EU's Cybersecurity Act 2 Proposes New Supply Chain Security Measures
Introduction
On January 20, 2026, the European Commission unveiled the Cybersecurity Act 2 (CSA2), a proposed regulation aimed at enhancing the European Union's cybersecurity framework. This proposal introduces significant measures to bolster supply chain security and reform existing certification processes, reflecting the EU's commitment to strengthening its digital infrastructure against emerging threats.
Key Provisions of the Cybersecurity Act 2
The CSA2 proposal encompasses several critical areas:
- ICT Supply Chain Security Framework: The Commission seeks to establish a horizontal framework to address risks associated with information and communication technology (ICT) supply chains. This includes the authority to designate third countries as posing serious cybersecurity risks and to classify suppliers from these countries as high-risk, potentially restricting the use of their components and certain data transfers. Source
- Enhanced Cybersecurity Certification Framework: The proposal aims to simplify the existing European Cybersecurity Certification Framework by clarifying its scope, streamlining governance, and setting a default 12-month timeline for developing certification schemes. Organizations would have the opportunity to obtain a "cyber posture certification," serving as evidence of compliance with the NIS2 Directive obligations. Source
- Individual Cybersecurity Skills Attestation: CSA2 proposes voluntary EU-level schemes for attesting individual cybersecurity skills, based on the European Cybersecurity Skills Framework (ECSF) role profiles, to be delivered by authorized attestation providers. Source
- Strengthening ENISA's Role: The European Union Agency for Cybersecurity (ENISA) would see its budget increased by over 75% and its responsibilities expanded to include early threat alerts, ransomware response support, and improved vulnerability management services. Source
Implications for Organizations
The proposed CSA2 regulation carries several implications for organizations operating within the EU:
- Supply Chain Scrutiny: Organizations will need to conduct thorough assessments of their supply chains to identify and mitigate risks associated with high-risk suppliers, especially those from designated third countries. This may involve diversifying suppliers and implementing stricter vetting processes.
- Certification Requirements: The introduction of a streamlined certification framework means organizations must stay abreast of new certification schemes and timelines to ensure compliance. Obtaining cyber posture certifications could become a standard requirement for demonstrating adherence to NIS2 obligations.
- Skills Attestation: The voluntary attestation schemes for individual cybersecurity skills may influence hiring practices and professional development, encouraging organizations to invest in staff certifications aligned with the ECSF role profiles.
- Enhanced Collaboration with ENISA: With ENISA's expanded role, organizations might experience increased engagement with the agency, particularly concerning threat intelligence sharing and incident response coordination.
Stakeholder Responses
Various stakeholders have responded to the CSA2 proposal:
- European Data Protection Authorities: The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have expressed support for strengthening the EU's cybersecurity framework while emphasizing the need to protect individuals' personal data. They highlight the interconnectedness of data protection and cybersecurity, advocating for measures that uphold fundamental rights and freedoms. Source
- Industry Associations: Organizations such as ISC2 have provided feedback on the CSA2 proposal, noting the importance of clear guidelines and the potential impact on existing compliance programs. They emphasize the need for alignment with international standards to facilitate smoother implementation. Source
Next Steps and Compliance Strategies
As the CSA2 proposal progresses through the legislative process, organizations should consider the following strategies to prepare for potential compliance requirements:
- Supply Chain Risk Management: Develop and implement comprehensive supply chain risk management policies that include due diligence processes for assessing supplier cybersecurity practices and contingency plans for mitigating risks associated with high-risk suppliers.
- Certification Preparedness: Monitor developments in the EU cybersecurity certification landscape to understand new requirements and timelines. Engage with certification bodies early to plan for obtaining necessary certifications.
- Workforce Development: Invest in training and development programs to align staff skills with the ECSF role profiles, ensuring readiness for potential attestation schemes and enhancing overall cybersecurity capabilities.
- Engagement with Regulatory Bodies: Establish channels for ongoing communication with ENISA and other relevant authorities to stay informed about emerging threats, regulatory updates, and best practices.
Conclusion
The European Commission's Cybersecurity Act 2 proposal represents a significant step toward enhancing the EU's cybersecurity posture, particularly concerning supply chain security and certification processes. Organizations operating within the EU must proactively assess and adapt their cybersecurity strategies to align with these proposed measures, ensuring resilience against evolving cyber threats and compliance with forthcoming regulations.