European Union: European Commission submitted Proposal for a Regulation on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security (The Cybersecurity Act 2) including public procurement blacklisting

On 20 January 2026, the European Commission submitted the Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security and repealing Regulation (EU) 2019/881 (The Cybersecurity Act 2). The Proposal would revise the legal framework under the current Cybersecurity Act (Regulation (EU) 2019/881) by reforming ENISA's mandate, updating the European cybersecurity certification framework, and introducing a trusted ICT supply chain framework. As part of the supply chain framework, the entities designated as high-risk suppliers would not be permitted to participate in public procurement procedures in relation to the provision of ICT components for use in key ICT assets. Entities established in or controlled by third countries posing cybersecurity concerns would be permitted to submit reasoned requests for exemption from this blacklisting.