News

Read all our recent articles, client Alerts and Policy Briefings here below

by Patrick Mascott 16 February 2026
On 20 January 2026, the European Commission published a Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Cybersecurity (ENISA), the European cybersecurity certification framework, and ICT supply chain security and repealing Regulation (EU) 2019/881 (“The Cybersecurity Act 2”). The Cybersecurity Act 2 covers three key areas: 1) rules and organisational matters relating to ENISA; 2) the creation of European cybersecurity certification schemes to ensure an adequate cybersecurity level for ICT products, ICT services, ICT processes, managed security services and the cybersecurity posture of EU entities; and 3) rules relating to a trusted ICT supply chain framework. This Guide focuses on the trusted ICT supply chain framework and its potential impact on businesses. All references to Articles below refer to the Cybersecurity Act 2 unless stated otherwise. As this is only a proposal, the final obligations may differ.

Trusted ICT supply chain framework

The trusted ICT supply chain framework will offer a security mechanism at the EU level to tackle non-technical risks in sectors of high criticality and other critical sectors as referred to in Annex I and Annex II to the Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”). Non-technical risks are defined as the “likelihood of the supplier being subject to influence by a third country with the potential to cause loss or disruption of the service provided or to compromise the product manufactured by an entity or to lead to exfiltration of data, including for the purposes of espionage or revenue generation” (Article 2(42)). The framework aims to protect critical sectors from third-country influence by identifying key ICT assets in critical ICT supply chains and imposing mitigation measures where necessary.

Security risk assessments

The European Commission or a group of three or more EU Member States may request the NIS Cooperation Group to conduct an EU coordinated security risk assessment. In the event of a significant cyber threat, the European Commission may conduct a security risk assessment taking into account the consultation with the EU Member States (Articles 99(1) and 99(3)). The security risk assessment will encompass the proposed identification of key ICT assets, main threat actors, risks and vulnerabilities impacting such assets. It will also formulate risk scenarios and suggest mitigation measures (Articles 99(1) and 99(3)(b)).

Identification of key ICT assets

Where security risk assessments identify significant cybersecurity risks in relation to an ICT supply chain, the European Commission may adopt implementing acts identifying key ICT assets used by sectors of high criticality and other critical sectors under the NIS2 Directive to manufacture products or provide services (Article 102).

Mitigation measures in the ICT supply chain

The European Commission may adopt implementing acts prohibiting certain types of entities in sectors of high criticality and other critical sectors from using, installing or integrating ICT components from high-risk suppliers in key ICT assets (Article 103). A similar prohibition exists for providers of mobile, fixed and satellite electronic communications networks (Article 111(1)). The European Commission may oblige certain entities in sectors of high criticality and other critical sectors to implement mitigating measures in their ICT supply chain especially in relation to key ICT assets. These may include transparency requirements, prohibition on the transfer of data to third countries, audits, restrictions on contractual relations and diversification of ICT components supply (Article 103(2)).

Identification of high-risk suppliers and consequences of the listing

The European Commission will establish lists of high-risk suppliers that could be subject to the mitigation measures set out above. In assessing suppliers, the European Commission will investigate the place of establishment as well as the ownership and control structure (Article 104(4)). Listing may result in, amongst others, exclusion from EU public procurement procedures and EU funding programmes.

Designation of third countries posing cybersecurity concerns

The European Commission may designate third countries posing cybersecurity concerns to ICT supply chains. In doing so, it will take into account, amongst others, laws and practices in that third country that require entities in its jurisdiction to inform the authorities of software or hardware vulnerabilities before such vulnerabilities are known to have been exploited, and substantiated information concerning incidents involving threat actors controlled from, or conducting their operations from, that third country to carry out malicious cyber activities (Articles 100(1) and 100(2)). Entities established in, or controlled by entities from, the designated third country may request an exemption from the prohibitions imposed on entities from sectors of high criticality and other critical sectors on the use, installation or integration of their ICT components in key ICT assets, and from the prohibition on participation in public procurement procedures (Article 105(1)).

