On January 20, 2026, the European Commission published a proposal for a new Regulation, the "Cybersecurity Act 2" (CSA2), intended to replace the 2019 Cybersecurity Act (Regulation (EU) 2019/881). The proposal is a cornerstone of the EU's strategy to secure its Digital Single Market against increasingly sophisticated state-sponsored threats. The CSA2 introduces a Union-wide legal framework for ICT supply chain security and ties it directly to the obligations that essential and important entities already carry under the NIS2 Directive (Directive (EU) 2022/2555).
A critical innovation of the CSA2 is the mandatory assessment of "non-technical risks" in the supply chain. Whereas earlier rules focused on technical vulnerabilities (software bugs, weak cryptography), the new law requires entities to evaluate the geopolitical profile of their suppliers, including the likelihood that a supplier is subject to interference by a foreign government (for example through ownership, control or legal obligations in its home jurisdiction). This provision empowers EU authorities to restrict or ban the use of components from "high-risk" vendors in critical infrastructure sectors such as telecommunications, energy and transport on national security grounds.
The CSA2 also proposes a major overhaul of the European Cybersecurity Certification Framework (ECCF). The existing system was criticized for its slow pace and fragmentation. The new regulation aims to streamline the process by empowering the European Commission to identify and designate "Key ICT Assets." These critical technologies will be subject to mandatory security certifications. Additionally, the proposal enhances the powers of ENISA, the EU's cybersecurity agency, allowing it to proactively develop certification schemes and manage vulnerability disclosures. The regulation also introduces a mechanism for the automatic recognition of cybersecurity certificates across all Member States, reducing regulatory friction for compliant businesses while raising the barrier to entry for non-secure vendors.
Source: Covington