EU Cybersecurity Act 2.0 proposal: new trade controls targeting high‑risk suppliers across 18 critical sectors under cybersecurity law


Key takeaways

Unprecedented trade restrictions embedded in a cybersecurity instrument. The proposal goes well beyond cybersecurity as traditionally conceived under EU law. It would grant the European Commission the power to mitigate non-technical security risks, including geopolitical and foreign interference risks, through international trade measures.

These mitigating measures range from full market bans against certain high-risk suppliers to data transfer and remote data processing prohibitions, as well as restrictions on outsourcing, contractual arrangements, and employee vetting.

Sanctions-like designations for “high-risk suppliers.” Countries and companies posing geopolitical and national security risks will be designated by the Commission on a new list of high-risk suppliers. Companies controlled by a designated third country or company will automatically fall within this category. While the proposed control test does not fully align with the control test used for EU international sanctions purposes, the concept will be familiar to trade compliance teams.

18 sectors impacted. The proposal targets ICT supply chains across 18 critical sectors (energy; transport; banking; financial market infrastructures; health; drinking water; waste water; digital infrastructure; ICT service management; public administration; space; postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; manufacturing; digital providers; research).

More stringent measures targeting the telecom sector. Mobile, fixed, and satellite network operators would face the strictest requirements. All key ICT assets in the telecom networks would fall within scope and must be phased out within a maximum of 36 months if they include components from high‑risk suppliers. The Commission is fast-tracking this sector based on the existing EU 5G Security Toolbox.

A broad scope of ICT assets will be governed by this regime, including detection equipment, connected and automated vehicles, electricity supply systems and storage, water supply systems, drones and counter-drone systems, cloud computing services, medical devices, surveillance equipment, space services, and semiconductors.

The proposal may still evolve, but preparation can start now. The draft regulation now enters the legislative process, which is expected to take 12 to 24 months. The earliest adoption scenario would be in 2027. Companies can already begin mapping their ICT supply chains and identifying exposure.

An example of the growing use of sector-specific trade barriers. The EU is increasingly regulating international trade through sector-specific instruments on top of its traditional instruments such as sanctions, trade agreements, or export controls. Legal and compliance teams will need collaboration between cybersecurity, regulatory, and international trade experts to navigate these requirements.

On 20 January 2026, the European Commission published a proposal for a regulation on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security, repealing Regulation (EU) 2019/881 (the “Cybersecurity Act 2.0” or “CSA 2.0”).

The proposal goes beyond the remit of cybersecurity as traditionally conceived under EU law. It would have important consequences for 18 critical sectors and their ICT suppliers, with broad implications for international trade and the EU’s relationships with key trading partners. This is the first time the EU is using a mandatory instrument to impose trade restrictions, grounded in geopolitical and national security concerns, affecting critical sectors’ ICT supply chains.

The proposal would mandate the EU to identify “key ICT assets” in the supply chain of 18 critical sectors. These assets consist of components, systems, or services whose failure, manipulation, or compromise could significantly impact those sectors. The EU would then be empowered to designate non-EU countries or companies as “high-risk suppliers” and impose trade restrictions against them (including banning them from providing products or services to the EU’s critical sectors) if they generate “non-technical risk.”

This article explores the “non-technical” aspects of the proposal and how these measures may affect companies operating in the 18 critical sectors and their suppliers.

1 - Background on the Cybersecurity Act

Regulation (EU) 2019/881, also known as the Cybersecurity Act 1.0 or CSA 1.0, which entered into force in June 2019, granted the European Union Agency for Cybersecurity (ENISA) a permanent mandate and established an EU-wide cybersecurity certification framework for ICT products, services, and processes.

The CSA 1.0 was purely focused on technical cybersecurity risks.

2 - Overview of the “non-technical risks” aspects of the proposal

The proposed revision addresses two distinct categories of risk:

  • Geopolitical and national security risks ("non‑technical risks") affecting ICT supply chains; and
  • Cybersecurity risks ("technical risks"), addressed through an expanded and strengthened EU cybersecurity certification framework.

