On 20 January 2026, the European Commission published a proposal for a Regulation to update and replace the Cybersecurity Act (Regulation 2019/881). The proposal—known as the Cybersecurity Act 2 (CSA2)—forms part of a wider package aimed at modernizing and streamlining the EU’s cybersecurity framework and is closely linked to the Commission’s parallel proposal to amend Directive (EU) 2022/2555 (NIS2). We cover that proposal in a separate blog post.

CSA2 covers two main areas that will be relevant to private companies. First, it would introduce the EU’s first horizontal framework for ICT supply chain security—this is an entirely new addition that is not contained in the Cybersecurity Act, and could have significant implications for organizations in sectors that procure components from providers located in high-risk jurisdictions (e.g., telecoms). Second, it would update and expand the existing framework for cybersecurity certifications (the European Cybersecurity Certification Framework, or ECCF). In addition, it would significantly expand the role of the EU cybersecurity agency, ENISA.

Below, we summarize the main elements of the proposal.

1.  New EU‑Level Framework for ICT Supply Chain Security

CSA2 would introduce a horizontal framework addressing “non‑technical” risks in ICT supply chains across NIS2 sectors—a first in EU law. The framework would:

  • Require the Commission to Identify “Key ICT Assets”. Based on coordinated Union‑level or Commission‑initiated risk assessments, the Commission may adopt implementing acts identifying “key ICT assets” used by essential and important entities under NIS2—a full list of the sectors in which such entities may operate is set out in our prior post here. An ICT asset may be designated as “key” in the following cases:
    • where it performs essential or sensitive functions,
    • where incidents exploiting it could cause serious ICT‑supply‑chain disruption or data exfiltration,
    • where supplier concentration creates dependency risks, and
    • in light of the results of EU‑level risk assessments.
  • Permit the Commission to Designate High‑Risk Suppliers. Where a third country appears to pose non‑technical risks to the ICT supply chain that are both serious and structural, the Commission may designate that country and any entities it controls as high‑risk suppliers. Examples of such risks include laws or practices requiring early reporting of software or hardware vulnerabilities to that country’s authorities, the absence of effective judicial or democratic oversight, or credible indications of malicious cyber activity originating from actors operating from that country. High‑risk suppliers will be subject to Union‑wide restrictions, including exclusion from European standardization work, EU cybersecurity certification and conformity‑assessment functions, authorized attestation activities, and participation in public procurement or Union‑funded programs involving ICT components for key ICT assets.
  • Empower the Commission to Impose Prohibitions and Mitigation Measures. The Commission may adopt implementing acts:
    • Prohibiting specific types of NIS2 entities from using, installing or integrating ICT components from high‑risk suppliers in key ICT assets; and
    • Requiring such entities to apply targeted ICT‑supply‑chain mitigation measures, including supplier‑transparency obligations, restrictions on transfers or remote processing from third countries, third‑party‑audited technical safeguards, limits on outsourcing or supplier contracting, requirements for personnel vetting by national authorities, or diversification of supply.
  • Stricter rules for electronic communications networks. Mobile, fixed and satellite electronic communications networks are subject to a separate, more prescriptive regime: key ICT assets are pre‑defined in Annex II, and ICT components from high‑risk suppliers must be phased out. For mobile networks, the phase‑out period may not exceed 36 months from publication of the high‑risk suppliers list; for fixed and satellite networks, timelines will be set by Commission implementing acts. Providers of these networks are also prohibited from using, installing or integrating any such components in the operation of key ICT assets.
  • Jurisdiction to ensure compliance with this regime is allocated in the same way as jurisdiction under NIS2. Specifically, most covered entities are supervised by the Member State where they are established. For certain cross‑border digital service providers (such as cloud, DNS, data centres, CDNs, online marketplaces, search engines, social networks, managed service and managed security service providers), the authority in the Member State where an entity has its “main establishment” in the EU is competent. Non‑EU providers offering services in the Union must appoint an EU representative in a Member State where services are offered; as a rule, jurisdiction attaches to the Member State of that representative, except for electronic communications providers, for which jurisdiction attaches to the Member State(s) where services are provided. If no representative is designated, any Member State where services are provided may take legal action.

Infringements of the Commission’s prohibitions or mitigation measures can draw significant penalties, including fines of up to 7% of global annual turnover for the most serious violations.

