European Union: NIS2 Cooperation Group adopted ICT Supply Chain Security Toolbox

On 13 February 2026, the NIS2 Cooperation Group, comprising European Union Member States, the European Commission, and the European Union Agency for Cybersecurity (ENISA), published the ICT Supply Chain Security Toolbox to provide a common framework for identifying, assessing, and mitigating cybersecurity risks across information and communication technology supply chains. The instrument establishes a horizontal and non-binding approach based on an all-hazards methodology, defining important concepts and outlining risk scenarios that impact the EU digital ecosystem. It recommends several mitigation measures for public and private actors, including the creation of frameworks for the assessment of critical suppliers and the promotion of multi-vendor strategies to reduce dependencies on high-risk providers. This initiative aligns with the NIS2 Directive on securing network and information systems (Directive 2022/2555) and supports the coordinated security risk assessments of critical supply chains required under Article 22 NIS2. The toolbox is designed to be actor-agnostic, ensuring that security measures are applied consistently across various sectors. Member States can adapt these voluntary measures to their specific national contexts and priorities to enhance overall digital resilience. Following its introduction, the NIS2 Cooperation Group plans to conduct a review of the application of the toolbox after one year to assess progress, share best practices, and identify necessary adjustments. By offering a structured set of resources, the instrument aims to empower both public and private entities in managing the complex risks associated with ICT services, systems, and products within the internal market.