Your Guide to the Proposal for the Cybersecurity Act 2: security of ICT supply chains (16 February 2026)

On 20 January 2026, the European Commission published a Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security and repealing Regulation (EU) 2019/881 (“The Cybersecurity Act 2”).
The Cybersecurity Act 2 covers three key areas: 1) rules and organisational matters relating to ENISA; 2) the creation of European cybersecurity certification schemes to ensure an adequate cybersecurity level for ICT products, ICT services, ICT processes, managed security services and the cybersecurity posture of EU entities; and 3) rules relating to a trusted ICT supply chain framework.
This Guide focuses on the trusted ICT supply chain framework and its potential impact on businesses. All references to Articles below refer to the Cybersecurity Act 2 unless stated otherwise. As this is only a proposal, the final obligations may differ.
Trusted ICT supply chain framework
The trusted ICT supply chain framework will offer a security mechanism at the EU level to tackle non-technical risks in sectors of high criticality and other critical sectors as referred to in Annex I and Annex II to the Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”). Non-technical risks are defined as the “likelihood of the supplier being subject to influence by a third country with the potential to cause loss or disruption of the service provided or to compromise the product manufactured by an entity or to lead to exfiltration of data, including for the purposes of espionage or revenue generation”. (Article 2(42))
The framework aims to protect critical sectors from third-country influence by identifying key ICT assets in critical ICT supply chains and imposing mitigation measures where necessary.
Security risk assessments
The European Commission or a group of three or more EU Member States may request the NIS Cooperation Group to conduct an EU coordinated security risk assessment. In the event of a significant cyber threat, the European Commission may itself conduct a security risk assessment after consulting the EU Member States. (Articles 99(1) and 99(3)) The security risk assessment will encompass the proposed identification of key ICT assets, the main threat actors, and the risks and vulnerabilities affecting such assets. It will also formulate risk scenarios and suggest mitigation measures. (Articles 99(1) and 99(3)(b))
Identification of key ICT assets
Where security risk assessments identify significant cybersecurity risks in relation to an ICT supply chain, the European Commission may adopt implementing acts identifying key ICT assets used by sectors of high criticality and other critical sectors under the NIS2 Directive to manufacture products or provide services (Article 102).
Mitigation measures in the ICT supply chain
The European Commission may adopt implementing acts prohibiting certain types of entities in sectors of high criticality and other critical sectors from using, installing or integrating ICT components from high-risk suppliers in key ICT assets. (Article 103) A similar prohibition exists for providers of mobile, fixed and satellite electronic communications networks. (Article 111(1))
The European Commission may oblige certain entities in sectors of high criticality and other critical sectors to implement mitigating measures in their ICT supply chain, especially in relation to key ICT assets. These may include transparency requirements, prohibitions on the transfer of data to third countries, audits, restrictions on contractual relations and diversification of ICT component supply. (Article 103(2))
Identification of high-risk suppliers and consequences of the listing
The European Commission will establish lists of high-risk suppliers that could be subject to the mitigation measures described above. In assessing suppliers, the European Commission will investigate the place of establishment as well as the ownership and control structure. (Article 104(4))
Listing may result in, amongst others, exclusion from EU public procurement procedures and EU funding programmes.
Designation of third countries posing cybersecurity concerns
The European Commission may designate third countries posing cybersecurity concerns to ICT supply chains. In doing so, it will take into account, amongst others: (i) laws and practices in such a third country that require entities in its jurisdiction to inform the authorities of software or hardware vulnerabilities before such vulnerabilities are known to have been exploited; and (ii) substantiated information concerning incidents involving threat actors controlled from, or conducting their operations from, that third country to carry out malicious cyber activities. (Articles 100(1) and 100(2))
Entities established in, or controlled by entities from, a designated third country may request an exemption from the prohibitions imposed on entities in sectors of high criticality and other critical sectors on the use, installation or integration of their ICT components in key ICT assets, and from the prohibition on participation in public procurement procedures. (Article 105(1))
Penalties
Violation of the prohibition on using, installing or integrating ICT components from high-risk suppliers could result in a fine of up to 7% of the total worldwide annual turnover in the preceding financial year. Violation of mitigation measures could result in a fine of up to 1-2% of the total worldwide annual turnover in the preceding financial year, depending on the measure concerned.
How it may impact businesses
Companies operating in sectors of high criticality and other critical sectors may face disruption in their ICT supply chain and increased costs if suppliers are listed as high-risk and/or the sourcing countries are designated, particularly where alternative ICT components are limited. In some cases, product or service redesign may be required.
Subject to the final text, companies should consider mapping in-scope suppliers, reviewing contractual arrangements, and assessing data transfer and remote data processing practices to prepare mitigation strategies and compliance processes.
ICT component suppliers from third countries may face restrictions on access to the EU market if listed as high-risk. Although a right to be heard and an exemption procedure exist, the process may be time-consuming.
The operational implications are likely to follow three main lines:
- Supplier risk exposure: companies active in critical sectors will need to factor jurisdictional and ownership risk into vendor selection and supply-chain design.
- Compliance integration: ICT due diligence will extend beyond technical assurance and certification into governance, legal-environment and control-structure assessments.
- Supervisory enforcement: mitigation obligations adopted through implementing acts will feed into national oversight, with associated compliance and liability consequences (likely to lead to enforcement divergence).
In this sense, the trusted ICT supply chain framework illustrates how EU cybersecurity regulation is becoming structurally intertwined with questions of resilience, strategic autonomy and security of supply, a trajectory that is likely to shape both legislative negotiations and downstream compliance practice.
Next steps in the legislative process and indicative adoption timing
The Cybersecurity Act 2 is in the ordinary legislative procedure. As of early February 2026, the file has formally entered the Parliament’s preparatory phase, with technical examination ongoing in the Council. Adoption is currently expected in late 2026 or in 2027.
Trusted ICT supply chain framework – positioning within the Cybersecurity Act 2
The trusted ICT supply chain framework introduced in the Cybersecurity Act 2 adds a distinctly geopolitical and security-policy layer to EU cybersecurity law. Whilst the original Cybersecurity Act focused primarily on technical assurance and certification, the revision moves into risk governance linked to third-country exposure, supplier influence and systemic dependency in critical sectors.
From a legal-policy perspective, the framework reflects a wider evolution in EU digital legislation: cybersecurity risk is no longer treated solely as a technical or resilience question, but increasingly as a matter of economic security and systemic dependency management.
The developing regime around high-risk supplier identification is particularly illustrative of this shift. Whilst the detailed listing mechanics and consequences are still being shaped legislatively, the EU’s approach makes clear that participation in sensitive ICT ecosystems may become contingent on security, governance and jurisdictional risk considerations, not only on technical performance or certification status.
More broadly, the framework signals that EU cybersecurity law is moving closer to the EU’s wider economic security agenda. Legislative instruments are increasingly designed to manage exposure to external influence, strategic dependencies and systemic vulnerabilities across critical sectors.
For information on how the Cybersecurity Act 2 could impact your business or economic operators in your country, please contact Yapa Thepkanjana at yapa.thepkanjana@acquislp.eu and Patrick Mascott at patrick.mascott@acquislp.eu.