When a journalist from Xinhua, China’s main press agency, asked about a recent report estimating the cost of supplier replacement under the proposed Cybersecurity Act 2.0, the Commission’s response was a bluntly put “not everything is about money.” The exchange at Monday’s (12 May) midday briefing neatly captures the political temperature around one of the more quietly consequential pieces of legislation currently moving through Brussels.
The report in question, published by the China Chamber of Commerce to the EU and KPMG, puts the cost of replacing suppliers under the proposed revision at up to €367.8 billion over five years. The numbers are eye-catching – and contested. The Commission’s own impact assessment gives no precise estimate of the burden on businesses and citizens, but the Chinese figure is on the high end by any measure.
Security, not economics
Spokesperson Thomas Regnier’s “not everything is about money” line landed with a thud in some quarters – particularly at a moment when the Commission has made cutting red tape and reducing administrative burdens a stated priority. Still, the broader rationale is not without substance. The revision targets supply chains in solar panels, connectivity, nuclear energy, healthcare and justice – sectors where the security case for scrutiny is hard to dismiss entirely.
That logic connects directly to the broader tech sovereignty debate. Thibaut Kleiner, the Commission official leading work on the Cloud and AI Development Act, put it plainly last week: “Unless we get our acts together, we are going to be in the mode of becoming a technological colony of some kind – where we are not able to develop our own products.” CAIDA, expected as part of the tech sovereignty package on 27 May, would restrict EU member governments’ use of non-European cloud providers for sensitive data. U.S. providers are explicitly in scope.
U.S. firms on notice
The Cybersecurity Act 2.0 is still at an early stage – Parliament and Council are each developing their positions separately, with trilogue some way off. But the Parliament’s lead negotiator, Markéta Gregorová, was direct at an event last week. “I can see the Cybersecurity Act having an impact on U.S. companies if they don’t oblige by the rules,” she said. “They will certainly be affected.” Gregorová stopped short of proposing blacklists, framing her approach as a “systemic solution” for assessing cybersecurity risk – but pointed to the Digital Services Act as a cautionary tale. “American firms don’t have a good track record in following EU rules and that should give them cause for concern.”
Enter Mythos
There is a further complication. Despina Spanou, deputy director general at DG CONNECT, the Commission’s digital department, told Parliament recently that the Act’s scope may need to be adapted to address risks posed by Anthropic’s Mythos – the superhacking AI that has rattled security establishments on both sides of the Atlantic.
It is a reminder that the Cybersecurity Act 2.0 is being written against a rapidly shifting threat landscape – one where the hazards are not only Chinese hardware in telecoms networks, but U.S. AI systems capable of automating offensive hacking at scale. The money matters. But so does everything else.