Building on shaky foundations: a legal critique of the supply-chain regime in the proposed Cybersecurity Act 2
When cybersecurity becomes a constitutional question
The proposed Cybersecurity Act 2 (CSA2) is not simply a technical update to its predecessor. Where the original Cybersecurity Act of 2019 (CSA1) focused principally on establishing the European Union Agency for Cybersecurity (ENISA) and creating a voluntary EU-wide cybersecurity certification framework, CSA2 goes considerably further. The proposal introduces a new and highly consequential regime: a binding ICT supply-chain security framework that empowers the European Commission to designate so-called “third countries posing cybersecurity concerns”, classify suppliers as “high-risk”, and impose mitigation measures ranging from enhanced scrutiny through to outright prohibition on the use, installation, and integration of components from designated suppliers by operators across all critical sectors covered by NIS2.
The contrast with CSA1 is stark. CSA1 was, at its core, an internal market harmonisation instrument: it reduced fragmentation in certification by creating common EU-level schemes, and it consolidated ENISA’s mandate. CSA2 retains those pillars — ENISA reform, an updated European Cybersecurity Certification Framework (ECCF), and streamlining connected to NIS2 — but adds a fourth and materially distinct pillar: a geopolitically inflected supply-chain regime housed principally in Title IV of the proposal. The practical consequences of that addition are significant: operators of critical infrastructure may be compelled to phase out equipment from designated suppliers, and Member States will be required, as a matter of EU law, to honour those exclusions in their own procurement decisions and to restrict how national funding is deployed.
The legal issue examined in this article is not whether cybersecurity matters. It plainly does. Nor is it whether the EU may legitimately act to strengthen the resilience of critical networks. It may. The question is whether the EU has chosen a constitutionally lawful route for doing so under Article 114 TFEU — the internal market legal basis — and whether Title IV in particular can survive scrutiny under the principles of conferral, subsidiarity, proportionality, and the rule of law. This article argues that it cannot, at least not in its current form, and that the controversy is deepened by the fact that CSA2 appears to harden into binding legislation the logic of the earlier, non-binding 5G Toolbox, without first resolving the underlying competence problem that the Toolbox deliberately sidestepped.
Mapping CSA2: four pillars, but not all equally defensible
CSA2 rests on four legislative pillars. The first reinforces ENISA’s institutional mandate and resources. The second updates the ECCF, expanding the scope and enforceability of cybersecurity certification schemes. The third streamlines obligations connected to the NIS2 Directive, reducing duplication and administrative burden for operators. These three pillars are, broadly, a continuation of CSA1’s internal market logic. They address genuine fragmentation: divergent national certification requirements, inconsistent implementation of NIS2 across Member States, and gaps in ENISA’s coordination capacity. If CSA2 consisted only of these elements, its Article 114 TFEU legal basis would be far less contentious.
The fourth pillar is different in kind. Title IV establishes a framework for identifying “key ICT assets,” assessing suppliers and countries against non-technical risk criteria, and imposing cascading obligations — enhanced scrutiny, mitigation requirements, procurement exclusions, and phase-out obligations — on the basis of Commission implementing acts. The criteria for a “third country posing cybersecurity concerns” designation are expressly geopolitical: they include the legal and institutional framework of the third country, the degree of state control over economic actors, the country’s record of state-sponsored malicious cyber activity, and its willingness to cooperate with the EU and its Member States.
It is important to be precise about the constitutional significance of this distinction. CSA1 carried an uncontroversial Article 114 pedigree because it harmonised market-access conditions through technical standards and certification requirements. CSA2’s Title IV does something different: it subjects third-country governments and their domestic legal orders to a structured EU assessment process, and then imposes binding market consequences on the basis of that assessment. The fact that CSA1 is the legal predecessor of CSA2 does not automatically transfer the Article 114 legitimacy of the former to the latter. The question must be asked afresh for Title IV, and when it is, the answers are troubling.
A strained legal basis: why Article 114 TFEU does not comfortably cover Title IV
Article 114 TFEU authorises the adoption of measures for the approximation of laws which have as their object the establishment or functioning of the internal market. The Court of Justice of the EU has consistently held that this basis requires a genuine internal market objective: it is not sufficient that a measure incidentally affects the internal market, or that diverging national rules create an abstract risk of market fragmentation. The measure must actually contribute to eliminating barriers to trade or preventing their emergence, and that contribution must be the predominant purpose of the instrument.
The defensible pillars of CSA2 satisfy this test. Harmonised certification reduces divergent national requirements that fragment the market for ICT products and services. ENISA reform supports the coordination infrastructure that underpins those harmonised standards. Title IV does not fit within this framework. When the Commission assesses whether a third country exercises undue influence over suppliers through its legal structure, its record of state involvement in cyber operations, or its willingness to cooperate with the EU, it is not primarily harmonising market conditions. It is making structured geopolitical determinations that trigger binding consequences for procurement, network operation, and investment. That is not the same exercise.
