Business group Ibec has raised concerns that proposed reforms to the EU Cybersecurity Act could place major strain on Ireland’s digital infrastructure and add significant costs to key industries, particularly telecommunications.
In a new position paper, the organisation warned that the European Commission’s planned changes could result in an estimated €730 million burden on the Irish telecoms sector alone. It also said the reforms may destabilise up to 18 critical industries, including health, energy, and financial services, which rely heavily on existing ICT systems.
At the centre of the concern is a proposal to introduce “high-risk supplier” classifications based on geopolitical considerations rather than specific technical vulnerabilities. Ibec argues that this approach would override national security competencies and could force companies to remove or replace long-established technology components embedded in essential systems.
The group said the proposal lacks a sufficient technical evidence base and criticised the absence of meaningful consultation with industry stakeholders before the policy direction was set. It has called for the supply chain measures to be withdrawn until a full impact assessment is completed in collaboration with affected sectors.
Áine Clarke, Digital & AI Policy Executive at Ibec and author of the report, said the proposed rules could create instability across essential services. She said policies driven by geopolitical factors rather than technical assessments risk undermining business certainty and operational continuity.
Clarke also warned that mandatory “rip-and-replace” requirements could trigger unexpected contractual liabilities for companies and conflict with broader European Union objectives around competitiveness, digital transformation, and environmental sustainability. She said such measures could force organisations to discard functioning systems prematurely, adding unnecessary cost and disruption.
Ibec has urged the European Commission to adopt a more proportionate regulatory framework that prioritises evidence-based decision-making. The group argues that cybersecurity policy should strengthen resilience without undermining the technological foundations of critical infrastructure.
The warning comes as EU policymakers continue to debate how to secure supply chains for digital systems amid rising geopolitical tensions and increasing concerns about cyber threats. Industry groups across Europe have expressed differing views on how far security rules should extend into procurement and vendor selection.
For now, Ibec is calling for a reassessment of the proposals, stressing that cybersecurity measures must balance risk management with economic stability and long-term investment certainty across the EU digital economy.