This overview focuses on the non‑technical risks.

The proposal for CSA 2.0 establishes a mechanism aimed at identifying non-technical risks affecting key ICT assets of the EU’s 18 critical sectors, and mitigating these risks. Most importantly, the mechanism would grant significant powers to the European Union, including the authority to ban certain suppliers from accessing specific sectors of the EU’s internal market.

This mechanism is built on a 3-step process:

Step 1: Identification of non‑technical risks

The EU would assess non‑technical risks affecting key ICT assets used in the EU’s 18 critical sectors, as defined by reference to the NIS2 Directive. These include:

  • High criticality sectors: Energy; Transport; Banking; Financial market infrastructures; Health; Drinking water; Waste water; Digital infrastructure; ICT service management (managed services); Public administration; Space; and
  • Other critical sectors: Postal and courier services; Waste management; Manufacture, production and distribution of chemicals; Production, processing and distribution of food; Manufacturing; Digital providers; and Research.

A "non‑technical risk" is defined as the likelihood that a supplier may be subject to influence by a third country, with the potential to disrupt services, compromise ICT products, or enable data exfiltration, including for espionage or revenue‑generation purposes. The assessment considers factors such as the third country’s legal framework regarding access to data and supply chain components, the country’s cybersecurity policies, and history of cyberattacks attributed to the country or its actors.

Step 2: Designation of high‑risk suppliers

On the basis of these assessments, the Commission would be empowered to designate countries or individual companies as "high‑risk suppliers".

A supplier may fall within this category if it is:

  • Established in a country designated by the EU as posing cybersecurity concerns; or
  • Individually designated due to the cybersecurity or geopolitical risks it poses.

Entities that are "controlled" by a designated country or entity would automatically be considered high‑risk suppliers. Article 2(37) defines “control” as “the ability to exercise a decisive influence on a legal entity directly, or indirectly through one or more intermediate legal entities.” Interestingly, this definition does not fully align with the control test used in EU international sanctions law.

At this stage, no country or company has been formally designated. However, the Commission has indicated that the telecommunications sector assessment will be fast‑tracked, building on the EU’s 5G Security Toolbox adopted in 2020. The Impact Assessment notes that approximately 32% of 5G radio access network equipment in the EU is currently supplied by vendors that could be affected by designations.

Step 3: EU‑level mitigating measures

Where high‑risk suppliers are identified, CSA 2.0 would allow the EU to impose a broad range of mitigating measures at EU level.

  • Measures applicable to entities operating in critical sectors (Article 103 of the proposal). These could include:
    • Supplier transparency obligations. Regulated operators will be subject to an obligation to disclose information about their suppliers for key ICT assets to competent authorities;
    • Prohibition to transfer data to third countries and remote data processing from a third country;
    • Technical measures aimed at reducing operational risk, e.g. specific segmentation of network systems, disabling of non-essential features;
    • Restrictions relating to outsourcing of certain functions;
    • Contractual restrictions;
    • Vetting requirements on personnel; or
    • Obligation to diversify an ICT supply chain.

Focus: Envisaged Data transfer restrictions

Amongst these measures, the proposed restrictions on transfers and remote processing may have significant operational implications.

Unlike existing EU data protection rules under the GDPR, which are limited to personal data, the CSA 2.0 proposal would potentially apply to all categories of data processed within key ICT assets, including operational, industrial and commercial data. Companies operating in critical sectors could therefore face previously non-existent data localisation requirements or restrictions relating to remote access, support and data processing from third countries. These aspects should be monitored closely by the concerned entities, in particular for cloud environments, group IT structures, outsourcing arrangements and remote maintenance models.

This proposal is an interesting example of the EU intertwining international trade law and data protection law mechanisms. Restrictions on the transfer or export of data are one of the main elements of export controls. However, such restrictions would generally not apply to the type of data or data processing operations that the proposal suggests the EU should regulate moving forward.

