The proposal

Cybersecurity and ICT, the EU will comb supply chains

A package of measures presented by the Commission introduces the evaluation of supply systems and their countries of origin

by Margherita Ceci


3' min read

Translated by AI
Versione italiana


On 20 September 2025, three major European airports simultaneously went down: cancellations and delays crowded the departure boards of Brussels, London Heathrow and Berlin. These were not isolated technical failures, but a single attack on Collins Aerospace, the external operator providing the check-in and boarding systems of the three airports. Something similar had already occurred in Italy, when PluService, the technology provider of platforms such as myCicero/MooneyGo and several public transport operators, was hit in April. In that case too, the attack on the single provider had knock-on effects on apps and ticketing systems.

ICT (information and communication technologies) supply chains, i.e. the set of resources and processes between economic operators made up of hardware, software, networks and services, are an attractive target for cyber attackers. The European Union's own cybersecurity agency, Enisa, records this in its latest annual survey: 'Cybercriminals have increasingly targeted third-party providers, such as digital services, most likely to exploit the opportunity to optimise the effectiveness of their attacks. Attackers exploit the supply chain, particularly by compromising software, repositories or browser extensions'.


And for the European Union this is a problem, especially at a time of strong geopolitical instability. Vulnerable providers, dependent on or subject to interference from third countries, are a risk that current regulations have not yet covered. In essence, it is not enough for a system to be secure: its exposure to the third country it originates from, and to that country's laws, must also be assessed. Hence the new package of rules on cybersecurity presented at the end of January by the EU Commission to the Parliament: European ICT supply chains will be assessed on the basis of their 'non-technical' risks, that is, geopolitical and strategic ones.

The new standards

The proposal aims to create a 'trusted ICT supply chain framework', a harmonised European framework that will cover the critical sectors already regulated by NIS2 (the directive, transposed in Italy in 2024, which ...). The Commission - or at least three member states - will be able to ask the NIS Cooperation Group - the forum that brings together the national cybersecurity authorities, the Commission and the European agency Enisa - to assess the critical assets and risks of the digital supply chain, including those related to suppliers and the geopolitical context in which they operate. At that point, depending on the degree of vulnerability found, proportionate mitigation measures will be taken: transparency obligations on providers, limits on data transfers or access from third countries, up to - in the most critical cases - the restriction or exclusion of components and services deemed to be 'high risk'.

It is on this point that the geopolitical game is played, and the text of the proposal expresses this clearly: in the case of serious and structural vulnerabilities of a non-technical nature, "the Commission shall verify the risk posed by that country", taking into account the possible existence of laws obliging companies to share "information on software or hardware vulnerabilities before it is established that such vulnerabilities have been exploited", the lack of democratic controls and reporting obligations in the event of risks, and "substantiated information regarding one or more incidents in which threat actors controlled by that country and operating outside the territory of that country have engaged in malicious cyber activities or campaigns, as well as the third country's inability or unwillingness to cooperate with the Commission or Member States to address the risk arising from the operation of such threat actors".

Copyright reserved ©
