The Cybersecurity Act V2 (CSA V2), expected to be fully implemented by 2027, will fundamentally change how European organizations manage their ICT supply chains. For CISOs, this means mandatory vendor risk assessments must include ownership structure and country-of-origin analysis, not just technical security controls.
Starting in 2027, organizations classified as essential or important under NIS2 will be prohibited from using ICT components from designated high-risk suppliers in critical infrastructure. Mobile network operators have 36 months to replace affected equipment; other sectors will follow.
The immediate impact: procurement processes need updating, existing vendor relationships require auditing, and replacement roadmaps must be developed. Organizations with significant exposure to potentially affected suppliers (currently ~32% of 5G infrastructure in the EU) face substantial transition costs.
CISOs should act now: map your supply chain exposure, implement enhanced vendor due diligence incorporating non-technical risk factors, and align replacement cycles with the transition timeline. Early preparation minimizes disruption and positions your organization ahead of mandatory compliance deadlines.
Recommended advisory: PAC Leadership Session – Cybersecurity Compliance
SHARE :
This report aims to provide an overview of how AI is being used to increase supply chain resilience. First, we will provide an overview of ...
Event Date : September 12, 2022
This document provides market volumes, growth rates and forecasts for Smart Government & Cities for the 2021-2027 period.
Event Date : October 10, 2023
This short vendor profile provides a quick overview of the local portfolio and performance of Cozumevi in Turkey. We analyze the background, top ...
Event Date : June 05, 2024
PAC has evaluated 20 service providers delivering ServiceNow-related IT services in Europe
Event Date : February 12, 2025
This Excel document positions and ranks the leading AI (Artificial Intelligence) IT Services providers in the UK.
Event Date : November 01, 2024
Europe Considers Banning High-Risk Cybersecurity Vendors in 2027 – InBrief Analysis
Market Reports February 20, 2026 NEW 
Cognizant - Figures - US – FY 31-Dec-2025
Datamart February 20, 2026 NEW
Cognizant - Vendor Profile - US
Vendor Profile February 20, 2026 NEW
IT Security by Segments - Market Figures - Germany
Datamart February 19, 2026 NEW
Google - Figures - US – FY 31-Dec-2025
Datamart February 19, 2026 NEW
Atos: Cause for Optimism, Despite the Headlines
Blog Post February 05, 2024
Stop Retrofitting the Future: Why Agentic AI Forces an Operating Model Reset
Blog Post February 20, 2026
From SaaS Sprawl to AI Control? Hexaware’s Zero License Aims to Disrupt the Economics of Software
Blog Post February 19, 2026
Thales S3NS Google Summit 2026: the trusted Cloud shifts to scale
Blog Post February 19, 2026
Part 4: From Vision to Roadmap – Creating a Strategic IAM Program
Blog Post February 17, 2026
Part 3: IAM Across Industries – Business-Specific Challenges and Priorities
Blog Post February 09, 2026
