In what the EU Commission identifies as an increasingly hostile threat landscape riddled with daily sophisticated state actor threats[1], it has issued a proposal for radical new supply chain requirements in the draft Cybersecurity Act 2 (“the CSA2”) that would push European enterprises to consider potential exposure to government influence when assessing their technology vendor relationships.

European businesses and third country (i.e. non-EU) suppliers should monitor the development of this regulation and start considering what they can do to mitigate its impact. The CSA2 is open for public feedback until 12 May 2026.

What do you need to know?

The proposed supply chain rules (currently Articles 98 – 117):

  • aim to de-risk critical ICT supply chains from entities established in or (broadly) controlled by “high risk” entities from third countries; and
  • “change the game”, by creating a framework to tackle non-technical risks affecting ICT supply chains, in comparison to existing technical certification or designation regimes that only speak to technical controls and not to risks arising from state or owner influence. Current compliance or preparation in other contexts will not mean safety from triggering the CSA2.

This follows attempts by some member states to minimise Chinese influence in supply chains[2] and has parallels with the designated vendor regime under the Telecommunications (Security) Act 2021 in the UK and the FCC’s covered list in the USA. Unsurprisingly, the CSA2 has reportedly already attracted criticism from Chinese officials.[3]

Who is affected?

The proposal would impact:

  • entities (customers and suppliers) across all NIS2 sectors, who must evaluate vendor geopolitical risks and manage and/or potentially remove certain vendors from their tech stack altogether (with a specific sub-regime for telecommunications); and
  • suppliers in countries designated as “high risk” by the Commission, who face having their ICT products and services prohibited from use by their EU customers (and also face exclusion and/or withdrawal from involvement in cybersecurity standardisation and certification programmes in Europe).

The changes will be felt most keenly by the whole spectrum of providers and manufacturers of ICT services, ICT processes and managed security services, who already have enhanced cybersecurity obligations under the NIS2 Implementing Regulation 2024/2690. This again signals European recognition of the criticality of supply chains to the cybersecurity of European businesses and the economy as a whole. As the trend of digital sovereignty continues, enterprises operating across borders face the biggest challenges, particularly those that maintain operations across different geopolitical spheres (Europe, the US and China).

What does the draft say?

Approval is needed from the EU Parliament and Council, so we may see changes and refinements throughout the legislative phase.

What is a designated high-risk supplier?

An entity established in (i.e. with a stable business presence in) a third country posing cybersecurity concerns, or controlled by such a third country (or by an entity established in such a third country, or by a national of such a third country, or by an entity controlled by that entity).

What will control mean?

The ability to exercise a decisive influence on a legal entity directly, or indirectly through one or more intermediate legal entities.

Ownership and control of suppliers of concern will be mapped, and suppliers may receive RFIs from the Commission for this purpose (Article 104(3)). As a cautionary note to suppliers, if they miss the RFI deadline, the Commission is entitled to conclude the establishment / control question against them (Article 104(4)). Given the consequences of designation, it will be important to make the most of the opportunity to be heard.

Why may a country be designated as posing cybersecurity concerns?

If it is found to pose serious and structural non-technical risks / cybersecurity concerns to ICT supply chains.

Non-technical risk is defined as the potential for loss or disruption, compromise, or exfiltration of data for espionage or revenue generation. If an assessment is triggered, the Commission would examine:

  • (1) Any legal and practical mandatory proactive vulnerability reporting (and judicial and democratic oversight thereof) in the vendor’s home territory.

Accompanying materials indicate concern that, because of compulsory vulnerability reporting regimes, a third country government may become aware of (and so presumably be able to exploit) a vulnerability before the European entities relying on the relevant component in their supply chain do (see page 22 of the Commission Impact Assessment).

  • (2) Substantiated information regarding a history of state‑linked malicious cyber activity coupled with a lack of cooperation to mitigate such threats.

