On 20 January 2026, the European Commission published a proposal to revise the Cybersecurity Act (COM(2026) 11 final; "draft CSA2"). In addition to generally strengthening the European legal framework for cybersecurity certification and granting new operational powers to the EU Agency for Cybersecurity (ENISA), the proposal addresses a sensitive issue by introducing security provisions in the ICT supply chain.
These new provisions focus on "non-technical" risks – meaning risks that stem not (or at least not solely) from vulnerabilities in the code or hardware, but rather from dependencies, points of influence and systemic risks within ICT supply chains. One explicit objective of the supply chain provisions is to mitigate the risks associated with undesirable dependencies within the supply chain for critical technologies. To this end, various restrictions are envisaged in relation to companies from third countries that pose cybersecurity concerns in the European Commission’s view – ranging, for example, from excluding them from certification mechanisms to banning their products from being procured or used.
The draft CSA2 is the result of years of growing debate and has so far played out primarily in the context of 5G
In response to concerns about state interference, several Member States have taken initial measures to restrict the use of components from foreign manufacturers.
At EU level, this debate has been addressed through "soft law", specifically the non-binding Commission Recommendation 2019/534 ("Cybersecurity of 5G networks"), which was also referred to in the context of the coordinated risk assessment regarding the security of critical supply chains in the NIS2 Directive (see recital 91). In a 2023 communication (C(2023) 4049 final), the European Commission explicitly endorsed the concerns regarding Huawei and ZTE and urged hesitant Member States to take action. The proposed granting of far-reaching powers of intervention to the European Commission now represents a bold step towards such harmonisation efforts at European level.
Draft CSA2: EU tightens cybersecurity rules for high-risk suppliers and 5G components
As cautious as regulations at European level were initially, they are now set to be implemented with great urgency. Specifically, Article 100 draft CSA2 grants the European Commission the power to designate third countries that pose cybersecurity concerns. This classification is based principally on a set of non-technical criteria (e.g. laws or practices regarding advance reporting of vulnerabilities; lack of legal remedies; state-tolerated or state-supported activities by threat actors). Manufacturers of ICT components with links to these countries – including links where they are subject to oversight by companies or nationals based there – are generally to be designated as high-risk suppliers by means of an implementing act (see Article 2 no. 39, Article 104 draft CSA2).
Article 105 draft CSA2 does provide for an exception, but the threshold for asserting this exception is likely to be difficult to meet: The supplier must provide clear evidence that effective actions are being taken to eliminate non-technical risks and ensure that the third country cannot exert undue influence.
Being designated as a high-risk supplier then triggers certain statutory exclusions (e.g. regarding the granting of an EU cybersecurity certificate; a ban on the use of components from such suppliers in certified "key assets") or empowers the European Commission to impose bans on use through implementing acts.
For electronic communications networks, the situation is even more concrete and immediate: Components from high-risk suppliers are even to be phased out of the key functions specified in Annex II to the draft CSA2 (e.g. from the core network in 5G networks); for mobile electronic communications networks, this is to be done within a maximum of 36 months of the publication of the relevant list. There is to be an explicit ban on their use and integration by providers of mobile, fixed and satellite networks. In practical terms, this amounts to exclusion from the market for defined product categories or components in the critical sectors concerned.
A global political perspective on cybersecurity
The shift from technical criteria – which were ultimately underrepresented in the proposal – towards non-technical criteria marks a move towards a geopolitical understanding of cybersecurity. This puts the proposal in line with recent efforts to ensure the EU’s "economic security".
To date, these considerations have played a minor role in European regulation. Rather, under the division of responsibilities between the European Union and the Member States as practised to date, it has overwhelmingly been the Member States that were responsible for restricting the EU’s characteristic open market through (national) security reservations. This is illustrated, for example, by a request from Estonia for a preliminary ruling currently pending before the CJEU (case C-354/24). The request relates to proceedings in which a network operator is taking legal action against a restriction on the use of Huawei components in the 5G network adopted on the grounds of national security and is invoking the EU legal assurances set out in the European Electronic Communications Code (Directive 2018/1972) and the EU Charter of Fundamental Rights (more on this shortly).
