On January 20, 2026, the European Commission introduced a significant legislative package designed to overhaul the European Union’s cybersecurity framework. This move responds to an increasingly volatile geopolitical landscape and the rise of sophisticated cyber threats from both criminal syndicates and state-sponsored actors. The proposal includes a revised Cybersecurity Act and specific amendments to the NIS2 Directive, aiming to create a more agile defense for essential services and democratic institutions.
Addressing Non-Technical Risks in ICT Supply Chains
A cornerstone of the new proposal is the introduction of a horizontal framework dedicated to information and communications technology (ICT) supply chain security. Unlike previous regulations, which focused primarily on technical vulnerabilities, this framework addresses “non-technical” risks: the potential for undue foreign interference and critical dependencies on entities outside the European Union. By targeting these strategic dependencies, the Commission seeks to shield the critical infrastructure sectors covered by the NIS2 Directive from external political or economic leverage.
New Powers to Designate High-Risk Suppliers
Under the proposed revisions, the European Commission would gain the authority to issue implementing acts that identify specific threats to the Union’s digital integrity. This would include the power to designate third countries that pose a significant cybersecurity concern and to identify high-risk suppliers based on their relationships with those countries. The Commission could also define key ICT assets that must be protected, or whose use must be restricted, within organizations subject to NIS2.
Suppliers designated as high-risk would face a set of restrictions intended to keep them out of sensitive European networks:
- Exclusion from public procurement procedures for critical ICT components.
- Ineligibility for funding under EU programmes.
- Ineligibility for European cybersecurity certifications.
- Restrictions on the use of their high-risk assets by electronic communications network operators.
Enforcement and the Expanded Certification Framework
To ensure compliance, the proposal introduces heavy financial penalties for organizations that fail to adhere to the new supply chain measures. Companies found in breach could face fines of up to 7% of their total worldwide annual turnover, depending on the severity of the violation. This high ceiling underscores the Commission’s intent to enforce a secure digital environment across the single market.
Furthermore, the proposal seeks to simplify and expand the European Cybersecurity Certification Framework (ECCF). By clarifying the scope of certification, the Commission aims to make it easier for entities to verify the security of their digital products and services while maintaining a unified standard across Member States.
Conclusion
This comprehensive update to the EU’s cybersecurity strategy signals a shift toward a more proactive defensive posture. By combining supply chain security with regulatory oversight and steep penalties, the European Commission is working to ensure that the Union’s critical sectors remain resilient against the evolving tactics of modern cyber adversaries. As with any Commission proposal, the package must still be adopted by the European Parliament and the Council, so the final text and timelines may differ from what is described here.