Accompanying materials refer to economic espionage or “irresponsible state behaviour in cyberspace”, or malicious cyber activities or campaigns against the Union and its Member States. Again, this is considered in conjunction with legislation that allows arbitrary and possibly extraterritorial governmental access to any kind of company operations or data (see page 323 of the Commission Impact Assessment).

The Commission may draw on credible international or Member State reporting to determine whether the country presents a systemic security concern (Article 100). Suppliers are unlikely to be able to influence or control this aspect – but exemption requests will be crucial (see below).

What triggers a security risk assessment?

An assessment must be completed within 6 months.

An assessment may be triggered by a request from the Commission or from a group of at least three Member States, or by the Commission on its own initiative (including potentially in response to public statements on behalf of Member States) (Articles 99 and 100).

Will a supplier be heard in the designation process?

Yes – they have a right of defence under Article 106, although the CSA2 recognises that in some cases an urgency procedure may be needed.

How do we know who is designated?

Designation occurs by implementing act and a register of names will be maintained (Article 107).

This list should be monitored, and whilst organisations may be alerted when an assessment is triggered, designation could occur very quickly.

Can a third country supplier request exemption from its country’s designation?

Yes, if it establishes clear evidence that effective mitigating measures will be put in place to address non-technical risks and ensure the absence of any possible exercise of undue interference by the third country (Article 105).

Evidenced governance processes and ring-fenced operations will be needed. The Commission will assess the effectiveness of those mechanisms (and has 9 months to consider the request). An exemption, if granted, can be conditional and/or withdrawn, updated or revoked if facts change or the entity acts contrary to its commitments to the Commission. This leaves exempt suppliers (and their European supply chain) in a precarious position.

Can a supplier be un-designated?

In welcome news for suppliers, it is possible to be removed from the list.

A supplier could request a re-assessment (provided they can evidence a change in their establishment, control or ownership structure) (Article 104).

Why may an ICT asset be designated?

The Commission will consider cybersecurity risks for ICT supply chains and identify key ICT assets used by essential and important NIS2 entities.

This will involve considering whether incidents or exploited vulnerabilities affecting them could cause major supply‑chain disruption or data exfiltration (particularly in light of any supplier concentration risks identified in any CSA2 risk assessment) (Article 102). Key ICT assets in telecoms supply chains have been identified in Annex II to the CSA2.

What are the consequences of designation?

Prohibition of high risk suppliers for key ICT assets:

Entities in scope of NIS2 and European public bodies and agencies may be prohibited from using, installing or integrating in any form ICT components (products, services or processes that may be used in the operation of ICT assets) from high-risk suppliers in key ICT assets, or components that include such ICT components (Article 103(7)). The relevant implementing acts shall provide for appropriate transition and phase-out periods (and may be limited to NIS2 entities reaching a certain size threshold).

Other mandated mitigation measures in relation to ICT supply chains or particular key ICT assets:

These may include (supported by technical and methodological requirements):

  • transparency requirements (provision of information to competent authority regarding supply chain for key ICT assets);
  • technical measures to be audited by a third party (including network segmentation, monitoring etc.);
  • restrictions around outsourcing, procurement and contracting (including offshore prohibitions);
  • vetting and security clearance requirements; and
  • requirements for diversification of ICT components.

A separate sub‑regime targets electronic communications networks. For mobile networks, public reports indicate a phase‑out clock (e.g. 36 months) could apply after publication of an official high risk supplier list, with fixed and satellite timelines defined separately.

What supervision can NIS2 entities expect?

Information requests and requests to access data, documents and information to verify compliance; onsite inspections and off-site supervision including random spot checks; and requests for technical information.

What enforcement can NIS2 entities expect?

An enforcement regime including warnings, binding orders to remedy infringements or deficiencies, and the possibility of financial penalties.

Note that the CSA2 contains various updates to the role of ENISA, among other things, that are unlikely to have a direct impact on businesses and are beyond the scope of this summary.

How do the proposed supply chain rules fit into the existing regulatory landscape?