Likewise, in the field of commercial policy, reservations to mitigate risks associated with third countries have so far been made primarily at national level and as exceptions to, rather than in contradiction of, the EU’s principle of an open market – for example in the context of oversight of foreign direct investment, where the general openness to direct investment is limited by the need to safeguard public safety and order. The relevant FDI Regulation (see Article 4 (2) Regulation 2019/452) lists criteria such as oversight over the potential investor by the government of a third country. The power to implement these standards generally lies with the Member States; the CJEU has traditionally emphasised a restrictive approach to safeguard the fundamental principle of market openness. Although the current efforts towards greater harmonisation in this area (COM(2024) 23 final) aim to introduce mandatory investment controls, they do not affect the underlying mechanism or national powers.
The draft CSA2 significantly shifts the balance here. It explicitly links cybersecurity with geopolitical security and, to this end, establishes a set of instruments that effectively extend into areas which, in practice, fall within the remit of national security (core telecommunications networks, critical sectors, key components) and, as such, are the responsibility of the Member States.
Questions of competence between cybersecurity and geopolitics
The move towards taking into account geopolitical risks in cybersecurity regulation raises complex competence issues. Under the principle of limited individual authorisation, the European Union’s legislative power requires an explicit legal basis.
Traditionally, (technical) cybersecurity regulations, as internal harmonisation measures, are based on the harmonisation powers set out in Article 114 TFEU. According to CJEU case law, these apply where existing differences between Member States are capable in more than just the abstract of affecting fundamental freedoms and thus have a direct impact on the functioning of the internal market or lead to significant distortions of competition. By contrast, the European Union’s external powers are primarily concentrated in the field of commercial policy (in particular in Article 207 (2) TFEU). The EU’s foreign and security policy is generally governed by the Common Foreign and Security Policy of the European Union (CFSP), which provides for a high degree of institutional involvement of the Member States – namely by generally requiring decisions to be made unanimously, see Article 31 (1) TFEU – and excludes ordinary legislative acts (Article 24 (1) TFEU). According to CJEU case law, the main purpose of a measure is generally the decisive factor in determining how competence is divided. In addition to this (horizontal) division of competence within the EU, the area of national security ultimately serves to limit competence in the (vertical) relationship between the EU and the Member States (see Article 4 (2), sentence 3, TFEU).
The draft CSA2 is clearly caught in a legal dilemma regarding competence, which it attempts to resolve unilaterally solely by citing Article 114 TFEU. On this topic, the draft says the following:
In the area of the cybersecurity of ICT supply chain security, the fragmentation of national frameworks addressing non-technical risk factors brings negative effects to the functioning of the internal market as the divergence in national approaches might ultimately lead to higher vulnerability of some Member States, with potential spill-over effects across the Union, impacting overall resilience and also trustworthiness.
This extremely vague justification of the link to the single market illustrates the European Commission’s seemingly uncertain attempt to internalise external (geopolitical) risks. The fact that the focus is overwhelmingly on external geopolitical risks at present is reflected in the assessment relating to third countries under Article 100 draft CSA2, as well as in the weak link to specific vulnerabilities and their impact on the internal market, which arises from the imbalance between the rule and the exception in the relationship between third-country exposure and manufacturer risk. Under the draft CSA2, the focus on third countries is even more pronounced than in instruments explicitly designed for foreign trade, such as the current proposal for a reform of the FDI Regulation, in which the criteria for assessing a threat to public security and order are linked to the investor (see Article 13 (2) of the Commission’s proposal). Ultimately, this can be attributed to the geopolitical approach underpinning these new regulations – although this is not the primary focus of Article 114 TFEU, which requires a primary link to the internal market.
It is also telling that, as part of the current revision of the FDI Regulation – which is based primarily on Article 207 (2) TFEU and, to a lesser extent, on Article 114 TFEU – the European Commission appears to justify this inclusion on the one hand by citing the need to combat fragmentation of the legal framework for the benefit of foreign direct investment. On the other hand, Article 114 TFEU is cited here to better address circumvention scenarios within the internal market, with security considerations also coming into play. Under the draft CSA2, however, the closure of a market is to be justified on the basis of a provision that favours the market. On top of this there is the conflict of competence with the area of national security mentioned above. In principle, the proposed legal framework is not supposed to affect the Member States’ competence in matters of national security (see Article 1 (4) draft CSA2). Nevertheless, it remains unclear how competences can be meaningfully delineated in individual cases, given that even the availability – and hence the non-prohibition – of components can constitute an aspect of national security. This risks creating an opaque and, in some cases, redundant regulatory framework. Admittedly, not all areas of application covered by the draft CSA2 are likely to be relevant to national security, particularly as the CJEU tends to interpret the term narrowly and the scope of the supply chains potentially affected is broad. However, the key point is that the material basis for justifying non-technical risks posed by third countries has a structural security dimension, since the criteria used to identify high-risk third countries boil down to classifying such states as aggressors, participants or at the very least as unable to prevent such actions.
