China inside your infrastructure

Infographic 2026


China is already inside your infrastructure.
And the EU is done ignoring it.

The European Commission has recently announced a new cybersecurity package in response to what it calls the “daily cyber and hybrid attacks on essential services and democratic institutions carried out by sophisticated state and criminal groups.”

This is the response.

In his first public discussion of the upcoming EU Cybersecurity Act revision, Bart Groothuis, MEP, joins Lieuwe-Jan Koning, Co-Founder and CTO of ON2IT, to explain what changes next.

Certification is no longer just about secure code.
It is about political leverage.
About who controls updates.
Who has access.
Who can apply pressure when it matters.

Vendor risk is becoming regulatory risk.
And that lands on your desk.

Before procurement signs the PO, you need to understand what this shift means for supply chain risk and critical infrastructure security.


What you’ll learn

  • Why the EU Cybersecurity Act revision changes vendor strategy
    How Europe is moving from soft law guidance to enforceable vendor scrutiny.
  • What “high-risk vendor” really means
    Why intelligence laws, state influence, and geopolitical leverage are now part of cyber certification.
  • Why 5G and energy grids are different
    How virtualized telecom architecture and digital energy systems reduce mitigation options once dependency exists.
  • How supply chain risk becomes regulatory risk
    Why vendor exposure is no longer just an internal assessment but a compliance issue.
  • What CISOs and procurement leaders should do now
    How to assess vendor exposure, prioritize risk, and build a realistic roadmap before enforcement tightens.

Your cybersecurity experts


Lieuwe Jan Koning

Co-Founder and CTO
ON2IT


Bart Groothuis

Member of the European Parliament
(VVD)

Episode details

The revision of the EU Cybersecurity Act (CSA) is designed to strengthen Europe’s cybersecurity certification framework. But the real shift is deeper.

For the first time, non-technical risk factors – such as foreign state influence over vendors – are being formally integrated into decision-making around critical infrastructure security.

The debate has long focused on technical vulnerabilities and backdoors. But as Groothuis explains, the more decisive risk is structural dependency. If a vendor is subject to foreign intelligence legislation, the question is not whether misuse has happened – but whether leverage exists.

This becomes particularly critical in sectors like telecommunications and energy. In 5G architectures, virtualization concentrates control. In energy grids, digital inverters and remote management systems introduce centralized dependencies that cannot easily be mitigated after deployment.

The CSA revision aims to address this by tightening scrutiny around high-risk vendors and embedding geopolitical reality into certification policy.

The conversation does not argue for blanket decoupling. It argues for clarity.
Risk must be understood.
Dependency must be measured.
And critical infrastructure security must account for who ultimately holds control.

The conclusion is simple: vendor risk is no longer theoretical. It is strategic, regulatory, and operational – all at once.


Get your Hacker T-shirt

Join the treasure hunt!

Find the code within this episode and receive your own hacker t-shirt for free.