Penalties

Violation of the prohibition to use, install or integrate ICT components from high-risk suppliers could result in a fine of a maximum of 7% of the total worldwide annual turnover in the preceding financial year. Violation of mitigation measures could result in a fine of a maximum of 1-2% of the total worldwide annual turnover in the preceding financial year, depending on the measure concerned.

How it may impact businesses

Companies operating in sectors of high criticality and other critical sectors may face disruption in their ICT supply chain and increased costs if suppliers are listed as high-risk and/or the sourcing countries are designated, particularly where alternative ICT components are limited. In some cases, product or service redesign may be required. Subject to the final text, companies should consider mapping in-scope suppliers, reviewing contractual arrangements, and assessing data transfer and remote data processing practices to prepare mitigation strategies and compliance processes. ICT components suppliers from third countries may face restrictions on access to the EU market if listed as high-risk. Although the right to be heard and an exemption procedure exist, the process may be time-consuming.

The operational implications are likely to follow three main lines:

Supplier risk exposure: companies active in critical sectors will need to factor jurisdictional and ownership risk into vendor selection and supply-chain design.

Compliance integration: ICT due diligence will extend beyond technical assurance and certification into governance, legal-environment and control-structure assessments.

Supervisory enforcement: mitigation obligations adopted through implementing acts will feed into national oversight, with associated compliance and liability consequences (likely to lead to enforcement divergence).

In this sense, the trusted ICT supply chain framework illustrates how EU cybersecurity regulation is becoming structurally intertwined with questions of resilience, strategic autonomy and security of supply, a trajectory that is likely to shape both legislative negotiations and downstream compliance practice.

Next steps in the legislative process and indicative adoption timing

The Cybersecurity Act 2 is in the ordinary legislative procedure. As of early February 2026, the file has formally entered the Parliament’s preparatory phase, with technical examination ongoing in the Council. Adoption is currently expected in late 2026 or in 2027.

Trusted ICT supply chain framework – positioning within the Cybersecurity Act 2

The trusted ICT supply chain framework introduced in the Cybersecurity Act 2 adds a distinctly geopolitical and security-policy layer to EU cybersecurity law. Whilst the original Cybersecurity Act focused primarily on technical assurance and certification, the revision moves into risk governance linked to third-country exposure, supplier influence and systemic dependency in critical sectors. From a legal-policy perspective, the framework reflects a wider evolution in EU digital legislation: cybersecurity risk is no longer treated solely as a technical or resilience question, but increasingly as a matter of economic security and systemic dependency management.

The developing regime around high-risk supplier identification is particularly illustrative of this shift. Whilst the detailed listing mechanics and consequences are still being shaped legislatively, the EU’s approach makes clear that participation in sensitive ICT ecosystems may become contingent on security, governance and jurisdictional risk considerations, not only on technical performance or certification status.

More broadly, the framework signals that EU cybersecurity law is moving closer to the EU’s wider economic security agenda. Legislative instruments are increasingly designed to manage exposure to external influence, strategic dependencies and systemic vulnerabilities across critical sectors.

For information on how the Cybersecurity Act 2 could impact your business or economic operators in your country, please contact Yapa Thepkanjana at yapa.thepkanjana@acquislp.eu and Patrick Mascott at patrick.mascott@acquislp.eu.

by Patrick Mascott 20 January 2026
EU–US trade tensions and the anti-coercion instrument: a new risk scenario for economic operators
by Patrick Mascott 13 January 2026
Your Guide to CBAM: Implications for EU importers and non-EU producers (12 January 2026)

The EU’s Carbon Border Adjustment Mechanism (“CBAM”) has entered its definitive phase, fundamentally reshaping the regulatory framework governing imports of carbon-intensive goods into the European Union (“EU”). CBAM was established by Regulation (EU) 2023/956 of the European Parliament and of the Council of 10 May 2023 establishing a carbon border adjustment mechanism (“Regulation (EU) 2023/956”) and constitutes a central pillar of the EU’s climate policy under the European Green Deal. Its objectives are to prevent carbon leakage, incentivise decarbonisation in third countries, and ensure fair competition with EU producers subject to the EU Emissions Trading System (“ETS”). Unless otherwise stated, all references to Articles and Annexes below are to Regulation (EU) 2023/956.

