Cyber Security Act 2

Seven years after the original Cybersecurity Act, the EU is ready for version 2.0. CSA2 brings mandatory supply chain security measures, stronger ENISA capabilities, and the ability to force the removal of high-risk components from critical infrastructure — even retroactively.

CSA2 is here, and it's not just an update — it's a reset. The European Commission's January 2026 proposal tackles supply chain risks head-on, with new powers to ban high-risk vendors from 5G networks and critical sectors, a reinforced ENISA, and a certification framework that finally moves beyond voluntary adoption.