The point is reinforced when one considers the regulatory mechanics. Title IV empowers the Commission to designate countries, list suppliers, identify key assets, and impose mitigation measures — all through implementing acts. The substantive assessments driving those acts concern third-country governance quality, state-market relationships, and diplomatic posture. These are the instruments of foreign and security policy, not of internal market approximation. Once a regulatory regime begins to operate through country-risk determinations of a geopolitical character, it moves into territory that is structurally more analogous to a Common Foreign and Security Policy (CFSP) instrument or an external-security measure than to an ordinary market approximation directive. This article does not argue that CFSP is affirmatively the correct legal basis; but the observation that Title IV does not sit naturally within Article 114 is significant in itself.
There is a further dimension to this problem. The 5G Toolbox, adopted in 2020, addressed the same concerns — high-risk suppliers, country-level risk assessments — through a deliberately non-binding coordination mechanism. That choice was not accidental. It reflected political and legal sensitivity about whether the EU had the competence to impose binding supply-chain obligations of this kind. CSA2’s Title IV effectively legislates the Toolbox’s soft logic into hard law, without having resolved the underlying competence question. The transformation from political recommendation to binding implementing act does not cure the constitutional difficulty; it merely makes it more acute.
National security sovereignty and the limits of conferral
Article 4(2) TEU provides that national security remains the sole responsibility of each Member State. This is one of the clearest express reservations in the Treaties, and it reflects the political sensitivity — recognised by both the Court of Justice and the drafters of the Treaties — of EU institutions encroaching on core state prerogatives in defence and security matters. The principle of conferral, enshrined in Article 5(1) TEU, reinforces the point: the EU acts only within the limits of the competences conferred upon it by the Member States in the Treaties.
Title IV creates difficulties on both fronts. On the one hand, it fixes binding consequences for national procurement decisions, funding eligibility, and network operation on the basis of country-risk and supplier-risk judgments that are, in substance, national security assessments. A requirement that an operator of critical infrastructure phase out equipment from a designated supplier — with potential enforcement consequences under EU law — is not a neutral technical specification. It is a security determination, made at EU level, that constrains how Member States and their operators may structure their networks. On the other hand, the subsidiarity principle cannot create competence that has not been conferred. Even if one accepted that some coordination in this area would be more efficient at EU level, that observation does not resolve the prior question of whether the Treaty has conferred the necessary competence.
The institutional dynamics compound the difficulty. Title IV replaces politically sensitive coordination between Member States — a process that, under the 5G Toolbox, allowed national authorities to apply their own security judgments within a shared framework — with binding Commission-led determinations. This shift is likely to provoke both institutional and potentially judicial resistance, precisely because it substitutes the political discretion of sovereign states with the administrative authority of the Commission in an area the Treaties expressly reserve to national competence.
At the same time, legal precision requires acknowledging that telecom-security measures are not categorically outside EU law. The recent opinion of the Advocate-General of the Court of Justice in the ‘Elisa Eesti’ case treated restrictions on telecom operators imposed on security grounds as reviewable under EU law and subject to proportionality standards. The question, therefore, is not whether the EU has any role in this space, but whether the specific model adopted by Title IV — binding country designations, supplier lists, and phase-out obligations through implementing acts — is consistent with what the Treaty permits. The answer, for the reasons developed in this article, is that it is not.
Proportionality in substance: risks of overreach in the supply-chain framework
Even if one were to accept, for argument’s sake, that Article 114 TFEU can accommodate Title IV, the proportionality objection remains and operates as a meaningful legal constraint. The proportionality principle requires that measures restricting rights or market freedoms be suitable, necessary, and proportionate in the strict sense. In the context of restrictions on network equipment suppliers, this means that the measure must be grounded in a genuine and sufficiently specific risk assessment.
The Elisa Eesti line of authority is instructive here. It makes clear that a restriction on a supplier cannot rest on generic concerns about a country’s legal environment or geopolitical alignment. The analysis must identify the specific use for which the equipment is intended, trace the projection of risk from the state level through to the manufacturer, and then from the manufacturer to the particular hardware or software at issue. Blanket designations, or designations that aggregate risk at the country or corporate level without this level of granularity, are vulnerable to challenge on this ground.
Title IV’s framework, in its current form, does not consistently meet this standard. It is important to note at the outset that Title IV’s reach extends well beyond the telecommunications industry: it applies across the full range of entities covered by NIS2, including energy, transport, health, water, digital infrastructure, financial market operators, manufacturing, food production and distribution, and other sectors. A regime that applies proportionality analysis uniformly across such a diverse set of sectors, each with its own risk profile, dependency structure, and supplier ecosystem, is inherently vulnerable to challenge on granularity grounds. Even within a single sector, the proposal draws a distinction between core and edge network functions, but the criteria for treating certain elements as “key ICT assets” — and therefore subject to the full force of the supply-chain regime — are not sufficiently differentiated. The difference in risk profile between core network software, radio access hardware, and ancillary management systems is significant, and a regime that treats them identically, or that fails to calibrate its obligations to genuine criticality, goes further than is necessary to achieve its stated objective.
