The GSMA, on behalf of Europe’s mobile operators, notes the European Commission’s proposed revision of the Cybersecurity Act.
Mobile networks are essential societal infrastructure. They represent both a frontline defence and a clear target for disruption.
In times of geopolitical friction and an ever-evolving risk landscape, substantial investment has been and continues to be made by operators to ensure Europe’s digital infrastructure remains secure and resilient. Strengthening security and resilience remains a top priority given how citizens, businesses and public services depend on this digital ecosystem.
Doing this comes with substantial costs that now risk reducing the resources available for network upgrades and the connectivity improvements users rely on.
We share the Commission’s objective of reinforcing Europe’s cybersecurity. However, these measures must be strictly risk-based and operationally workable, strengthening cybersecurity risk management while sustaining high-quality connectivity and continued network evolution. The proposed Cybersecurity Act revisions make this challenging and may ultimately undermine European operators’ ability to upgrade networks at pace and meet the continent’s connectivity ambitions.
Legislative measures on supply chain security should be targeted, risk-based and provide long-term predictability for all affected industries, based on a comprehensive impact assessment, thereby taking into account operational realities and fully respecting that national security matters remain under the competence of EU Member States. Not all equipment elements are equally sensitive, making blanket approaches unnecessary and disproportionate. Beyond the lack of proportionality of the proposed measures, the unrealistic timelines risk significant disruption to services for users as well as high additional expense.
Europe’s security and resilience is essential, now more than ever. The mobile industry takes its responsibilities seriously and will continue to comply and invest to uphold these high standards. However, EU legislators must recognise that this crucial role requires sustained investment, and the Cybersecurity Act proposal will add significant costs.