The KSC has been passed, but what about high-risk suppliers?

European Commission presents new cybersecurity package

On January 20, 2026, the European Commission published a proposal for a new regulation, the Cybersecurity Act 2.0 (CSA2), aimed at strengthening the EU’s resilience to digital threats and streamlining and harmonizing the rules applicable in the digital single market. A key element of the package is a proposed amendment to EU cybersecurity regulations, which aims to reduce regulatory fragmentation and increase the effectiveness of EU-wide actions.

Strengthening the security of ICT supply chains

The proposed changes focus on strengthening the security of ICT supply chains, including by expanding and harmonizing the rules for high-risk suppliers. The European Commission aims to make the rules in this area more binding and consistent across the EU, ending disputes over national interpretation and ensuring a level playing field. Under the proposal, the European Commission, rather than individual Member States, will determine which suppliers constitute a high risk, ensuring consistency across the EU. The designation of a high-risk supplier will therefore be regulated at the EU level.

Sectoral Scope of the New Regulations

The amendment will cover a total of 18 key sectors, including: mobile network operators, detection systems, autonomous vehicles, power plants and energy storage, water supply, drones and anti-drone systems, medical services, semiconductor production, and cloud computing services.

High-Risk Suppliers

The European Commission is proposing the possibility of excluding companies from outside the EU or owned by non-EU entities from the ICT market. The draft European Commission regulation assumes that mobile network operators will be given a maximum of 36 months during a transitional period to remove key ICT components from suppliers deemed high-risk.

For comparison, the amendment to the Act on the National Cybersecurity System signed by the President of the Republic of Poland, Karol Nawrocki, on February 19, 2026, generally provides for a four-year deadline for such actions by electronic communications companies whose annual revenue from telecommunications activities in the previous financial year exceeded PLN 10 million.

In the case of products, services, or processes acquired through public procurement before the date of the decision’s announcement, the entity designated as a high-risk supplier will be entitled to use these products, services, or processes for no longer than 7 years from the date of the decision’s announcement in the Official Journal of the Republic of Poland, “Monitor Polski.” For ICT products, ICT services, or ICT processes used to perform critical functions specified in Annex 3 to the Act, this period is no longer than 4 years from the date of the decision’s announcement.

ENISA’s Role

The European Union Agency for Cybersecurity (ENISA) is expected to play a significant role in the new model, with its mandate strengthened, particularly in supporting Member States in managing cybersecurity risks and responding to incidents.

Source: https://digital-strategy.ec.europa.eu/en/library/proposal-regulation-eu-cybersecurity-act