EU Cybersecurity Act 2 Advances Amid Member States’ Concerns Over EU Competence
As the revision of the EU Cybersecurity Act ("CSA 2") advances through the ordinary legislative procedure, its framework empowering the European Commission (the "Commission") to exclude high-risk suppliers from the EU market is drawing Member State scrutiny over the limits of EU competence in cybersecurity—a concern reinforced by Advocate General Ćapeta's recent opinion in Elisa Eesti reaffirming Member States' exclusive competence over national security.
CSA 2, which aims to reinforce the European Union's cybersecurity framework, is progressing through the ordinary legislative procedure. As discussed in our prior Alert, the proposal establishes a horizontal framework (meaning it applies uniformly across all critical sectors rather than on a sector-by-sector basis) to secure information and communications technology, or ICT, supply chains.
Under the proposal, the Commission would be empowered to designate third countries as raising cybersecurity concerns and to classify suppliers controlled by those countries as "high-risk." Such a designation would trigger automatic exclusion from EU funding, standardization, and public procurement, and could impose mandatory phase-out obligations requiring entities across all critical sectors to remove lawfully acquired equipment from those suppliers.
In its Progress Report of 22 May 2026, the Council of the European Union (the "Council") flagged concerns regarding the proposed framework. In particular, Member States sought greater clarity on the methodology and procedures for identifying high-risk suppliers, as well as on the scope and likely impact of the proposed measures. Several Member States also asked the Council Legal Service to review the appropriateness of the proposal's legal basis, questioning whether the European Union has competence to act—a concern echoed by some stakeholders in their contributions to the public consultation. These reservations find support in the Advocate General's recent opinion in Elisa Eesti (see our prior Alert), which recognizes that the European Union has no competence to determine "what is necessary for and how to protect the security of the Member States," a matter that remains reserved to each Member State. The Council Legal Service opinion is yet to be adopted.
Looking ahead, the Irish Presidency of the Council (1 July – 31 December 2026) will carry the proposal forward. Its challenge will be to ensure that the adoption process of CSA 2 already integrates the legal principles underpinning the Elisa Eesti case, rather than taking the risk of not doing so pending the Court of Justice's final ruling. Key milestones to watch include the expected Council Working Party discussions in September 2026 and a potential political agreement before year-end.