EU Moves to Ban High-Risk Tech Suppliers from 18 Critical Sectors

European Commission Proposes Revised Cybersecurity Act to Phase Out High-Risk ICT Suppliers from Critical Infrastructure

HIGH
January 21, 2026
5m read
Policy and Compliance · Regulatory · Supply Chain Attack

Related Entities

Organizations

European Commission · EU Agency for Cybersecurity (ENISA) · European Parliament · Council of the EU · European Union

Other

China

Full Report

Executive Summary

On January 20, 2026, the European Commission proposed a significant revision to the EU's Cybersecurity Act, known as CSA 2. This legislative initiative aims to create a unified framework for identifying and mitigating security risks within the Information and Communication Technology (ICT) supply chain across 18 critical infrastructure sectors. The core of the proposal is the power to phase out and ban high-risk technology suppliers, a measure widely seen as targeting Chinese companies like Huawei and ZTE, to enhance the EU's strategic autonomy and resilience against cyber threats. The act mandates a three-year timeline for mobile operators to replace equipment from designated high-risk vendors and seeks to simplify cybersecurity certification to promote 'secure-by-design' principles across the Union. This represents a major shift from a voluntary to a more prescriptive and enforceable cybersecurity posture for the entire EU.


Regulatory Details

The proposed revision, referred to as CSA 2, significantly expands upon the original 2019 Cybersecurity Act. Its primary objective is to establish a robust legal mechanism for the EU and its member states to collectively assess and manage risks in the ICT supply chain. The regulation will apply to 18 critical sectors, including but not limited to energy, telecommunications, transportation, health, and security scanning services.

A key provision is the creation of a formal process to designate specific technology suppliers as 'high-risk'. This designation will be based on a risk assessment considering factors such as the likelihood of the supplier being subject to interference from a non-EU country, the supplier's corporate structure, and its ability to assure supply. While no countries are named, the context strongly implies that this is directed at companies from nations like China.

Once a vendor is listed as high-risk, member states will be empowered and, in some cases, mandated to restrict their products from critical systems. For mobile telecommunications, the act explicitly requires operators to phase out high-risk equipment from both core and access network infrastructure within a three-year period following the publication of the vendor list. This formalizes and strengthens the recommendations previously outlined in the EU's 5G Security Toolbox.

Affected Organizations

The regulation will have a broad impact across the European Union. The primary entities affected include:

  • Technology Suppliers: ICT vendors, particularly those from non-EU countries like China, will face significant market access challenges if designated as high-risk.
  • Telecommunications Operators: Mobile network operators across the EU will be legally required to audit their infrastructure and undertake potentially costly and complex projects to 'rip and replace' equipment from banned suppliers.
  • Critical Infrastructure Operators: Companies in the 18 designated critical sectors will need to reassess their supply chain dependencies and adhere to new procurement and security standards.
  • Small and Medium-sized Enterprises (SMEs): While the streamlined certification process is intended to help SMEs, they will still need to invest in meeting the 'cyber-secure by design' requirements to compete in the EU market.

Compliance Requirements

CSA 2 introduces more prescriptive compliance obligations compared to its predecessor. Key requirements include:

  1. Supply Chain Risk Management: Critical infrastructure operators must implement formal risk management processes to assess and mitigate risks associated with their ICT suppliers.
  2. Exclusion of High-Risk Vendors: Once the Commission publishes its list, affected organizations will be prohibited from procuring new equipment from these vendors for use in specified critical systems.
  3. Mandatory Replacement: Mobile operators must develop and execute a plan to remove and replace existing high-risk vendor equipment within a three-year timeframe.
  4. Cybersecurity Certification: The revised European Cybersecurity Certification Framework (ECCF) will become a key tool for demonstrating compliance. While the proposal aims to make certification faster (12-month default development time), achieving it will require products to be 'cyber-secure by design'. This certification can be used to presume conformity with other EU laws, such as the Cyber Resilience Act.

Implementation Timeline

  • January 20, 2026: The European Commission presents the proposal.
  • 2026-2027 (projected): The proposal will be debated, amended, and negotiated by the European Parliament and the Council of the EU.
  • Post-Adoption: The act will enter into force, and the Commission will begin the process of identifying and listing high-risk vendors.
  • 3-Year Clock: Once the high-risk vendor list is published, the three-year countdown for mobile operators to replace affected equipment will begin.

Impact Assessment

The business and operational impacts of CSA 2 will be substantial.

  • Financial Costs: Telecom operators face significant capital expenditures for replacing network hardware. Estimates for replacing existing infrastructure across the EU could run into billions of euros.
  • Operational Disruption: The replacement of core and access network components is a complex process that could lead to service disruptions if not managed carefully.
  • Market Fragmentation: The ban could create a more fragmented global technology market, forcing companies to maintain separate supply chains for the EU and other regions.
  • Competitive Landscape: The move will benefit European and other non-Chinese technology suppliers (e.g., Ericsson, Nokia, Samsung), altering the competitive dynamics of the ICT market in Europe.

Enforcement & Penalties

While specific penalties are still to be finalized, enforcement will be handled at the member state level, with coordination from the EU Agency for Cybersecurity (ENISA). Non-compliance could result in substantial fines, similar to those under GDPR, and legal orders to cease using non-compliant equipment. The strengthened mandate of ENISA will allow for more effective cross-border supervision and support for national authorities in enforcing the regulation.

Compliance Guidance

Organizations should take the following proactive steps:

  1. Conduct a Supply Chain Audit: Immediately begin mapping ICT supply chains to identify dependencies on potential high-risk vendors, especially those with ties to China.
  2. Engage with Legal and Compliance Teams: Assess the potential legal and financial ramifications of the proposed act and begin planning for compliance.
  3. Develop a Transition Strategy: For organizations heavily reliant on at-risk suppliers, start formulating a long-term transition plan, including identifying and vetting alternative vendors.
  4. Budget for Replacement Costs: Begin financial modeling and budget allocation for the potential 'rip and replace' mandates, particularly for telecom operators.
  5. Monitor Legislative Progress: Stay informed on the negotiations in the European Parliament and Council, as the final text may contain important changes.

Timeline of Events

  1. January 20, 2026: The European Commission proposes a revision to the EU's Cybersecurity Act (CSA 2).
  2. January 21, 2026: This article was published.

MITRE ATT&CK Mitigations

The act's focus on certification and secure-by-design aligns with the principles of identifying and remediating vulnerabilities in products before they enter the supply chain.

The regulation implicitly promotes the use of supported and up-to-date software and hardware from trusted vendors, which is a key aspect of patch management.

D3FEND Defensive Countermeasures

While D3FEND's Domain Trust Policy typically applies to Active Directory, its principles can be conceptually extended to the geopolitical and supply chain context of the revised Cybersecurity Act. In this macro sense, the EU is establishing a 'supply chain trust policy' that defines which external entities (technology vendors from specific nations) are trusted to operate within its critical infrastructure 'domain'. Implementing this involves creating and enforcing strict procurement policies that explicitly forbid the use of hardware and software from vendors designated as 'high-risk' by the European Commission. Organizations should begin by inventorying all ICT assets and mapping them to their vendors and country of origin. This inventory will form the basis for a gap analysis against the forthcoming EU regulations. A strategic plan should then be developed to replace non-compliant technology, prioritizing systems within the 18 critical sectors identified by the act. This policy should be integrated into all procurement and vendor management workflows to ensure ongoing compliance.
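The inventory-to-gap-analysis step described above can be made concrete. The following Python sketch is an added example, not code from the article, from D3FEND or from any EU body: it joins a constructed ICT asset inventory against a placeholder high-risk vendor list (the Commission has not published one yet, so the vendor names, countries and the publication date used here are hypothetical), ranks affected assets with mobile core and access network equipment first because those carry the act's explicit three-year replacement mandate, and computes the resulting deadline.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Set

# Subset of the 18 critical sectors that the article names explicitly.
CRITICAL_SECTORS = {"energy", "telecommunications", "transportation", "health"}

# Roles that fall under the act's explicit 3-year mobile network mandate.
MOBILE_NETWORK_ROLES = {"mobile-core", "mobile-access"}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    sector: str
    vendor: str
    vendor_country: str  # country of origin recorded during the inventory
    role: str            # e.g. "mobile-core", "mobile-access", "ot-controller"


@dataclass(frozen=True)
class Finding:
    asset_id: str
    vendor: str
    priority: int               # 1 = mandated replacement, 2 = critical sector, 3 = other
    replace_by: Optional[date]  # set only where the act fixes a deadline


def _norm(name: str) -> str:
    # Vendor names in inventories are rarely consistent; normalise before matching.
    return " ".join(name.split()).casefold()


def replacement_deadline(list_published: date, years: int = 3) -> date:
    # The 3-year clock starts when the high-risk vendor list is published.
    # A Feb 29 publication date has no Feb 29 three years later; fall back to Feb 28.
    try:
        return list_published.replace(year=list_published.year + years)
    except ValueError:
        return list_published.replace(year=list_published.year + years, day=28)


def priority_for(asset: Asset) -> int:
    if asset.role in MOBILE_NETWORK_ROLES:
        return 1
    if asset.sector in CRITICAL_SECTORS:
        return 2
    return 3


def gap_analysis(assets: Iterable[Asset], high_risk_vendors: Set[str],
                 list_published: date) -> List[Finding]:
    """Return every asset sourced from a designated vendor, highest priority first."""
    designated = {_norm(v) for v in high_risk_vendors}
    deadline = replacement_deadline(list_published)
    findings = []
    for asset in assets:
        if _norm(asset.vendor) not in designated:
            continue
        prio = priority_for(asset)
        findings.append(Finding(asset.asset_id, asset.vendor, prio,
                                deadline if prio == 1 else None))
    return sorted(findings, key=lambda f: (f.priority, f.asset_id))


# Constructed sample inventory; all vendor names and countries are hypothetical.
SAMPLE_ASSETS = [
    Asset("ran-0001", "telecommunications", "Hypothetical Vendor X", "Country X", "mobile-access"),
    Asset("core-0002", "telecommunications", "hypothetical  vendor x", "Country X", "mobile-core"),
    Asset("scada-0003", "energy", "Hypothetical Vendor X", "Country X", "ot-controller"),
    Asset("laptop-0004", "retail", "Hypothetical Vendor X", "Country X", "office-it"),
    Asset("core-0005", "telecommunications", "Trusted Vendor Y", "EU", "mobile-core"),
]
SAMPLE_HIGH_RISK = {"Hypothetical Vendor X"}   # placeholder for the future Commission list
SAMPLE_LIST_PUBLISHED = date(2027, 6, 1)       # hypothetical publication date


if __name__ == "__main__":
    for f in gap_analysis(SAMPLE_ASSETS, SAMPLE_HIGH_RISK, SAMPLE_LIST_PUBLISHED):
        print(f"P{f.priority} {f.asset_id:12} {f.vendor:24} replace_by={f.replace_by}")
```

The ranking deliberately separates what the proposal mandates (priority 1, with a date) from what it only obliges operators to risk-manage (priorities 2 and 3, no fixed date), so that budget and transition planning can follow the legal clock rather than treating every match identically.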

Sources & References

  • Critical Infrastructure: EU Plans Ban on Chinese Tech. invidis (invidis.de), January 21, 2026.
  • Commission strengthens EU cybersecurity resilience and capabilities. European Commission (digital-strategy.ec.europa.eu), January 20, 2026.
  • EU's New Cybersecurity Act Could Ban High-Risk Suppliers. TechRepublic (techrepublic.com), January 21, 2026.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

EU Cybersecurity Act · CSA 2 · Supply Chain Security · High-Risk Vendors · 5G Security · ENISA · Regulation · Compliance