
European Commission publishes proposal for Cybersecurity Act revision

On 20 January 2026, the European Commission published a proposal for a recast Cybersecurity Act (“CSA2 proposal”). Given the growing severity of cyberthreats, the recast aims to deliver a measurable improvement to the EU’s cybersecurity posture and ensure that supply-chain risks are effectively addressed.

For business, this means new supply-chain governance obligations in the form of risk-mitigation measures, and potential fines of up to 7% of total worldwide annual turnover in the event of infringement. High-risk suppliers can even be excluded from critical domains. The CSA2 proposal also modernises the voluntary European cybersecurity certification framework and strengthens ENISA.

Together with the announced amendment of the NIS 2 Directive, the cybersecurity package fits into an evolving resilience compliance regulatory framework (see our article).

Key proposed changes

The 2019 Cybersecurity Act (“CSA”) established a European certification framework allowing voluntary certificates to be issued for information and communication technology (“ICT”) products, services and processes (e.g. hardware, software, cloud services, patch management). These certificates are recognised throughout the EU and aimed at avoiding duplicative certification in Member States. The CSA did not place specific obligations on companies in connection with the ICT supply chain, addressing the latter’s security only indirectly through the voluntary certification scheme.

The CSA2 proposal noticeably shifts the focus for companies by introducing a horizontal framework to ensure reliable ICT supply chains. This includes EU-wide risk assessments and the identification of “key ICT assets”, principally in energy, transport and traffic, health, finance and digital infrastructure (NIS 2 sectors). Such assets consist in components, systems or services whose failure, manipulation or compromise could have a significant impact on networks, services or critical sectors. The framework also opens up the possibility of binding risk mitigation measures, including prohibitions on the use and installation of components from “high-risk suppliers”. So while the previous approach was limited to voluntary certification and did not include any supply-chain obligations, the CSA2 proposal marks a move towards binding and harmonised intervention in critical supply chains, with a more prominent role for certification as a lever for supervisory coherence and procurement.

New regulatory framework for ICT supply chain measures

The information and communication technology supply chain (“ICT supply chain”) encompasses all actors, products and services involved in the development, making available, operation and maintenance of information and communication technologies (Article 2, point (40) CSA2 proposal). The proposal takes a new approach that no longer limits supply chain risk assessment to technical security aspects (e.g. data encryption during storage and transmission, or protective measures such as firewalls) but also explicitly includes non-technical risk factors such as legal, geopolitical or organisational dependencies.

Scope: Company size is irrelevant

Whether a company will be deemed part of an ICT supply chain under the CSA2 regime is largely determined by its sector pursuant to Annexes I and II of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (the “NIS 2 Directive”). This Directive distinguishes between companies in sectors of high criticality and companies in other critical sectors:

  • Sectors of high criticality include the energy, transport and traffic, health, finance and digital infrastructure sectors.
  • Other critical sectors include the waste management, food, processing, digital services and research industries.

In contrast to the NIS 2 Directive, the CSA2 proposal covers all companies without reference to ceilings or thresholds, i.e. with no employee, turnover or balance sheet limits. The proposal instead takes a role- and risk-based approach: the decisive factor is the company’s function within the ICT supply chain and the risk that the loss of its products or services poses to the resilience of the EU’s ICT infrastructure. The approach focuses on the company’s role in respect of key ICT assets – i.e. components, systems or services whose failure, manipulation or compromise could have a significant impact on networks, services or critical sectors.

Obligations and risks for companies

The CSA2 proposal creates an EU-wide catalogue of obligations for affected companies, from measures to secure the ICT supply chain (horizontal framework) to specific bans and deadlines for mobile, fixed and satellite networks. These obligations will be set out in more detail and made binding in implementing acts the Commission has yet to adopt. However, companies will only need to address these requirements if they use what the Commission classifies as key ICT assets.