  • Measures against high-risk suppliers (Article 100 of the proposal):
    • Mandatory phase‑out obligations affecting ICT supply chains across critical sectors;
    • Restrictions or bans on access to public funding or public procurement; and
    • Exclusion from EU cybersecurity certification schemes and standard‑setting activities.

It is worth noting that the CSA 2.0 proposal covers all companies operating in or supplying the 18 critical sectors. The proposal does not carve out companies based on turnover or employee thresholds. The proposal approaches the question only from a risk-based perspective.

3 – Specific measures affecting electronic communications networks (Articles 110/111)

Step 1 of the 3-step mechanism has already been carried out. The key ICT assets for this sector have been identified by the Commission and listed in Annex II to the proposal.

The Commission is already proposing the following measures:

  • Mandatory phase-out of already installed ICT components, or of components that include ICT components, provided by high-risk suppliers; and
  • Providers of mobile, fixed and satellite electronic communications networks shall not use, install or integrate components from high-risk suppliers in the operation of key ICT assets.

The Commission will be empowered to specify the time periods for phasing out each type of ICT component. For example, for mobile networks, these periods shall not exceed 36 months from the publication of the high-risk supplier list (Article 110(3) of the proposal).

4 – Penalties and enforcement

As is common in EU law, enforcement remains with Member States, meaning that the procedures and decisions to impose penalties will vary across jurisdictions.

The European Commission is proposing harmonising the framework with the following measures (Article 115):

  • The penalties provided for shall be effective, proportionate and dissuasive;
  • Infringements of Article 103 measures shall be subject to a tiered penalty framework: up to 1% of total worldwide annual turnover for certain disclosure-related violations; up to 2% for other non-compliance; and up to 7% for the most serious infringements. The penalties shall be imposed in addition to any warning, corrective order, or cease-and-desist instruction issued by competent authorities.

Under the proposal, regulated companies shall, upon request, provide lists of their suppliers, permit inspections and provide relevant product information.

5 – Exceptions, administrative review and rights of defence

Entities and countries designated as high-risk suppliers would have the right to request the Commission to reconsider its decision (Article 105). The Commission must assess such requests through a “fair and transparent process” and may grant exemptions subject to conditions, including third-party audits and reporting obligations.

6 – CSA 2.0 within the wider EU cybersecurity framework

The CSA 2.0 proposal adds to the growing body of EU cybersecurity and digital resilience legislation, alongside instruments such as the NIS2 Directive, the Digital Operational Resilience Act (DORA), the Cyber Resilience Act (CRA), and the new cybersecurity requirements applicable to connected products under the Radio Equipment Directive (RED).

Companies subject to NIS2 should therefore assess not only their existing cybersecurity obligations, but also whether they could additionally fall within the scope of the CSA 2.0 mechanism and related restrictions affecting ICT suppliers, supply chain arrangements and data localisation.

7 – A UK perspective: the Cyber Security and Resilience (Network and Information Systems) Bill

The UK is pursuing a parallel initiative through the Cyber Security and Resilience (Network and Information Systems) Bill, currently progressing through Parliament. Like CSA 2.0, this Bill would grant the Secretary of State broad powers to regulate essential activities and critical suppliers from a cybersecurity perspective, including powers to issue binding directions for national security purposes. However, unlike the EU proposal, the UK Bill does not prescribe a detailed list of specific mitigation measures akin to Article 103 CSA 2.0, nor does it establish a formal mechanism for designating “high-risk suppliers” at the legislative level. Instead, it relies on a more flexible framework of regulations and codes of practice to be developed over time. Companies operating across both jurisdictions should monitor developments in both regimes to ensure coordinated compliance strategies.


Authored by Aline Doussin, Dan Whitehead, Pierre Estrabaud, Olga Kurochkina, and Kate Mosley.   
