EU Cybersecurity Act review presents concerns for Irish business – new Ibec report

Share this:

Copied

Ibec, the group that represents Irish business, has warned that proposed changes to the EU Cybersecurity Act (known as ‘CSA2’) could threaten the stability of 18 critical industries and impose a €730 million cost on the Irish telecommunications sector alone.

In a position paper published today, Ibec highlights that the European Commission’s proposal introduces "high-risk supplier" designations based on geopolitical origin rather than technical security flaws, overriding national security competencies. This proposed shift risks forcing sectors – including health, energy, and finance – to remove deeply integrated ICT components that have supported business operations for decades. According to the paper, the proposals lack a technical evidence base, as industry was not consulted.

Ibec is calling for the supply chain proposals to be withdrawn pending a comprehensive impact assessment that involves meaningful consultation with affected sectors, quantifies replacement costs, and evaluates the capacity of remaining suppliers to meet market demand.

Áine Clarke, Digital & AI Policy Executive and paper author said:

"The importance of cybersecurity for our economy and society is not being questioned. Our position paper highlights that proposing rules driven by geopolitical developments, rather than evidence-based technical criteria, creates an unpredictable business environment and threatens the stability of essential services. Mandatory ‘rip-and-replace’ laws will create unforeseen contractual liabilities and run contrary to the EU’s competitiveness, digitalisation, and environmental ambitions. EU cyber resilience depends on an open, globally focused market and a predictable regulatory and investment environment."

The group also notes that proposals to overhaul the EU’s framework for certifying the cybersecurity of products, services and processes are positive in their aim for swifter delivery, but the removal of certain existing mechanisms for industry engagement is a major concern. To remain operationally viable, certification schemes must be developed in consultation with industry, ensuring they remain voluntary, affordable, and inclusive of businesses looking to scale within the Single Market and globally.

Ibec urges the European Commission to maintain a proportionate approach to cybersecurity regulation that is grounded in evidence and promotes EU competitiveness. The group supports strengthening the capacities of the EU Cybersecurity Agency, ENISA, in its role as a coordinator and provider of non-binding technical guidance to the EU and its Member States.