Revising the EU’s Cybersecurity Act

The EC aims to make vendor restrictions in the mobile industry binding across all Member States, with an eye towards also derisking fixed and satellite supply chains

The EC seeks to reduce fragmentation and complexity through a revised Cybersecurity Act and NIS2 Directive

On 20 January 2026, the EC set out a package of reforms on cybersecurity, including its proposal to revise the EU’s Cybersecurity Act (CSA) to increase resilience and reduce fragmentation among Member States. The package also includes targeted amendments to the NIS2 Directive, aimed at providing greater legal clarity, as well as measures that respond to changes in cybersecurity reporting processes proposed in the Digital Omnibus. In introducing its proposed legislative changes, the EC describes how the cybersecurity landscape has changed vastly since the CSA was first passed in 2019. The EC also points to the recommendations made in the Draghi Report on reducing dependencies on foreign firms in key sectors as a cause for action. Both the amendments to the act and the NIS2 Directive are subject to approval from the Council of the EU and the European Parliament, after which Member States will have one year to implement any new measures.

In three of four areas, the EC has settled for a moderate legislative intervention that respects Member States' national authorities

The EC grounds its proposals in four core problems that have arisen or worsened in the years since the adoption of the CSA: 

  1. Misalignment between EU cybersecurity policy and stakeholders’ needs in an increasingly hostile threat landscape;

  2. Lack of progress in the implementation of the European Cybersecurity Certification Framework (ECCF);

  3. Complexity in the EU’s overlapping cybersecurity framework; and

  4. Increasing risks in ICT supply chains.

For each issue, the EC offers a series of proposals of varying levels of intervention to address the overarching concerns of fragmentation and worsening threats. For each of the first three problems identified, the moderate intervention was identified as the preferred option, including: reforming the mandate of the European Union Agency for Cybersecurity (ENISA) without centralising NIS2 enforcement at the EU level; reforming the ECCF without introducing mandatory certification; and making targeted amendments to relevant legislation without overruling all sectoral legislation containing cybersecurity measures.

Frustration with a lack of action on the 5G Security Toolbox could bring EU-wide binding vendor restrictions

The EC’s proposed path to derisking ICT supply chains, however, reflects a frustration with the slow pace of implementation of recommendations made via the 5G Cybersecurity Toolbox in 2020. Under the revised CSA, exclusions of so-called “high-risk suppliers” (as laid out in the toolbox) would become mandatory across the bloc and extend beyond the mobile sector through a “horizontal, technology and sector-neutral” regulatory framework. As Henna Virkkunen (EVP for Tech Sovereignty, Security and Democracy, EC) laid out in a press conference introducing the package, the EC was compelled to consider binding vendor restrictions after Member States failed to act in response to the toolbox. Operators would be required to “rip and replace” network components from high-risk vendors, likely to include Huawei and ZTE (though they are not named explicitly in the proposal), within three years of the revised CSA entering into force. The EC will also carry out risk assessments for the fixed and satellite sectors, which could lead to vendor restrictions or other security-focused interventions. According to our Cybersecurity Tracker, 17 EU Member States have already implemented some form of vendor restriction, meaning a further 10 would be required to follow suit. No Member State has so far offered public funding to support operators in weathering the costs of rip-and-replace programmes, unlike the US Government, which has made nearly $5bn (£3.7bn) available to operators to effect its chosen restrictions.