Cybersecurity Act 2: what CRA manufacturers should watch
CSA2 is still a proposal. COM(2026) 11 final would reshape cybersecurity certification, ICT supply chains and ENISA powers.
The Cybersecurity Act 2 (CSA2) is not the Cyber Resilience Act. It is a separate Commission proposal, COM(2026) 11 final, published on 20 January 2026, that repeals Regulation (EU) 2019/881 and introduces three operative blocks: a revised European cybersecurity certification framework (Title III), a new horizontal ICT supply chain framework with country-designation powers (Title IV), and a reinforced ENISA mandate (Title II). Four months after publication, as of 22 May 2026, the file is in early Parliament and Council examination, not trilogue.
Why a CRA-subject manufacturer should still read this. CSA2 could affect which certification route you can use, which suppliers your customers can keep, and which conformity assessment bodies (CABs) remain available. The CRA itself does not change, but the evidence routes and supply-chain constraints around it would become more structured.
The whole interplay between how you can use the future cyber posture scheme to demonstrate conformity with NIS2 will be an important point of discussion with the Member States.
Summary
- CSA2 is still a proposal, not law. It would replace the 2019 Cybersecurity Act and is currently in early Parliament and Council examination (COM(2026) 11 final).
- For CRA teams, the practical issue is evidence. Future certification schemes could become recognised routes for CRA, NIS2 or DORA compliance, but only after the relevant scheme exists and the legal link is settled.
- Entity-level certification is the new policy direction. CSA2 would extend the European Cybersecurity Certification Framework beyond ICT products, services and processes to managed security services and cyber posture of entities (Article 81; Recital 92).
- Scheme delivery gets a clock. ENISA would normally have 12 months to deliver a candidate scheme after a Commission request (Article 73).
- Assurance levels stay familiar. basic, substantial and high remain the three assurance levels; EU statements of conformity use basic only (Recital 101).
- Supplier origin becomes a board-level risk. The Commission could designate third countries that pose serious structural supply-chain risks; entities from those countries could be excluded from key ICT assets, public procurement, EU funding, certification and conformity assessment activity (Article 100).
- Telecom is the first obvious stress test. Mobile network replacement of high-risk supplier components is capped at 36 months from entry into force; fixed and satellite timelines come later by implementing act (Article 110).
- Penalty exposure is percentage-based. Supply-chain breaches carry maximum caps of 1%, 2% or 7% of worldwide annual turnover; there is no flat EUR cap (Article 115). Certification-framework penalties are left to Member States (Article 97).
- The Commission expects compliance savings, but only if cross-regulation certification reuse works in practice: EUR 14.6 billion over five years under preferred Option C.2 (Impact Assessment §4390).
- The telecom replacement bill is material. The Impact Assessment estimates EUR 3.4 to 4.3 billion per year over three years for non-upgradeable equipment from high-risk suppliers (IA §4577, §4.4.1).
Sources: COM(2026) 11 final (article and page counts); accompanying Impact Assessment SWD(2026) 11 final, sections 4.3.3 and 4.4.1.
What CSA2 actually proposes
The Commission frames the proposal around four objectives. Three are reforms to existing instruments, one is new.
| Topic | What changes | Why CRA teams care | Anchor |
|---|---|---|---|
| Certification framework (Title III) | Scope would expand beyond ICT products, services and processes to managed security services and entity cyber posture. | Future schemes may become part of the evidence route for CRA conformity. | Article 73; 12-month ENISA deadline. |
| ICT supply chain (Title IV) | Risk assessments could lead to third-country designation and exclusions from key ICT assets, public procurement and EU funding. | CABs, suppliers or component sources can become unavailable for regulated customers. | Articles 99-100. |
| Cyber posture (NIS2 simplification) | A cyber posture scheme could support one certification across multiple Union acts. | Useful for planning, but the NIS2 link is still negotiation-dependent. | Policy direction, not settled law. |
| ENISA mandate (Title II) | ENISA would gain clearer roles across schemes, reporting, reserve capacity, vulnerabilities and attestation. | EU reporting and vulnerability infrastructure would become more centralized. | Single Entry Point; EU Cybersecurity Reserve; EUVD. |
Scheme landscape: where the four tracks stand
CSA2 is only one part of the EU certification picture. This snapshot separates the schemes that are already live or in consultation from the cyber posture scheme, which is still a CSA2 proposal and still depends on Member State negotiation.
- 29 certificates, 28 CABs, all at CC-1.
- Launched 3 Apr 2026. Final text expected Sep-Oct.
- v4 published 9 Apr 2026. Public consultation starts in July.
- Cert-to-NIS2 linkage is still open with Member States.
The supply chain framework, step by step
This is the most politically charged part of the proposal. Read it as a sequence: identify the risky supply chain, designate the country or supplier risk, then impose sector-specific measures. Citations below refer to COM(2026) 11 final.
- Trigger: coordinated risk assessment. The Commission, or at least three Member States, can request an ICT supply-chain risk assessment. The normal deadline is six months, with an emergency route where immediate intervention is justified (Article 99).
- Designation: serious structural country risk. If a third country poses serious and structural non-technical risks, the Commission can designate it. Entities established in or controlled by that country can then be excluded from key ICT assets, related public procurement, EU funding programmes, and conformity assessment activity (Article 100).
- Measures: sector-specific obligations. The Commission can require entities in highly critical sectors to apply mitigation measures, including bans on components from listed high-risk suppliers (Articles 101 to 103).
- Scope: which ICT assets count. The Commission identifies the key ICT assets per sector by implementing act. For electronic communications, Annex II already pre-defines assets for mobile, fixed and satellite networks (Articles 102 and 103).
- Supplier list: who becomes high risk. The Commission publishes high-risk supplier lists after assessing establishment, ownership and control, and after consulting the supplier and competent authorities. Exemptions and exemption decisions have their own procedure and register (Articles 104 to 107).
Mobile networks have the clearest proposed deadline: high-risk supplier components must be phased out within 36 months from entry into force. Fixed and satellite network deadlines would be set later by Commission implementing acts. The Impact Assessment estimates a replacement cost of EUR 3.4 to 4.3 billion per year over three years for non-upgradeable equipment, based on EU 5G investment levels since 2019 and a 32 to 40% high-risk asset share (Article 110; IA §4577, §4.4.1).
Penalties: percentage caps, no flat EUR figure
The point to remember is simple: for supply-chain breaches, CSA2 uses percentage caps, not fixed EUR caps. The maximum depends on the type of breach.
| What went wrong | Maximum penalty | Source |
|---|---|---|
| 1% cap: cooperation failures. Failing to cooperate with the Commission during mitigation-measure processes. | 1% of worldwide annual turnover | Article 103(2)(a); Article 115(5) |
| 2% cap: mitigation-measure failures. Breaching other mitigation-measure obligations imposed under the supply-chain framework. | 2% of worldwide annual turnover | Article 103(2)(b)-(g); Article 115(6) |
| 7% cap: primary mitigation and telecom prohibitions. Breaching primary mitigation duties or telecom-specific bans on high-risk supplier components. | 7% of worldwide annual turnover | Article 103(1); Article 111; Article 115(7) |
| Certification penalties: national rules. Certification-framework breaches do not get an EU-wide monetary cap in CSA2. | Set by each Member State; must be effective, proportionate and dissuasive | Article 97 |
The 7% tier is the practical headline for telecom operators because it covers installing or integrating ICT components from high-risk suppliers in the telecom-specific prohibition (Article 111).
Where this intersects with the CRA
The CSA2 does not modify the CRA. It does change three things around it.
Supplier origin becomes roadmap risk
CRA manufacturers already need due diligence on third-party components. CSA2 raises the cost of weak supplier-origin data: if your product includes components from a supplier later treated as high risk, regulated customers may need a replacement path. That can cascade into your product roadmap, support commitments and procurement strategy (CRA Article 13). For the practical reading of component due diligence, see the importer verification guide.
CAB selection becomes supply-chain risk
If a CAB's ownership or control structure could fall within a future designation decision, the CAB choice itself becomes part of your supply-chain risk. CSA2 would bar entities from designated third countries from carrying out conformity assessment (Article 100(2)). For module choice while CSA-anchored schemes are still being drafted, see the conformity assessment decision guide.
Incident reporting should be regulation-agnostic
If you are designing CRA incident reporting now, do not hard-code it as a CRA-only workflow. CSA2 would extend ENISA's existing Single Reporting Platform into a Single Entry Point for incident reporting across NIS2, CRA, DORA and other Union acts. This builds on the CRA reporting platform rather than replacing it (CRA Article 16(1); CSA2 proposal).
The cyber posture scheme is the headline mechanism the Commission uses to argue that "one certification, many regulations" is achievable. It is policy direction, not a settled provision. Two things are not yet agreed: whether Member States accept the cert-to-NIS2 linkage in negotiation, and how the implementing regulation for maximum harmonisation will sit on top of national NIS2 transpositions. The same question affects whether a future CRA-anchored CSA scheme would relieve manufacturers of separate Annex VIII module assessments, or merely sit alongside them. We track this in the field notes from the ENISA conference.
What is open, not on the timeline
Will CSA2 be adopted before CRA full application?
CRA full application is fixed at 11 December 2027. CSA2 was published on 20 January 2026 under the ordinary legislative procedure (2026/0011 (COD)). Four months in, as of 22 May 2026, the file is in committee and Council working-party stage. Trilogue is months away. Adoption ahead of CRA full application is possible but not assured, and the Impact Assessment does not commit to a date.
Frequently Asked Questions
Is CSA2 the same as the Cyber Resilience Act?
No. The CRA sets product cybersecurity obligations; CSA2 changes the certification and supply-chain framework around those obligations. CSA2 does not change CRA deadlines, but it could change which certification routes, CABs and suppliers are usable once adopted (Regulation (EU) 2024/2847; COM(2026) 11 final). For CRA timing, see our CRA implementation timeline 2025-2027.
When will CSA2 enter into force?
There is no adoption date yet. The proposal was published on 20 January 2026 and is still in early Parliament and Council examination under the ordinary legislative procedure. Trilogue is months away at the earliest, and the final text can still change (2026/0011 (COD)). Track the policy direction through our ENISA Certification Conference 2026 readout.
Does CSA2 change my CRA obligations or deadlines?
No. Keep planning against the CRA as it stands: reporting obligations begin in September 2026 and full application remains 11 December 2027. CSA2 could later add certification routes and supplier restrictions, but it does not move the CRA clock. For conformity route planning, see the conformity assessment decision guide.
Will a single European cybersecurity certification cover CRA, NIS2 and DORA at once?
Not today. A single-certification route across Union acts is the Commission's policy direction, but the legal links are not settled. Fohrenbach (DG CONNECT) described the cyber posture link to NIS2 as "subject to negotiation" with Member States at the ENISA conference on 15 April 2026. Treat this as a planning signal, not a compliance assumption.
What is the cyber posture scheme?
It is the proposed entity-level certification scheme. Instead of certifying a product, an organisation would certify its overall cybersecurity risk-management measures. The Commission presents it as a possible NIS2 simplification route, but the mechanics across 27 national NIS2 implementations remain open (Recitals 92 to 94 of COM(2026) 11 final).
My product uses components from a non-EU supplier. Should I act on the supply chain framework now?
Yes, but keep it practical. Map supplier country of origin in your SBOMs, then identify whether telecom or other NIS2-critical customers depend on components that could plausibly become restricted. Do not redesign your CRA conformity route around CSA2 until it is adopted. The supplier-origin work already supports CRA component due diligence (CRA Article 13). See the SBOM generation guide and the importer verification guide.
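One way to do the supplier-origin mapping step above, as an added example that is not from the article or from any named tool: it walks a CycloneDX JSON SBOM, joins each component's supplier to a country of establishment, and flags components whose origin is unknown, missing, or on a watchlist the organisation maintains itself. The SBOM, the supplier-to-country lookup and the watchlist are all constructed placeholders; no country is actually designated under CSA2 Article 100 yet.

```python
"""Supplier-origin mapping over a CycloneDX SBOM (added example, not the article's code).

Assumptions (not in the article): a CycloneDX 1.5 JSON SBOM with `supplier.name`
per component, a constructed supplier -> country lookup, and a constructed
watchlist. Which countries, if any, are designated under CSA2 Article 100 is
unknown at the time of writing; "XX" is a placeholder code, not a real state.
"""
import json

# Constructed sample SBOM in CycloneDX JSON shape; all values are illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "tls-stack", "version": "3.1.0",
         "supplier": {"name": "Example Crypto GmbH"}},
        {"type": "firmware", "name": "baseband-fw", "version": "7.4",
         "supplier": {"name": "Example Radio Co"}},
        {"type": "library", "name": "json-parser", "version": "1.0.2"},  # no supplier
    ],
})

# Constructed lookup: supplier name -> country of establishment or control.
SUPPLIER_COUNTRY = {"Example Crypto GmbH": "DE", "Example Radio Co": "XX"}

# Placeholder watchlist maintained by the organisation; not a Commission designation.
WATCHLIST = {"XX"}


def map_supplier_origin(sbom_json, supplier_country, watchlist):
    """Return one record per component with its supplier, country and a status."""
    sbom = json.loads(sbom_json)
    records = []
    for comp in sbom.get("components", []):
        supplier = (comp.get("supplier") or {}).get("name")
        country = supplier_country.get(supplier) if supplier else None
        if supplier is None:
            status = "no-supplier"      # SBOM gap: due-diligence data missing
        elif country is None:
            status = "unknown-origin"   # supplier known, country not yet mapped
        elif country in watchlist:
            status = "watchlist"        # may need a replacement path for customers
        else:
            status = "ok"
        records.append({"name": comp.get("name"), "version": comp.get("version"),
                        "supplier": supplier, "country": country, "status": status})
    return records


def components_needing_action(records):
    """Names of components that need more data or a replacement path."""
    return [r["name"] for r in records if r["status"] != "ok"]
```

Run it against your real SBOM export and your own supplier register; the "no-supplier" and "unknown-origin" results are the CRA Article 13 due-diligence gaps to close first.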
Does CSA2 affect the EUCC, and does the EUCC help with CRA?
CSA2 keeps EUCC and other adopted schemes alive. The CRA question is separate: the Commission has said it intends to specify before the end of 2026 how EUCC can be used for CRA conformity, and ENISA is running EUCC-to-CRA pilots. Until that link is formalised, EUCC is useful evidence but not a substitute CRA route by itself. For the most product-relevant scheme work so far, see our EUDI Wallet scheme breakdown.
What are the penalties under CSA2?
The headline is the 7% cap for the most serious supply-chain breaches, including primary mitigation failures and telecom-specific prohibitions. Lower caps apply to cooperation failures and other mitigation-measure failures. All three are percentages of worldwide annual turnover, not flat EUR amounts: 1%, 2% and 7% (Article 115). Certification-framework breaches are handled by Member States with no EU-wide cap (Article 97).