The proposed CSA2 regime builds on earlier, narrower ones such as the 2019 EU Cybersecurity Act’s voluntary product certification model and the UK’s sector-specific high risk vendor rules under the Telecommunications (Security) Act 2021. It will sit alongside the existing – largely principles-based – GDPR, NIS2, DORA, AI Act and Cyber Resilience Act supply chain controls, which already require a plethora of risk assessments, due diligence and contract terms when engaging suppliers in different contexts. It is the CSA2’s prescriptive nature that sets it apart, and the mandatory phase‑outs and centrally-coordinated risk assessments could have a significant impact on supply chains and procurement processes for businesses operating in the EU.

This is yet another example of supply chain as a key area of focus across the EU and UK. All organisations in-scope of NIS2 should already be considering how they can manage operational and security risks in their supply chain. This will involve mapping dependencies against plausible risks – including those that may be geopolitically driven – and making sure these are taken into account as part of any procurement exercise, as well as in wider cyber risk planning and scenario testing activities.

What steps do affected organisations need to take?

European customers should:

  • develop a framework for assessing geopolitical risk profiles in their technology stacks recognising that the Commission’s focus on non‑technical risk factors means traditional security audits and certifications are no longer sufficient;
  • map dependence on third-country‑controlled vendors and identify any key ICT assets likely to fall within upcoming EU designations;
  • establish a proactive re‑procurement strategy (including reviewing current contracts for helpful / necessary mechanisms such as regulatory‑triggered termination rights, change‑in‑law cost‑sharing mechanisms, mandatory asset‑level switchover provisions, software escrow, and step‑in rights for managed services supporting key ICT assets, and embedding CSA2 compliance into performance obligations); and
  • be prepared to demonstrate asset level compliance and ready to rapidly pivot if an exclusion decision is issued.

Telecoms customers should also:

  • establish an inventory baseline as above (to avoid distressed swaps); and
  • prepare structured phase‑out plans for any vendor that may be designated high risk (the expected 36‑month mobile network window, and forthcoming fixed and satellite timelines may assist in workplans, but this is not a long period for any network replacement).

Third country suppliers should:

  • consider their current security compliance posture (under NIS2, the CRA etc.) in the context of the shifting geopolitical environment, with a view to mitigating the risk of, or avoiding, a high-risk vendor designation, noting that reliance on current regulatory compliance or certification schemes will not be sufficient and new frameworks will likely be needed to mitigate the risk;
  • be ready to demonstrate non-technical mitigations and safeguards addressing ownership and control; and
  • consider isolating or ringfencing options for EU operations, in line with the CSA2 definitions and concerns.

How Fieldfisher can help:

We are working with international businesses concerned about this and similar legislation.

  • Applicability assessments and advice
  • Regulatory horizon scanning and Board briefings on the interplay between the various regulations including in different territories (CSA2, NIS2, DORA, GDPR, AI Act, Cyber Resilience Act and the UK and international equivalents)
  • Vendor portfolio mapping, triage and assessment (ownership/control, jurisdictional risk, asset criticality)
  • Supply chain due diligence and advice on technical measures
  • Cyber risk planning and scenario testing
  • Supply chain contract terms and playbook upgrades
  • Phaseout planning and procurement support

[1] Referred to by the European Commission in the press release accompanying the proposal, available here: Commission strengthens EU cybersecurity resilience and capabilities | Shaping Europe’s digital future and extensively in the Explanatory Memorandum available here: COM_2026_11_1_EN_ACT_part1_v81_gVB5aSbD9VXgCvXjk9kiarOw9Q_123727 (1).pdf.

[2] For example, Germany has indicated Chinese components won’t be permitted in future 6G networks: Germany to Ban Huawei From Future 6G Network in Sovereignty Push – Bloomberg and the Netherlands took action against Chinese-owned Nexperia: In rare move, Dutch government takes control of China-owned chipmaker Nexperia | Reuters.

[3] See Ministry of Foreign Affairs: Urges the EU to avoid going further and further down the wrong path of protectionism – Xinhuanet as reported in China urges EU against protectionist path in cybersecurity law | Euractiv.

Source: fieldfisher.com