Cybersecurity Act 2: How the EU Plans to Extend the 5G Toolbox and Ban High-Risk ICT Vendors Across Critical Infrastructure

The European Commission intends to ban high-risk vendors, based on the “5G Toolbox” exclusion tool that ousted Huawei & ZTE from the European 5G market in 2020

Executive summary

On January 20, 2026 (exactly 1 year after Donald Trump was sworn in as the 47th President of the United States of America), the European Commission published its proposal for the Cybersecurity Act 2, marking a significant shift from voluntary guidance to binding EU-wide restrictions on foreign vendors deemed cybersecurity risks. This regulation extends the logic of the 2020 5G Toolbox to all critical infrastructure sectors under NIS2, creating a comprehensive exclusion mechanism for “high-risk suppliers”. Although not named directly, Chinese suppliers, along with suppliers from any other country the Commission may later designate, are the target of this proposed ban.

This ban option raises questions about whether European industry has the latent capacity to supply the cybersecurity market with suitable and agile alternatives, and about the legality of such a ban.

Before it becomes applicable, the proposed ban must go through the political adoption process, which may take several months. It will also raise questions from the European Parliament and the EU Council regarding non-technical exclusion criteria, such as extraterritorial legal reach and digital dependency.

10 points to understand and act on

1. Political context and trigger

The CSA2 proposal follows the precedent set by the 5G Toolbox (2020), which addressed concerns that Chinese vendors could pose security risks due to home-country laws and state influence. According to the document, the 2023 Commission progress report stated that “Huawei and ZTE pose a ‘materially higher risk’ than other 5G suppliers according to the Toolbox risk criteria”. In 2019, many European telcos had to remove Huawei and ZTE from their early 5G Radio Access Network deployments, creating strong pressure for large-scale deliveries from European vendors such as Nokia and Ericsson.

2. Who designates high-risk vendors?

CSA2 sets up a two-tier system at EU level:

  • Tier A — Third countries (Article 100): A country is deemed to be ‘posing cybersecurity concerns’ if the Commission assesses issues such as laws requiring vulnerability disclosure before public release, a lack of judicial remedies, incidents involving state-controlled threat actors, or a lack of cooperation with the EU or its Member States.
  • Tier B — Individual suppliers (Article 104): A supplier is identified as high-risk if it is established in a designated third country, is controlled by such a country, has an ownership structure assessed by the Commission as problematic, or fails to comply with information requests, which creates a ‘presumption of high-risk status’.

> Key difference from the 5G toolbox: Decision authority shifts from Member States to the Commission via implementing acts.

3. What does the proposed ban cover?

The prohibitions apply to ICT components from high-risk suppliers in “key ICT assets”:

  • For NIS2 essential and important entities:
    • Prohibition to use, install, or integrate ICT components from high-risk suppliers
  • For telecommunications networks:
    • Absolute prohibition for mobile, fixed, and satellite network providers
    • Providers cannot be granted general or individual authorization if using high-risk components
  • Additional exclusions:
    • EU public procurement for key ICT assets
    • All EU funding programmes (including next Multiannual Financial Framework)
    • EU cybersecurity certification (ECCF)
    • Becoming conformity assessment bodies
    • Providing EU cybersecurity skills attestations

The extraterritorial legal regimes of the USA, China and Russia that apply to European data (Cloud Act, Patriot Act, FISA) do not appear clearly as a criterion for exclusion. They are likely to emerge in the political debate as the CSA2 text is negotiated.

4. Geographic scope of the suggested ban

The suggested ban may apply across all 27 EU Member States uniformly. This is a fundamental shift from the 5G Toolbox, which allowed national discretion.

Sectoral scope covers all NIS2 critical sectors:

  • Energy
  • Transport
  • Banking
  • Healthcare
  • Digital infrastructure
  • Water supply
  • Space
  • Public administration
  • And other sectors listed in NIS2 Annexes I & II

Some Member States have extended the NIS2 scope to broader verticals.

The document notes that approximately 29,000 companies under NIS2 face new supply-chain security obligations.

5. Enterprise applicability

Enterprises are subject to the proposed ban if they fall under the NIS2 essential or important entity classifications.

According to the document, NIS2 entities must:

  • Assess and mitigate ICT supply-chain risks
  • Conduct vendor audits and diversification
  • Implement personnel vetting

The practical impact: enterprises in covered sectors must budget for mandatory phase-out of high-risk vendor equipment and factor certification requirements into procurement strategies.

