Revised Cybersecurity Act (CSA2) - mechanism to restrict high-risk ICT suppliers in critical sectors

05 February 26 | Visiola Pula

Cullen International published an analysis of the proposed provisions to restrict high-risk suppliers (HRS) under the revised Cybersecurity Act (CSA2) delivered by the European Commission on 20 January 2026.

The draft CSA2 would repeal and replace the current CSA, which establishes an EU framework for the voluntary cybersecurity certification of ICT products, services, processes and managed security services. In addition to amending the certification framework, the draft CSA2 would also address non-technical security risks of ICT supply chains in EU critical sectors.

Non-technical risks would include the likelihood of the supplier being subject to influence by a third country in ways that could disrupt the service provided or compromise the manufactured product, for example by inserting concealed vulnerabilities. They would also include situations of technological lock-in or supplier dependency, which could affect the availability of communication networks and electricity grids.

The proposal would establish a mechanism for the Commission to designate and restrict the use of ICT components from HRS in the sectors in scope of the Directive on measures for a high common level of cybersecurity across the EU (NIS2). The sectors include, for example, energy, transport and cloud computing.

The Commission could then restrict the use of ICT components from suppliers established in, owned or controlled by a designated high-risk country.

Under the draft CSA2, control would mean “the ability to exercise a decisive influence on a legal entity directly, or indirectly through one or more intermediate legal entities”. Control would also be established if the concerned entity has executive management structures in that country.

For mobile communication networks, the draft CSA2 sets out concrete measures requiring the phase-out of ICT components from HRS in the key 5G network assets listed in Annex II to the proposal (e.g. the core network) within three years of the Commission designating an HRS. The same obligation would also apply to fixed and satellite electronic communication networks, although no specific phase-out timing has been set for these networks yet.

Annex II could be amended through delegated acts to adapt it to technological developments. Hence, restrictions on HRS may potentially also apply to future mobile technologies such as 6G.

The draft CSA2 would also include a broader set of ICT supply chain risk-mitigating measures applicable to NIS2 entities (including telecoms operators), beyond HRS restrictions. Examples include diversifying ICT supply chain components to address the risks of technological lock-in or supplier dependency, and restricting data transfers to third countries (including remote data processing).

NIS2 competent authorities would be tasked with overseeing compliance by entities subject to the ICT supply chain security measures and could impose fines of up to 7% of the entity’s total annual turnover for non-compliance with the ban on using ICT components from HRS.

The above is an extract from Cullen International's series of analyses on the European Commission's proposal for a revised Cybersecurity Act (CSA2).