2.  An Updated Cybersecurity Certification Framework

The proposed reforms to the ECCF in CSA2 include:

  • Broader Scope: Certification would continue to apply to ICT products, ICT services, ICT processes, and managed security services, and would now also extend—for the first time—to assessing an organization’s overall cybersecurity posture (i.e., its broader cybersecurity maturity and readiness).
  • Streamlined Scheme Development: ENISA would prepare certification schemes based on Commission requests, with clearer deadlines, and more organized stakeholder involvement. It also introduces a formal mechanism to keep certification schemes up to date, including mandatory maintenance strategies, regular evaluations at least every four years, and the possibility for the Commission to revise or withdraw outdated schemes.
  • Regulatory Alignment: Certification could serve as a compliance tool under other Union laws, enabling a presumption of conformity in certain cases.
  • Technical Specifications: CSA2 creates a dedicated process for ENISA to draft the technical specifications that underpin certification schemes and introduces rules on how these specifications are published—or restricted—when they contain sensitive security information.

The proposal also limits Member States’ ability to add national certification requirements where a topic has been addressed by an EU certification scheme.

3.  Clarifying ENISA’s Role and Strengthening EU‑Level Capacity

The proposal would significantly expand ENISA’s role in improving cyber resilience. ENISA would have the power to provide targeted technical guidance to Member States and the Commission covering cybersecurity risk‑management, maturity assessments, incident‑response playbooks, and secure‑by‑design principles for digital products. It would also help carry out EU‑level coordinated security risk assessments of the supply chains of specific critical ICT services, ICT systems or ICT products, support the development of cybersecurity sandboxes, issue early alerts of major or cross‑border cyber threats, and provide analysis on emerging risks, including those related to products regulated under the EU’s cybersecurity framework. ENISA would further maintain the European Vulnerability Database established under Art. 12 NIS2—the EU’s central database of publicly reported software and hardware vulnerabilities.

In parallel, ENISA would take on several new operational functions. It would operate the EU Cybersecurity Reserve, an EU‑level pool of incident‑response providers established under the Cyber Solidarity Act that can be deployed to support Member States during major or large‑scale cyber incidents. ENISA would also support and coordinate responses at the request of the EU‑CyCLONe—the European Cyber Crisis Liaison Organisation Network, which brings together national authorities to manage cross‑border cyber crises. In addition, ENISA would help essential and important entities to respond to ransomware incidents through a dedicated helpdesk, run key Union‑level reporting platforms (including the single cybersecurity reporting platform introduced by the Digital Omnibus Package), support conformity‑assessment processes, contribute to European and international standardization work, and develop EU‑wide cybersecurity skills attestation schemes.

Next Steps

The proposal will now proceed through the ordinary legislative procedure, with negotiations in the European Parliament and Council expected throughout 2026. Once adopted, the Regulation will apply immediately and directly in all Member States. For the new trusted ICT supply‑chain rules, the Commission’s implementing acts will set sector‑specific transition periods (e.g., for phasing out components from high‑risk suppliers).

*              *              *

Covington’s Privacy and Cybersecurity team will continue to monitor legislative developments, including trilogue negotiations and implementing acts. If you would like support assessing how these changes may affect your organization—particularly in relation to NIS2 compliance strategies, ICT supply chain risk management, or upcoming certification obligations—please let us know.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” has “great insight into the regulators;” and “is technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 20 years of experience, Mark specializes in:

  • Providing practical guidance and advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services.
  • Handling complex regulatory investigations and enforcement actions involving data privacy regulators in the UK, EU and globally, and advising on follow-on litigation risk.
  • Helping clients respond to cybersecurity incidents, including ransomware, supply chain incidents, state-sponsored attacks, insider threats, personal data breaches, and IP and trade secret theft.
  • Advising various clients on the EU NIS2 Directive, Cyber Resilience Act (CRA), and other emerging EU, UK, and global cybersecurity laws and regulations.
  • Advising life sciences companies on industry-specific data privacy issues, including clinical trials, pharmacovigilance, and digital health products and services.
  • Advising on data privacy compliance in relation to employees and international transfers of data in connection with white collar investigations.
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues relating to data privacy, cybersecurity, eIDs, and software.
  • Representing clients in connection with references to the Court of Justice of the EU.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly changing rules, such as the GDPR and cross-border data transfer rules; and regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

David Brazil

David Brazil is an associate in the Data Privacy and Cybersecurity Practice Group. He advises clients on emerging European regulations related to technology, consumer protection and cybersecurity law (such as the Digital Services Act, AI Act, DORA, Cyber Resilience Act and NIS-2). David has experience advising clients on their general compliance with these rules, as well as in the context of regulatory investigations for alleged non-compliance. He has experience advising companies in various sectors, including online retail, financial services and software and cloud service providers.

Anna Sophia Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is special counsel in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate as a “corporate data protection officer” from the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional Europe (CIPPE/EU) with the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.