The European Commission has unveiled major cybersecurity reforms that could reshape how rail networks across Europe – including the UK’s close partners and suppliers – procure and deploy digital technology. Central to the package is a new mandate allowing Brussels to investigate and even prohibit high‑risk non‑EU technology operating on critical infrastructure.
Rail manufacturers’ association UNIFE is urging EU institutions to use these powers decisively, warning that non‑European suppliers could pose strategic vulnerabilities for the continent’s transport networks. With rail increasingly intertwined with military mobility and freight supply chains, the sector’s cyber resilience is now firmly in the geopolitical spotlight.
Under the updated Cybersecurity Act, a newly introduced Title IV grants the European Commission sweeping authority to label certain third‑country ICT vendors as “high risk” and bar their technologies from critical sectors – rail included. This could have significant implications for embedded digital systems already widely used in signalling, control, rolling stock and communications.
The reforms also clarify that embedded technologies used within rail systems fall under the definition of “transport and transmission networks.” This comes as several EU Member States continue to evaluate, or have already invested in, non‑EU digital platforms for rail operations.
At the enforcement end, the European Union Agency for Cybersecurity (ENISA) now has enhanced powers to conduct market‑surveillance exercises alongside national regulators. This allows the agency to check whether digital products used on Europe’s infrastructure pose cybersecurity risks and to propose new product categories for future investigations.
Industry observers say the reforms mark a long‑awaited turning point. After years of warnings from cybersecurity experts and rail suppliers, Brussels appears ready to take a more assertive stance on technological sovereignty and supply chain security.
UNIFE argues that this momentum must now carry into the forthcoming overhaul of the EU’s Public Procurement Directives. The organisation wants rail to be formally recognised as a strategic sector, ensuring that European and national funds flow toward technologies that support both Europe’s industrial base and long‑term security.
The sector’s rapid digitalisation has already brought UNIFE into close collaboration with the Commission on cyber issues. The organisation is also represented on the Cyber Resilience Act Expert Group, which oversees a separate regulatory framework for the security of digital products placed on the EU market.
In response to the Commission’s latest actions, UNIFE Director General Enno Wiebe stated:
“With new powers and resources, the European Commission and ENISA as a matter of priority needs to assess and make specific rulings on unsuitable non-EU technology used on EU rail infrastructure.”
“This may include EU-level alerts and restrictions on high-risk non-EU suppliers producing technology for rail systems, especially considering this is critical infrastructure. Alongside changes to Public Procurement Directives, this will ensure Europe does not lose control of its rail networks.
This reform by the Commission should be lauded, as it is being proactive about protecting Europe. UNIFE is active on cybersecurity, and will continue to work with policymakers to boost cyber defences.”
For rail professionals across the UK – particularly those working closely with EU suppliers or operating cross‑border services – the developments could signal tighter alignment of cybersecurity standards and procurement rules across the European rail ecosystem. As digital systems become ever more deeply embedded in everything from signalling to rolling stock maintenance, the sector’s cyber posture is becoming as critical as its physical infrastructure.
Image credit: iStock