Three steps are involved in classifying key ICT assets:

  • Risk assessment: EU-level coordinated assessments develop risk scenarios and propose key ICT assets.
  • Identification: The European Commission adopts an implementing act identifying the key ICT assets for the affected supply chain or sectors.
  • Measures: The Commission orders specific risk mitigation measures for companies. A detailed, sector-specific catalogue including phasing-out deadlines already applies to communication networks.

So the process begins by identifying “key ICT assets”, i.e. software or hardware assets in the network and information systems of entities defined by the European Commission as “key”, after a Union-level coordinated security risk assessment. Assets are classified as “key” on the basis of functional criticality (whether the assets have essential and sensitive functions for the products or services concerned), risk of disruption (whether incidents or exploited vulnerabilities can lead to serious disruptions of ICT supply chains across the internal market or to exfiltration of data), supplier dependency (whether there is dependency on a limited number of suppliers) and the results of the EU risk assessments (Article 102 CSA2 proposal).

The Commission is then empowered to adopt implementing acts to impose the following risk mitigation measures on companies (including technical and methodological requirements) (Article 103 CSA2 proposal):

  • Transparency obligations towards competent authorities: Companies can be required to disclose supply chain information in respect of the key ICT assets concerned (e.g. manufacturers, intermediate suppliers, service providers, dependencies). The information must be up-to-date, complete and provided in the form specified by the authority.
  • Restrictions on transfers of data and remote data processing: To mitigate non-technical risks, transfers of certain types of data to third countries and remote processing from third countries may be prohibited or restricted. This measure addresses access risks from legal systems with extraterritorial access rights, for example.
  • Minimum technical and protective measures (to be audited by a third party): Companies can be required to implement auditable controls, including the use of on-device processing (processing locally where possible), specific network segmentation, the disabling of any remote or physical access to key ICT assets (where possible), disabling of non-essential features, continuous operational network monitoring and systematic testing of hardware and software.
  • Restrictions on outsourcing and operational control: Outsourcing, especially to managed service providers, can be prohibited or restricted in order to reduce operational control risks. Restrictions may include on-premises operation only (such that IT systems, software and data must be operated in-house on the company’s own servers), location or jurisdiction requirements, or limits on administrative rights.
  • Contractual restrictions vis-à-vis suppliers: Companies may be required to impose contractual conditions on suppliers to mitigate risk to key ICT assets.
  • Vetting requirements: The operation, management, maintenance or support of critical services can be tied to personnel vetted by the competent national authorities.
  • Diversification obligations: To avoid single-vendor risks, i.e. heavy or complete dependence on just one supplier, procurement from several suppliers can be prescribed (e.g. “at least two independent suppliers” for certain key ICT assets).

Special provisions for mobile, fixed and satellite networks

Providers of mobile, fixed and satellite electronic communication networks may not use, install or integrate components from high-risk suppliers in key ICT assets. Suppliers are considered high-risk if, following an assessment of their ownership and control structures, the European Commission determines that they are located in or controlled from a third country classified as high-risk – or if they have been explicitly designated as particularly high-risk. The Commission will establish a list of such high-risk suppliers, which it will regularly update. High-risk suppliers may request that the Commission re-assess their classification if they can demonstrate that key changes have been made to their relevant structures (Article 104 CSA2 proposal). Companies must phase out the ICT components concerned within 36 months of the entry into force of the Regulation (Articles 110-111 CSA2 proposal). However, industry associations emphasise that any measures must be coordinated with existing agreements concluded with mobile network operators at the level of individual Member States.

Supervision and enforcement by the European Commission and Member State authorities

The competent authorities in the individual Member States may adopt various measures to ensure supply chain security. The CSA2 proposal stipulates that companies falling within the scope of the NIS 2 Directive must, upon request, provide up-to-date lists of their suppliers, permit inspections and provide relevant product information.

The proposal empowers the Commission – as a last resort – to exclude high-risk suppliers from the ICT supply chain. In such a case, a transition period will be set, requiring the affected companies to implement the exclusion within that timeframe. This will entail stricter supply-chain compliance requirements for these companies (Article 103(1) CSA2 proposal), and they should bear in mind that no financial compensation will be provided for any measures that may be required to reorganise the supply chain as a result of the exclusion of a high-risk supplier.

