Key Contacts: Sean McElligott – Partner
Executive Summary
Ireland’s National Cyber Security Bill 2024 is a best-in-class national cybersecurity instrument. Positioning the NCSC as lead competent authority, the Bill places board-level approval and personal liability for cybersecurity risk-management at the heart of governance, mandates supply-chain security obligations covering supplier-specific vulnerability assessment and the quality of supplier cybersecurity practices, and requires a national strategy addressing ICT supply-chain security, procurement, certification, and encryption. NIS2 permits Member States to adopt and maintain higher cybersecurity standards where consistent with EU law, and Ireland’s Bill makes full and deliberate use of that latitude.
That achievement, however, throws a deeper structural problem into sharp relief. The proposed Cybersecurity Act 2 (CSA2) empowers the Commission to adopt implementing acts identifying key ICT assets and imposing mitigation measures (including prohibitions on components from high-risk suppliers) with Member State competent authorities left to implement and enforce those decisions domestically. The cumulative effect of CSA2, NIS2, and the EU ICT Supply Chain Security Toolbox (30 January 2026) is that substantive decisions about who may supply Ireland’s critical national infrastructure are progressively migrating toward EU bodies over which Ireland holds no unilateral control. Decisions of that character (with direct national security, economic, and social consequences) should remain with institutions democratically accountable to the Irish people. ENISA should be advisory and carry out the functions for which it is designed: technical guidance, best-practice development, and support for Member States’ consistent implementation of EU cybersecurity law. The Commission’s supplier-designation powers should be exercised through transparent, evidence-based, and independently reviewable processes — not unchecked implementing acts that effectively federate critical infrastructure decision-making away from Member States.
CSA2 itself acknowledges that supply-chain mitigation measures can have restrictive effects on international trade and should be proportionate, targeted, and consistent with the Union’s international obligations. For Ireland, whose economic model depends on its reputation as a stable, open, rules-based jurisdiction, that acknowledgement should be given operational force. A regime permitting supplier exclusions on the basis of non-technical risk factors, without defined evidentiary thresholds or independent review, is difficult to reconcile with WTO disciplines requiring non-discrimination and necessity. If major non-EEA technology companies conclude that Irish establishment exposes their global operations to EU-driven designation risk (with worldwide turnover penalty exposure) the incentive calculus underpinning Ireland’s technology sector is materially and adversely altered.
Ireland is uniquely placed to advocate for a better-calibrated framework. It should deploy its full political weight in the NIS Cooperation Group, the Council, and the CSA2 legislative negotiations to ensure that ENISA remains advisory, that Commission designation powers are subject to genuine procedural and evidential constraints, and that the Union’s cybersecurity ambition is delivered in a manner fully compatible with Ireland’s identity as an open economy and a credible, rules-based partner for global technology investment.
1. Setting the Scene
The EU’s contemporary cybersecurity regime is no longer confined to “raising the floor” of technical security. As the European Commission’s January 2026 Cybersecurity Package makes explicit, cybersecurity is now framed as a condition of internal market integrity and strategic autonomy, extending to the management of “non-technical” risks associated with foreign interference and structural dependency. That strategic framing is particularly significant for suppliers established outside the European Economic Area (“EEA”). The same bundle of instruments that purports to harmonise cyber resilience also treats jurisdiction and ownership structure as inherent sources of supplier risk, recognised as a regulatory category in their own right.
This article analyses the combined effect of (1) the Proposal for a Regulation for the EU Cybersecurity Act (COM(2026)) (“CSA2”); (2) the NIS2 Directive (Directive (EU) 2022/2555) (“NIS2”); and (3) the EU ICT Supply Chain Security Toolbox of 30 January 2026 (the “Toolbox”).
It further examines how Ireland’s General Scheme of the National Cyber Security Bill 2024 (“Heads of Bill”), as a measure transposing NIS2, embeds EU level supply-chain risk assessments into domestic compliance duties in a manner capable of amplifying restrictive effects on non-EEA suppliers without explicitly identifying them.
1.1 Three frameworks, one direction of travel
The Commission’s January 2026 Cybersecurity Package presents the CSA2 proposal as a structural upgrade of the EU cybersecurity ecosystem rather than a narrow legislative adjustment. In its Questions & Answers document, the Commission characterises the revision as a response to a transformed geopolitical and threat landscape, identifying the creation of a “horizontal framework for trusted ICT supply chain security” as a central pillar alongside reforms to ENISA, the European cybersecurity certification framework, and the simplification of NIS2 compliance. The accompanying factsheet further develops this supply chain strand, referring to coordinated risk assessments, the identification of key ICT assets, and “targeted mitigation measures”, including prohibitions on the use of components from “high-risk suppliers” in those assets. Even within this official narrative of resilience, the market-shaping character of the proposal is not concealed; it is presented as an operational feature of the framework.
