Cybersecurity Act 2 and the Digital Networks Act: EU proposes to rewrite cyber rules

In January 2026, the European Commission proposed one of the most far-reaching restructurings of Europe’s digital governance since the original Cybersecurity Act in 2019. Presented together, the proposed Cybersecurity Act 2 (CSA2) and the Digital Networks Act (DNA) mark a decisive shift in how the EU approaches cyber risk, digital infrastructure and geopolitical dependence.

Taken together, CSA2 and the DNA reshape the boundaries between cybersecurity, industrial policy and national security, with direct consequences for how organisations select suppliers, certify technology, design networks and report incidents. The proposals represent a move away from narrow technical controls toward a broader concept of digital trust that extends across entire supply chains.

A single digital agenda, two complementary laws

The Commission’s intent is explicit. CSA2 and the DNA are designed to operate as a single framework governing Europe’s digital infrastructure, from the security of ICT components to the resilience of networks that carry data, AI workloads and critical services. Where the original Cybersecurity Act focused on certification and coordination, CSA2 adds enforcement teeth and geopolitical context. Where telecom and spectrum rules have historically sat in fragmented national regimes, the DNA pulls them into a unified market structure.

The most consequential innovation in CSA2 is the creation of the EU’s first horizontal framework for ICT supply chain security. For the first time, EU law directly addresses non-technical risks embedded in technology supply chains, including political influence, legal obligations imposed by third countries and systemic dependency on a narrow group of vendors.

Under CSA2, the Commission can initiate EU-level coordinated risk assessments to identify “key ICT assets” used by entities covered by NIS2. These assessments can be launched at the Commission’s discretion or at the request of Member States, and can be fast-tracked where a significant threat to the internal market is identified. Once an asset is designated as key, the regulatory consequences become immediate and far-reaching.

Most notably, CSA2 empowers the Commission to designate a third country as a “country posing cybersecurity concerns to ICT supply chains”. Suppliers established in, controlled by, or linked to such countries are automatically classified as high-risk suppliers. This designation carries concrete legal effects. High-risk suppliers may be excluded from public procurement, barred from holding European cybersecurity certificates and prevented from participating in standardisation or conformity assessment activities.

This would be a significant change. Supplier risk would no longer be assessed solely through contractual due diligence or technical assurance; it would become a matter of EU-level designation, with binding consequences for existing vendor relationships, including mandatory phase-outs of components already deployed.

Telecommunications, networks and mandatory phase-outs

The supply chain regime is even more prescriptive for electronic communications networks. Mobile, fixed and satellite networks fall under a dedicated framework aligned between CSA2 and the DNA. Certain network components are pre-defined as key ICT assets, and components sourced from high-risk suppliers must be phased out entirely.

For mobile networks, the maximum phase-out period is 36 months from the publication of a high-risk supplier list. For fixed and satellite networks, the timelines will be set through Commission implementing acts. Network operators are also prohibited from deploying new components from high-risk suppliers once a designation is in force.

This alignment between cybersecurity law and network regulation underscores the Commission’s intent. Digital resilience is treated as an infrastructure issue, not simply a security function.

Certification as a proxy for trust

Demand for European cybersecurity certification has grown rapidly in recent years, driven by the AI Act, the Cyber Resilience Act and NIS2. CSA2 acknowledges that reality and attempts to make certification workable at scale.

The revised framework extends certification beyond products and services to include ICT processes, managed security services and, for the first time, an organisation’s overall cybersecurity posture. This signals a shift toward assessing maturity, governance and operational readiness alongside technical specifications.

At the same time, CSA2 streamlines how certification schemes are developed and maintained. ENISA will prepare schemes at the Commission’s request under defined timelines, with mandatory review cycles and clear mechanisms for withdrawing obsolete schemes. Member States will be limited in their ability to introduce parallel national requirements once an EU scheme exists.

Certification remains formally voluntary. In practice, procurement rules, sector regulation and market expectations are likely to make it unavoidable for organisations operating in critical or regulated environments.

ENISA moves from coordinator to operator

CSA2 also transforms the role of the European Union Agency for Cybersecurity. The agency’s mandate expands significantly, supported by increased funding and staffing.

ENISA will operate EU-level threat intelligence repositories, issue early warnings of major cyber threats and manage the single incident reporting platform introduced across EU digital legislation. It will also maintain the European Vulnerability Database established under NIS2 and provide targeted guidance on secure-by-design principles, risk management and incident response.

Operationally, ENISA will play a central role in crisis response. It will help manage the EU Cybersecurity Reserve under the Cyber Solidarity Act and support coordinated responses through EU-CyCLONe. For organisations, this means greater centralisation of reporting, oversight and technical guidance at EU level.

The Digital Networks Act and the end of regulatory fragmentation

Running in parallel, the DNA consolidates telecom, spectrum and network rules into a single regulation. Its objectives are explicitly economic as well as technical. The DNA seeks to accelerate investment in fibre, high-quality 5G and future 6G networks while enabling cloud-based infrastructures that support AI development.

A core feature is a passporting regime for network and service providers. Once authorised by a national regulator, providers can operate across multiple Member States under a single general authorisation. Spectrum management is similarly harmonised through EU-wide procedures for allocation, renewal and sharing, including specific regimes for satellite networks.

The DNA also addresses practical barriers to connectivity, including access to land and rights of way for fibre deployment, and strengthens end-user rights such as access to affordable internet services. Notably absent is the proposed network levy on large content providers, which has been dropped following intense opposition.

What this means for compliance and cyber teams

CSA2 and the DNA will collectively push organisations toward a new compliance reality. Cybersecurity governance is no longer confined to IT controls or incident response playbooks. It extends into procurement strategy, geopolitical risk assessment, certification planning and long-term infrastructure investment.

Organisations will need to demonstrate cybersecurity maturity at an organisational level, not just compliance at a technical one. Supply chain monitoring will need to account for EU-level designations and potential forced migrations. Incident reporting will become more centralised, structured and visible to regulators.

While the Commission emphasises simplification and harmonisation, the transition will demand substantial legal, technical and operational adaptation. Documentation, contracts and risk frameworks will need to be updated to reflect substitution scenarios, certification dependencies and cross-border supervision models.

What are the next steps?

Both proposals now move to the EU’s co-legislators, the European Parliament and the Council of the European Union. Negotiations throughout 2026 are expected to be intense, particularly around high-risk supplier designations, enforcement thresholds and transition periods.

For complex policy areas of this scale, negotiations typically take 12 to 24 months, which would put formal adoption in late 2027 or early 2028 if talks move steadily. Contentious issues such as high-risk supplier designations and mandatory phase-outs could stretch this further. Both instruments are proposed as regulations, so once adopted they will apply directly in all Member States without national transposition, subject to the application dates and transition periods set in the final texts.