Penalties of up to 7% of total worldwide annual turnover

Infringements of these measures and any reporting obligations are subject to administrative fines, with the amount set by the Member States. However, the CSA2 proposal introduces a standardised, tiered penalty system based on turnover: a maximum of 1% of total worldwide annual turnover for infringements of transparency obligations, a maximum of 2% for infringements of other risk mitigation measures and a maximum of 7% for infringements of the prohibitions on the use, installation and integration of components from high-risk suppliers in key ICT assets and of the sector-specific prohibitions applicable to electronic communications networks (Article 115(5) to (7) CSA2 proposal).

Voluntary European cybersecurity certification to continue

The EU Cybersecurity Certification Framework (“ECCF”) will continue to operate as a voluntary instrument for companies to certify their ICT products, services and processes (including managed security services). In a new development, it will also serve company-wide cyber resilience. Cybersecurity certificates and EU declarations of conformity are already valid across the EU[1] and may – where stipulated – establish a presumption of conformity with other EU legislation. Schemes under the ECCF may specify an assurance level of “basic”, “substantial” or “high” for an ICT product, service or process depending on the level of risk associated with the intended use (Article 82(1) CSA2 proposal). They also deal with ongoing conformity, recertification, and vulnerability management. The Commission’s plan is for the CSA2 proposal to boost certification take-up by companies.

Who can be certified or have their products certified?

All companies that develop, provide or operate ICT products, ICT services or ICT processes can be certified under the ECCF if an EU certification scheme exists for the item in question. Such companies primarily include manufacturers and providers of hardware, software and components (e.g. via the existing EU cybersecurity certification scheme on Common Criteria (“EUCC”) for ICT products), service companies such as cloud providers and providers of other ICT services (for which EU schemes are being prepared), as well as providers of managed security services (scheme also under development).

New: Potential certification of a company’s cybersecurity risk management

The Commission’s plan also envisages the possibility of using European cybersecurity certification to enable companies to demonstrate compliance with their obligations in respect of company-wide cybersecurity risk management. The CSA2 proposal therefore also provides for a scheme under the ECCF for the certification of a company’s cybersecurity risk management. In the Commission’s view, this should make it easier for companies that face different cybersecurity and data security-related obligations under horizontal instruments to demonstrate their compliance. Such a scheme is not yet in preparation, however, and is listed as a “future” measure. It would have to be adopted by the Commission after the CSA2 proposal comes into force. In practical terms, this means that companies do not currently have a functioning option for certifying their overall cybersecurity risk management and must await future developments.

Outlook: Presumption of conformity and speeding up the procedure

Industry associations have welcomed the presumption of conformity (e.g. with NIS 2 requirements) that cybersecurity certificates can confer.[2] In the long term, this could contribute to legal certainty and minimise duplicative certification.[3]

The CSA2 proposal also seeks to accelerate the procedure for establishing European cybersecurity certification schemes. The procedure to date has proven inefficient, with only one scheme being established over the last six years. In future, ENISA will have 12 months to prepare each scheme upon request by the European Commission. Some industry associations, however, are concerned that even this schedule will do little or nothing to make the ECCF less cumbersome.

Comprehensive reform of ENISA’s mandate

The CSA2 proposal significantly broadens ENISA’s remit, giving it a greater role in certifications. The proposal also assigns ENISA an expanded operational support role covering situational awareness, early warning and vulnerability analysis.

