As digital rights groups warn of risks to net neutrality and regulatory overreach, while cybersecurity experts argue the update is critical to strengthening Europe’s fragmented supply chains.

Unveiled earlier this month, the reforms are designed to boost cybersecurity capabilities, improve resilience and prevent fragmentation across the EU’s digital single market.

The Commission has framed the proposals as a response to mounting geopolitical tensions, rising cyber threats and growing interdependence across digital infrastructure.

But critics argue the package goes far beyond cybersecurity, potentially reshaping how Europe’s internet, interconnection and regulatory frameworks operate.

Civil society group epicenter.works has emerged as one of the most vocal opponents, warning that the reforms could weaken long-standing net neutrality protections and concentrate excessive power within the European Commission. The organisation says the proposals risk reopening debates settled more than a decade ago, when net neutrality rules were enshrined in EU law to ensure equal treatment of internet traffic.

“We are deeply disappointed by this proposal from Commissioner Henna Virkkunen,” said Thomas Lohninger of epicenter.works. “It would have been the opportunity of her term to show independence from the telecom industry and propose a balanced reform. Instead, citizens now have to defend net neutrality protections enshrined in EU law a decade ago.”

A central concern is the Commission’s expanded role under the revised framework. Critics point to provisions that would give the Commission a seat in confidential working groups traditionally led by independent national regulators, as well as the power to propose rules related to paid prioritisation, often described as “fast lanes” that could conflict with existing regulatory guidance.

Lohninger described the move as a “power grab”, warning it risks blurring the boundary between political oversight and independent regulation. He also criticised the proposals for introducing new bureaucracy at a time when the Commission has pledged deregulation and simplification.

“In a mandate that is driven by deregulation and simplification, the Commission proposes new regulation with an extensive bureaucracy for the interconnection market,” he said. “According to EU’s top telecom regulators this market works well and needed no regulation.”

The interconnection market has long been a sensitive area of European telecoms policy, sitting at the intersection of network investment, competition and internet openness. Regulators have historically taken a light-touch approach, arguing that commercial agreements between operators, content providers and cloud platforms have delivered efficient outcomes without heavy-handed oversight.

Critics now warn that new rules could upset that balance, creating barriers within the single market and making it harder for companies, particularly smaller digital service providers, to reach users across Europe on equal terms.

“This could even create new barriers within the single market, making it harder for companies to offer online services to all Europeans,” Lohninger said.

However, others argue the proposed update addresses long-standing weaknesses in how cybersecurity and supply chain risk are managed across the bloc.

Katharina Sommer, hroup head of government affairs at NCC Group, said the reform is an important step towards tackling fragmentation, one of the biggest practical challenges in securing digital supply chains.

She said the proposals align requirements for organisations covered by NIS2 with expectations placed on their suppliers, while also seeking to harmonise obligations across the Cyber Resilience Act and EU-wide certification schemes.

“This will help organisations better understand their obligations and focus their resources on managing real risk rather than navigating overlapping requirements,” Sommer said. “The update will build trust and raise the baseline level of security across Europe’s digital ecosystem.”

According to Sommer, the introduction of outcome-focused minimum standards and EU-wide technical criteria for supply chain security could provide a more coherent framework for managing risk. She also highlighted the importance of promised European Commission guidance on supply chain requirements, saying it offers an opportunity to clarify responsibilities and create greater consistency in what organisations ask of their suppliers.

Crucially, Sommer argued the update reflects a broader understanding that cyber risk cannot be treated in isolation.

“Recent incidents have shown how supplier failure, concentration risk and operational dependencies can create systemic disruption, even where cyber security controls are strong,” she said, adding that closer alignment with wider digital resilience frameworks, such as DORA, is essential.

Yet even supporters of the reforms caution that stronger EU rules alone will not be enough. Sommer stressed that modern supply chains are inherently cross-border, with cyber incidents frequently spanning multiple jurisdictions.

“Without close cross-border cooperation, regulatory improvements risk being undermined by misaligned standards, weaker incident response and gaps in preparedness and skills,” she said, pointing to the importance of collaboration with partners such as the UK.

The contrasting reactions underline the complexity facing EU policymakers as they attempt to strengthen cybersecurity while preserving openness, competition and regulatory balance.

Industry groups, including the GSMA, have already warned that aspects of the reforms could increase costs and divert investment from network upgrades, while technology vendors have raised concerns about parallel EU efforts to restrict so-called high-risk suppliers.

As the proposed revisions move through the European Parliament and EU member states, amendments are expected and the final shape of the legislation remains uncertain.

RELATED STORIES

GSMA warns EU Cybersecurity Act revisions could slow network upgrades

EU overhauls EuroHPC to power AI gigafactories and quantum build-out