EU Cybersecurity Act 2.0: When good regulation goes bad
Over recent years we’ve witnessed the EU becoming increasingly serious about cybersecurity. After years of watching high profile breaches, many resulting from supply chain attacks targeting our critical infrastructure, that seriousness is welcome. But good intentions and good policy are not the same thing, and the proposed EU Cybersecurity Act 2.0 is starting to look a lot more like the former than the latter.
The problem with CSA 2.0
The original EU Cybersecurity Act, which came into force in 2019, was a solid foundation. CSA 2.0 was supposed to be a measured evolution to deal with the current threat landscape. What has emerged instead is something more ambitious and more troubling: for the first time, the European Commission would gain the power to designate certain countries as “high-risk,” with vendors from those countries automatically inheriting that label and facing strict restrictions across the EU.
The consequences of this are potentially enormous and could cause more harm than good. The old saying “the road to hell is paved with good intentions” is starting to ring true for CSA 2.0.
The Irish Business and Employers Confederation (IBEC) has warned that the proposed changes could threaten stability across 18 critical sectors in Ireland alone, and land the Irish telecoms industry with a bill of approximately €730 million for ripping out and replacing equipment.
Research prepared by my firm, BH Consulting, for Digital Business Ireland, found that companies well outside the direct regulatory scope of CSA 2.0 will still be hit hard through tighter supply-chain requirements, procurement rules, and investor caution.
But the question I think too few people are asking publicly is “who exactly ends up on that ‘high-risk’ list, and how?”
The honest answer is that nobody knows yet. The current framing ties high-risk status primarily to geopolitical origin rather than to verifiable technical failings. A vendor could find itself shut out of the EU market not because its code is insecure or its patch management is weak, but because of the physical address of its corporate headquarters.
Potential for costly disruption
The obvious targets are the ones Western governments have discussed for years: China, Russia, North Korea and Iran. But the mechanism being created is not written narrowly to focus on those countries. Rather, it is a general power applicable to any third country, and the current geopolitical environment should give every European policymaker serious pause.
A prime example is how the relationship between the EU and the United States has shifted measurably over the past two years. Trade disputes, disagreements over defence spending, threats to invade Greenland, pushback against EU regulations, and broader tensions around technology policy have introduced a level of friction that would have seemed implausible not too long ago. Under CSA 2.0’s proposed framework, there is nothing in principle to prevent the European Commission from designating the United States as a high-risk country at some future point.
Consider what that would mean in practice. Large parts of European critical infrastructure, cloud platforms, cybersecurity tooling, and enterprise software originate from US-headquartered vendors. A designation, even a partial or conditional one, would trigger mandatory migration obligations, procurement exclusions, and supply-chain reassessments across thousands of organisations. The disruption would dwarf anything currently being discussed in the context of Chinese telecoms vendors.
One estimate cited in European media suggests that applying hard restrictions to Chinese vendors across 18 sectors alone could cost the EU approximately €368 billion over five years once direct and indirect effects are counted. Extend that logic to any other major technology-supplying nation and the numbers become difficult to absorb.
The deeper problem is that this approach inverts good security practice. Sound risk management starts with evidence: what are the actual technical vulnerabilities, what are the realistic threat vectors, what do independent audits and certifications tell us? Geopolitical context is a legitimate input into that assessment, but it should not replace it.
CSA 2.0 could destroy SMEs
Where genuine systemic risk exists, proportionate responses are available: segmentation, monitoring, conditional use in less sensitive environments, phased transition plans with realistic timelines and financial support. Blanket bans and compressed rip-and-replace mandates, triggered not by technical evidence but by political geography, are the least targeted and most disruptive option available. They should be the last resort, not the starting point.
There are also serious concerns about how CSA 2.0 will affect small and medium enterprises (SMEs). While large organisations such as multinationals can absorb sudden regulatory upheaval, a regional managed service provider, a small med-tech company, or an industrial automation specialist operating on thin margins cannot.
SMEs do not have the reserves of cash, people, or expertise that larger organisations do. If a core component they depend on is suddenly reclassified as coming from a high-risk supplier, they face a stark choice between an expensive re-architecting and refitting or losing key customers.
Don’t get me wrong: I am not arguing that we ignore supply chain risk. The EU is right to want more coherence and discipline in this space. But CSA 2.0 needs to be anchored in objective, verifiable criteria such as technical risk assessments, secure development practices, vulnerability management, independent certification, and transparency. The passport held by a vendor’s executives is not a security control.
There is still time to rebalance this legislation. The question is whether there is the political will to do so.