The danger of losing objective criteria
The level of abstraction in justifying competence is an indication of the shift from technical to non-technical assessment criteria and also raises a crucial issue: the erosion of criteria that can be assessed on technical and objective grounds and that are therefore predictable. The draft risks replacing or undermining the technically obvious objective approach of "component safety" with a blanket concept of "country safety". At the same time, the institutional guarantees that come with integration in political procedures (namely the requirement for unanimity in the CFSP) are to be dispensed with. This problem of competence therefore comes with a question of substantive legitimacy, which tends to be exacerbated by the European Commission’s authority to determine matters through implementing regulations.
The broadly anecdotal attempt in the proposal to render the basis for information objective by citing "independent sources" (Art. 100 (1) (b) draft CSA2) – or at least to make it transparent by citing examples of public sources – highlights the dilemma. It also reveals a fundamental structural problem with the Commission’s remit: National decisions regarding high-risk providers are often based on classified intelligence held by security agencies at national level, which is only available to a limited extent at EU level. However, based on publicly available information, risks can also be assessed by private entities that are routinely required to ensure security – for example, under the NIS2 Directive or national implementing legislation; in some such cases, a reduction in dependencies on specific providers may also be required (see no. 5.1.2. d) of the Annex to the NIS2 Implementing Regulation 2024/2690). Incidentally, a framework to this effect was recently made available to these entities in the form of the EU ICT Supply Chain Security Toolbox developed by the NIS Cooperation Group. The pressure to justify regulatory measures, which is substantially influenced by geopolitical tensions, is also likely to make it more difficult to strike the right balance on issues of proportionality and legal protection. In particular, network operators in the telecommunications sector that are explicitly affected have complained that the estimated costs are unrealistic. The core problem, however, remains that regulatory objectives such as economic sovereignty are difficult to quantify and can therefore only be loosely aligned with the specific individual interests of those directly affected (such as telecommunications providers). In any case, these aspects are likely to be better addressed in areas of foreign and security policy that are more directly relevant.
Outlook: A paradigm shift in the field of cybersecurity?
With this initiative, the European Commission has presented a paradigm shift in the field of cybersecurity and has now opened it up for initial discussions at European level. In doing so, it is making a contribution to the concept of digital sovereignty in cybersecurity regulations. The starting point here is market foreclosure, which stands in tension with the EU’s open-market approach and regulatory framework. The extent to which this fundamental change can be reflected in current legislation is yet to be discussed. The draft shifts highly sensitive geopolitical assessment decisions away from the Member States and foreign policy decision-making process towards an instrument of the internal market dominated by the Commission and using implementing acts.
In terms of procedure, the ball is now in the European Parliament's and European Council's court. The interplay between cybersecurity, geopolitics and in some cases commercial policy suggests that further developments in many different respects are likely on the cards. In any case, a lively debate on this topic is already emerging.
Until the final version is settled, companies with critical supply chains should keep a close eye on the ongoing CJEU proceedings – the judgment could serve as an indirect test case for the draft CSA2. For example, one of the questions referred for a preliminary ruling concerns whether a time-limited licence to use components that have already been lawfully installed can constitute deprivation of property within the meaning of Article 17 of the Charter of Fundamental Rights. This is particularly significant in the telecommunications sector, which is subject to potential obligations to expand. On 19 March 2026, Advocate-General Ćapeta’s opinion was published in these CJEU proceedings: In her opinion, the advocate-general makes it clear that a risk assessment concerning third countries or their suppliers must not be based on mere general suspicion. Rather, it is essential to assess the specific functionality, exact location and concrete significance that the hardware and software in question actually have for the provision of the communications service (opinion in case C-354/24, margin no. 110). A blanket exclusion that fails to take the actual network architecture into account is therefore insufficient. Furthermore, she considers that in the event of a disproportionate burden – even if the burden was necessary in principle – there may be a right to appropriate compensation (opinion in case C-354/24, margin no. 137).