Patrick Mascott

On 20 January 2026, the European Commission published a Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security and repealing Regulation (EU) 2019/881 (“ The Cybersecurity Act 2 ”). The Cybersecurity Act 2 covers three key areas: 1) rules and organisation matters relating to ENISA; 2) the creation of European cybersecurity certification schemes to ensure an adequate cybersecurity level for ICT products, ICT services, ICT processes, managed security services and the cybersecurity posture of EU entities; and 3) rules relating to a trusted ICT supply chain framework. This Guide focuses on the trusted ICT supply chain framework and its potential impact on businesses. All references to Articles below refer to the Cybersecurity Act 2 unless stated otherwise. As this is only a proposal, the final obligations may differ. Trusted ICT supply chain framework The trusted ICT supply chain framework will offer a security mechanism at the EU level to tackle non-technical risks in sectors of high criticality and other critical sectors as referred to in Annex I and Annex II to the Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“ NIS2 Directive ”). Non-technical risks are defined as the “ likelihood of the supplier being subject to influence by a third country with the potential to cause loss or disruption of the service provided or to compromise the product manufactured by an entity or to lead to exfiltration of data, including for the purposes of espionage or revenue generation ”. (Article 2(42)) The framework aims to protect critical sectors from third-country influence by identifying key ICT assets in critical ICT supply chains and imposing mitigation measures where necessary. Security risk assessments The European Commission or a group of three or more EU Member States may request the NIS Cooperation Group to conduct an EU coordinated security risk assessment. In the event of a significant cyber threat, the European Commission may conduct a security risk assessment taking into account the consultation with the EU Member States. (Articles 99(1) and 99(3)) The security risk assessment will encompass the proposed identification of key ICT assets, main threat actors, risks and vulnerabilities impacting such assets. It will also formulate risk scenarios and suggest mitigation measures. (Articles 99(1) and 99(3)(b)) Identification of key ICT assets Where security risk assessments identify significant cybersecurity risks in relation to an ICT supply chain, the European Commission may adopt implementing acts identifying key ICT assets used by sectors of high criticality and other critical sectors under the NIS2 Directive to manufacture products or provide services (Article 102). Mitigation measures in the ICT supply chain The European Commission may adopt implementing acts prohibiting certain types of entities in sectors of high criticality and other critical sectors from using, installing or integrating ICT components from high-risk suppliers in key ICT assets. (Article 103). A similar prohibition exists for providers of mobile, fixed and satellite electronic communications networks (Article 111(1)). The European Commission may oblige certain entities in sectors of high criticality and other critical sectors to implement mitigating measures in their ICT supply chain especially in relation to key ICT assets. These may include transparency requirements, prohibition on the transfer of data to third countries, audits, restrictions on contractual relations and diversification of ICT components supply. (Article 103(2)). Identification of high-risk suppliers and consequences of the listing The European Commission will establish lists of high-risk suppliers that could be subject to mitigation measures provided above. In assessing suppliers, the European Commission will investigate the place of establishment as well as the ownership and control structure. (Article 104(4)). Listing may result in, amongst others, exclusion from EU public procurement procedures and EU funding programmes. Designation of third countries posing cybersecurity concerns The European Commission may designate third countries posing cybersecurity concerns to ICT supply chains. In doing so, it will take into account, amongst others, laws and practices in such third country that require entities in their jurisdiction to inform the authorities of software or hardware vulnerabilities before such vulnerabilities are known to have been exploited, substantiated information concerning incidents of threat actors controlled from such third country or conducting its operations from that third country to implement malicious cyber activities. (Articles 100(1) and 100(2)) Entities established in or controlled by entities from the designated third country may request for an exemption from being subject to the prohibitions imposed on entities from sectors of high criticality and other critical sectors on the use, installation or integration of its ICT components in key ICT assets and from being subject to the prohibition on participation in public procurement procedures. (Article 105(1)) Penalties Violation of the prohibition to use, install or integrate ICT components from high-risk suppliers could result in a fine of a maximum of 7% of the total worldwide annual turnover in the preceding financial year. Violation of mitigation measures could result in a fine of a maximum of 1-2% of the total worldwide annual turnover in the preceding financial year, depending on the measure concerned. How it may impact businesses Companies operating in sectors of high criticality and other critical sectors may face disruption in their ICT supply chain and increased costs if suppliers are listed as high-risk and/or the sourcing countries are designated, particularly where alternative ICT components are limited. In some cases, product or service redesign may be required. Subject to the final text, companies should consider mapping in-scope suppliers, reviewing contractual arrangements, and assessing data transfer and remote data processing practices to prepare mitigation strategies and compliance processes. ICT components suppliers from third countries may face restrictions on access to the EU market if listed as high-risk. Although the right to be heard and exemption procedure exist, the process may be time-consuming. The operational implications are likely to follow three main lines:  Supplier risk exposure : companies active in critical sectors will need to factor jurisdictional and ownership risk into vendor selection and supply-chain design. Compliance integration : ICT due diligence will extend beyond technical assurance and certification into governance, legal-environment and control-structure assessments. Supervisory enforcement : mitigation obligations adopted through implementing acts will feed into national oversight, with associated compliance and liability consequences (likely to lead to enforcement divergence). In this sense, the trusted ICT supply chain framework illustrates how EU cybersecurity regulation is becoming structurally intertwined with questions of resilience, strategic autonomy and security of supply, a trajectory that is likely to shape both legislative negotiations and downstream compliance practice. Next steps in the legislative process and indicative adoption timing The Cybersecurity Act 2 is in the ordinary legislative procedure. As of early February 2026, the file has formally entered the Parliament’s preparatory phase, with technical examination ongoing in the Council. Adoption is currently expected in late 2026 or in 2027. Trusted ICT supply chain framework – positioning within the Cybersecurity Act 2 The trusted ICT supply chain framework introduced in the Cybersecurity Act 2 adds a distinctly geopolitical and security-policy layer to EU cybersecurity law. Whilst the original Cybersecurity Act focused primarily on technical assurance and certification, the revision moves into risk governance linked to third-country exposure, supplier influence and systemic dependency in critical sectors. From a legal-policy perspective, the framework reflects a wider evolution in EU digital legislation: cybersecurity risk is no longer treated solely as a technical or resilience question, but increasingly as a matter of economic security and systemic dependency management. The developing regime around high-risk supplier identification is particularly illustrative of this shift. Whilst the detailed listing mechanics and consequences are still being shaped legislatively, the EU’s approach makes clear that participation in sensitive ICT ecosystems may become contingent on security, governance and jurisdictional risk considerations, not only on technical performance or certification status. More broadly, the framework signals that EU cybersecurity law is moving closer to the EU’s wider economic security agenda. Legislative instruments are increasingly designed to manage exposure to external influence, strategic dependencies and systemic vulnerabilities across critical sectors. For information on how the Cybersecurity Act 2 could impact your business or economic operators in your country, please contact Yapa Thepkanjana at yapa.thepkanjana@acquislp.eu and Patrick Mascott at patrick.mascott@acquislp.eu.

