Smart and reliable legal services

Unparalleled legal solutions for clients around the world

ACQUIS is a European law firm offering integrated legal and government affairs services

We provide comprehensive solutions tailored to meet the unique needs of our clients. Led by experienced partners, our international team of lawyers, compliance experts and government affairs specialists is equipped to navigate the complexities of European and International law, ensuring effective representation and advocacy.


At ACQUIS, we recognize the importance of integrating legal and government affairs strategies to achieve optimal outcomes. Whether you require expert legal counsel, court representation, government relations expertise, policy advocacy, or stakeholder engagement, we have the knowledge and skills to guide you through the intricate workings of European and International law in order to help you make informed decisions.

More About Us

Our Services

News & Client Alerts

by Yapa Thepkanjana and Patrick Mascott 16 February 2026
On 20 January 2026, the European Commission published a Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security and repealing Regulation (EU) 2019/881 (“The Cybersecurity Act 2”). The Cybersecurity Act 2 covers three key areas: 1) rules and organisation matters relating to ENISA; 2) the creation of European cybersecurity certification schemes to ensure an adequate cybersecurity level for ICT products, ICT services, ICT processes, managed security services and the cybersecurity posture of EU entities; and 3) rules relating to a trusted ICT supply chain framework. This Guide focuses on the trusted ICT supply chain framework and its potential impact on businesses. All references to Articles below refer to the Cybersecurity Act 2 unless stated otherwise. As this is only a proposal, the final obligations may differ.

Trusted ICT supply chain framework

The trusted ICT supply chain framework will offer a security mechanism at the EU level to tackle non-technical risks in sectors of high criticality and other critical sectors as referred to in Annex I and Annex II to the Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”). Non-technical risks are defined as the “likelihood of the supplier being subject to influence by a third country with the potential to cause loss or disruption of the service provided or to compromise the product manufactured by an entity or to lead to exfiltration of data, including for the purposes of espionage or revenue generation”. (Article 2(42)) The framework aims to protect critical sectors from third-country influence by identifying key ICT assets in critical ICT supply chains and imposing mitigation measures where necessary.
Security risk assessments

The European Commission or a group of three or more EU Member States may request the NIS Cooperation Group to conduct an EU coordinated security risk assessment. In the event of a significant cyber threat, the European Commission may conduct a security risk assessment taking into account the consultation with the EU Member States. (Articles 99(1) and 99(3)) The security risk assessment will encompass the proposed identification of key ICT assets, main threat actors, risks and vulnerabilities impacting such assets. It will also formulate risk scenarios and suggest mitigation measures. (Articles 99(1) and 99(3)(b))

Identification of key ICT assets

Where security risk assessments identify significant cybersecurity risks in relation to an ICT supply chain, the European Commission may adopt implementing acts identifying key ICT assets used by sectors of high criticality and other critical sectors under the NIS2 Directive to manufacture products or provide services (Article 102).

Mitigation measures in the ICT supply chain

The European Commission may adopt implementing acts prohibiting certain types of entities in sectors of high criticality and other critical sectors from using, installing or integrating ICT components from high-risk suppliers in key ICT assets (Article 103). A similar prohibition exists for providers of mobile, fixed and satellite electronic communications networks (Article 111(1)). The European Commission may oblige certain entities in sectors of high criticality and other critical sectors to implement mitigating measures in their ICT supply chain, especially in relation to key ICT assets. These may include transparency requirements, prohibition on the transfer of data to third countries, audits, restrictions on contractual relations and diversification of ICT components supply (Article 103(2)).
Identification of high-risk suppliers and consequences of the listing

The European Commission will establish lists of high-risk suppliers that could be subject to mitigation measures provided above. In assessing suppliers, the European Commission will investigate the place of establishment as well as the ownership and control structure (Article 104(4)). Listing may result in, amongst others, exclusion from EU public procurement procedures and EU funding programmes.

