EU cybersecurity standards are at risk if supplier ban passes
Today, the European standards body ETSI sent a formal position paper to the European Commission, calling for changes to the proposed Cybersecurity Act 2 (CSA2), the EU’s planned revision to its existing cybersecurity certification framework.

The paper focuses on two provisions: a proposed expansion of ENISA’s role in developing technical specifications, and a clause in Article 100(4)(a) that would bar entities from countries designated as posing cybersecurity concerns from participating in European standardization work tied to Commission requests.
ETSI is one of three European Standardization Organizations (ESOs) recognized under EU law to develop harmonized standards. Its membership includes over 900 organizations across 64 countries.
The “high-risk supplier” exclusion
Under the CSA2 proposal, the European Commission would designate “high-risk suppliers” based on EU-level security risk assessments, including structural non-technical risks. Entities receiving that designation would be excluded from development, assessment, consultation, and decision-making on cybersecurity standards developed by ESOs under Article 10(1) of Regulation (EU) No 1025/2012.
ETSI’s position is that contributions to European standardization should not be subject to prohibitions established in Union legal acts. The organization points to the WTO Agreement on Technical Barriers to Trade principles, which it adheres to, along with Regulation (EU) No 1025/2012, both of which require openness, consensus, and independence from special interests in standards development.
“ETSI’s Directives provide flexibility to address security-related needs on a case-by-case basis. The 2022 European Standardisation Strategy and related governance reforms were designed to mitigate undue influence from outside the EU, preserving openness, transparency, inclusiveness, impartiality, and independence from special interests. Undermining these principles would risk the proper functioning, collaborative nature, and credibility of the system,” Martin Chatel, Chief Policy Officer at ETSI, told Help Net Security.
The paper draws on a recent parallel. In 2019, the U.S. Commerce Department’s Entity List imposed restrictions on certain companies’ participation in 5G and telecommunications standardization. ANSI responded by noting that a standard’s global relevance depends on how it was developed, not which entity developed it. NIST stated that standardization should enable U.S., EU, and Chinese companies to collaborate in a voluntary, industry-led environment where market forces and the best technical contributions prevail. The Bureau of Industry and Security eventually softened the restrictions.
ETSI’s concern is that a similar dynamic could play out at the ITU, ISO, and IEC, where suppliers designated “high-risk” by the Commission may still be permitted to contribute. A supplier excluded from European standardization work could remain active in shaping the international versions of the same standards, reducing European influence in those forums.
ETSI recommends that any restrictions be assessed on a case-by-case basis, coordinated with ETSI and the other ESOs, and applied proportionately, rather than established as a general legal basis in EU legislation.
ENISA’s proposed role in drafting specifications
Article 18 of the CSA2 grants ENISA authority to draft technical specifications and technical guidance to support the implementation of Union legislation, in addition to contributing to standardization activities and assisting the Commission in assessing harmonized standards.
ETSI welcomes ENISA’s participation in standardization work and supports an expanded advisory role for the agency. The concern is specifically with the drafting authority. ETSI’s position is that ENISA’s role should be limited to advising on the legal framework and providing technical guidance. Extending it to drafting technical specifications risks creating a parallel standard-setting structure inconsistent with the existing legal framework, under which drafting is entrusted to bodies governed by private law, with the Commission retaining a supervisory role.
As a model for what appropriate agency participation looks like, the paper points to ETSI’s Technical Committee on Lawful Interception (TC LI), which brings together governments, law enforcement agencies, mobile network operators, and equipment vendors to develop standards supporting common requirements. Chatel noted that ETSI’s existing structure already provides operational answers combining openness, speed, global impact, and European safeguards, and that this is precisely the capability Europe should preserve and reinforce in the current geopolitical environment.
Standards as a policy instrument
ETSI’s paper sets the argument in the context of Europe’s broader standardization strategy. The 2022 EU Strategy on Standardization sought to reduce strategic dependencies and prevent undue influence from non-European actors in cybersecurity standards, without compromising openness and impartiality. Regulation (EU) No 2022/2480 subsequently gave EU/EEA National Standardization Bodies exclusive authority over certain decisions, including the adoption of Commission standardization requests and final approval of harmonized standards.
ETSI describes its role as serving two complementary functions: responding to market needs from its membership and developing standards in direct support of EU legislation. The organization operates without subordination to other standardization bodies and is not bound by an “international-first” approach. Standards it has developed, including EN 303 645 for consumer IoT security and EN 304 223 for cybersecurity in AI systems, have been adopted internationally after originating from European processes.
The paper closes by recommending improved coordination between the Commission and ETSI to preserve transparency, legitimacy, and trust in the European standardization system, and to avoid unintended consequences for innovation, competitiveness, and European industry’s standing in international standardization.