11 February, 2026

Protecting the ICT Supply Chain: A Step-By-Step Guide to the New EU Security Framework

1.1 Background

On 20 January, the European Commission proposed a new cybersecurity package to further strengthen the EU’s cybersecurity resilience and capabilities. The package includes:

The package has four primary objectives:

  1. Updating and reinforcing ENISA’s mandate
  2. Reforming the EU Cybersecurity Certification Framework
  3. Introducing EU-wide rules to increase ICT supply chain security
  4. Facilitating and streamlining compliance with NIS2

This article focuses on the new supply chain security rules. It provides a step-by-step guide on how the ICT supply chain security framework will work in practice and analyses the most contentious issues that will emerge during the negotiations among EU institutions.

In essence, the framework introduces provisions to address “non-technical risks” in the ICT supply chain of NIS2 organisations, which could be prohibited from using ICT equipment supplied by foreign high-risk organisations. The proposal already makes direct references to space and connectivity operators, but its scope is likely to be extended to other NIS2 sectors in the future.

The CSA2 proposal will follow the ordinary legislative procedure. It could face resistance from some Member States due to national security concerns, while the Parliament may seek to introduce sovereignty requirements, particularly if tensions with the Trump administration continue.

1.2 The ICT Supply Chain Security Mechanism

Title IV of CSA2 defines the scope of the trusted ICT supply chain framework, including the General ICT Supply Chain Security Mechanism.

This Mechanism will work in five steps:

  • Step 1 – Security risk assessments:
    • The Commission, or at least three Member States, may request the NIS Cooperation Group to conduct a Union-level coordinated security risk assessment. The assessment must be completed within 6 months.
  • Step 2 – Designation of countries posing cybersecurity concerns:
    • The Commission will determine whether a third country poses a serious and structural non-technical risk to the EU ICT supply chains based on predefined criteria (i.e. cybersecurity incidents caused by actors controlled by third countries) and through an implementing act.
  • Step 3 – Identification of key ICT assets:
    • Following the risk assessment in step 1, the Commission will adopt implementing acts identifying key ICT assets used in products and services by NIS2 types of entities.
    • This identification will be based on four criteria: 1) Whether the assets perform essential and sensitive functions; 2) Whether incidents could lead to serious disruptions of ICT supply chains; 3) Whether there is dependency on a limited number of suppliers; and 4) The results of the security risk assessments.
  • Step 4 – Mitigation measures in the ICT supply chain:
    • The Commission may adopt implementing acts prohibiting specific NIS2 entities from using, installing or integrating in any form ICT components (or components that include ICT components) from high-risk suppliers.
    • These implementing acts will include a transition period, during which the Commission will publish the list of high-risk suppliers, and provide additional time to phase out risky ICT components.
    • The Commission may also require NIS2 entities to implement one or more technical mitigation measures to address risks to their ICT supply chains, particularly with regard to key ICT assets.
    • Before adopting these prohibitions, the Commission will consult the affected NIS2 entities.
  • Step 5 – Identification of high-risk suppliers:
    • The Commission will establish lists of high-risk suppliers that are either established in a country posing cybersecurity concerns or controlled by entities established in such countries.
    • The Commission, or a national competent authority, will assess the supplier’s place of establishment, ownership, and control structure. The supplier may be required to submit supporting documentation.
    • The Commission will share preliminary findings of its investigation with the supplier and give the supplier the opportunity to be heard.
    • The list of high-risk suppliers will be regularly updated, including when suppliers provide evidence of changes to the establishment, control and ownership structure.
    • Where designation is confirmed, high-risk suppliers are excluded from standardisation operations, from applying for or holding European cybersecurity certifications, and from participating in public procurement procedures and EU funding programmes.

Exemptions

  • An entity established in a country posing cybersecurity concerns may ask the Commission to be exempted through a reasoned request.
  • The request should specify the interest in being exempted and provide evidence of implementation of mitigating measures to address non-technical risks and ensure the absence of third-country interference.
  • The Commission should take a decision within 9 months of receiving the request and may levy fees for the assessment.

Competent authorities’ supervision and enforcement

  • Member States’ NIS2 competent authorities will be responsible for supervising and enforcing the ICT Supply Chain Security Mechanism.
  • When exercising their supervisory role, national competent authorities can request information from entities, including information on their suppliers, data to verify compliance with the CSA2 and information on the composition of hardware and software products, and can carry out on-site inspections and off-site supervision.
  • When exercising their enforcement role, national competent authorities can 1) issue warnings; 2) adopt decisions asking entities to remedy the infringement; 3) order entities to cease activities infringing this regulation; 4) impose penalties.
  • The competent authorities must notify the affected entities of their preliminary findings before taking enforcement measures.

Penalties

Member States will establish national rules on penalties. However, penalties should not exceed 1%, 2% and 7% of an entity’s total worldwide annual turnover (from the preceding financial year), depending on which mitigating measures have not been implemented by the affected organisations (Step 4).

1.3 Immediate implications for connectivity and space operators

If the text is approved in its current form, the CSA2 would prohibit mobile, fixed and satellite electronic communications network providers from using, installing or integrating ICT components from high-risk suppliers in the operation of their key ICT assets. Existing ICT components sourced from high-risk suppliers would need to be phased out.

For mobile communications networks, high-risk suppliers’ components must be phased out within 36 months of the publication of the list of high-risk suppliers. The phase-out timelines for fixed and satellite networks will be specified by the Commission through an implementing act.