Designation of third countries posing cybersecurity concerns

The European Commission may designate third countries posing cybersecurity concerns to ICT supply chains. In doing so, it will take into account, amongst others, laws and practices in such third country that require entities in their jurisdiction to inform the authorities of software or hardware vulnerabilities before such vulnerabilities are known to have been exploited, substantiated information concerning incidents of threat actors controlled from such third country or conducting its operations from that third country to implement malicious cyber activities. (Articles 100(1) and 100(2)) Entities established in or controlled by entities from the designated third country may request an exemption from being subject to the prohibitions imposed on entities from sectors of high criticality and other critical sectors on the use, installation or integration of its ICT components in key ICT assets and from being subject to the prohibition on participation in public procurement procedures. (Article 105(1))

Penalties

Violation of the prohibition to use, install or integrate ICT components from high-risk suppliers could result in a fine of a maximum of 7% of the total worldwide annual turnover in the preceding financial year. Violation of mitigation measures could result in a fine of a maximum of 1-2% of the total worldwide annual turnover in the preceding financial year, depending on the measure concerned.
How it may impact businesses

Companies operating in sectors of high criticality and other critical sectors may face disruption in their ICT supply chain and increased costs if suppliers are listed as high-risk and/or the sourcing countries are designated, particularly where alternative ICT components are limited. In some cases, product or service redesign may be required. Subject to the final text, companies should consider mapping in-scope suppliers, reviewing contractual arrangements, and assessing data transfer and remote data processing practices to prepare mitigation strategies and compliance processes. ICT components suppliers from third countries may face restrictions on access to the EU market if listed as high-risk. Although the right to be heard and exemption procedure exist, the process may be time-consuming.

The operational implications are likely to follow three main lines:

Supplier risk exposure: companies active in critical sectors will need to factor jurisdictional and ownership risk into vendor selection and supply-chain design.

Compliance integration: ICT due diligence will extend beyond technical assurance and certification into governance, legal-environment and control-structure assessments.

Supervisory enforcement: mitigation obligations adopted through implementing acts will feed into national oversight, with associated compliance and liability consequences (likely to lead to enforcement divergence).

In this sense, the trusted ICT supply chain framework illustrates how EU cybersecurity regulation is becoming structurally intertwined with questions of resilience, strategic autonomy and security of supply, a trajectory that is likely to shape both legislative negotiations and downstream compliance practice.

Next steps in the legislative process and indicative adoption timing

The Cybersecurity Act 2 is in the ordinary legislative procedure.
As of early February 2026, the file has formally entered the Parliament’s preparatory phase, with technical examination ongoing in the Council. Adoption is currently expected in late 2026 or in 2027.

Trusted ICT supply chain framework – positioning within the Cybersecurity Act 2

The trusted ICT supply chain framework introduced in the Cybersecurity Act 2 adds a distinctly geopolitical and security-policy layer to EU cybersecurity law. Whilst the original Cybersecurity Act focused primarily on technical assurance and certification, the revision moves into risk governance linked to third-country exposure, supplier influence and systemic dependency in critical sectors. From a legal-policy perspective, the framework reflects a wider evolution in EU digital legislation: cybersecurity risk is no longer treated solely as a technical or resilience question, but increasingly as a matter of economic security and systemic dependency management.

The developing regime around high-risk supplier identification is particularly illustrative of this shift. Whilst the detailed listing mechanics and consequences are still being shaped legislatively, the EU’s approach makes clear that participation in sensitive ICT ecosystems may become contingent on security, governance and jurisdictional risk considerations, not only on technical performance or certification status. More broadly, the framework signals that EU cybersecurity law is moving closer to the EU’s wider economic security agenda. Legislative instruments are increasingly designed to manage exposure to external influence, strategic dependencies and systemic vulnerabilities across critical sectors.

For information on how the Cybersecurity Act 2 could impact your business or economic operators in your country, please contact Yapa Thepkanjana at yapa.thepkanjana@acquislp.eu and Patrick Mascott at patrick.mascott@acquislp.eu.
by Patrick Mascott 20 January 2026
EU–US trade tensions and the anti-coercion instrument: a new risk scenario for economic operators
by Patrick Mascott 13 January 2026
Your Guide to CBAM: Implications for EU importers and non-EU producers (12 January 2026)

The EU’s Carbon Border Adjustment Mechanism (“CBAM”) has entered its definitive phase, fundamentally reshaping the regulatory framework governing imports of carbon-intensive goods into the European Union (“EU”). CBAM was established by Regulation (EU) 2023/956 of the European Parliament and of the Council of 10 May 2023 establishing a carbon border adjustment mechanism (“Regulation (EU) 2023/956”) and constitutes a central pillar of the EU’s climate policy under the European Green Deal. Its objectives are to prevent carbon leakage, incentivise decarbonisation in third countries, and ensure fair competition with EU producers subject to the EU Emissions Trading System (“ETS”). Unless otherwise stated, all references to Articles and Annexes below are to Regulation (EU) 2023/956.

