
EU Cyber Regulation, Part II: The Soon-to-Be-Updated Cybersecurity Act Is Linked to Geopolitics


Authors: Maria Aholainen, Pauli Takki

CSA2 obliges companies to map their supply chains more thoroughly than before.

The European Commission’s new proposal for a Cybersecurity Act was published in January 2026. The original regulation, which entered into force in 2019, focused on the certification framework and the tasks of the EU Agency for Cybersecurity, ENISA. The newly published CSA2 proposal significantly expands this framework. For the first time, it creates a legal basis against which supply chain security is also assessed from a geopolitical perspective.

Other cyber regulation has focused on what a product or company does and whether the associated risks are under control. CSA2 looks more closely at who the supplier is — that is, whether the supplier can be trusted, taking into account its ownership structure, affiliations, and the third countries behind it, explains Maria Aholainen.

Supplier Risk Assessment and Management

CSA2 creates two mechanisms through which the Commission can intervene in supply chain risks. The first targets the state level. The Commission can determine that a particular country poses a serious and structural risk to the EU’s ICT supply chains and place it on a list of countries of concern. ICT suppliers with ties to such a country would then be classified as high-risk suppliers. The second mechanism is more targeted and enables restrictions to be imposed on the components of an individual operator without naming any country.

The effect of the mechanisms is similar. The use of components from high-risk suppliers can be prohibited for organisations within the scope of NIS2. Suppliers can also be excluded from European standardisation work, public procurement, and EU funding.

Components from High-Risk Suppliers Must Be Phased Out

The significance of the classification becomes concrete in how CSA2 addresses electronic communications networks. The proposal requires that mobile networks phase out components from high-risk suppliers within 36 months of the publication of the list of suppliers concerned. Three years may sound like a long transition period, but replacing critical network infrastructure is a demanding operation.

However, the effects also extend to other business sectors. If an organisation’s key supplier ends up on the high-risk supplier list and the use of its components is restricted, the consequences ripple widely — from procurement decisions to contractual terms and throughout the entire subcontracting chain. Structured mapping of supply chains, developing exit strategies and broadening the supplier base are tools worth deploying before any such lists are published.

The most significant practical impact of CSA2 is, in fact, that a more comprehensive mapping of supply chains becomes essential. Companies must be able to systematically identify their suppliers, their ownership structures, and any risk-prone dependencies on individual suppliers or their components. This requires documentation that many organisations do not yet carry out to a sufficient level.

Certification of Cybersecurity Posture as a Competitive Advantage

CSA2 is not solely restrictive, however. The reform of the European certification framework also creates new opportunities for companies. A particularly interesting change is the so-called cyber posture certification, which means that instead of certifying an individual product or process, an organisation can certify its overall cybersecurity posture.

In practice, this could accelerate procurement processes and create a presumption of compliance with NIS2 requirements. Certification formally remains voluntary, but its strategic significance is growing. A company that can demonstrate its cybersecurity posture through certification is in a stronger position with both customers and authorities.

New Supply Chain Management Requirements Are Also Emerging from Other Quarters

Supply chains have long been the subject of the Commission’s legislative proposals. Transparency and risk assessment obligations for supply chains can also be found in sustainability and data regulation, among other areas. The GDPR has long required that data requirements extend to the supply chain, and the Ecodesign Regulation adopted in the EU will require more transparent information from companies about their products’ supply chains and environmental impacts.

Perhaps the most important strategic conclusion from the entire regulatory development is that supply chain management should be built as a unified whole that transcends individual regulatory frameworks, says Pauli Takki.

As a regulation, CSA2 will be directly applicable once adopted. The proposal proceeds through the ordinary legislative procedure, with a political agreement targeted by early 2027. However, companies should not delay their readiness assessments until then.

Contacts

  • Maria Aholainen
    Specialist Partner
    maria.aholainen@hannessnellman.com
    +358 40 7755 010
  • Pauli Takki
    Associate
    pauli.takki@hannessnellman.com
    +358 40 085 6622