  • For companies in the ICT supply chain, that means a structural shift in compliance requirements: Compliance with regulatory requirements will no longer be limited to downstream documentation and audit processes, but will require early integration of technical and organisational security requirements developed by ENISA into product and service development – that is, security by design will become mandatory (Article 80(1), letter (a) CSA2 proposal). ENISA guidelines and technical specifications effectively set the standard for certification decisions, market surveillance and subsequent supply-chain measures by the Commission and national authorities.[4] So companies will have to align their internal compliance structures, development processes and supplier management to ensure regulatory conformity at architecture and design stage in order to maintain long-term market access and legal use of their ICT products and services throughout the single market.
  • Central digital entry point for cyber incident reports (“single entry point”): Businesses should also note that – in line with the Digital Omnibus – a central reporting point under ENISA supervision will be established under the CSA2 proposal. Companies will be able to meet their reporting obligations under various pieces of legislation by making a single report using the one-incident, one-report principle. However, industry associations argue that this measure is unlikely to meet its objective of simplifying reporting procedures. In practice, the existence of numerous uncoordinated reporting obligations and deadlines means that there will still be parallel reporting tracks.

Amendments to the NIS 2 Directive and the REACH Regulation

Also on 20 January 2026, the European Commission published a proposal for the amendment of the NIS 2 Directive, including changes to its scope. Small DNS providers – that is, service providers who translate domain names such as gleisslutz.com into the corresponding IP addresses (e.g. 192.0.2.1) to ensure internet service accessibility – will be excluded from the Directive’s scope. Conversely, the following providers will be brought into scope, irrespective of their size: providers of EUDI wallets (digital wallets that allow individuals to securely store their state-verified identity data and credentials and use them online and offline to identify themselves) and providers of dual-use goods (products, software or technologies intended for civilian purposes that can also be used for military or other security-critical applications).

Another modification to the scope concerns the way that NIS 2 makes reference to the REACH Regulation. This reference is to be made more precise, since it currently brings more companies into scope than intended. To reduce compliance costs for companies, the proposal introduces the new “small mid-caps” category. Reporting obligations for ransomware incidents are also to be made more stringent: the amended NIS 2 would introduce a clear reporting obligation and a standardised reporting procedure that specifies the information to be disclosed.

Conclusion and outlook

The CSA2 proposal and the amendment of the NIS 2 Directive further strengthen the European regulatory framework for cybersecurity. Both initiatives are still in trilogue negotiations, with the aim of reaching a political agreement by early 2027. Once adopted, the CSA2 will apply directly as a regulation, whereas the NIS 2 amendments will need to be transposed into national law within one year.

Although European cybersecurity certification remains formally voluntary, it is becoming increasingly relevant from a compliance perspective. The planned presumption of conformity – particularly in relation to NIS 2 – should enhance legal certainty and avoid duplicative certification. Companies should therefore assess at an early stage whether certifications make strategic sense and ensure that robust compliance and risk management systems are in place.

The new obligations relating to ICT supply chain compliance are of particular importance. The inclusion of non-technical risk factors and the potential exclusion mechanism for high-risk suppliers significantly increase transparency and documentation requirements. Companies must be able to map their supply chains in a structured manner, identify high-risk suppliers and respond quickly where necessary – not only to meet reporting obligations, but also to avoid fines and operational risks.

The planned “single entry point” for reports is intended to simplify procedures, although it remains to be seen how effective this will be in practice. Regardless, clearly defined internal reporting and escalation processes are becoming increasingly critical.

With ENISA assuming a stronger role as a central supervisory body, more intensive monitoring and additional guidelines can be expected. Cybersecurity compliance is already an ongoing governance issue and this looks set to continue.

Overall, the CSA2 proposal marks a shift in cybersecurity from a predominantly technical matter to a strategic compliance obligation. An early, structured approach to supply chains, reporting systems and risk management will be key to mitigating regulatory risks and capitalising on the opportunities created by the new legal framework.

[1] Article 71(4) CSA2 proposal

[2] Article 78, point (1) CSA2 proposal; CSA2 proposal, p. 40, point 80

[3] EU stellt Revision des Cybersecurity Act vor | Presseinformation | Bitkom e. V. (German only)

[4] Article 18 CSA2 proposal

[5] EU stellt Revision des Cybersecurity Act vor | Presseinformation | Bitkom e. V. (German only)