Timeline and recent simplifications

CBAM entered into force on 17 May 2023. There was a transitional period from 1 October 2023 until 31 December 2025 during which EU importers’ obligations were limited to reporting requirements. The definitive CBAM regime, under which financial obligations, including the purchase and surrender of CBAM certificates, come into effect, applies from 1 January 2026 (Articles 32-35). In October 2025, the EU adopted targeted amendments aimed at simplifying the implementation of CBAM. In particular, a single de minimis mass-based threshold of 50 tonnes of CBAM-covered goods per importer per calendar year was introduced. Importers below this threshold are exempt from CBAM obligations. However, this exemption does not apply to imports of electricity or hydrogen, which remain fully subject to CBAM regardless of volume (Article 2a).

Products covered and possible future expansion

CBAM currently applies to imports of goods listed in Annex I from six sectors, namely: cement; iron and steel; aluminium; fertilisers; electricity; and hydrogen.
On 17 December 2025, the European Commission proposed an expansion of the list of goods subject to CBAM, to include approximately 180 specific steel- and aluminium-intensive downstream products, such as industrial supply-chain components used in heavy machinery, as well as certain household goods as from 2028. Additional anti-circumvention measures to enhance CBAM effectiveness were also proposed by the European Commission, including targeted additional reporting obligations and requirements to provide additional evidence where there is a high risk of abusive practices.

Key legal obligations

EU importers must:

apply for and obtain the status of “authorised CBAM declarant” before importing CBAM-covered goods where: imports exceed 50 tonnes per calendar year; or any quantity of electricity or hydrogen is imported (Article 5). Under certain conditions, an indirect customs representative may act as an authorised CBAM declarant for an EU importer and will be subject to the obligations under Regulation (EU) 2023/956 applicable to that EU importer;

calculate and declare embedded greenhouse gas emissions. The first annual CBAM declaration must be submitted in 2027 for the calendar year 2026, and must be submitted by 30 September of each year for the preceding calendar year. (Articles 6 and 7) If applicable, the declared total embedded emissions must be verified by an accredited verifier (Article 8);

maintain records of information required for the calculation of embedded emissions, including, if applicable, any reduction in the number of CBAM certificates claimed due to carbon price paid in a third country, for four years after the calendar year in which the CBAM declaration was submitted (Articles 7(5) and 9 and Annex V); and

purchase and surrender CBAM certificates corresponding to declared emissions. EU Importers must surrender CBAM certificates via the CBAM registry by 30 September of each year, starting for the first time in 2027 for the year 2026.
EU Member States will sell CBAM certificates through a common central platform as from 1 February 2027 (Articles 20 and 22).

Non-EU producers, whilst not directly subject to CBAM obligations, are essential to effective CBAM compliance in practice. They must calculate embedded emissions using EU-prescribed methodologies and provide accurate, complete and verifiable emissions data to EU importers.

Suggested actions for business operators

EU importers should:

identify whether imported goods fall within Annex I and the relevant CN codes;

determine whether imports exceed the 50-tonne threshold or involve electricity or hydrogen, triggering mandatory CBAM authorisation;

apply for CBAM authorisation via the CBAM Registry (Article 5(3));

engage suppliers early to secure CBAM-compliant and verifiable emissions data;

establish internal processes for reporting, record-keeping, and financial planning relating to CBAM certificate costs; and

closely monitor CBAM-related developments, including legislative amendments and any potential future extension of scope under Regulation (EU) 2023/956.

Non-EU producers should:

identify EU-bound products within the CBAM scope;

implement systems to measure and document embedded emissions in line with EU rules;

ensure emissions data are verifiable; and

assess decarbonisation measures to reduce CBAM exposure and maintain EU market access.

For more information on how CBAM could impact your business or economic operators in your country, please contact Yapa Thepkanjana at yapa.thepkanjana@acquislp.eu.
by Patrick Mascott 6 January 2026
ACQUIS New Team Member
Looking for resourceful trusted advisors?

Personalized solutions tailored for unique & complex needs

Contact us for more information