Europe Strengthens Defense Against Cyber Threats with New Supply Chain Security Framework
Brussels, Friday, 13 February 2026.
The European Union has adopted a comprehensive ICT Supply Chain Security Toolbox that standardizes how member states identify and mitigate cybersecurity risks across critical technology infrastructure. This framework specifically targets high-risk suppliers like Huawei and ZTE, requiring telecommunications companies to phase out equipment from blacklisted vendors within three years. The toolbox covers 18 critical industries and could save businesses up to €15 billion over five years through streamlined compliance, while the one-time replacement cost for risky equipment is estimated at €3.4-4.3 billion across the EU.
Comprehensive Framework Targets Critical Infrastructure Security
The NIS Cooperation Group officially adopted the EU ICT Supply Chain Security Toolbox on February 12, 2026, following development by Member States with support from the European Commission and the EU Agency for Cybersecurity (ENISA) [1]. This non-binding framework provides standardized approaches to identify, assess, and mitigate cybersecurity risks across ICT supply chains, aligning with the NIS2 Directive’s Article 22 to support Union-level coordinated security risk assessments [1]. The toolbox development followed EU Council Conclusions on ICT supply chain security from 2022 and will undergo review after one year of application in 2027 [1].
Expanded Coverage Across 18 Critical Industries
The framework applies to 27 EU Member States, Iceland, Liechtenstein, Norway, and Switzerland, covering 18 industries aligned with the NIS 2 Directive [6]. These are split into 11 industries of High Criticality—Energy, Transport, Banking, Financial Market Infrastructures, Health, Drinking Water, Waste Water, Digital Infrastructure, Public Administration, Space, and Telecommunications—and 7 Other Critical industries including Postal and Courier Services, Waste Management, Chemicals, Food, Manufacturing, Digital Providers, and Research [6]. The comprehensive scope reflects the interconnected nature of modern digital infrastructure and the cascading risks that supply chain vulnerabilities can create across multiple sectors [GPT].
Targeted Risk Assessments Address Emerging Threats
Alongside the toolbox adoption, the NIS Cooperation Group approved two specific security risk assessments focusing on connected and automated vehicles (CAVs) and detection equipment used at EU border crossing points [1]. The CAVs assessment highlights significant cybersecurity risks, noting that these vehicles can process sensitive data and potentially be weaponized [1]. The detection equipment assessment addresses critical infrastructure vulnerabilities, highlighting that compromised equipment can be controlled remotely or exploited, with the market dominated by non-EU manufacturers facing shortcomings in diversification, equipment availability, and infrastructure security [1].
High-Risk Suppliers Face Systematic Phase-Out Requirements
The framework specifically targets high-risk suppliers, with European Commission Vice President Henna Virkkunen identifying Huawei and ZTE as presenting “materially higher risks compared with other suppliers” [5]. The revised Cybersecurity Act, proposed on January 20, 2026, prohibits electronic communications network providers from using ICT components from high-risk suppliers, with mobile networks required to phase out these components within 36 months of the high-risk supplier list publication [3][5]. As of early 2026, approximately 30% of installed equipment in the covered territories comes from high-risk suppliers, with the largest concentrations in Germany, Italy, and Spain [6].
Significant Financial Impact and Implementation Timeline
The European Commission estimates the one-time cost to replace non-upgradeable equipment from high-risk suppliers at €3.4-4.3 billion, translating to €6.5-8.3 per mobile subscriber over three years if costs are passed to consumers [6]. However, the EU Commission anticipates up to €15.3 billion in cost savings for businesses over five years through streamlined compliance [6]. Germany, Italy, and Spain account for over 55% of the equipment requiring replacement in the next five years, with Vodafone being 100% reliant on Huawei in the Czech Republic, Greece, Hungary, and Romania [6]. The proposal will likely take 1 to 1.5 years to be adopted, after which telecommunications companies will have three years to implement the new rules [6].
Sources
- digital-strategy.ec.europa.eu
- digital-strategy.ec.europa.eu
- accesspartnership.com
- bisi.org.uk
- bisi.org.uk
- strandconsult.dk
- www.cna.org.cy