Within this architecture, NIS2 functions as the foundational layer. It expands sectoral scope and strengthens governance, risk management and incident reporting obligations across “essential” and “important” entities, embedding supply chain security within the core risk management duty. The EU ICT Supply Chain Security Toolbox provides the practical bridge between that general obligation and the operational mechanics of assessing and mitigating supplier-linked risk. Although expressly non-binding, the Toolbox is drafted as a common frame of reference for Member States and as the practical template for Union-level coordinated security risk assessments of critical supply chains under Article 22 NIS2. Read together, CSA2 supplies the binding supranational lever; NIS2 supplies the regulated customer base; and the Toolbox supplies the methods and vocabulary through which supplier restriction becomes administratively feasible at scale.
Ireland’s draft National Cyber Security Bill 2024 illustrates how this European triad is already reflected at domestic level, even prior to the enactment of CSA2. Head 24 of the draft Bill, which transposes NIS2’s national cybersecurity strategy obligations, requires those strategies to address cybersecurity in the ICT supply chain and the incorporation of cybersecurity requirements into public procurement, expressly referencing certification, encryption and open source cybersecurity products. While framed as a Member State strategy obligation, this provision also operates as a mechanism for aligning national procurement and compliance expectations with EU-level approaches, including certification regimes and supply-chain assessment tools capable of affecting suppliers regardless of where they are headquartered.
1.2 Scope and interrelationship – where “supply chain” becomes “supplier”
CSA2’s proposed “trusted ICT supply chain framework” is deliberately positioned on top of the NIS2 sectoral taxonomy. The proposal explains that Title IV targets “sectors of high criticality” and “other critical sectors” by direct reference to NIS2, and that its application is based on Union-level coordinated security risk assessments conducted through the NIS Cooperation Group mechanism (CSA2 proposal COM(2026) 11, explanatory sections on Title IV, including Articles 98–103). The Commission’s own descriptions emphasise that the objective is to de-risk critical ICT supply chains from entities “established in or controlled by” entities from third countries posing cybersecurity concerns, using the explicit language of “high risk suppliers” and dependency reduction.
The Toolbox adopts the same conceptual move. It makes clear that supply-chain security is not merely an internal governance or technical matter for regulated entities. “High-risk supplier” is treated as a working concept, with supplier risk framed by reference to jurisdictional exposure, ownership and governance structures, and a third country’s capacity to exert pressure. The consequence is that supply-chain assessment, even where it originates as a technical discipline, is structurally capable of evolving into a market-access discipline. Once supplier risk is defined in part by the legal and political environment of a supplier’s home jurisdiction, the “third-country supplier” acquires regulatory significance as such, rather than merely as an upstream participant in a broader supply chain.
Ireland’s draft National Cyber Security Bill 2024 (Heads of Bill) illustrates how this shift becomes operational at the level of day-to-day compliance. Head 29, which transposes Article 21 NIS2, imposes an all-hazards risk-management duty that must include supply-chain security, expressly encompassing the security aspects of relationships with direct suppliers. Head 29 goes further in a way directly relevant to CSA2 and the Toolbox by requiring entities, when determining appropriate supply-chain measures, to “take into account” the results of coordinated security risk assessments of critical supply chains carried out by the NIS Cooperation Group under Article 22(1) NIS2. This is not an abstract point of EU governance design. It operates as a domestic compliance trigger, capable of converting EU level assessments into concrete procurement and contracting imperatives for Irish entities.
1.3 The restriction-enabling provisions – what, precisely, creates leverage over non-EEA suppliers
The CSA2 proposal is unusually explicit about the legal and operational machinery capable of producing third-country supplier restriction. The Commission is empowered to request Union level coordinated risk assessments through the NIS Cooperation Group (the “Cooperation Group”) and, on the basis of those assessments or other relevant sources, to verify whether a third country poses “serious and structural non-technical risks”. Where such risks are identified, the Commission may designate that country as posing cybersecurity concerns by implementing act. The criteria for verification include laws or practices requiring pre-patch vulnerability reporting to third-country authorities, the absence of democratic checks and judicial remedies, substantiated information on threat-actor activity or unwillingness to cooperate, and relevant information drawn from coordinated risk assessments or international organisations. Once designation occurs, the proposal contemplates lists of “high risk suppliers” linked to establishment, ownership and control, subject to consultation and rights of defence mechanisms that nevertheless remain embedded within the implementing-act framework.
The restrictive consequences extend well beyond deployment bans. High-risk suppliers may be excluded from participation in standardisation processes, prevented from obtaining or holding European cybersecurity certificates, barred from accreditation as conformity-assessment bodies, restricted from issuing certain cybersecurity attestations, and excluded from procurement and Union funding activities linked to key ICT assets. This amounts to a systemic exclusion toolkit, with effects capable of cascading across supply chains and market segments far beyond any individual sector or product.
