The Commission Unveils the New Cybersecurity Act

On 20 January, the European Commission unveiled a proposal for the new Cybersecurity Act, signaling a switch in how the Union views the digital component of its economy. While the original 2019 Cybersecurity Act was characterised by a focus on softer measures, including voluntary certification schemes and the institutional strengthening of the European Agency for Cybersecurity, this revised version is a far more assertive legislative instrument. It marks the moment where the European Union formally transitions to viewing cybersecurity as a fundamental part of its sovereignty.

The logic behind the new CSA proposal is rooted in the structural shifts identified in Mario Draghi’s 2024 report on European competitiveness. The central premise is that, in today’s fragmented geopolitical reality, cybersecurity is a primary component of economic security and industrial policy rather than a mere technical requirement for the internal market. By repealing Regulation 2019/881 and introducing a more rigorous framework, the Commission will try to address the security-dependency paradox – the reality that Europe cannot be technologically competitive if its critical infrastructure remains dependent on high-risk foreign vendors.

The Failure of Voluntary Rules 

Since 2019, the EU has had a “5G toolbox” created to help countries identify and exclude high-risk vendors. However, by late 2025, only about a third of Member States had actually taken significant steps to restrict high-risk hardware.

The Commission has realised that as long as security is left entirely to individual nations, the single market remains a collection of 27 different weak links. This fragmentation is the problem the proposal wants to solve. If it is passed, the act will centralise power in Brussels to ensure that a ban in Paris is also a ban in Warsaw and Lisbon.

ENISA Gets More Authority 

The most immediate change is the structural change of the EU Agency for Cybersecurity. In the past, ENISA was helpful in providing advice and expertise. Under this proposed legislation, it becomes a centralised watchtower.

ENISA is being granted the authority to conduct strategic reviews of supply chains. This means the agency will proactively search for vulnerabilities in the corporate structure of the vendors themselves. If a company is too close to a third-country government or lacks transparency in its ownership, ENISA will provide the technical evidence for the Commission to make a decision.

Who Should Watch Out? 

The impact of this Act will be felt most acutely in three sectors. 

Telecom: The CSA II codifies a mandatory phase-out of high-risk equipment. For operators heavily invested in Chinese legacy hardware, this is a problem worth several billion euros. The transition window (likely 3–5 years) will be a race against time to replace core infrastructure without crashing the network. 

Solar and energy: Solar inverters are increasingly tied to high-risk suppliers. The new Cybersecurity Act signals that energy security is now also a part of cybersecurity.

Cloud providers: To get the highest security certification, services will possibly need to be operated and maintained within the EU, which could lock out major American players from some critical contracts. 

The Battle for Sovereignty 

This is where the Act might face the biggest political resistance. The Commission is using Article 114 of the Treaty (internal market) as its legal base. By framing cybersecurity as a trade and market issue, it is trying to limit Member States’ traditional right to set their own national security rules.

The proposal also includes a maximum harmonisation clause. This effectively says that once the Commission issues a security rule, a Member State cannot add its own extra requirements (as was the case in the past). It is likely that some countries will regard this as a power grab. Serious debates in the European Council are expected, where nations may resist losing control over their infrastructure choices. 

What Happens Next? 

With the Commission’s release of the Cybersecurity Act II, the proposal now enters the legislative procedure. This means that the Act will be subject to public political debate that will last for approximately 12-18 months. 

First of all, the law moves to the European Parliament, where a designated MEP (rapporteur) will lead the drafting of amendments. At the same time, the national experts in the Council of the EU will also examine the text. The maximum harmonisation clause is expected to be a point of disagreement here, as Member States will weigh the benefit of having a unified market against the risk of losing control over their country’s security infrastructure.

Once both the Council and the Parliament reach their own general approach, they will enter the trilogue. This is a series of negotiations between the Commission, the Council, and the Parliament. The specific articles and timelines might be changed in this process. If the political deal is struck in the trilogue, the law needs to be officially confirmed by the plenary vote in the Parliament and the vote in the Council. Since this is a Regulation, it will apply directly to all Member States, with no need for internal implementation, securing a unified approach to the issues addressed in the Act across the board.

For vendors and other companies involved, the advice is simple – the time to audit the supply chain is now. Waiting for the official high-risk list might be too big a risk. If the company’s tech backbone relies on vendors from non-democratic jurisdictions, the company is in all likelihood at risk of being forced to change the infrastructure. It is also important to watch out for amendments to the other cybersecurity-related Acts in the immediate future, such as the NIS II act.