EU Cybersecurity Act 2: Supply Chain Bans, Certification Overhaul, and What Product Manufacturers Should Watch

On January 20, 2026, the EU proposed replacing the Cybersecurity Act entirely. Here is what changed, what is new, and why it matters for CRA compliance.

CRA Evidence Team
February 19, 2026
Updated February 25, 2026

On January 20, 2026, the European Commission published COM(2026) 11 final, a proposal for what is being called the Cybersecurity Act 2. This is not a minor update. The Commission is proposing to fully repeal and replace Regulation (EU) 2019/881, the original Cybersecurity Act from 2019.

The proposal runs over 120 articles across six titles. We have read through the full text, the annexes, and the impact assessment so you do not have to. This article covers what is actually new, what matters for product manufacturers, and where this intersects with CRA compliance.

Summary

  • The Cybersecurity Act 2 (CSA2) fully replaces the 2019 Cybersecurity Act. This is a ground-up rewrite
  • A new ICT supply chain security framework allows the EU to formally designate high-risk countries and ban their suppliers from critical infrastructure
  • Telecom operators face a mandatory 36-month phase-out of high-risk supplier equipment
  • A revamped certification framework now covers managed security services and organizational cyber posture, not just products
  • ENISA gets an 81.5% budget increase, 118 new staff, and expanded responsibilities including a ransomware helpdesk
  • Businesses could save up to EUR 15.3 billion over five years through compliance simplification
  • Penalties for supply chain violations: up to EUR 10 million or 2% of global turnover

Four Pillars of the Proposal

The CSA2 is built around four areas. Two are expansions of existing frameworks, and two are entirely new.

1. ENISA Mandate Reform

ENISA, the EU Agency for Cybersecurity, is getting a significant upgrade. Since 2019, new legislation (NIS2, CRA, Cyber Solidarity Act) has piled on new tasks without updating the agency's mandate or resources.

The proposal fixes this with:

  • Budget: EUR 341 million over seven years (2028-2034), an 81.5% increase over the 2025 level
  • Staff: 118 new full-time positions at ENISA, plus 50 at the Commission
  • Ransomware helpdesk: ENISA must now operate dedicated ransomware response and recovery capabilities
  • European Vulnerability Database: Enhanced with severity scoring, product lists, and a known exploited vulnerabilities catalogue
  • Post-quantum cryptography: ENISA gets an explicit mandate for evaluating post-quantum algorithms
  • Cybersecurity Skills Academy: Formalized in law with EU-wide portable certifications for cybersecurity professionals, issued to EU Digital Identity Wallets

2. Certification Framework Overhaul

The European Cybersecurity Certification Framework (ECCF) is being significantly expanded.

What changed:

Aspect            | Current CSA (2019)                 | Proposed CSA2
------------------|------------------------------------|------------------------------------------------------------
Scope             | ICT products, services, processes  | Also managed security services and entity cyber posture
Development speed | No timeline requirement            | ENISA must deliver within 12 months
Maintenance       | No formal process                  | Clear maintenance mechanism with ECCG sub-groups
Standards gap     | Wait for standards bodies          | ENISA can draft technical specifications directly
Cross-border      | Separate national schemes          | Extension profiles for Member State requirements
Third country     | No formal process                  | Mutual recognition based on equivalence

The most consequential change: cyber posture certification. Organizations (particularly NIS2 entities) can now certify their overall cybersecurity risk-management measures. A single certification could replace multiple compliance checks across Member States, creating a presumption of conformity with NIS2 requirements.

For product manufacturers, this means a certification obtained under the ECCF could potentially demonstrate compliance with cybersecurity requirements across CRA, NIS2, DORA, and sector-specific rules simultaneously.

3. Compliance Simplification

The Commission estimates businesses could save up to EUR 15.3 billion over five years through streamlined compliance.

The key mechanisms:

  • One certification, many regulations: A European cybersecurity certification can serve as proof of compliance across multiple legal acts, including NIS2, CRA, DORA, GDPR security requirements, and sector-specific rules
  • Maximum harmonisation: When the Commission adopts implementing acts under NIS2, they become maximum harmonisation, meaning Member States cannot add extra requirements on top
  • Single reporting platform: ENISA must develop a single entry point for incident reporting that satisfies multiple regulations simultaneously

That last point matters. Today, a single incident can trigger reporting obligations under CRA (to ENISA), NIS2 (to national authorities), and possibly DORA or sector-specific rules, each with different forms and recipients. The single reporting platform aims to end that.

4. ICT Supply Chain Security Framework

This is the entirely new and most politically significant part of the proposal. It creates a horizontal, technology-neutral framework to address what the Commission calls "non-technical cybersecurity risks" in ICT supply chains. In practice, this is the legal mechanism for restricting high-risk suppliers from critical infrastructure.

How it works, step by step:

Step 1: Risk assessment
The NIS Cooperation Group or the Commission initiates a coordinated risk assessment of specific ICT supply chains.
Timeline: 6 months to complete.

Step 2: Country designation
The Commission evaluates whether a third country poses "serious and structural non-technical risks".
Criteria: vulnerability disclosure laws, judicial remedies, threat actor activity, willingness to cooperate.

Step 3: Consequences
Entities from designated countries are banned from:
  • Providing ICT components in key assets
  • Public procurement for key ICT assets
  • EU funding programs
  • Certification and conformity assessment

Step 4: Key ICT asset identification
The Commission identifies, by implementing acts, which ICT assets are "key" per sector.

Step 5: High-risk supplier lists
The Commission publishes lists of high-risk suppliers, based on ownership and control assessments.

Telecom gets hit first. Annex II pre-defines key ICT assets for mobile, fixed, and satellite networks: core network functions, radio access networks, network management systems, transport networks, cryptographic products. Mobile operators face a 36-month phase-out from entry into force. The annual cost to mobile operators for phasing out high-risk equipment is estimated at EUR 3.4 to 4.3 billion.

An exemption mechanism exists. Entities from designated countries can apply to demonstrate they have effective measures addressing non-technical risks. The Commission maintains a public register of exemption decisions.

What This Means for CRA-Covered Products

The CSA2 does not modify the Cyber Resilience Act directly, but it creates new dynamics that CRA-covered manufacturers should understand.

Supply Chain Due Diligence Becomes Harder

CRA already requires manufacturers to exercise due diligence when integrating third-party components. The CSA2 adds a new layer: if your product incorporates components from a supplier later designated as high-risk, and your product is used in critical infrastructure, your customers may be forced to replace those components.

This creates a practical pressure to:

  • Map your component supply chain now, including the country of origin of key components
  • Track which of your customers operate in highly critical sectors (energy, transport, banking, health, digital infrastructure)
  • Evaluate alternative suppliers for components originating from countries that may face designation
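As an added illustration of that mapping exercise (this is not code from the article or from CRA Evidence), the check below reads a constructed CycloneDX-style SBOM, flags components whose supplier country is on a placeholder designation list, rates them by whether they fall into an Annex II key ICT asset category, and then reports which customers in highly critical sectors would be exposed. The custom property names and the "XX" country code are assumptions; the proposal designates no country on this page.

```python
import json

# Constructed CycloneDX-style SBOM (not a real product). Country of origin and
# asset category ride in custom properties; those property names are assumptions.
SBOM_JSON = """{
 "bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
  {"type": "firmware", "name": "baseband-fw", "version": "4.2",
   "supplier": {"name": "Vendor A"},
   "properties": [{"name": "example:country_of_origin", "value": "XX"},
                  {"name": "example:asset_category", "value": "radio access networks"}]},
  {"type": "library", "name": "tls-lib", "version": "3.0",
   "supplier": {"name": "Vendor B"},
   "properties": [{"name": "example:country_of_origin", "value": "DE"},
                  {"name": "example:asset_category", "value": "cryptographic products"}]},
  {"type": "library", "name": "json-parser", "version": "1.9",
   "supplier": {"name": "Vendor C"},
   "properties": [{"name": "example:country_of_origin", "value": "XX"}]}
 ]}"""

# Placeholder: the proposal lets the Commission designate countries, but the
# article names none, so "XX" stands in for a designated country.
DESIGNATED_COUNTRIES = {"XX"}
# Key ICT asset categories that Annex II pre-defines for telecom networks.
KEY_ASSET_CATEGORIES = {"core network functions", "radio access networks",
                        "network management systems", "transport networks",
                        "cryptographic products"}
# Sectors the article lists as highly critical.
CRITICAL_SECTORS = {"energy", "transport", "banking", "health", "digital infrastructure"}

def _prop(component, name):
    """Read a CycloneDX custom property value, or None if the property is absent."""
    return next((p["value"] for p in component.get("properties", []) if p["name"] == name), None)

def flag_components(sbom_json, designated=DESIGNATED_COUNTRIES):
    """Map each component from a designated country to a severity: 'key-asset'
    when it is in a key ICT asset category (phase-out exposure for the customer),
    'review' otherwise (due-diligence follow-up only)."""
    flags = {}
    for c in json.loads(sbom_json)["components"]:
        if _prop(c, "example:country_of_origin") in designated:
            is_key = _prop(c, "example:asset_category") in KEY_ASSET_CATEGORIES
            flags[c["name"]] = "key-asset" if is_key else "review"
    return flags

def exposure_by_customer(flags, customers):
    """customers: {customer_name: sector}. For customers in highly critical
    sectors only, return the key-asset components they may have to replace."""
    exposed = {name: sorted(comp for comp, sev in flags.items() if sev == "key-asset")
               for name, sector in customers.items() if sector in CRITICAL_SECTORS}
    return {name: comps for name, comps in exposed.items() if comps}

if __name__ == "__main__":
    flags = flag_components(SBOM_JSON)
    print(flags, exposure_by_customer(flags, {"GridCo": "energy", "ShopCo": "retail"}))
```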

Certification Could Simplify Your CRA Compliance

The expanded ECCF means that a European cybersecurity certification for your product could serve as evidence of CRA conformity. This is particularly relevant for Important Class I and Class II products that face third-party conformity assessment requirements.

The three assurance levels remain: Basic (where self-assessment is permitted), Substantial, and High. If a cybersecurity certification scheme is adopted that covers the essential requirements of the CRA, manufacturers could use that certification instead of going through a separate CRA conformity assessment process.

Incident Reporting Gets Consolidated

The single reporting platform is good news. CRA requires reporting actively exploited vulnerabilities to ENISA within 24 hours. NIS2 requires reporting significant incidents to national authorities. The CSA2's single entry point would let you file once and route to all required recipients.

Conformity Assessment Bodies Face New Rules

If you rely on notified bodies for CRA conformity assessment, note that the CSA2 adds requirements for these bodies. Annex I of the proposal specifies that conformity assessment bodies must not be high-risk suppliers themselves and cannot use ICT components from high-risk suppliers in their assessment activities.

Key Numbers at a Glance

Item                                             | Amount
-------------------------------------------------|--------------------------------------
ENISA new budget (2028-2034)                     | EUR 341 million
Business compliance savings (5 years)            | Up to EUR 15.3 billion
Annual cost to mobile operators for phase-out    | EUR 3.4 - 4.3 billion
Investment in trusted suppliers per year         | Up to EUR 2 billion
Faster incident response savings (5 years)       | EUR 3.7 - 4.4 billion
Maximum penalty for supply chain violations      | EUR 10 million or 2% of global turnover
New ENISA staff positions                        | 118 FTEs

What Happens Next

This is a legislative proposal. It still needs to go through the European Parliament and Council under the ordinary legislative procedure. The timeline is not set, but given the political significance of the supply chain provisions, expect debate.

Key milestones to watch:

  • European Parliament committee assignment, likely ITRE (Industry, Research and Energy)
  • Council working party discussions, where Member State positions will shape the final text
  • Trilogue negotiations, where Parliament, Council, and Commission find compromise
  • Entry into force, typically 20 days after publication in the Official Journal
  • Mobile phase-out clock starts, 36 months from entry into force

For CRA compliance, the CSA2 does not change your current obligations or timeline. The CRA reporting obligations still begin in September 2026 and full compliance remains required by December 2027. But the CSA2 may create new tools, particularly around certification, that could make demonstrating CRA compliance easier once it enters into force.

What You Should Do Now

You do not need to take immediate action on CSA2 since it is still a proposal, not law. But there are practical steps that make sense regardless of when or how it is adopted:

  1. Audit your component supply chain. Know where your key components come from. This is already good CRA practice and becomes critical if the supply chain framework is adopted.

  2. Track the certification landscape. If a European cybersecurity certification scheme is adopted that covers CRA essential requirements, it could significantly simplify your conformity assessment process.

  3. Prepare for consolidated reporting. If you are subject to both CRA and NIS2, the single reporting platform will eventually consolidate your obligations. Design your incident response processes to be regulation-agnostic.

  4. Monitor your customer base. If your products are used in highly critical sectors (energy, transport, health, banking, digital infrastructure), the supply chain provisions may create additional pressures on your component choices.

Info: The Cybersecurity Act 2.0 proposes EU-wide certification schemes for ICT supply chains. This complements the CRA's product-level requirements.

How CRA Evidence Helps

CRA Evidence already tracks the supply chain elements that the CSA2 will make more important:

  • SBOM management maps your component dependencies, including supplier origins
  • Vulnerability monitoring tracks known exploited vulnerabilities across your product portfolio
  • Compliance dashboard shows your CRA readiness status and gaps
  • Incident reporting supports the 24-hour notification workflow required by CRA
  • Documentation maintains your technical file and declaration of conformity

Start building your compliance evidence at craevidence.com.


The full text of the proposal (COM(2026) 11 final), its annexes, and the impact assessment are available on the European Commission Digital Strategy library. This article is for informational purposes only and does not constitute legal advice. For specific compliance guidance, consult with qualified legal counsel.