Timeline and recent simplifications

CBAM entered into force on 17 May 2023. There was a transitional period from 1 October 2023 until 31 December 2025 during which EU importers’ obligations were limited to reporting requirements. The definitive CBAM regime, under which financial obligations, including the purchase and surrender of CBAM certificates, come into effect, applies from 1 January 2026 (Articles 32-35).

In October 2025, the EU adopted targeted amendments aimed at simplifying the implementation of CBAM. In particular, a single de minimis mass-based threshold of 50 tonnes of CBAM-covered goods per importer per calendar year was introduced. Importers below this threshold are exempt from CBAM obligations. However, this exemption does not apply to imports of electricity or hydrogen, which remain fully subject to CBAM regardless of volume (Article 2a).

Products covered and possible future expansion

CBAM currently applies to imports of goods listed in Annex I from six sectors, namely: cement; iron and steel; aluminium; fertilisers; electricity; and hydrogen.

On 17 December 2025, the European Commission proposed an expansion of the list of goods subject to CBAM, to include approximately 180 specific steel- and aluminium-intensive downstream products, such as industrial supply-chain components used in heavy machinery, as well as certain household goods as from 2028. Additional anti-circumvention measures to enhance CBAM effectiveness were also proposed by the European Commission, including targeted additional reporting obligations and requirements to provide additional evidence where there is a high risk of abusive practices.

Key legal obligations

EU importers must:

apply for and obtain the status of “authorised CBAM declarant” before importing CBAM-covered goods where: imports exceed 50 tonnes per calendar year; or any quantity of electricity or hydrogen is imported (Article 5). Under certain conditions, an indirect customs representative may act as an authorised CBAM declarant for an EU importer and will be subject to the obligations under Regulation (EU) 2023/956 applicable to that EU importer;

calculate and declare embedded greenhouse gas emissions. The first annual CBAM declaration must be submitted in 2027 for the calendar year 2026, and must be submitted by 30 September of each year for the preceding calendar year (Articles 6 and 7). If applicable, the declared total embedded emissions must be verified by an accredited verifier (Article 8);

maintain records of information required for the calculation of embedded emissions, including, if applicable, any reduction in the number of CBAM certificates claimed due to carbon price paid in a third country, for four years after the calendar year in which the CBAM declaration was submitted (Articles 7(5) and 9 and Annex V); and

purchase and surrender CBAM certificates corresponding to declared emissions. EU importers must surrender CBAM certificates via the CBAM registry by 30 September of each year, starting for the first time in 2027 for the year 2026. EU Member States will sell CBAM certificates through a common central platform as from 1 February 2027 (Articles 20 and 22).

Non-EU producers, whilst not directly subject to CBAM obligations, are essential to effective CBAM compliance in practice. They must calculate embedded emissions using EU-prescribed methodologies and provide accurate, complete and verifiable emissions data to EU importers.

Suggested actions for business operators

EU importers should: identify whether imported goods fall within Annex I and the relevant CN codes; determine whether imports exceed the 50-tonne threshold or involve electricity or hydrogen, triggering mandatory CBAM authorisation; apply for CBAM authorisation via the CBAM Registry (Article 5(3)); engage suppliers early to secure CBAM-compliant and verifiable emissions data; establish internal processes for reporting, record-keeping, and financial planning relating to CBAM certificate costs; and closely monitor CBAM-related developments, including legislative amendments and any potential future extension of scope under Regulation (EU) 2023/956.

