CSIRT-CAN – Centro de Respuesta a Incidentes de Seguridad de Canarias

Why are key infrastructures so important in the European Union?

Strategic dependence on non-European digital infrastructure and supply chains is one of the key challenges facing the European Union. On this last day of October, we want to conclude Cybersecurity Month by addressing this issue.

Why is this a key challenge?

  • Geopolitical and regulatory risk: suppliers subject to extraterritorial laws may be forced to hand over data or interrupt services outside of EU law.

  • Market concentration: a single failure or sanction impacts entire sectors.

  • Supply chain attacks: a single compromised dependency (firmware, OSS library, update) spreads throughout the EU.

  • OT/critical infrastructure: energy, transport, healthcare, and finance use foreign hardware/software that is difficult to audit or replace quickly.

What would addressing this entail?

  1. Cloud and Data Sovereignty

    • Certification schemes (legal sovereignty, localization, operational control) and multi-cloud by design in public administrations and critical sectors.

  2. Supply Chain Security

    • Mandatory and continuous SBOM, signing/verification of artifacts, attestation of reproducible compilation, support requirements for critical OSS.

  3. Diversification and Gradual Substitution

    • Vendor variety roadmaps in 5G/6G, routers, HSMs, with public procurement that rewards interoperability and open standards.

  4. Physical and Geopolitical Resilience

    • Protection and redundancy of submarine cables, alternative satellite/terrestrial routes, periodic switchover tests.

  5. Industrial Capacity and Applied Talent (excluding generic shortages)

    • Incentives for chip/secure element manufacturing and assessment laboratories (Common Criteria/EMVCo/FIPS) within the EU. 6. Post-Quantum Crypto and Lifecycle or EU Plan for coordinated migration to quantum-resistant cryptography in critical infrastructure and public services, with prior asset inventory.

The major challenge is to gain autonomy and verifiability over the digital infrastructure on which the economy and essential services depend, so that no external decision (commercial, technical, or political) leaves Europe cyber-vulnerable.