Cybersecurity Act 2: A new framework for EU certification and supply chain security
On 20 January 2026, the European Commission presented a draft proposal aimed at fundamentally overhauling the existing Cybersecurity Act of 2019.
A look back: The Cybersecurity Act of 2019 established, for the first time, an EU-wide framework for the voluntary cybersecurity certification of ICT products, services and processes. At the same time, the EU agency ENISA was given a permanent mandate and was significantly strengthened as the central coordinating body for European cybersecurity. Since then, however, the European regulatory landscape has evolved considerably – for example through NIS2, DORA, the Cyber Resilience Act and the RED. The 2019 CSA is thus now itself part of an increasingly fragmented regulatory framework.
With this reform, the Commission aims to substantially strengthen the cybersecurity architecture of the digital single market and to bring the fragmented regulatory landscape closer together and interlink it more effectively.
The revision of the Cybersecurity Act: From a voluntary certification framework to mandatory supply chain governance
The previous Cybersecurity Act of 2019 was essentially limited to the creation of a European certification framework for ICT products, services and processes. Certification was voluntary, and the Act did not impose specific corporate obligations in the supply chain.
The CSA-2 draft fundamentally shifts this focus. At its core is a new horizontal framework for trustworthy ICT supply chains, aimed at binding, EU-wide harmonised interventions in critical supply chains. Key elements of this new framework include EU-wide coordinated risk analyses, the identification of so-called ‘key ICT assets’ – that is, components, systems or services whose failure, manipulation or compromise could have a significant impact on critical sectors – as well as the possibility of binding risk mitigation measures, including bans on use and installation.
It is particularly noteworthy that the CSA-2 draft no longer limits risk assessment to technical security aspects, but explicitly includes non-technical risk factors such as legal, geopolitical or organisational dependencies. Whether a company falls within the scope in future depends largely on its sector as set out in the annexes to the NIS2 Directive; however, no size thresholds apply to determine whether a company is affected. Instead, a role- and risk-based approach is decisive: what matters is the function an organisation performs in the supply chain of a key ICT asset and the risk attached to it.
New obligations for affected organisations
For affected organisations, the CSA-2 draft provides for a comprehensive catalogue of obligations, which will be specified in detail by Commission implementing acts. The envisaged risk mitigation measures include, in particular, transparency obligations towards supervisory authorities, which require organisations to disclose their supply chain for affected key ICT assets, as well as restrictions on data transfers and remote processing in third countries.
Minimum technical and protective measures may also be prescribed, subject to third-party auditing, including on-device processing, specific network segmentation and continuous operational network monitoring. Outsourcing and operational restrictions may prohibit or limit outsourcing to managed service providers. Further, contractual restrictions on suppliers and diversification requirements are envisaged to avoid single-vendor risks.
A special provision applies to providers of electronic communications networks: in the case of critical ICT assets, they must not use, install or integrate components from high-risk suppliers. Components already installed must be removed within 36 months of the Regulation entering into force. Industry associations emphasise that existing national phase-out and transition plans for such components must be taken into account appropriately, particularly in the telecommunications sector.
A supplier is classified as high-risk if it is based in, or controlled from, a third country that the Commission has classified as high-risk; the Commission maintains and regularly updates a corresponding list. Third countries are classified on the basis of a catalogue of non-technical criteria, such as laws requiring vulnerabilities to be reported to the state before disclosure, a lack of legal remedies, or state-tolerated threat actor activity.
Violations are subject to severe penalties: fines of up to 1% of global annual turnover may be imposed for breaches of transparency obligations, up to 2% for breaches of other risk mitigation measures, and up to 7% for breaches of usage and integration bans regarding high-risk suppliers.
Geopolitical dimension and jurisdictional issues
The CSA-2 draft goes far beyond traditional cybersecurity regulation and introduces the concept of "digital sovereignty" into European cybersecurity regulation. The shift from technical to non-technical assessment criteria marks a paradigm shift towards a geopolitical understanding of cybersecurity.
This approach raises complex questions of competence. The draft relies solely on Article 114 TFEU, the internal market competence, but in substance addresses geopolitical security considerations that traditionally fall within the realm of national security. The weak argumentative link to the internal market makes the construction fragile: external geopolitical threats are internalised as internal market concerns. There is also a risk of losing objectively assessable technical standards, insofar as an assessment of the security of a specific component is replaced by an abstract assessment based on its country of origin.
In this context, the proceedings pending before the ECJ in Case C-354/24 (Elisa Eesti AS), concerning the exclusion of 5G technology providers on security grounds, are of particular significance. On 19 March 2026, Advocate General Ćapeta published her Opinion, in which she clarified that a risk assessment concerning third countries or their suppliers must not be based on mere general suspicion. Rather, it is essential to assess the specific functionality, exact location and concrete significance that the hardware and software in question actually have for the provision of the communications service. A blanket exclusion that disregards the actual network architecture would therefore fall short of this standard.
Strengthening certification and ENISA reform
European cybersecurity certification remains formally voluntary but is being significantly enhanced. Industry associations welcome the fact that cybersecurity certificates will in future be able to establish a presumption of conformity, particularly with regard to the requirements of the NIS2 Directive. This may contribute to legal certainty and reduce duplicate checks. In the long term, it should also be possible to demonstrate company-wide cybersecurity risk management through a European certificate, although no such scheme is currently in the pipeline.
The ENISA mandate is significantly expanded by the CSA-2 draft. The agency will be developed into the central coordinating body for certification, supervision and support of Member States, and will in future also be responsible for expanded operational activities such as situation assessments, early warnings and vulnerability analyses. For businesses, this represents a structural shift: meeting the regulatory requirements will necessitate the early integration of the security requirements developed by ENISA, in the spirit of a mandatory 'Security by Design' approach.
Conclusion and recommendations
Cybersecurity is evolving from a technical issue into a strategic compliance obligation with a geopolitical dimension. The draft CSA-2 is still undergoing the trilogue procedure; a political agreement is sought for early 2027.
Companies should assess at an early stage whether and to what extent they are affected, and establish a robust compliance and risk management system. Particular attention must be paid to supply chain compliance: the consideration of non-technical risk factors and the potential exclusion rule for high-risk suppliers significantly increase the requirements for transparency and documentation. At the same time, affected companies should closely monitor the ongoing ECJ proceedings in Case C-354/24 – Elisa Eesti AS, the outcome of which could serve as an indirect test case for the CSA-2 draft.