Non-EU producers should: identify EU-bound products within the CBAM scope; implement systems to measure and document embedded emissions in line with EU rules; ensure emissions data are verifiable; and assess decarbonisation measures to reduce CBAM exposure and maintain EU market access.

For more information on how CBAM could impact your business or economic operators in your country, please contact Yapa Thepkanjana at yapa.thepkanjana@acquislp.eu.

by Mark Kakas 15 October 2024
Banks and other FIs must continuously refine their compliance measures to effectively detect and prevent any potential breaches.
by Mark Kakas 16 September 2024
Client Alert: EU General Court Judgments in Cases T-635/22 and T-644/22
Council reveals priorities for the next legislative cycle
by Mark Kakas 6 June 2024
The European Union (EU) has been at the forefront of the global push towards digital transformation, adopting a plethora of digital regulations aimed at fostering innovation, ensuring economic growth and competitiveness, and safeguarding fundamental rights. As we move into the next legislative cycle, the EU Council – under the leadership of the Belgian presidency – has outlined its main priorities in digital policy, emphasizing among others the importance of effective implementation, the need for a European approach to digital technologies, and alignment with sustainable objectives.

Prioritizing Digital Transformation

Digital transformation is a key driver of innovation, economic growth, and sustainability within the EU. But as Belgian Deputy Prime Minister Petra de Sutter stated, it must be balanced to ensure that this transformation benefits all citizens: “[it] must be grounded on a safe, inclusive, sustainable, and human-centric approach – one that upholds democracy and human rights”. Ms de Sutter highlighted the importance of every European citizen having the opportunity to develop essential digital skills and participate actively in the online world.

Mathieu Michel, Belgium’s Secretary of State for digitisation, meanwhile called for a “common European approach to innovative digital technologies striking the right balance between innovation, regulatory burden, and protection of the Union’s economic security”. He also emphasised digital skills and digital infrastructure as key components to achieving this digital transition.

Key Priorities for the Legislative Cycle

The Council has identified several main priorities for the upcoming legislative cycle:

Effective Implementation of Digital Regulations: The primary focus is on the “effective, coherent and efficient implementation” of recently adopted digital laws with minimal administrative burden for both public and private sectors. This includes laws such as the AI Act, Digital Services Act (DSA) and the Digital Markets Act (DMA), which aim to create a safer and more open digital space in the EU.

Common European Approach: The Council advocates for a unified approach to innovative digital technologies as a crucial element for enhancing the EU’s competitiveness and protecting its economic security. This approach must balance innovation with regulatory measures to ensure a dynamic and open economy.

Digital and Green Transition: The Council emphasizes the synergy between digital transformation and the green transition, advocating for ambitious sustainability objectives. This aligns with the EU’s broader goals of achieving climate neutrality and promoting sustainable development, as well as reducing its dependence on foreign fossil fuel imports.

Building Digital Skills and Bridging the Digital Divide: The Council explicitly refers to the importance of attracting and retaining a digitally skilled workforce, with a particular focus on increasing women’s participation in the tech sector. Bridging the digital divide is critical to ensuring that all citizens can benefit from digital advancements. This also means increasing the number of cybersecurity professionals in the EU. There is already a severe lack of cybersecurity professionals to meet the current demand, and with the demand set to increase exponentially in the coming years, a tangible strategy will need to be employed. The Council fails to outline how this will be achieved.

Ensuring Secure and Resilient Infrastructure: The need for secure and resilient digital infrastructure across the EU is paramount. This includes enhancing cybersecurity measures and ensuring the reliability of digital services, but also reducing dependencies on external chip manufacturers and investing in chip-producing technologies and companies within the EU.

International Dimension and Digital Partnerships: Strengthening digital partnerships and digital trade agreements is vital for the EU to play a proactive role globally in digital transformation and governance. The Council calls for a coordinated approach to enhance the EU’s influence in international digital policy. Using its influence to promote a rights-based approach to digital policy globally will help facilitate these partnerships without compromising the EU’s stated values.