The European Union (EU) has been at the forefront of the global push towards digital transformation, adopting a plethora of digital regulations aimed at fostering innovation, ensuring economic growth and competitiveness, and safeguarding fundamental rights. As we move into the next legislative cycle, the EU Council – under the leadership of the Belgian presidency – has outlined its main priorities in digital policy, emphasizing among others the importance of effective implementation, the need for a European approach to digital technologies, and alignment with sustainable objectives. Prioritizing Digital Transformation Digital transformation is a key driver of innovation, economic growth, and sustainability within the EU. But as Belgian Deputy Prime Minister Petra de Sutter stated, it must be balanced to ensure that this transformation benefits all citizens: “[it] must be grounded on a safe, inclusive, sustainable, and human-centric approach – one that upholds democracy and human rights”. Ms de Sutter highlighted the importance of every European citizen having the opportunity to develop essential digital skills and participate actively in the online world.  Mathieu Michel, Belgium’s Secretary of State for digitisation, meanwhile called for a “common European approach to innovative digital technologies striking the right balance between innovation, regulatory burden, and protection of the Union’s economic security”. He also emphasised digital skills and digital infrastructure as key components to achieving this digital transition. Key Priorities for the Legislative Cycle The Council has identified several main priorities for the upcoming legislative cycle: Effective Implementation of Digital Regulations: The primary focus is on the “effective, coherent and efficient implementation” of recently adopted digital laws with minimal administrative burden for both public and private sectors. This includes laws such as the AI Act, Digital Services Act (DSA) and the Digital Markets Act (DMA), which aim to create a safer and more open digital space in the EU​. Common European Approach: The Council advocates for a unified approach to innovative digital technologies as a crucial element for enhancing the EU’s competitiveness and protecting its economic security. This approach must balance innovation with regulatory measures to ensure a dynamic and open economy. Digital and Green Transition: The Council emphasizes the synergy between digital transformation and the green transition, advocating for ambitious sustainability objectives. This aligns with the EU’s broader goals of achieving climate neutrality and promoting sustainable development​​, as well as reducing their dependence on foreign fossil fuel imports. Building Digital Skills and Bridging the Digital Divide: The Council explicitly refers to the importance of attracting and retaining a digitally skilled workforce, with a particular focus on increasing women’s participation in the tech sector. Bridging the digital divide is critical to ensuring that all citizens can benefit from digital advancements. This also means increasing the number of cybersecurity professionals in the EU. There is already a severe lack of cybersecurity professionals to meet the current demand, and with the demand set to increase exponentially in the coming years, a tangible strategy will need to be employed. The Council fails to outline how this will be achieved. Ensuring Secure and Resilient Infrastructure: The need for secure and resilient digital infrastructure across the EU is paramount. This includes enhancing cybersecurity measures and ensuring the reliability of digital services, but also reducing dependencies on external chip manufacturers and investing in chip-producing technologies and companies with the EU. International Dimension and Digital Partnerships: Strengthening digital partnerships and digital trade agreements is vital for the EU to play a proactive role globally in digital transformation and governance. The Council calls for a coordinated approach to enhance the EU’s influence in international digital policy​​. Using its influence to promote a rights-based approach to digital policy globally will help facilitate these partnerships without compromising the EU’s stated values. Challenges and Opportunities Implementing these digital regulations presents both challenges and opportunities. The complexity of harmonizing regulations across Member States, ensuring compliance, and adapting to rapid technological changes are significant hurdles. However, successful implementation can further strengthen the position of the EU as a global leader in digital innovation, providing a robust framework that other regions may follow. By prioritizing effective implementation, the EU hopes to ensure that its digital policies not only foster economic growth but also uphold the values of democracy, human rights, and sustainability, ultimately benefiting all its citizens. The EU’s digital strategy aims to create a digital environment that fosters innovation, protects citizens’ rights, and ensures economic security. As the EU navigates the next legislative cycle, the focus on implementing these digital regulations will be crucial in achieving these goals and driving forward the digital transformation agenda. The Belgian Presidency has made clear its ambitions and focus on implementing the digital transition. However, with Hungary next in line for the Presidency, it is unclear what the focus will be under their stewardship and whether digital transformation will still be a priority.

EU agrees on AI Act and sets the first rules for AI in the world