On 20 January 2026, the European Commission submitted the Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security and repealing Regulation (EU) 2019/881 (The Cybersecurity Act 2). The Proposal would revise the legal framework under the current Cybersecurity Act (Regulation (EU) 2019/881) by reforming ENISA's mandate, updating the European cybersecurity certification framework, and introducing a trusted ICT supply chain framework. As part of the supply chain framework, the Commission would be empowered to adopt implementing acts prohibiting entities in sectors of high criticality and critical sectors, as defined in the NIS 2 Directive, from using, installing, or integrating ICT components from high-risk suppliers in key ICT assets. Such implementing acts would also provide for phase-out periods for such components. For mobile electronic communications networks, the phase-out period may not exceed 36 months from the publication of the list of high-risk suppliers. Further, providers of mobile, fixed and satellite electronic communications networks would also be prohibited from using, installing or integrating ICT components from high-risk suppliers in key assets, such as core network functions, network management systems, and access networks.