Challenges and Opportunities

Implementing these digital regulations presents both challenges and opportunities. The complexity of harmonizing regulations across Member States, ensuring compliance, and adapting to rapid technological changes are significant hurdles. However, successful implementation can further strengthen the position of the EU as a global leader in digital innovation, providing a robust framework that other regions may follow. By prioritizing effective implementation, the EU hopes to ensure that its digital policies not only foster economic growth but also uphold the values of democracy, human rights, and sustainability, ultimately benefiting all its citizens.

The EU’s digital strategy aims to create a digital environment that fosters innovation, protects citizens’ rights, and ensures economic security. As the EU navigates the next legislative cycle, the focus on implementing these digital regulations will be crucial in achieving these goals and driving forward the digital transformation agenda. The Belgian Presidency has made clear its ambitions and focus on implementing the digital transition. However, with Hungary next in line for the Presidency, it is unclear what the focus will be under their stewardship and whether digital transformation will still be a priority.

by Mark Kakas 25 April 2024
On 12 April 2024, the Council adopted two key directives enhancing sanctions enforcement and implementation across the EU. The first directive on sanctions violations criminalisation (Directive (EU) 2018/1673) establishes an EU-wide definition of sanctions violation as a crime, setting minimum administrative and criminal penalties, while the second directive on asset recovery and confiscation lays down the minimum standards for tracing, identifying, freezing, confiscating, and managing criminal assets, applicable to various crimes, including EU sanctions violations. In our latest policy update, we provide an overview of the EU legislative process related to these directives, the most important measures they introduce, and outline key next steps regarding their implementation.

Background & Context

Following Russia’s full-scale invasion of Ukraine in February 2022, the EU imposed an unprecedented array of sectoral and individual sanctions against Russian individuals and entities. However, the implementation and the enforcement of these sanctions have posed great challenges for Member States, and for National Competent Authorities (NCAs). To date, EU sanctions regulations mandate Member States to enforce penalties deemed “effective, proportionate, and dissuasive” for infractions of restrictive measures and enforcement is mostly left in the hands of NCAs. While most of the Member States (including France, the Netherlands and Cyprus) treat sanctions violations as criminal offenses, two countries (Estonia and Slovakia) still consider them administrative offenses, and fourteen countries (including Germany, Austria and Belgium) allow for categorization depending on severity. Prison sentences and maximum fines for the violation of restrictive measures also vary widely from one Member State to another. This inconsistent framework has triggered the need for the harmonization at EU level brought forward by the new directive.

Regarding asset freeze and recovery in the EU, the high number of individuals and entities sanctioned in the past two years has put a strain on NCAs to trace and identify the assets belonging to listed persons. The 2018 adoption of the regulation concerning mutual recognition of freezing and confiscation orders laid the foundation for cross-border asset recovery within the EU, facilitating the freezing and confiscation of criminal assets across Member States. Building upon this framework, the new directive establishes minimum standards and aims to enhance the effectiveness of asset recovery efforts and strengthen enforcement measures across the EU. Below we outline the key measures introduced by the above-described EU directives.

Directive On the Definition of Criminal Offences and Penalties for the Violation of Union Restrictive Measures

The main elements of the EU Directive on Sanctions Violation Criminalization are the following:

Definition of Criminal Offenses: Deliberate breaches of EU restrictive measures are defined as criminal offenses. Such breaches include making funds available to sanctioned individuals and entities, failing to freeze assets of designated parties, enabling designated parties to enter or transit through EU territory, engaging in sanctioned transactions with third states, trading in sanctioned goods or services, conducting sanctioned financial transactions, circumventing EU restrictions, failing by a designated party to disclose funds to NCAs, and violating conditions of authorizations granted by NCAs. Incitement, aiding, and abetting also constitute offenses, while offenses committed with “serious negligence,” particularly those related to military or dual-use items listed by the EU, are criminalized as well.

