, and relevant information drawn from coordinated risk assessments or international organisations.
Once designation occurs, McElligott says, the proposal contemplates lists of ‘high-risk suppliers’ linked to establishment, ownership and control, “subject to consultation and rights of defence mechanisms that nevertheless remain embedded within the implementing-act framework”.
He points out that high-risk suppliers may be excluded from participation in standardisation processes, prevented from obtaining or holding European cybersecurity certificates, barred from accreditation as conformity-assessment bodies, restricted from issuing certain cybersecurity attestations, and excluded from procurement and EU funding activities.
“This amounts to a systemic exclusion toolkit, with effects capable of cascading across supply chains and market segments far beyond any individual sector or product,” the lawyer states.
“CSA2 risks importing sanctions-like effects into internal market legislation,” McElligott argues.
He adds that a member state such as Ireland, which has historically served as the European hub for many of the world’s largest US technology companies, “has no effective veto over a commission decision to designate a third country or list an individual supplier as ‘high-risk’”.
“In the context of some future geopolitical trade war, one hypothetical, albeit remote, scenario might be if the commission were to designate the United States as a country posing cybersecurity concerns (even partially, in respect of specific legal provisions); the downstream effect on Ireland’s technology sector would be devastating,” the Philip Lee partner states.
He concludes by saying that Ireland is uniquely placed to advocate for a better-calibrated framework, in which the European Union Agency for Cybersecurity (ENISA) has only an advisory role and commission designation powers are subject to “genuine procedural and evidential constraints”.