European Union’s Cybersecurity Act 2 establishes a new framework to safeguard supply chains.
In January 2026, the European Commission proposed the Cybersecurity Act 2 (CSA2), a significant development in EU cybersecurity. This ambitious update replaces the 2019 framework with stronger supply chain security, simplified certifications, and an expanded ENISA mandate. For Greek tech firms, it is a crucial reminder to reevaluate vendor risks.
The Supply Chain Revolution
CSA2 introduces the EU’s first horizontal ICT supply chain framework, targeting NIS2 sectors. The Commission is authorized to designate “key ICT assets” (e.g., critical network components) via coordinated risk assessments. Suppliers or third countries can be labeled as “high-risk” based on non-technical threats, such as vulnerability reporting laws or state-sponsored cyber activity.
What are the consequences of this? Union-wide restrictions include bans from standardization, certifications, public procurement, and EU funding. NIS2 entities are subject to restrictions on the use of high-risk components in critical assets, along with mandatory mitigations such as transparency audits, data transfer restrictions, supplier diversification, and personnel vetting. Telecommunications companies are particularly affected by the 36‑month phase‑out for mobile networks. The European Commission has proposed a cybersecurity act, which would establish new EU supply chain rules and certification reforms.
Simplified Binding Certifications
CSA2 streamlines the European Cybersecurity Certification Framework (ECCF) for faster rollout (within 12 months). Certifications now encompass a wider range of postures, including products, services, processes, and managed security, with the assumption of NIS2 compliance. This strategic approach transforms voluntary programs into tangible procurement benefits. For insights into the regulatory outlook for February 2026, please visit our Osborne Clark website.
ENISA’s Expanded Role
The EU Agency for Cybersecurity (ENISA) is assuming a more active role, coordinating risk assessments, supporting certifications, and advising on high-risk designations. Expect increased oversight at the union level.
Business Impact
Penalties amounting to 7% of global revenue may be imposed for infractions. It is imperative that telecommunications, finance, energy, and critical infrastructure sectors conduct audits of their supply chains, with a particular focus on potential exposure to China and Russia. Procurement policies, vendor contracts, and diversification become essential components of compliance.
Info Quest Technologies is dedicated to ensuring that its clients are fully prepared for any challenges they may encounter.
Info Quest Technologies is a leading Microsoft partner that delivers solutions that can help enterprises stay ahead of CSA2. For more information, please visit our website: https://www.infoquest.gr/en/our-solutions
