The European Commission delivered on 20 January 2026 a legislative package aimed at further strengthening the security and resilience of the EU’s critical sectors.

The package includes proposals:

• repealing and replacing the Cybersecurity Act (CSA, Tracker), including a dedicated section (Title IV) on the security of ICT supply chains in electronic communication networks and other sectors in scope of the Directive on measures for a high common level of cybersecurity across the EU (NIS2, Tracker); and
• amending the NIS2 Directive, aimed at simplifying compliance with security risk-management requirements.

The draft CSA2 would require the phase-out of ICT components supplied by high-risk suppliers in key assets in 5G networks listed in annex II to the proposal.

It would make mandatory one of the core measures of the non-binding 5G security toolbox, which recommends that EU member states restrict or prohibit the use of 5G equipment from high-risk suppliers.

The Commission had expressed dissatisfaction with member states’ uneven implementation of the toolbox, and had announced that it would explore ways to speed up its application.

“We need to finalise what many member states have done when it comes to de-risking 5G networks from high-risk suppliers”, Henna Virkkunen, Commission executive vice-president for Tech Sovereignty, Security and Democracy, said at the European Parliament plenary.

The CSA2 would remain a regulation and thus be directly applicable across EU member states.

The proposals will now be discussed by the EU co-legislators, the European Parliament and the Council.

This is an extract from Cullen International's initial report on the European Commission's proposal for a revised Cybersecurity Act (CSA2). A more in-depth analysis will follow shortly.

For more information and to read the full report, please click on “Access the full content” - or on “Request full report”, in case you are not subscribed to our European Digital Economy service.