In January 2026, the European Commission published its revision of the Cybersecurity Act, known as Cybersecurity Act 2 (CSA2). This is not merely a technical update: the proposal introduces a horizontal security mechanism for the Information and Communications Technology (ICT) supply chain, radically shifting the focus from technical vulnerability assessments to a geopolitical understanding of risk. The goal: to incorporate “technological sovereignty” into European cybersecurity law.
For the first time, the EU is introducing a horizontal mechanism through which the Commission can designate third countries as “posing cybersecurity concerns” and compile lists of “high-risk suppliers”, with immediate consequences of exclusion from markets, certifications, and public procurement contracts. And the criteria are not technical.
This debate is not new. The presence of third-country manufacturers in telecommunications networks has been a topic of broader dialogue at the European level for years, as reflected in the EU’s 5G Security Toolbox of the NIS Cooperation Group. CSA2 is the most ambitious effort to translate these concerns into a binding regulatory framework—a framework that, however, raises questions of legality and proportionality that require careful consideration.
Who is “high-risk”? The criteria behind the blacklist
At the core of CSA2 lies a multi-tiered assessment mechanism. In a nutshell: First, a coordinated security risk assessment is conducted regarding the ICT supply chain through the NIS Cooperation Group. Crucially, however, the Commission is not dependent on the NIS Cooperation Group: where it has sufficient reason to believe that a significant cyber threat exists in relation to a critical ICT supply chain, it may bypass the Group and conduct its own security risk assessment unilaterally. Second, if it appears that a third country poses “serious and structural non-technical risks” to ICT supply chains, the Commission designates it accordingly. Third—and this is a point of particular significance—the designation of a country, automatically and without further individual assessment, captures all entities established in or controlled by that country: they are classified as "high-risk suppliers", regardless of the specific products or services they offer.
The criteria the Commission examines at this stage do not concern technical vulnerabilities. CSA2 introduces five categories of “non-technical” elements: legal obligations to report vulnerabilities to third-country authorities before they are publicly disclosed (the concern being that a state learns of an unpatched flaw before the affected users do), the corresponding practices of those countries, the absence of judicial remedies and democratic oversight mechanisms, documented instances of state-controlled cyberattacks, and information from international assessments. These are, to a considerable extent, general and evaluative concepts which, at least for now, offer little predictability as to how they will be specified in practice.
The consequences are far-reaching: exclusion from public procurement contracts, European funding programmes, cybersecurity certificates, and even the process of developing European standards. In mobile electronic communications networks, ICT components from high-risk suppliers must be phased out within 36 months. For other sectors, the Commission may decide unilaterally to exclude high-risk suppliers or to impose other potentially severe mitigating measures, including prohibitions on transfers of data to third countries, restrictions on contractual relations with suppliers, mandatory diversification of supply, or requirements that the relevant service be operated only by personnel vetted by the competent national authorities.
From product security to national security
The criticism does not stem from the premise that there is no risk. On the contrary: security is a central issue, especially in an era of hybrid threats, where communications networks form the backbone of critical services.
When the “high-risk” designation is based not on the technical characteristics of the equipment but on the legal framework of the manufacturer’s country of origin or control, two companies with identical products may be treated differently due to nationality. This potentially raises issues of technology neutrality, equal treatment, and the free movement of goods and services—fundamental principles of the internal market.
The link between a country and risk is, by its very nature, indirect and discretionary. A supplier has no control over the choices made by its country’s government, yet may be excluded because those choices are deemed risky. Particularly problematic is the Commission’s ability to trigger the assessment mechanism based on “public statements” by a Member State, an element that is primarily political rather than technical in nature.
CSA2 between the internal market and foreign policy
Perhaps the most controversial aspect of CSA2 is the institutionalisation of “non-technical risk”. This shift signals a geopolitical understanding of cybersecurity and simultaneously raises the critical question: to what extent can internal market law “accommodate” foreign policy objectives?
CSA2 is grounded in Article 114 TFEU, the provision on the harmonisation of the internal market. On this basis, CSA2 seeks to establish a unified and directly applicable approach to addressing so-called “non-technical risks” in cybersecurity, which are attributed to third countries within the supply chain.
Three features of CSA2 give rise to legal concerns: it is explicitly part of the EU’s strategy for “technological sovereignty”; the Commission may take measures not only on the basis of risk assessments but also on the basis of public statements regarding third countries; and the risk assessment criteria are, as noted above, only partly predictable. First, the measures in question (excluding entire countries' industries from European markets, public procurement and funding) resemble a coordinated foreign policy instrument, which by its nature requires consensus among Member States rather than a qualified majority vote under an internal market procedure. Second, and relatedly, the internal market legal basis of Article 114 TFEU appears questionable: where the focus of a measure is national security rather than the harmonisation of market rules, it falls within the sole responsibility of each Member State under Article 4(2) TEU, not within the Union's internal market competence.
Needless to say, even if the legal basis of Article 114 TFEU is accepted, the measures must still comply with the Charter of Fundamental Rights of the European Union, in particular the freedom to conduct a business (Article 16) and the right to property (Article 17).
From “general suspicion” to “genuine risk”: the Ćapeta Opinion
Crucial is the Opinion of Advocate General Ćapeta in Case C-354/24 (March 2026), concerning Estonian restrictions on 5G equipment.
According to the Advocate General, Member States may in principle exclude hardware and software from their telecommunications infrastructure where the manufacturer poses a risk to national security, but any such decision must be open to judicial review, including a proportionality test. Her central position is that such a restriction may be imposed only where the risk to the interest in question is “genuine, present and sufficiently serious” in the specific case. A Member State cannot justify the restriction merely by invoking national security, and the assessment cannot rest on “general suspicion”; it must involve a specific assessment of the use for which the equipment is intended and the risks associated with that use. The competent national authorities must therefore examine whether the specific hardware or software whose use is requested presents a genuine risk to the security of the network. That examination may cover the intended use of the equipment, whether the risks associated with the country in which the manufacturer is established can be attributed to the manufacturer, and whether the risks associated with the manufacturer can in turn be attributed to the specific hardware and software.
The Opinion is a first test case for CSA2, since it defines the conditions under which the exclusion of equipment on the basis of non-technical risks may be compatible with EU law. Measured against that test, the CSA2 mechanism in its current form appears difficult to defend. The Advocate General requires a specific, case-by-case assessment of genuine risk; CSA2 instead operates automatically and across the board: once a third country is designated as posing cybersecurity concerns, every entity established in or controlled by that country becomes a high-risk supplier by operation of law, with no individual assessment of the specific product, its intended use or the actual risk it poses. It is hard to see how such a mechanism could satisfy the standard the Advocate General articulates.
The Union against itself
As CSA2 rightly points out, persistent cybersecurity threats are not just technical challenges, but strategic risks to our democracy, economy, and way of life. CSA2 aims to protect the Union’s infrastructure, but the real test is not technical. It is “constitutional”.
European cybersecurity is at a crossroads. The choices made in the coming months will not only determine our relationship with specific manufacturers and suppliers, but will shape the very nature of the Union itself. And history has shown that democracies that sacrifice their principles in the name of security often end up losing both.