EU proposes ICT supply chain security framework under CSA2
Access Partnership
· February 11, 2026
The European Commission proposed a new cybersecurity package on 20 January, including a revised Cybersecurity Act (CSA2) and amendments aligning NIS2; this article focuses on the CSA2 ICT supply chain security mechanism and how it would operate in practice.
- Main announcement/action: The Commission introduces a five-step General ICT Supply Chain Security Mechanism (security risk assessments, country designation, identification of key ICT assets, mitigation/prohibitions, and high-risk supplier lists) with concrete timelines: risk assessments completed within 6 months, exemption decisions within 9 months, and a 36-month phase-out for high-risk components in mobile networks. Member States’ NIS2 competent authorities will supervise and enforce the measures, and penalties may reach 1%, 2% and 7% of total worldwide annual turnover, depending on the non-compliance.
- Background and implementation details: The mechanism applies to NIS2 entities (the Commission is to specify the entity types by implementing acts). The Commission will designate countries posing cybersecurity concerns and then identify high-risk suppliers by establishment/ownership/control, allow suppliers to be heard, offer transition periods, permit reasoned exemption requests, and exclude confirmed high-risk suppliers from standardisation, EU certifications, public procurement and EU funding programmes.