2026-04-20 · 13 min read

EU Cybersecurity Act 2.0: COM(2026) 11 ICT Supply Chain Security — Developer Guide

Post #488 in the sota.io EU Cyber Compliance Series

On January 20, 2026, the European Commission published COM(2026) 11 — a proposal to revise the EU Cybersecurity Act (Regulation 2019/881). The revision, informally called the EU Cybersecurity Act 2.0, introduces two major changes that directly affect software developers: a mandatory horizontal ICT supply chain security framework and a reformed ENISA certification system that creates compliance shortcuts under the CRA and NIS2 Directive.

While the regulation is still in legislative procedure — with Parliament and Council negotiations ongoing throughout 2026 — developers who build ICT products and services for EU-regulated sectors need to understand what's coming now. The supply chain provisions in particular will require lead time to implement.


Background: What the Original CSA Did (and Didn't Do)

The EU Cybersecurity Act 2019/881 gave ENISA a permanent mandate and created the European cybersecurity certification framework (EUCC). It established three assurance levels for ICT products:

Assurance Level   What it covers                    Required by
Basic             Self-assessment                   Voluntary
Substantial       Third-party review                Sector-specific
High              Independent evaluation (ITSEF)    Critical infrastructure

The 2019 CSA was largely voluntary. Certification schemes existed but no regulation mandated that you use them. The EU Cybersecurity Act 2.0 changes that.


What COM(2026) 11 Adds: The Three Core Changes

1. Mandatory Horizontal ICT Supply Chain Security Framework

The most significant new element is a horizontal supply chain security framework — the first of its kind in EU law that applies across sectors.

Key requirements in COM(2026) 11:

Supply chain risk assessments (Art.X of COM(2026) 11): Manufacturers and service providers of ICT products used by critical entities under NIS2 and DORA must conduct documented supply chain risk assessments covering:

ICT supplier governance: Contracts with ICT sub-suppliers must include:

Critical ICT dependencies: ENISA will maintain a register of "critical ICT dependencies" — specific products or suppliers whose failure would affect a significant portion of EU critical infrastructure. If your product is on that list, heightened obligations apply.

Coordinated risk assessments: Member states and ENISA can run coordinated supply chain risk assessments (similar to the 5G Security Toolbox methodology) for entire technology categories. Developers who supply to critical sectors may receive binding security improvement orders.

2. Reformed ENISA Certification — Now a Cross-Regulation Compliance Shortcut

Under the 2019 CSA, ENISA certificates were "nice to have." Under the 2.0 revision, EUCC certification at Substantial or High level creates a presumption of conformity under:

Regulation          How an EUCC certificate helps
CRA (2024/2847)     Substitutes conformity assessment for certain product categories
NIS2 (2022/2555)    Satisfies Art.21 technical security measures for the certified component
DORA (2022/2554)    Evidence for ICT risk management framework compliance
CER Directive       Demonstrates baseline resilience for relevant components

This is a major change. Previously, you had to satisfy each regulation's conformity requirements separately. With an EUCC certificate at the right assurance level, one assessment can satisfy multiple regulators simultaneously.

Developer implication: If you build ICT products for regulated EU markets, getting EUCC-certified is now a multi-regulation compliance shortcut, not just a marketing credential.

3. Enforcement: Up to 7% Global Annual Turnover

COM(2026) 11 proposes fines in line with GDPR-scale penalties:

Infringement                                                            Maximum fine
Failure to conduct supply chain risk assessment when required           2% global turnover
Misrepresentation of certification status                               3% global turnover
Failure to cooperate with coordinated risk assessment                   2% global turnover
Using non-compliant critical ICT dependency without remediation plan    4% global turnover
Systematic supply chain security failures                               7% global turnover

These are administrative fines imposed by national cybersecurity authorities (NCAs) — the same bodies that enforce NIS2.


Timeline: Where COM(2026) 11 Is Now

Jan 20, 2026  → COM(2026) 11 published (Commission proposal)
Q1-Q2 2026   → European Parliament committees review (ITRE lead committee)
Q2-Q3 2026   → Council working party negotiations
Q4 2026      → Expected trilogue (Parliament + Council + Commission)
2027         → Expected final text + OJ publication
2028-2029    → Likely entry into force (18-24 month transition)

Key legislative milestone to watch: The ITRE committee (Industry, Research and Energy) is the lead committee in the European Parliament. Their rapporteur report, expected Q2 2026, will shape the final text significantly — particularly the scope of the mandatory supply chain framework.


How COM(2026) 11 Interacts with CRA and NIS2

With the Cyber Resilience Act

The CRA already requires a Software Bill of Materials (SBOM) under Art.13(13) and supply chain due diligence under Art.9. COM(2026) 11 builds on top of CRA's supply chain requirements rather than replacing them:

Obligation               CRA (2024/2847)                          EU CSA 2.0 (COM(2026) 11)
SBOM                     Required (Art.13(13))                    SBOM delivery to critical entity customers
Vulnerability reporting  Art.14 — ENISA SRP 24h/72h               Upstream notification ≤8h for critical deps
Conformity assessment    Art.25 — self-assessment or third-party  EUCC certificate substitutes assessment
Supply chain risk        Art.9 — due diligence                    Formal risk assessment framework

Practical implication: If you hold an EUCC certificate at Substantial level, you can use it to satisfy both CRA Art.25 (for products in Annex I Class I categories) and NIS2 Art.21 for the certified component. One audit, two compliance checkboxes.

With NIS2

NIS2 Art.21(2)(d) already requires "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." COM(2026) 11 adds:

NIS2 essential entities in sectors like cloud, managed services, digital infrastructure, and online marketplaces are the primary target of these supply chain provisions.


What Needs to Change in Your Development Pipeline

Even while COM(2026) 11 is still in legislative procedure, there are practical steps you can take now that align with the direction the proposal is taking:

Step 1: Map Your ICT Supply Chain

Start with a dependency inventory that goes beyond your SBOM:

# ICT supply chain inventory starting point
dependencies = {
    "tier_1_direct": [
        # Libraries, frameworks, cloud services you directly use
        {"name": "auth-library", "type": "open_source", "critical": True},
        {"name": "payment-sdk", "type": "commercial", "critical": True},
    ],
    "tier_2_transitive": [
        # What your Tier-1 depends on
    ],
    "managed_services": [
        # Cloud providers, DNS, CDN, monitoring
        {"name": "cloud_provider", "type": "managed_service", "critical": True},
    ],
}

Step 2: Identify ENISA Certification Status

Check whether any of your key dependencies have or are pursuing EUCC certification. The ENISA certification database lists certified products and their assurance levels.

Step 3: Plan for Upstream Notification Chains

The ≤8h upstream notification requirement for critical dependencies means you need incident notification clauses in supplier contracts now — these take time to negotiate and can't be retrofitted overnight.
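Steps 1 and 3 worked through together, as an added example that is not code from the original post: it reads a constructed CycloneDX-style SBOM fragment (hypothetical product and package names), assigns each component a tier by breadth-first search from the root component, fills the tier_1/tier_2 inventory shape from Step 1, and then, for a chosen critical dependency, sums the contractual notification SLAs along the chain of suppliers back to you. The SLA values are constructed, and the assumption that an 8h budget composes by adding each hop's full SLA is an interpretation for illustration, not wording from COM(2026) 11.

```python
from __future__ import annotations

import json
from collections import deque

# Constructed CycloneDX-style SBOM fragment for a hypothetical product (not a
# real SBOM); only the fields this example reads are included.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:generic/my-eu-saas@1.0", "name": "my-eu-saas"}},
  "components": [
    {"bom-ref": "pkg:pypi/auth-library@2.1", "name": "auth-library"},
    {"bom-ref": "pkg:pypi/payment-sdk@5.0", "name": "payment-sdk"},
    {"bom-ref": "pkg:pypi/jwt-core@1.3", "name": "jwt-core"},
    {"bom-ref": "pkg:pypi/tls-shim@0.9", "name": "tls-shim"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/my-eu-saas@1.0", "dependsOn": ["pkg:pypi/auth-library@2.1", "pkg:pypi/payment-sdk@5.0"]},
    {"ref": "pkg:pypi/auth-library@2.1", "dependsOn": ["pkg:pypi/jwt-core@1.3"]},
    {"ref": "pkg:pypi/jwt-core@1.3", "dependsOn": ["pkg:pypi/tls-shim@0.9"]},
    {"ref": "pkg:pypi/payment-sdk@5.0", "dependsOn": []}
  ]
}"""

# Constructed contractual notification SLAs: hours a supplier has to notify its
# direct customer of an incident. None = no clause negotiated yet.
NOTIFICATION_SLA_HOURS = {
    "pkg:pypi/auth-library@2.1": 4,
    "pkg:pypi/payment-sdk@5.0": None,
    "pkg:pypi/jwt-core@1.3": 4,
    "pkg:pypi/tls-shim@0.9": 2,
}


def load_sbom() -> dict:
    return json.loads(SBOM_JSON)


def dependency_graph(sbom: dict) -> tuple[str, dict[str, list[str]]]:
    """Return (root bom-ref, adjacency map) from the SBOM's dependencies array."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    return root, edges


def dependency_tiers(sbom: dict) -> tuple[dict[str, int], dict[str, str]]:
    """BFS from the root: tier = shortest hop count from your product
    (1 = direct, 2+ = transitive). Also returns each component's parent on that
    path, i.e. the supplier that would relay its incident notice to you."""
    root, edges = dependency_graph(sbom)
    tiers, parent = {root: 0}, {}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in tiers:  # first visit is the shortest path in BFS
                tiers[child] = tiers[ref] + 1
                parent[child] = ref
                queue.append(child)
    del tiers[root]
    return tiers, parent


def build_inventory(sbom: dict) -> dict[str, list[dict]]:
    """Fill the tier_1_direct / tier_2_transitive inventory shape from Step 1."""
    names = {c["bom-ref"]: c["name"] for c in sbom.get("components", [])}
    tiers, _ = dependency_tiers(sbom)
    inventory: dict[str, list[dict]] = {"tier_1_direct": [], "tier_2_transitive": []}
    for ref, tier in sorted(tiers.items(), key=lambda kv: (kv[1], kv[0])):
        bucket = "tier_1_direct" if tier == 1 else "tier_2_transitive"
        inventory[bucket].append({"ref": ref, "name": names.get(ref, ref), "tier": tier})
    return inventory


def notification_budget(sbom: dict, sla_hours: dict, target_ref: str,
                        budget_hours: int = 8) -> dict:
    """Worst-case hours for an incident at target_ref to reach you, assuming each
    supplier in the chain uses its full SLA before notifying the next one up
    (an assumption made for this example). A missing clause makes the total unknown."""
    root, _ = dependency_graph(sbom)
    tiers, parent = dependency_tiers(sbom)
    path, ref = [], target_ref
    while ref != root:            # walk from the target up to your direct supplier
        path.append(ref)
        ref = parent[ref]
    hops = [sla_hours.get(r) for r in path]
    total = None if any(h is None for h in hops) else sum(hops)
    return {
        "path": path,             # target first, your direct supplier last
        "tier": tiers[target_ref],
        "missing_clauses": [r for r, h in zip(path, hops) if h is None],
        "total_hours": total,
        "within_budget": total is not None and total <= budget_hours,
    }


if __name__ == "__main__":
    sbom = load_sbom()
    print(json.dumps(build_inventory(sbom), indent=2))
    for ref in NOTIFICATION_SLA_HOURS:
        print(ref, notification_budget(sbom, NOTIFICATION_SLA_HOURS, ref))
```

The point the chain check makes: every hop in the tls-shim chain has a clause of 4h or less, yet the end-to-end figure is 10h, so a per-contract "≤8h" clause on your direct suppliers alone does not guarantee you hear about a tier-3 incident within 8h. The payment-sdk result shows the other failure mode, a missing clause, which the function reports as an unknown total rather than silently treating as zero.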


Python: ICT Supply Chain Compliance Assessor

from dataclasses import dataclass, field
from typing import Optional
from enum import Enum

class AssuranceLevel(Enum):
    NONE = "none"
    BASIC = "basic"
    SUBSTANTIAL = "substantial"
    HIGH = "high"

class SupplierType(Enum):
    OPEN_SOURCE = "open_source"
    COMMERCIAL = "commercial"
    MANAGED_SERVICE = "managed_service"
    HARDWARE = "hardware"

@dataclass
class ICTDependency:
    name: str
    supplier_type: SupplierType
    eucc_certification: AssuranceLevel = AssuranceLevel.NONE
    sbom_available: bool = False
    incident_notification_sla_hours: Optional[int] = None
    audit_rights_in_contract: bool = False
    critical_dependency: bool = False
    tier: int = 1  # 1=direct, 2=transitive

@dataclass
class SupplyChainAssessment:
    product_name: str
    dependencies: list[ICTDependency] = field(default_factory=list)

    def add_dependency(self, dep: ICTDependency) -> None:
        self.dependencies.append(dep)

    def critical_gaps(self) -> list[str]:
        gaps = []
        for dep in self.dependencies:
            if not dep.critical_dependency:
                continue
            if not dep.sbom_available:
                gaps.append(f"{dep.name}: SBOM missing (required under CRA Art.13(13) + CSA 2.0)")
            if dep.incident_notification_sla_hours is None or dep.incident_notification_sla_hours > 8:
                gaps.append(
                    f"{dep.name}: notification SLA missing or >8h "
                    f"(CSA 2.0 requires ≤8h for critical ICT deps)"
                )
            # Audit rights are a contractual control, so the check applies to suppliers
            # you actually contract with: commercial vendors and managed-service providers.
            if (not dep.audit_rights_in_contract
                    and dep.supplier_type in (SupplierType.COMMERCIAL, SupplierType.MANAGED_SERVICE)):
                gaps.append(f"{dep.name}: no audit rights in contract (CSA 2.0 Art.X)")
        return gaps

    def certification_shortcuts(self) -> list[str]:
        shortcuts = []
        for dep in self.dependencies:
            if dep.eucc_certification in (AssuranceLevel.SUBSTANTIAL, AssuranceLevel.HIGH):
                shortcuts.append(
                    f"{dep.name} (EUCC {dep.eucc_certification.value}): "
                    f"satisfies CRA Art.25 + NIS2 Art.21 for this component"
                )
        return shortcuts

    def supply_chain_risk_score(self) -> dict:
        critical_deps = [d for d in self.dependencies if d.critical_dependency]
        if not critical_deps:
            return {"score": 0, "level": "LOW", "critical_count": 0}

        risk_points = 0
        for dep in critical_deps:
            if not dep.sbom_available:
                risk_points += 3
            if dep.eucc_certification == AssuranceLevel.NONE:
                risk_points += 2
            # Same test as critical_gaps(): no clause, or a clause slower than 8h
            if dep.incident_notification_sla_hours is None or dep.incident_notification_sla_hours > 8:
                risk_points += 3
            if (not dep.audit_rights_in_contract
                    and dep.supplier_type in (SupplierType.COMMERCIAL, SupplierType.MANAGED_SERVICE)):
                risk_points += 2
            if dep.tier > 1:
                risk_points += 1  # transitive deps harder to control

        # A transitive dep with every gap scores 11; clamp so the /10 scale holds
        avg_risk = min(risk_points / len(critical_deps), 10)
        level = "LOW" if avg_risk < 3 else "MEDIUM" if avg_risk < 6 else "HIGH"
        return {"score": round(avg_risk, 1), "level": level, "critical_count": len(critical_deps)}

    def report(self) -> str:
        risk = self.supply_chain_risk_score()
        gaps = self.critical_gaps()
        shortcuts = self.certification_shortcuts()

        lines = [
            f"=== EU CSA 2.0 Supply Chain Assessment: {self.product_name} ===",
            f"Critical dependencies: {risk['critical_count']}",
            f"Risk score: {risk['score']}/10 ({risk['level']})",
            "",
        ]
        if gaps:
            lines.append("COMPLIANCE GAPS (COM(2026) 11):")
            for g in gaps:
                lines.append(f"  ✗ {g}")
        else:
            lines.append("✓ No critical compliance gaps found")

        if shortcuts:
            lines.append("")
            lines.append("CERTIFICATION SHORTCUTS AVAILABLE:")
            for s in shortcuts:
                lines.append(f"  ✓ {s}")

        return "\n".join(lines)


# Example usage
if __name__ == "__main__":
    assessment = SupplyChainAssessment(product_name="MyEUSaaSProduct")

    assessment.add_dependency(ICTDependency(
        name="PostgreSQL (managed cloud)",
        supplier_type=SupplierType.MANAGED_SERVICE,
        eucc_certification=AssuranceLevel.NONE,
        sbom_available=False,
        incident_notification_sla_hours=None,
        audit_rights_in_contract=False,
        critical_dependency=True,
        tier=1,
    ))
    assessment.add_dependency(ICTDependency(
        name="Auth library (open source)",
        supplier_type=SupplierType.OPEN_SOURCE,
        eucc_certification=AssuranceLevel.NONE,
        sbom_available=True,
        incident_notification_sla_hours=None,
        audit_rights_in_contract=False,
        critical_dependency=True,
        tier=1,
    ))
    assessment.add_dependency(ICTDependency(
        name="CDN provider",
        supplier_type=SupplierType.COMMERCIAL,
        eucc_certification=AssuranceLevel.SUBSTANTIAL,
        sbom_available=True,
        incident_notification_sla_hours=4,
        audit_rights_in_contract=True,
        critical_dependency=True,
        tier=1,
    ))

    print(assessment.report())

Output (PostgreSQL scores 10 points, the auth library 5, the CDN 0, so the average over the three critical dependencies is 5.0):

=== EU CSA 2.0 Supply Chain Assessment: MyEUSaaSProduct ===
Critical dependencies: 3
Risk score: 5.0/10 (MEDIUM)

COMPLIANCE GAPS (COM(2026) 11):
  ✗ PostgreSQL (managed cloud): SBOM missing (required under CRA Art.13(13) + CSA 2.0)
  ✗ PostgreSQL (managed cloud): notification SLA missing or >8h (CSA 2.0 requires ≤8h for critical ICT deps)
  ✗ PostgreSQL (managed cloud): no audit rights in contract (CSA 2.0 Art.X)
  ✗ Auth library (open source): notification SLA missing or >8h (CSA 2.0 requires ≤8h for critical ICT deps)

CERTIFICATION SHORTCUTS AVAILABLE:
  ✓ CDN provider (EUCC substantial): satisfies CRA Art.25 + NIS2 Art.21 for this component

30-Item EU CSA 2.0 Readiness Checklist

Supply Chain Mapping (Items 1–8)

ENISA Certification (Items 9–14)

Contractual Obligations (Items 15–21)

Risk Assessment Process (Items 22–27)

Incident Response Integration (Items 28–30)


What To Do Now (Before COM(2026) 11 Is Final)

If you supply ICT products to NIS2 essential entities: Start supply chain mapping and SBOM generation now. This is already required under CRA Art.9 and NIS2 Art.21(2)(d). COM(2026) 11 adds formality but the underlying obligation is already law.

If you are a NIS2 essential entity: Review contracts with your critical ICT suppliers for notification SLAs and SBOM delivery. The 8h notification requirement in COM(2026) 11 is stricter than anything currently mandated — negotiating it into contracts takes months.

If you're evaluating EUCC certification: The multi-regulation shortcut value of EUCC certification increases significantly under the 2.0 proposal. A Substantial-level certificate issued today will likely satisfy CRA Art.25 + NIS2 Art.21 simultaneously once the 2.0 regulation enters into force.

Monitor ITRE committee: The rapporteur report (expected Q2 2026) will reveal whether the mandatory supply chain framework scope is broadened or narrowed. Changes to the "critical ICT dependency" definition will directly affect who is in scope.


Key Resources


EU Cybersecurity Act 2.0 represents the EU's move from voluntary to mandatory supply chain security governance. The legislative timeline means developers have 2–3 years before full enforcement, but the supply chain mapping, contractual obligations, and certification planning need to start now — these are not overnight changes.