CSA 2.0

Proposal to amend Regulation (EU) 2019/881 (Cybersecurity Act)

COM(2026) 11Proposed — Proposed 20 January 2026

The proposed Cybersecurity Act 2.0 expands the original Cybersecurity Act with a focus on ICT supply chain security, high-risk third-country supplier restrictions, expanded EUCS certification, and enhanced ENISA powers. It introduces mandatory security assessments for key ICT assets and restricts high-risk suppliers from standardisation and certification activities.

150+

Projected Articles

50K+

Organizations Affected

27+EEA

Member States

2027-28

Expected

Implementation Timeline

20 January 2026

Commission proposes CSA 2.0 (COM(2026) 11)

Q1 2026

European Parliament and Council begin legislative procedure

2026-2027

Trilogue negotiations (projected)

2027-2028

Expected implementation phase (projected)

Who's In Scope

ICT Product/Service Manufacturers

Software vendors
Hardware manufacturers
Cloud service providers
Managed security service providers
Telecommunications equipment makers

Key ICT Asset Operators

Telecommunications operators
Energy grid operators
Financial market infrastructure
Healthcare system operators
Critical government IT systems

Certification & Conformity Bodies

Cybersecurity auditors
Notified bodies
EU standardisation bodies (CEN/CENELEC)
Authorized attestation activities

Key Requirements

Art. 98-112 (projected)

ICT Supply Chain Security

Identification of key ICT assets by Commission risk assessments, designation of high-risk supplier countries, restrictions on high-risk suppliers in key asset procurement, supplier diversification mandates.

Art. 104-108 (projected)

High-Risk Supplier Restrictions

Exclusion from EU standardisation work, cybersecurity certification functions, public procurement for key ICT assets, restrictions on sensitive data transfers.

Art. 20-40 (projected)

Certification Expansion

EUCS elevated from voluntary to compliance instrument, 5G certification scheme expansion, organizational cybersecurity posture certification, simplified SME processes.

Art. 50-65 (projected)

Secure-by-Design Requirements

Security-by-design principles for ICT products, vulnerability disclosure and patching timelines, testing and validation requirements, manufacturer liability for security design failures.

Penalties & Enforcement

Supply Chain Non-Compliance

EUR 10 million or 2-3% turnover (est.)

High-risk supplier usage, failure to implement mitigation measures

Certification Non-Conformity

EUR 5-10 million or 1-2% turnover (est.)

Inaccurate certification, false conformity declarations

Vulnerable Product Distribution

EUR 5-20 million or 2-5% turnover (est.)

Distribution with known vulnerabilities, failure to patch

How Orizon Can Help

Fractional & Virtual CISO

We provide structured preparation and compliance support for CSA 2.0.

Learn more

Official Sources

Assess Your Readiness

Schedule a consultation with our regulatory experts to assess your CSA 2.0 compliance posture and build a practical roadmap.

Get Started