1.4 Analysis

Supply chain security and third countries

The current text places the bulk of the risk assessment on the threats posed by third countries rather than on individual high-risk suppliers. This is illustrated by the fact that the current mechanism first identifies countries of concern (Art. 100) and only subsequently identifies high-risk suppliers (Art. 104), rather than the other way around. Moreover, the identification of high-risk suppliers in Art. 104 is based on place of establishment, ownership and control structure, rather than on specific cybersecurity concerns. While cybersecurity threats stemming directly from high-risk suppliers could, in principle, be assessed during the initial security assessment phase (although this is not clearly specified in the current text), EU stakeholders may need to introduce additional criteria requiring the Commission, or national competent authorities, to provide evidence of concrete risk. These could include evidence of high-risk suppliers sending sensitive data to third countries or preparing the groundwork (i.e. target reconnaissance) supporting third countries’ cyber operations. Going forward, the absence of risk criteria demonstrating the actual cybersecurity risks posed directly by suppliers (rather than by the country of origin) could lead to an unclear designation process, lengthy designation disputes and accusations of erecting trade barriers.

Despite not explicitly naming countries, the proposal is seen as a strong, mandatory push to operationalise the EU’s 5G toolbox, whose implementation by Member States has reportedly left EVP Virkkunen unsatisfied. The Commission has stated that Europe has allowed high-risk vendors in strategic sectors for “far too long” and that the EU “cannot be naive anymore.” As a result, many have argued that Chinese companies such as Huawei and ZTE are likely to be named high-risk suppliers.

Will the supply chain mechanism name the US as a country posing a cybersecurity concern? There is no evidence as of now. However, strained EU-US relations, following the release of the US National Security Strategy and threats over Greenland’s annexation, could influence future threat assessments by the EU or its Member States in the medium to long term. The proposal’s recitals mention cloud, space services and semiconductors, sectors dominated by US firms, as areas where “risks related to dependency on high-risk suppliers may be observed.”

Digital Sovereignty

Is “digital sovereignty” addressed in the CSA2? Some stakeholders had hoped (or feared) that non-technical risk factors would be used to uphold EU digital sovereignty through the European Cybersecurity Certification Framework, where sovereignty considerations previously emerged during discussions on the EU Cloud Scheme. However, the current text does not incorporate sovereignty considerations into cybersecurity certification, and the “non-technical risk” provisions in the supply chain security chapter are not designed, as they stand, to promote EU digital sovereignty, but rather to protect the EU ICT supply chain.

This was confirmed by the Commission, which has stated that CSA2 gaps related to sovereignty considerations and non-technical risks will instead be addressed in the upcoming Cloud and AI Development Act. The proposal will ensure that highly critical use cases in the public sector are provided by secure EU-based cloud and AI computing services.

CSA2 and NIS2 overlay

While the supply chain chapter makes continuous reference to NIS2 entities, the proposal is ambiguous on the remit of the law. It refers to “sectors of high criticality and other critical sectors as referred to in Directive (EU) 2022/2555” (Art. 98), but also to “entities of the types referred to” in the NIS2 annexes. This seems to suggest that the Commission could prohibit the use of high-risk suppliers in sectors beyond the NIS2 scope.

Nonetheless, the Commission has confirmed that the mechanism should apply only to NIS2 entities and that it will rely on implementing acts to specify which “specific type of entities referred to in Annex I and II” of NIS2 may be prohibited from using high-risk suppliers. Yet the current wording could be amended during the negotiations to avoid misinterpretations by national authorities when exercising their powers.

Finally, the supply chain mechanism represents an absolute novelty vis-à-vis the former CSA text. While one could argue that this chapter would be better placed directly in the NIS2 text, the Commission considered that using a regulation like the CSA could avoid the same fragmentation that is currently plaguing the national implementation of NIS2. If national fragmentation is to be avoided, which is what many businesses across multiple Member States are hoping for, future negotiations should consider carefully whether Art. 98, which allows Member States to adopt or maintain rules “ensuring a higher level of cybersecurity in ICT supply chains”, should be kept as is, since it could undermine the intrinsic harmonisation objective of the current text.

1.5 How the Negotiations Will Unfold

Negotiations have a bumpy road ahead.

In the Council, Member States are uneasy about the prospect of giving Brussels the power to lead on a policy that resembles a broader security policy more than a purely technical cybersecurity law. A Spanish official has already declared that the CSA2 contains elements that “could encroach on national prerogatives,” which was echoed by their Czech counterparts.

In the Parliament, political groups showed initial strong cross-party support. However, the Parliament’s increasingly hard stance against the Trump administration – exemplified by the recent failure to reach an agreement on the EU-US trade deal – could push lawmakers to introduce sovereignty-related requirements aimed at mitigating perceived “non-technical risks” posed by American providers to the EU ICT supply chain.

Other key actors in the process will include telecommunication, space and tech companies, firms operating in sectors where Chinese competition and presence are intensifying (energy and transport) as well as foreign administrations, notably China and the United States, whose companies are directly or indirectly affected by CSA2.

1.6 Next Steps

The proposal will follow the ordinary legislative procedure.

The European Parliament is expected to select the Committee responsible for the file in the coming weeks, most likely the Industry, Research and Energy Committee (ITRE). Czech MEP Markéta Gregorová (Pirate Party) is expected to play a prominent role in the parliamentary negotiations.

In the meantime, the Council’s Horizontal Working Party on Cyber Issues (HWPCI) will meet over the coming months to conduct technical discussions. Following this, the Council’s COREPER and national Ministers might provide further input.

Depending on the negotiating position of the EP and the Council’s negotiating mandate, trilogues between the institutions would then begin.

Disclaimer: This section refers to the version of the proposal for a revised Cybersecurity Act published by the European Commission on 20 January. The facts and analysis presented are valid as of 10 February. As interinstitutional negotiations may lead to substantive amendments, organisations are encouraged to monitor policy developments closely in the coming months.