6. When will the proposed ban apply?

Legislative timeline (projected):

  • Commission proposal: January 2026
  • Council position: Expected Q1 2026
  • Parliamentary amendments: Q1 2026
  • Trilogues: Q2 2026
  • Compromise text adoption: Expected end Q2 2026
  • Entry into force: Likely late 2026/early 2027

7. Political process for adoption

CSA2 follows the Ordinary Legislative Procedure:

  • Commission proposal (completed January 20, 2026)
  • European Parliament first reading and amendments
  • Council of the EU position
  • Trilogue negotiations between Parliament, Council, and Commission
  • Final adoption by both co-legislators
  • Publication in Official Journal
  • Entry into force (typically 20 days after publication)

As a Regulation, CSA2 will be directly applicable in all Member States without national transposition.

8. Has the 5G Toolbox triggered WTO legal action? Will the CSA2 open a discussion under WTO rules?

The 5G Toolbox (2020) is a soft-law coordination instrument; it recommends that Member States restrict “high-risk vendors” but does not itself impose bans, making it harder to attack directly at the WTO. Several Member States’ national bans or exclusions of Chinese 5G vendors have triggered political protests and threats of legal action from China and affected companies, but there is no public record of a formal WTO dispute settlement case specifically against the EU over the Toolbox or related 5G measures as of early 2026.

Cybersecurity Act 2 would centralise power at EU level: the Commission could designate high-risk suppliers Union-wide and impose mandatory phase-out and procurement exclusions for “key ICT assets”. Once such binding, EU-wide restrictions are adopted, China (or affected firms via state-to-state support) would have a clearer target if it decides to bring a WTO case, so the EU will need to keep measures tightly framed as proportional, risk-based security regulations to defend them under WTO rules.

9. Market implications

  • Demand shift: The document explicitly states that the binding exclusion “opens market share for European, US, and other ‘trusted’ equipment makers”.
  • Compliance costs: Increased demand for compliance tools, audits, and managed security services across 29,000 NIS2 entities.
  • Future scope: Cloud services and satellite technology may face similar risk assessments, “potentially affecting investments involving US hyperscalers (Microsoft, Google, Amazon).”

Given the current localisation of US-based investments in Europe (AWS and Google data centres built under local law and certified against Germany’s BSI C5 standard), it is clear that the main cybersecurity players will start relocating their efforts, maintaining their activities in Europe through multiple partnerships and capital moves.

10. Recommendations

Once Cybersecurity Act 2 reaches the final stage of the political process, and before its full implementation (Q2 2026?), here are the recommendations:

5 Key actions for enterprises today

  1. Conduct ICT asset inventory: Map all ICT components by vendor origin and ownership structure to identify potential high-risk supplier exposure in key assets.
  2. Assess NIS2 classification: Confirm whether your organisation qualifies as an essential or important entity under NIS2 Annexes I & II; this determines applicability.
  3. Develop vendor transition roadmap: Begin planning 36-month phase-out scenarios for any Chinese-origin equipment in critical network components.
  4. Budget for compliance: Allocate resources for supply-chain due diligence, vendor audits, and potential equipment replacement cycles.
  5. Monitor implementing acts: Track Commission publications on country designations and high-risk supplier lists to anticipate procurement restrictions.

5 Key Actions for vendors today

  1. Assess ownership structure: Evaluate whether corporate governance, beneficial ownership, or establishment location triggers high-risk designation criteria under Article 104.
  2. Engage in consultation process: Participate in any public consultations during the legislative process to advocate for exemption criteria or transition provisions.
  3. Pursue EU certification: Invest in European Cybersecurity Certification Framework (ECCF) compliance to position products as “cyber-secure by design.”
  4. Consider structural options: Evaluate feasibility of local production, European governance structures, or transparency measures that may mitigate designation risk.
  5. Diversify market exposure: Develop contingency strategies for potential loss of access to EU critical infrastructure markets representing 29,000+ entities.


Navigating the CSA V2 Ban: guide for IT users & Vendors


Sources: COM(2026) 11 final — Proposal for a Regulation on ENISA, the European cybersecurity certification framework, and ICT supply chain security (Cybersecurity Act 2), Strasbourg, 20.1.2026; accompanying Impact Assessment SWD(2026) 11; project document analysis.

Disclaimer: This analysis is based on the proposal text as of January 2026. Final adopted text may differ following trilogue negotiations.
