Cybersecurity Act 2 (CSA2): How the EU Is Reshaping Digital Security and Controlling High-Risk Suppliers

CSA2 and the Cybersecurity Act: How the EU Is Strengthening Control Over Digital Infrastructure

In 2026, the European Union enters a new phase of its digital and cybersecurity strategy with the proposed Cybersecurity Act 2 (CSA2). Together with the Digital Networks Act, this new legislative package reflects the EU’s ambition to strengthen the resilience, security, and strategic autonomy of its digital infrastructure in an increasingly complex geopolitical environment.

The updated Cybersecurity Act goes far beyond its 2019 predecessor. It introduces stricter controls over technology supply chains, expands the role of EU institutions in managing cyber risk, and provides new legal tools to limit the participation of suppliers deemed to pose security risks to the Union.


Why a New Cybersecurity Act?

Since the adoption of the original Cybersecurity Act, the threat landscape has changed dramatically. Cyberattacks have become more frequent, more sophisticated, and increasingly linked to geopolitical tensions. At the same time, Europe’s dependence on global technology supply chains—often involving suppliers from outside the EU—has grown significantly.

Cybersecurity Act 2 (CSA2) is designed to address these challenges by strengthening EU-level oversight and coordination. The objective is clear: to ensure that Europe’s digital networks, critical infrastructure, and essential services are built and maintained using secure, trusted, and resilient technologies.

Key Elements of Cybersecurity Act 2 (CSA2)

The new Cybersecurity Act introduces several important changes that will directly affect technology providers, operators of digital infrastructure, and public authorities across the EU:

1. A stronger mandate for ENISA

CSA2 significantly reinforces the role of the European Union Agency for Cybersecurity (ENISA). The agency will receive additional resources and expanded responsibilities, including enhanced threat monitoring, incident response coordination, and strategic risk assessment at EU level. ENISA is expected to become a central hub for cybersecurity expertise and early warning across Member States.

2. Expanded cybersecurity certification schemes

One of the pillars of the Cybersecurity Act remains the EU-wide cybersecurity certification framework. Under Cybersecurity Act 2, these schemes will be expanded and adapted to cover a broader range of products, services, and technologies, including network equipment, cloud services, software solutions, and emerging technologies such as artificial intelligence.

Certification under CSA2 is likely to become a key prerequisite for market access, especially in regulated and security-sensitive sectors.

3. Identification of high-risk suppliers

Perhaps the most far-reaching aspect of CSA2 is the introduction of a formal mechanism allowing the European Commission to identify third countries as posing cybersecurity risks to the EU’s ICT supply chains.

Suppliers originating from, or controlled by entities linked to, such countries may be designated as high-risk suppliers. This designation can lead to serious consequences, including:

  • exclusion from public procurement procedures,

  • denial of EU cybersecurity certification,

  • restrictions on participation in critical digital infrastructure projects.


While the legislation does not name specific countries, the mechanism creates a clear legal basis for limiting the role of suppliers considered incompatible with the EU’s security interests.

The Broader Context: Reducing Dependence on Risky Suppliers

The CSA2 proposal aligns with broader EU efforts to reduce strategic dependencies in critical sectors. In recent policy discussions, the European Commission has made clear its intention to tighten rules for suppliers involved in telecommunications, energy systems, transport networks, healthcare technologies, and other critical infrastructures.

These discussions often focus on Chinese technology suppliers, particularly in the context of 5G and future digital networks. Although Cybersecurity Act 2 remains country-neutral in its legal wording, it provides the tools needed to operationalize supplier restrictions across the entire digital ecosystem, not just in telecommunications.


In this sense, the new Cybersecurity Act marks a shift from voluntary risk mitigation guidelines toward binding, enforceable measures at EU level.

Digital Networks Act: Completing the Picture

Alongside CSA2, the European Commission has proposed the Digital Networks Act, which aims to modernize and harmonize the regulatory framework for electronic communications across the EU.

Key objectives of the Digital Networks Act include:

  • creating a more integrated single market for telecom and network services,

  • facilitating cross-border investments in 5G and future 6G networks,

  • simplifying spectrum management and licensing procedures,

  • encouraging the deployment of secure, high-performance digital infrastructure.


Together, Cybersecurity Act 2 and the Digital Networks Act reflect a comprehensive EU approach: security, connectivity, and competitiveness are treated as interdependent priorities.

What Does CSA2 Mean for Businesses?

For companies operating in or with the EU market, the new Cybersecurity Act will have tangible implications. Organizations will need to:

  • reassess their supply chains and technology partners,

  • prepare for stricter compliance and certification requirements,

  • integrate cybersecurity risk management into procurement and investment decisions.


At the same time, CSA2 creates opportunities for European and trusted international providers to position themselves as reliable partners in a more security-focused digital market.

What Comes Next?

Both Cybersecurity Act 2 (CSA2) and the Digital Networks Act are now entering the legislative negotiation phase between the European Parliament and the Council. While details may still evolve, the direction is clear: cybersecurity is becoming a central pillar of EU digital policy.

For policymakers, businesses, and technology providers alike, CSA2 signals a future in which digital security, trust, and strategic autonomy will define success in the European digital economy.

Find us in Sofia, in Varna, in London!

57 Cherni Vrah Blvd., Energy Tower, floor 7, 1407, Sofia

87 Prilep St., Business Center BeeGarden, Office 20 9000, Varna

Flat 12, Woodland court, 12 Penn hill avenue, Poole, BH14 9LZ
