EU Cyber Resilience Will Reshape Global Product Security Standards
Subsea cables crossing into Europe now fall under same security rules as power grids, says European Commission's cybersecurity chief.
Akul Saxena
SAN FRANCISCO, March 24, 2026 — Artificial intelligence now drives virtually every social engineering attack targeting organizations across Europe, the EU's chief cybersecurity agency said Tuesday at the RSA Conference here, as the bloc moves to impose sweeping new product security requirements on any company selling products into its market by September.
The remarks came as two major pieces of EU legislation rewrite the rules for any company selling products into European markets.
The Cyber Resilience Act, which sets mandatory security standards for any product with a digital component sold in the EU, takes effect in September 2026.
A proposed Cybersecurity Act revision would impose legally binding supply chain requirements, forcing companies to identify and remove high-risk suppliers from critical systems across all 27 member states.
Hans De Vries, chief cybersecurity and operational officer at ENISA, the European Union Agency for Cybersecurity, said AI-assisted attacks had grown from roughly 80 percent of social engineering attempts in early 2025 to effectively 100 percent today. He said threats now morphed faster than existing certification and detection frameworks could respond.
De Vries spoke alongside Despina Spanou, deputy director general for cybersecurity and trust at the European Commission, at this annual gathering of cybersecurity professionals and policymakers.
New product security deadline
De Vries said ENISA held primary responsibility for implementing the Cyber Resilience Act and described compliance as mandatory for any company seeking to sell into European markets.
Spanou identified supply chain security as the EU's most pressing near-term challenge, saying high-risk suppliers had embedded themselves across 70 to 80 percent of certain critical sectors, naming detection equipment, electricity and energy systems, and connected vehicle components as the most exposed.
Huawei and the high-risk supplier problem
The proposed Cybersecurity Act revision would classify suppliers originating from listed high-risk countries as high-risk automatically, with narrow exceptions. Companies would face legally binding timelines to remove those suppliers from critical systems.
Huawei, the Chinese telecommunications equipment manufacturer, emerged as the clearest example of how deeply high-risk suppliers had penetrated European systems. Spanou said mobile network derisking had moved faster than other sectors because alternative vendors existed, but warned that comparable transitions would be far harder in markets where substitutes remain scarce.
Spanou added that in port and airport detection equipment alone, where all cross-border trade data flows, suppliers from a single high-risk country had penetrated seven to eight percent of total infrastructure.
"This is an opportunity for the like-minded to work together," Spanou said.
Critical infrastructure under attack
De Vries offered concrete examples of the damage supply chain vulnerabilities had already inflicted. A cyberattack on Jaguar Land Rover, the British automotive manufacturer, left the company offline for three weeks and pushed some of its parts vendors toward insolvency.
A breach at a biomedical testing facility in the Netherlands exposed breast cancer patient records across a system used nationally. The attackers published the data after the facility declined to pay a ransom, a tactic De Vries said reflected a broader shift in criminal posture.
He described cybercrime as the second-largest criminal industry globally, generating billions in annual revenue.
Subsea cables and the new infrastructure perimeter
Spanou said the definition of critical infrastructure had expanded well beyond traditional sectors. The European Commission adopted a plan last year to protect subsea cables, the underwater fiber optic links carrying 99 percent of intercontinental data traffic, built around prevention, detection, and response.
The Commission extended the same framework to counter-drone policy after incidents disrupted airspace across multiple EU member states. Both areas are included as priority sectors in the proposed Cybersecurity Act revision.
"This is the new critical infrastructure," Spanou said.
Sovereign tech and what it means for American companies
A technology sovereignty package covering cloud, artificial intelligence, and semiconductors is expected later this year. Spanou said it would give American companies a single, predictable compliance framework across all 27 member states rather than 27 separate national regimes, an advantage she described as unique to the European single market.
Transatlantic cooperation remained active despite broader geopolitical tensions, De Vries said, citing contact with CISA, the US Cybersecurity and Infrastructure Security Agency, earlier that morning.
He said ENISA was working to align a new European vulnerability database, a centralized registry tracking security flaws in software and hardware, with existing US processes.
Still, Spanou said the broader direction of EU policy reflected a fundamental shift in how Europe viewed its relationship with outside technology providers. "The age of innocence is over," Spanou said, paraphrasing European Commission President Ursula von der Leyen.