Exemptions: Some breaches involving values under €10,000 are not defined as criminal offenses. These actions include making funds available to sanctioned parties, failing to freeze their assets, circumventing restrictions, transacting with third states, providing sanctioned services, or breaching conditions of an NCA-granted authorization for specific goods, services, or transactions.

Criminal Penalties for Natural Persons: The penalties introduced by the directive include imprisonment and fines, with specified minimum terms for serious offenses (e.g., a minimum of five years for severe violations involving substantial amounts or values).

Penalties for Legal Persons: Penalties for legal persons include both criminal and non-criminal fines. The fines are substantial, with a minimum level set at either a percentage of the legal person’s total worldwide turnover (up to 5%) or fixed amounts (up to EUR 40 million), depending on the severity of the offense.

Aggravating and Mitigating Circumstances: Circumstances that can aggravate (organised crimes, forging documents), or mitigate (cooperation with authorities) the penalties for offenses have also been defined by the directive.

Jurisdiction and Enforcement: Member States must establish jurisdiction over these offenses, including cases with cross-border elements. They are also expected to equip their authorities with effective tools for investigating violations, similar to those used against organized crime, and to collect and share statistical data on offenses to monitor and adjust enforcement practices as necessary.

Protection for Whistleblowers: Provides for the protection of individuals reporting violations of EU sanctions.

EU-Level Cooperation: Enhances the collaborative role of EU bodies in enforcing Union restrictive measures together with Member States’ NCAs. The Commission is expected to coordinate implementation and data exchange, Eurojust and Europol will support cross-border investigations and prosecutions, while the European Public Prosecutor’s Office (EPPO) will prosecute crimes affecting the EU’s financial interests.

Directive on Asset Recovery and Confiscation

The key provisions of the Directive are the following:

Tracing and Identification: The Directive establishes procedures for the tracing, identification, freezing, confiscation, and management of assets connected to a wide range of crimes, including the violation of EU sanctions.

Freezing and Confiscation: Authorizes the freezing and confiscation of assets derived from criminal activities.

Asset Recovery Offices: Mandates the establishment of asset recovery offices in Member States to facilitate cross-border cooperation and asset management.

Asset Management: Requires the management of frozen and confiscated assets to preserve their value until they can be legally disposed of.

Cross-Border Cooperation: Enhances the mechanisms for cross-border cooperation among Member States and with third countries to improve the tracing, freezing, and confiscation of assets.

Legal Framework: Updates and expands the existing legal framework to cover a wider range of crimes and integrates new procedures for asset recovery.

Victims’ Rights: Ensures that victims’ rights to compensation and restitution are considered in asset recovery processes.

Use of Confiscated Assets: Encourages Member States to use confiscated assets for social or public interest purposes, enhancing the societal impact of confiscation measures.

How will the Directives change the existing EU policy framework?

Once implemented by Member States, the directive on the criminalisation of sanctions violation will ensure that offences are met with appropriate and harmonized penalties across the EU, while enhancing the investigative powers of NCAs, and improving supranational collaboration and the prosecution of cross-border offences. The rules on asset recovery and confiscation measures will also contribute to the effective implementation of EU sanctions, as they will apply to sanctions violations offences which will be harmoniously criminalized across EU Member States, and boost NCAs’ capacities to trace and identify the criminal assets of sanctioned parties.

Next Steps

Both Directives will enter into force on the twentieth day following their publication in the Official Journal of the EU. To incorporate the provisions into their national legislation, Member States will have 12 months for the Directive on criminalisation of sanctions violations, and 30 months for the Directive on asset recovery and confiscation.

EU & US Sanctions Alert: new and expected measures
by Mark Kakas 26 February 2024
Commission Proposes New FDI Regulation
by Mark Kakas 12 February 2024
Commission Publishes White Paper on Export Controls
by Mark Kakas 30 January 2024