Reading time: 12 minutes
Category: Trends and Reports
Author: Stephanie van Wissen
Summary
New laws on both sides of the Atlantic are about to make some of your current vendors illegal to use.
The EU’s revised Cybersecurity Act, NIS2, DORA, and the Cyber Resilience Act aren’t guidance. They’re binding. They name specific vendor categories, define phase-out timelines, and put personal liability on executives who miss them.
The US National Cyber Strategy is moving in the same direction: adversary technology out of critical infrastructure, sector by sector.
If you haven’t mapped your supply chain, identified your high-risk vendor dependencies, or built an exit strategy – you’re already behind. The organizations that start now will manage a planned transition. Everyone else will do an emergency rip-and-replace under a regulatory deadline.
The window to act on your own terms is open. It won’t stay open.
What is critical infrastructure cyber legislation – and why should you care?
Critical infrastructure cyber legislation sets mandatory cybersecurity rules for sectors where disruption causes serious harm: energy, telecoms, healthcare, financial services, transport.
What’s new isn’t the regulation. It’s the teeth.
For the first time, EU law is moving from voluntary guidance to enforceable obligations – with supply chain provenance at the center. It’s no longer just about how you secure your environment. It’s about who you’re allowed to buy from for critical functions.
For CISOs and procurement leaders, that changes the math on every vendor decision you’ve made in the last decade.
Why this happened: the threat that drove the law
In a Threat Talks episode recorded earlier this year, Bart Groothuis – Member of the European Parliament and NIS2 rapporteur – put it plainly:
“You are always one software update away from disaster.”
– Bart Groothuis, MEP, Threat Talks March 2026
The Huawei debate spent years asking whether backdoors already existed. That was the wrong question. With hundreds of millions of lines of code in a single router, a future backdoor can be inserted through any software update. Source code audits don’t fix that.
China’s 2017 National Intelligence Law requires any Chinese company, anywhere in the world, to cooperate with the Chinese state on demand. That’s a structural risk – not a technical one. It exists regardless of what the product looks like today.
Groothuis added a number that should concern any energy sector leader: Huawei controls inverter infrastructure representing over 200 gigawatts of capacity connected to European grids. Chinese research universities have published open-source studies on how to create blackouts in European electricity markets. The dependency is real. The documented interest in exploiting it is real.
On the US side, Volt Typhoon and Salt Typhoon made the risk concrete. Volt Typhoon was a campaign of pre-positioned intrusions into critical infrastructure, staged for disruption in a conflict scenario. Salt Typhoon was sustained espionage at the core of American telecommunications. Both were discussed in depth at Threat Talks RSA 2026 with Caitlin Clarke, former Special Assistant to the President for Cybersecurity and Emerging Technology.
What this means for you
The legislation isn’t speculative. It’s a response to documented, active threats. The vendors being targeted aren’t arbitrary. Your exposure depends on what’s in your stack right now.
What the new rules actually require
Lokke Moerel – professor of global ICT law at Tilburg University, senior counsel at Morrison Foerster, member of the Dutch Cyber Security Council – joined Threat Talks to walk through the full package:
“If you thought NIS2 was impactful, or DORA was impactful, or GDPR, you haven’t seen anything yet.”
– Lokke Moerel, Threat Talks April 2026
NIS2 and DORA: Your compliance floor
NIS2 replaces NIS1. DORA covers financial services. Both expand the scope of organizations with mandatory cybersecurity obligations – and both include supply chain obligations.
If you’re regulated under either, you must verify that your direct suppliers meet defined security standards. That’s enforceable now, not advisory.
If you supply NIS2 or DORA-regulated companies, expect documentation requests. The patchwork of different customer requirements that makes this painful today is being replaced by a unified EU-wide supplier certification framework through ENISA – one certification, valid across all your EU customer relationships.
What this means for you
Whether you’re regulated or a supplier into regulated sectors, the paperwork is coming. Early certification means less friction. Late certification means deadline pressure.
The Cyber Resilience Act: Your products have to comply too
The CRA sets cybersecurity requirements for products and services with digital elements. Manufacturers and importers must meet defined standards before placing products on the EU market – and maintain them throughout the product lifecycle.
What this means for you
If you manufacture or import technology used in regulated sectors, product-level compliance is now your responsibility, not just your customer’s.
The Revised Cybersecurity Act: The one that changes procurement
This is the legislation that will force actual vendor changes. It separates technical certification from geopolitical risk assessment – something no predecessor did.
For critical sectors – starting with telecoms, extending to energy, health, cloud, and satellites – the framework will define which ICT components are critical. Vendors from countries assessed as high-risk will be prohibited from supplying those components. The adversary technology risk calculus is now written into law.
The 5G toolbox was optional guidance. This is not. Telco companies have 36 months after implementation to phase out non-compliant components. Zero Trust compliance will be a condition of operating in these sectors, not a differentiator.
ON2IT has been helping organizations implement Zero Trust architectures designed for exactly this kind of regulatory environment. Organizations investing in Zero Trust now are building a foundation that regulators are starting to require. Those waiting are heading for a catch-up sprint.
What this means for you
If your current stack includes components from high-risk vendors in a critical function, you have a regulatory-forced replacement coming. The question is whether you plan it or react to it.
The US side: Same direction, different mechanism
The US National Cyber Strategy frames cyber explicitly as a tool of national power. Pillar four calls for moving adversary technology out of all 16 designated critical infrastructure sectors.
The rip-and-replace program for Huawei and ZTE in US telco networks is the reference case. Still incomplete after years of execution. The strategy signals that approach will expand.
At Threat Talks RSA 2026, Caitlin Clarke – former Special Assistant to the President for Cybersecurity and Emerging Technology – was direct about where the definition stands today:
“‘Adversary technology’ doesn’t yet have a binding regulatory definition. The entity lists from the FCC and Department of Commerce are where you start. Executive orders will follow.”
– Caitlin Clarke, Threat Talks RSA 2026
Pillar two is often read as deregulation. Clarke framed it more precisely as regulatory harmonization – reducing duplicative compliance burden across agencies without reducing the underlying security obligations. One framework, applied consistently. Pillar three names Zero Trust architecture and post-quantum cryptography explicitly as investment priorities – the same two the EU frameworks require.
What this means for you
EU and US frameworks are converging on the same destination. If you operate in both markets, or supply organizations that do, a single aligned strategy is more efficient than separate compliance tracks.
Data sovereignty: the dimension most procurement frameworks miss
Cyber legislation and data sovereignty overlap – but they’re not the same thing. Moerel identified four distinct forms that need to be addressed separately in procurement decisions:
- Where data is hosted
- Whether systems can function if cross-border dependencies are disrupted
- Whether foreign governments can access data through jurisdictional reach
- Whether collective reliance on foreign infrastructure leaves a whole sector unable to function without external permission
The fourth is the most underappreciated. The Dutch government is addressing it through public procurement: KPN is working with the Dutch Ministry of Defense on sovereign cloud infrastructure; Dutch banks are collaborating on migration to sovereign systems. These are proactive decisions made ahead of regulatory requirements.
Moerel named the opposite pattern:
“Every decision in and of itself is completely justified. But if everybody does it, the country as a whole suffers.”
– Lokke Moerel, Threat Talks April 2026
What this means for you
Treating supply chain provenance as an individual compliance checkbox misses the systemic risk. Your procurement decisions don’t just affect your organization – they affect whether your sector retains functional independence. That’s the NIS2 supply chain obligation made real.
What to do now
The frameworks aren’t fully in force yet. The direction is locked. Early action costs substantially less than reactive compliance.
At Threat Talks RSA 2026, Clarke was asked what she tells CISOs who are waiting for the final regulatory text before acting. Her answer:
“By the time the requirements are published, the organizations that haven’t mapped their supply chains will be in a very difficult position. You can’t build an exit strategy for a dependency you haven’t found yet.”
– Caitlin Clarke, Threat Talks RSA 2026
- Map your supply chain – properly. Not a vendor list. A component-level mapping: which technologies support which critical functions, where they come from, and what the provenance looks like at the third and fourth tier. Shell companies and open-source dependency chains count.
- Put procurement and security in the same room. A component that’s 40% cheaper from a high-risk vendor looks very different when forced replacement cost is in the calculation. The CISO and CFO need to make that call together – before the purchase, not after the deadline.
- Build exit strategies before you need them. For every critical dependency that could fall under the new frameworks, document a replacement path. Test alternatives. Understand what a transition costs operationally. Vendor-forced replacement is now a business continuity scenario.
- Pursue early certification. If you supply NIS2 or DORA-regulated entities, track ENISA’s supply chain certification scheme development and position for early certification. First movers will have cleaner customer conversations. Laggards will be managing compliance under deadline pressure.
- Read the annex for your sector. The EU cybersecurity package is publicly available. The telecoms annex already lists which components are considered critical. Energy, health, and cloud will follow. That annex defines the scope of your exposure.
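As an added illustration of the first step above, component-level supply chain mapping with provenance followed past the direct supplier, the following Python walks a small dependency tree and reports, per critical function, every component at any tier whose ultimate owner sits in a jurisdiction on a watch list. This is example code written for this page, not code from the original post or from ON2IT. Every supplier name, the dependency tree, the critical-function mapping and the jurisdiction code "XX" are constructed placeholders; in practice the watch list is derived from the sector annex and the entity lists the article references, and the inventory comes from your own asset and procurement records (for software, an SBOM is the natural input). The ownership walk is what lets the mapping see through a shell company to its parent.

```python
"""Component-level supply chain mapping (added example, constructed data).

Walks a dependency tree from each component that supports a critical function,
resolves each supplier to its ultimate owner, and flags components whose owner
sits in a watch-listed jurisdiction. All names and codes below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Supplier:
    name: str
    jurisdiction: str               # country code of the entity; constructed values
    parent: Optional[str] = None    # owning entity, used to see through shell companies

@dataclass(frozen=True)
class Component:
    name: str
    supplier: str                   # direct (tier-1) supplier of this component
    depends_on: tuple = ()          # sub-components, each with its own supplier

# Constructed sample inventory. "XX" is a placeholder jurisdiction code.
SUPPLIERS = {
    "TelcoVendorA": Supplier("TelcoVendorA", "NL"),
    "ShellCo": Supplier("ShellCo", "IE", parent="ParentCorpX"),
    "ParentCorpX": Supplier("ParentCorpX", "XX"),
    "OpenSourceProjectB": Supplier("OpenSourceProjectB", "US"),
    "ChipMakerC": Supplier("ChipMakerC", "XX"),
}

COMPONENTS = {
    "core-router": Component("core-router", "TelcoVendorA", ("router-os", "baseband-chip")),
    "router-os": Component("router-os", "TelcoVendorA", ("tls-lib",)),
    "tls-lib": Component("tls-lib", "OpenSourceProjectB"),
    "baseband-chip": Component("baseband-chip", "ShellCo"),
    "grid-inverter": Component("grid-inverter", "ChipMakerC", ("inverter-firmware",)),
    "inverter-firmware": Component("inverter-firmware", "ChipMakerC"),
}

# Which top-level components support which critical function (constructed).
CRITICAL_FUNCTIONS = {
    "5G core transport": ["core-router"],
    "Solar feed-in control": ["grid-inverter"],
}

# Placeholder watch list; the real one comes from the sector annex / entity lists.
HIGH_RISK = {"XX"}

def ultimate_owner(supplier: str) -> Supplier:
    """Follow parent links to the top of the ownership chain (cycle-safe)."""
    current = SUPPLIERS[supplier]
    seen = {supplier}
    while current.parent and current.parent not in seen:
        seen.add(current.parent)
        current = SUPPLIERS[current.parent]
    return current

def provenance(component: str, tier: int = 1, seen=None):
    """Return (component, tier, direct supplier, owner jurisdiction) for the
    component and everything it transitively depends on."""
    seen = seen if seen is not None else set()
    if component in seen:           # shared dependency already recorded
        return []
    seen.add(component)
    comp = COMPONENTS[component]
    owner = ultimate_owner(comp.supplier)
    rows = [(component, tier, comp.supplier, owner.jurisdiction)]
    for dep in comp.depends_on:
        rows.extend(provenance(dep, tier + 1, seen))
    return rows

def exposure_report(critical_functions=CRITICAL_FUNCTIONS, high_risk=HIGH_RISK):
    """Per critical function, list components at any tier whose ultimate owner
    is in a watch-listed jurisdiction. These are the replacement candidates."""
    report = {}
    for function, roots in critical_functions.items():
        flagged = []
        for root in roots:
            flagged.extend(row for row in provenance(root) if row[3] in high_risk)
        report[function] = flagged
    return report

if __name__ == "__main__":
    for function, rows in exposure_report().items():
        print(function)
        for comp, tier, supplier, jurisdiction in rows:
            print(f"  tier {tier}: {comp} via {supplier} (owner jurisdiction {jurisdiction})")
```

In the constructed data the telecoms function looks clean at tier 1 (a domestic vendor) and is only flagged at tier 2, where the baseband chip's supplier resolves through a shell company to a watch-listed parent; that is precisely the case a vendor list, as opposed to a component-level map, would miss. The output is the input to the exit-strategy step: each flagged row is a dependency for which a replacement path should be documented.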
Key takeaways
Guidance is becoming hard law. The 5G toolbox was optional. The revised Cybersecurity Act is not. Telco has 36 months. Other sectors are next.
Supply chain provenance is now a compliance requirement. Critical infrastructure operators must demonstrate where their critical ICT components come from – including their suppliers’ suppliers.
EU and US frameworks are converging. Both treat adversary technology risk as something that must be managed out of critical infrastructure. The mechanisms differ. The destination is the same.
Zero Trust compliance is explicitly named. Investment in Zero Trust architecture and post-quantum cryptography is regulatory direction in both frameworks – not optional.
Early action costs less. Mapped supply chains, documented exit strategies, and early certification mean lower cost and less disruption than waiting for the deadline.
FAQ
It introduces binding requirements on which ICT components can be used in critical infrastructure, based on vendor provenance. For the first time, EU law separates technical certification from geopolitical risk assessment. Vendors from high-risk countries – assessed against criteria including foreign intelligence legislation like China’s National Intelligence Law – can be prohibited from supplying critical components. Telco faces a 36-month phase-out window. Other sectors follow.
Pillar four calls for removing adversary technology from all 16 designated critical infrastructure sectors. A binding regulatory definition of ‘adversary technology’ is still forthcoming, but FCC and Department of Commerce entity lists provide a current starting point. Map your supply chain now, before requirements are published, so you understand your exposure before the deadline is set.
Previously, every NIS2-regulated company set its own supplier requirements – creating a compliance patchwork. The new package introduces a unified certification scheme through ENISA. One certification, valid across all EU customer relationships. If you supply into regulated sectors, early certification means less friction and stronger commercial positioning.
Not immediately. But scope is expanding – from telecoms to energy, health, cloud, satellites, and water. Cloud services are now being treated as public infrastructure equivalent to telecoms. If you’re outside current scope, supply chain mapping now means less disruption when scope expands. GDPR started narrow too.
They address overlapping risks at different levels. Cyber legislation restricts which vendors can supply critical ICT components. Data sovereignty addresses where data lives, who can access it, and whether your systems can function independently. A cloud service can be data sovereign and still depend on components restricted under the new cyber legislation. Your procurement framework needs to address both dimensions together.
The strategy is set. The implementation is yours
The legislative frameworks taking shape in Brussels and Washington will not be negotiated away. Every organization now has a choice: position for these requirements, or react to them.
Reactive compliance is expensive. Finding a critical dependency on a high-risk vendor after the regulatory deadline means emergency rip-and-replace – against a market where trusted alternatives are in high demand. The Huawei replacement program in US telco networks has been running for years. It isn’t finished.
Zero Trust provides the architectural foundation; it is the architecture ON2IT has built its practice around, supporting organizations across the sectors now at the center of this legislation. Supply chain mapping provides the visibility. Regulatory awareness provides the timeline. Together, they make the difference between a managed transition and a forced one.