The market-structure consequences of the proposed regime also bear on the proportionality analysis. The ICT supply chains that underpin NIS2-regulated sectors — from telecommunications and energy to transport and healthcare — are already characterised by a relatively limited number of specialised suppliers and long capital investment cycles. Exclusions imposed on the basis of country-risk designations risk making already concentrated markets even more so: removing one or more major suppliers from an eligible vendor pool does not automatically generate new entrants. It more plausibly entrenches the position of the remaining approved suppliers, to the detriment of competition, resilience, and ultimately the consumers and users who depend on those networks and services. A framework that, in the name of security, produces a less competitive and less resilient supply base is vulnerable on suitability grounds precisely because it may undermine the objective it claims to serve. These effects are not merely economic externalities: they are legally relevant to both the suitability and necessity limbs of the proportionality test.
A related and underappreciated dimension of the proportionality problem concerns what might be termed the regulatory chilling effect. Even before the Commission has formally designated a single country or listed a single supplier, the mere existence of Title IV’s framework is likely to alter purchasing behaviour across the many sectors covered by NIS2. Procurement officers, risk managers, and boards of NIS2-regulated entities — in telecommunications, energy, transport, finance, and beyond — will rationally seek to avoid the operational and reputational exposure of depending on equipment or software that may be blacklisted in the future. The practical result is that suppliers from countries perceived as potential candidates for designation face de facto exclusion from European markets well before any formal act is adopted. This pre-emptive market withdrawal is not a proportionate, calibrated response to a specific identified risk; it is an uncontrolled side-effect of regulatory uncertainty.
It is, therefore, significant that the proposal itself acknowledges that the Commission must assess lifecycle impact, economic and societal consequences, the availability of alternative suppliers, and the risk of disrupting cross-border activity before imposing mitigation measures. The existence of these criteria in the legislative text reflects an awareness of the proportionality problem; the question is whether the procedural safeguards built around those criteria are sufficient to ensure they are genuinely applied — and, crucially, whether they are applied early enough to prevent the chilling effects described above from hardening into permanent market distortions before any formal designation has been made.
Rule-of-law concerns: vague concepts, implementing acts, and the limits of executive power
Separate from the legal basis and proportionality arguments, Title IV raises significant rule-of-law concerns rooted in legal certainty and the requirements of meaningful judicial review. The operative concepts of the regime — “serious and structural non-technical risks,” “countries posing cybersecurity concerns,” and “high-risk suppliers” — are broad and imprecisely defined. Standing alone, that might be acceptable as a matter of legislative technique, if the framework provided robust procedural and substantive constraints on how those concepts are operationalised. Title IV does not do so to a sufficient degree.
The concern is compounded by the governance model. Title IV builds a cascading executive system: country designation, supplier listing, key-asset identification, mitigation measures, and prohibitions are all effectuated through Commission implementing acts. This creates a regulatory architecture in which the Commission exercises extensive discretionary judgment — including assessments of third-country governance, state-market relationships, and diplomatic conduct — through a mechanism that is, by design, shielded from the full legislative process. The European Parliament’s role is limited, and the substantive grounds on which a court could review a country designation or supplier listing are not clearly articulated in the proposal.
The duty to state reasons under Article 296 TFEU requires that the Commission identify, with sufficient precision, the factual and legal basis for each determination. Where the grounds of designation include assessments of a country’s legal order, its intelligence services’ conduct, or its diplomatic cooperation with the EU, those reasons will be difficult to articulate publicly without engaging sensitive intelligence and diplomatic considerations. The result is that affected parties — suppliers, operators, and potentially third-country governments — face legal effects of considerable severity without a practically effective avenue for judicial redress. This tension between executive efficiency and individual legal protection is not merely theoretical: it is precisely the kind of rule-of-law problem that the Court of Justice has, in other contexts, been willing to engage with seriously.
Conclusion: a narrower and constitutionally sustainable path
The EU has legitimate and pressing reasons to strengthen cybersecurity across its critical infrastructure. CSA2’s first three pillars — ENISA reform, ECCF development, and NIS2 streamlining — are a defensible and constitutionally coherent response to that imperative. They address genuine fragmentation and operate within the internal market harmonisation logic that Article 114 TFEU supports. This article does not challenge those elements.
Title IV is different in kind, and it is constitutionally vulnerable on several overlapping grounds. It uses Article 114 to transform a soft security coordination mechanism into a binding regime of country-risk and supplier-exclusion decisions. Those decisions are geopolitical in substance, weakly differentiated in their operational criteria, and heavily executive in their implementation model. They sit uncomfortably with Article 4(2) TEU’s reservation of national security to Member States, with the demands of genuine proportionality analysis, and with the rule-of-law requirements of legal certainty and effective judicial protection.
A constitutionally safer path exists. The EU could retain the binding technical harmonisation elements while returning the country-risk and supplier-designation functions to a strengthened, better-resourced, but non-binding coordination framework — one that supports Member States in making their own security determinations without substituting Commission implementing acts for national judgment.