Decoding the world of cybersecurity

G7 sets cyber resilience priorities

The European Commission has backed a G7 cybersecurity declaration focused on post-quantum migration, AI security, telecoms resilience, SMEs, and software supply chain transparency.

G7 sets cyber resilience priorities
Summary
  • The European Commission welcomed a G7 cybersecurity declaration under France’s presidency and ANSSI leadership.
  • The priorities include post-quantum cryptography, AI security, telecoms resilience, SMEs, and software supply chain transparency.
  • The declaration aligns with EU regulatory work under NIS2, the Cyber Resilience Act, and wider digital resilience policy.

The European Commission has backed a G7 cybersecurity declaration that places post-quantum cryptography, AI-related cyber risks, telecoms resilience, small business protection, and software supply chain transparency inside a shared resilience agenda.

The declaration was adopted under France’s G7 presidency, with leadership from ANSSI, France’s national cybersecurity agency. The Commission said the work supports coordinated action against evolving digital threats and aligns with the EU’s cybersecurity strategy, including its roadmap for post-quantum migration and existing regulatory work under NIS2 and the Cyber Resilience Act.

ANSSI said national cybersecurity agencies from G7 members met in Paris on 27 May and reaffirmed their commitment to closer coordination in an open, stable, and secure cyberspace. The group discussed post-quantum transition, artificial intelligence, cybersecurity for small and medium-sized enterprises, and telecoms-sector security. It also welcomed work on minimum elements for a software bill of materials for AI and a statement on post-quantum cryptography migration.

The European Commission’s response to the declaration shows cyber diplomacy moving into the operational territory of procurement, cryptographic transition, AI governance, and infrastructure resilience. Each area creates practical work for governments and enterprises that depend on long-lived systems, global suppliers, and cross-border digital services.

Post-quantum migration is the clearest example. Cryptographic transition takes years because organisations need to identify vulnerable cryptographic use, understand dependencies, replace protocols, manage certificates, test interoperability, and avoid breaking systems that support payments, identity, healthcare, transport, public administration, and industrial operations. The risk is not only the arrival of a capable quantum computer, but the persistence of encrypted data that can be collected now and decrypted later.

AI security adds a newer governance challenge. The G7 work on minimum SBOM elements for AI suggests that transparency expectations are starting to extend beyond conventional software into models, datasets, components, and AI-enabled products. That overlaps with the EU’s own AI and product security regimes, while raising procurement questions for organisations buying AI systems from global vendors.

Telecoms resilience brings the agenda back to critical infrastructure. Communications networks underpin emergency services, government operations, cloud access, financial services, logistics, and industrial monitoring. The security of those networks depends not only on operators, but also on equipment vendors, software suppliers, managed services, and cross-border incident coordination.

The SME element is also tied to supply chain exposure. Large organisations and public bodies depend on smaller suppliers, integrators, software providers, and service partners. Weaknesses in those organisations can become exposure for regulated operators and public institutions, particularly where smaller providers hold access, maintain systems, or supply software components.

Although the declaration is not binding regulation, it aligns political priorities across major economies while reinforcing policy that is already becoming enforceable in Europe. NIS2, the Cyber Resilience Act, telecoms security initiatives, and AI governance are turning shared resilience language into obligations, procurement tests, and supervisory expectations.

The practical work now sits with governments, vendors, and operators that must translate those themes into inventories, migration plans, assurance evidence, supplier controls, and incident playbooks. International coordination is becoming less abstract as cryptography, AI, telecoms, and software supply chains move deeper into regulatory and operational resilience programmes.

×