The EU Cybersecurity Act Redefines Vendor Risk

Reading time: 5 minutes

Category: Trends and Reports

Author: Yann Lazar

Summary

The EU Cybersecurity Act revision changes what vendor risk means. It is no longer just about technical vulnerabilities. It is about who controls updates, who can access your infrastructure, and which laws govern your suppliers. In virtualized 5G and digitally managed energy systems, dependency becomes difficult to unwind once embedded.

In a recent Threat Talks episode, MEP Bart Groothuis explains why supply chain security is shifting from internal risk management to enforceable regulatory exposure.

Vendor Risk Just Moved to the Board

For years, vendor risk meant questionnaires, certifications, penetration tests, audit trails.

In other words – a technical checklist.

That approach assumed the risk lived in the code.

The revised EU Cybersecurity Act changes the focus.

It’s no longer only about whether a vendor is secure today — it’s about who ultimately controls updates, access, and leverage tomorrow.

That’s not a technical nuance.

That’s board-level risk.

What Vendor Risk Means Now

A modern vendor risk assessment must go beyond code review.

It must assess:

  • Jurisdiction and intelligence legislation
  • State influence over corporate governance
  • Remote maintenance and update authority
  • Structural dependency inside critical systems

The CSA revision formally integrates non-technical risk into certification decisions.

That is the shift.

If a supplier operates under laws that compel cooperation with a foreign state, that exposure becomes part of your risk profile.

Vendor risk is no longer purely technical – it is geopolitical.

Soft Law Is Becoming Hard Obligation

Europe has relied on guidance frameworks for years – toolboxes, advisories, risk recommendations.

That model is shifting.

The CSA revision moves vendor scrutiny toward enforceable certification structures. Combined with NIS2 and the Cyber Resilience Act, it tightens supply chain security obligations.

This matters for one reason.

Procurement decisions can now trigger regulatory exposure.

And regulatory exposure lands on the CISO and CIO.

5G Shows Why Dependency Is the Real Risk

The public debate often focused on hidden backdoors.

That misses the structural issue.

As discussed in Threat Talks, the decisive risk is not whether malicious code exists today, but whether it could be introduced tomorrow via software updates.

5G architecture is virtualized.

That means:

  • Core functions are centralized.
  • Segmentation is reduced.
  • Replacement is costly and complex.

You can inspect current firmware but you cannot inspect future updates.

Once dependency is embedded, mitigation options shrink. That is why vendor risk is now about control.

Energy Infrastructure Makes the Stakes Clear

Telecom is not the only example.

Energy systems are increasingly digital. Remote inverters, software-driven grid balancing, and centralized control panels now manage critical supply.

A 2.5 GW generation drop caused cascading blackouts across parts of Europe.

The issue is not speculation.

It is concentration of control.

When digital management layers sit with a single vendor, structural risk scales fast.

And structural risk becomes systemic risk.

Supply Chain Security Is Now Governance

The CSA discussion makes something explicit:

This is risk-based, not ideological.

But risk-based does not mean optional – it means accountable.

Boards now need clear answers:

  • Who controls firmware updates?
  • Under what legal authority?
  • Can we replace this vendor if required?
  • What happens during geopolitical escalation?

Vendor strategy is no longer a procurement optimization.

It is a governance decision.

5 Things Security Leaders Should Do Now

In a recent Threat Talks episode, MEP Bart Groothuis explains why the CSA revision makes one thing very clear:

Waiting for enforcement is not a strategy.

He lists 5 steps CIOs and CISOs should prioritize now:

  1. Expand Your Vendor Risk Model
    Add jurisdictional and geopolitical analysis to existing frameworks.
  2. Identify Structural Dependencies
    Map vendors embedded in telecom, energy, cloud control planes, and remote management systems.
  3. Classify Critical Exposure
    Focus first on systems where failure creates systemic impact.
  4. Build Realistic Transition Plans
    Phasing out vendors takes years, not quarters.
  5. Align Procurement with Regulatory Direction
    Vendor selection now intersects with certification and compliance risk.

Vendor Risk Doesn’t Stop at Vulnerabilities

Now is the time to shift your mindset on vendor risk.

Because it’s no longer just about technical vulnerability management.

MEP Bart Groothuis explains:

  • Why non-technical risk must be part of certification
  • Why virtualization changes the security model
  • Why energy grids amplify dependency risk
  • Why vendor exposure becomes regulatory exposure

Stay ahead of the new EU changes and watch the full episode now.

For CISOs and CIOs, this conversation is not policy theory.

It is your vendor management action plan.

Key Takeaways

Short on time? Here’s what actually matters:

  • The EU Cybersecurity Act expands vendor risk beyond technical flaws.
  • Jurisdiction and update control now matter.
  • 5G and digital energy systems increase structural dependency.
  • Supply chain security is becoming enforceable regulatory risk.
  • Vendor strategy is now a board-level responsibility.

Conclusion

Vendor risk is no longer a checklist.

It is a control question.

The risk avoided is long-term coercion, regulatory penalties, and systemic disruption.

The outcome gained is defensible procurement, measurable resilience, and strategic clarity.

Under the EU Cybersecurity Act, vendor risk defines who controls your infrastructure.

If you need help mapping your vendors and future-proofing your infrastructure, get in touch with us.

FAQ

The revision integrates non-technical vendor risk into certification frameworks. This expands evaluation beyond technical vulnerabilities to include jurisdictional and geopolitical exposure.

Vendor risk assessments must now evaluate intelligence legislation, state influence, update authority, and structural dependency – not just technical posture.

No. The framework is explicitly risk-based. The goal is identifying unacceptable exposure in critical infrastructure.

5G virtualization centralizes control. Energy grids rely on digital control layers. Both reduce mitigation flexibility after deployment.

The Cyber Resilience Act focuses on secure products. The CSA revision addresses vendor-level and geopolitical exposure within certification structures.