, ,

G7 cyber declaration sharpens Europe’s resilience agenda

Europe is linking telecoms resilience, AI security, post-quantum migration, and SME protection into a wider G7 framework for digital infrastructure risk.

G7 cyber declaration sharpens Europe’s resilience agenda
Summary
  • The European Commission has welcomed a G7 cybersecurity declaration covering post-quantum cryptography, AI cyber risks, telecoms resilience, and SME security.
  • The declaration aligns with existing EU frameworks, including NIS2, the Cyber Resilience Act, and planned work on AI and cybersecurity.
  • Telecoms operators, software suppliers, and smaller businesses face rising expectations around secure products, resilient infrastructure, and supply-chain assurance.

The European Commission has backed a G7 cybersecurity declaration that brings telecoms resilience, post-quantum cryptography, AI security risks, and SME protection into a wider framework for digital resilience.

The declaration was adopted by the G7 Cybersecurity Working Group under France’s presidency, with leadership from the French national cyber agency ANSSI. Brussels says the priorities align with European rules and policy work already moving through implementation, including the NIS2 Directive, the Cyber Resilience Act, and proposals to strengthen ICT supply-chain security in telecoms.

Four areas carry direct weight for European organisations. The declaration covers migration to post-quantum cryptography, cybersecurity risks created by and directed at AI systems, telecoms security, and support for SMEs. Together, they point to a cyber agenda that treats resilience as a property of whole markets and supply chains, rather than a set of controls inside individual IT departments.

Post-quantum cryptography is moving out of specialist security debate and into infrastructure planning. Advances in quantum computing could weaken widely used encryption, and the G7 declaration calls for coordinated action across industry and government. The EU adopted a roadmap in 2025 intended to give critical use cases clear deadlines for migration.

AI adds a second layer of pressure. Generative models and large language models can support attackers through code generation, phishing, vulnerability discovery, and automation, while AI systems themselves can become targets through model poisoning, data breaches, and manipulation. The G7’s work on minimum elements for an AI software bill of materials is intended to give organisations a better way to assess cyber risks inside AI supply chains.

Telecoms security sits at the centre of the European agenda because communications networks now support payment systems, emergency services, public administration, enterprise cloud, logistics, transport, and remote work. As networks become more software-defined and dependent on complex suppliers, resilience depends on architecture, vendor assurance, patching discipline, and operational readiness.

NIS2 already raises security expectations for telecoms and other essential entities, while the EU’s Cyber Resilience Act embeds cybersecurity obligations across digital products. The G7 declaration reinforces that direction by connecting secure-by-design principles with the smaller companies that often sit inside larger supply chains.

SMEs remain a hard policy problem. They are expected to raise standards, but many lack specialist teams, mature procurement processes, and the budget to absorb new compliance demands. The Commission says it is working with ENISA on support measures, including accessible cybersecurity guidance and tools designed to reduce burdens on smaller companies.

The commercial effect is likely to be felt through procurement as much as direct regulation. Larger organisations will expect clearer assurance from suppliers, software vendors will face more questions about security across the product lifecycle, and telecoms operators will have to show how they manage systemic risk across increasingly interconnected networks.

International declarations do not rewrite European law by themselves, but they do harden the policy direction behind rules already in force or close to implementation. European cyber resilience is being framed around infrastructure, product design, AI governance, cryptographic transition, and supplier risk in one connected agenda. Organisations that treat those obligations as separate compliance projects will find the boundaries between them narrowing.