NIS2’s contribution to this architecture is less explicit but no less consequential. The Toolbox clarifies that Article 21(3) NIS2 requires supply-chain measures to take account of supplier vulnerabilities and cybersecurity practices and, critically, that regulated entities must consider the results of coordinated risk assessments carried out under Article 22. Ireland’s Head 29(5) directly mirrors this requirement. The legal effect is to translate EU-level assessments into customer-side diligence obligations. In practice, this can place vendors, particularly non-EEA vendors, under sustained pressure to provide ongoing assurances, disclosures and contractual guarantees to avoid being characterised as a compliance risk.
2. Articulating the Threat
2.1 How risk-based frameworks produce bans, phase-outs, and “voluntary” exclusion
The Commission’s own package documents describe a clear policy sequence from assessment to mitigation and explicitly contemplate prohibition as a potential outcome. The accompanying factsheet refers to prohibitions on the use of components from high risk suppliers in key ICT assets, framed as targeted measures supported by market analysis and economic impact assessment. The CSA2 proposal operationalises this approach by empowering the Commission to identify key ICT assets and adopt mitigation measures by implementing acts once a coordinated risk assessment has been completed. It also provides for an emergency procedure where immediate intervention is justified, precisely the context in which measures with significant commercial impact may be adopted under compressed scrutiny.
The Toolbox anticipates comparable measures at national level, recommending that Member States “manage and, if necessary, restrict or exclude high-risk suppliers” within their domestic frameworks. Even where formally non-binding, the Toolbox normalises restriction as a routine component of supply-chain risk management rather than an exceptional act akin to foreign-policy intervention. That normalisation matters because it reshapes the compliance behaviour of regulated entities. Once supplier restriction is understood as a plausible, regulator-endorsed outcome, firms will begin to price, contract and procure on the assumption that future exit from certain suppliers may become necessary.
Ireland’s Heads of Bill reinforces that behavioural shift by intensifying governance and liability dynamics around the NIS2 risk-management duty. Head 28 places responsibility for approving and overseeing risk-management measures at board level and provides for liability through the enforcement architecture. The practical effect is that supply-chain decisions are recast as board-accountable compliance decisions rather than ordinary procurement choices. In that setting, avoidance of supplier categories perceived as potentially problematic becomes a rational compliance strategy, particularly where Head 29(5) directs entities to incorporate EU-level coordinated risk assessments into their supplier risk calculus.
2.2 Why non-EEA reach is not limited to “geopolitical adversaries”
The proposed architecture is not drafted as a country-specific instrument, even if policy momentum was shaped by debates surrounding high-risk vendors in specific sectors such as telecommunications. The CSA2 designation mechanism applies generally to “third countries” and links supplier risk to establishment, ownership and control, as well as to non-technical factors derived from legal frameworks and governance conditions. Technical robustness alone is therefore insufficient. Even a technically secure supplier may face restriction based on ownership structure, third-country legal obligations or broader geopolitical context, with the locus of risk shifting from product compliance to jurisdictional exposure.
The Toolbox adopts a similar approach. It treats “high-risk supplier” as a category that may be triggered by jurisdictional exposure, particularly where democratic checks and balances are weak, government interference is frequent or cooperation frameworks are absent. Corporate ownership and the capacity of a third country to exert pressure are identified as relevant risk factors. The implication is that non-EEA suppliers must be prepared to explain how their governance, transparency and operational safeguards interact with their home jurisdiction’s legal environment. For US-based firms, this creates the risk of an ongoing procurement burden even in the absence of any formal designation, as regulated EU customers seek defensible narratives that a supplier’s legal environment does not give rise to “non-technical” risk.
Head 30 of the Bill further reinforces this dynamic by transposing NIS2’s certification lever into domestic law. Where CSA2 proposes to exclude high-risk suppliers from obtaining European cybersecurity certificates in certain contexts, the combined effect of Head 30 and CSA2 is to risk transforming certification from a voluntary market differentiator into a quasi-mandatory condition of market participation. For non-EEA suppliers, particularly those offering complex managed or integrated services, this may function as a de facto market-access filter even before any formal ban is issued.
2.3 The chilling effect: market damage before law compels it
It is likely that the mere possibility of future designation will lead customers to stop purchasing from suppliers perceived as exposed, eroding market value well before any implementing act is adopted. That outcome is plausible precisely because NIS2 and its domestic transpositions convert supply chain diligence into a regulated duty accompanied by management accountability. Procurement decisions need not be based on certainty that a supplier will be banned; they need only be justified by a defensible preference for suppliers unlikely to generate future compliance friction.
Ireland’s legislative framework illustrates this dynamic with unusual clarity. Heads 29(4)(d) and 29(5) create a direct incentive to translate EU level assessments into supplier controls, while Head 28 introduces board level oversight and associated liability exposure. The supply chain obligations under Head 29(d) also generate uncertainty as to the allocation of responsibility between users and direct suppliers, inevitably necessitating guidance and contractual standardisation. That combination of uncertainty, liability and imported EU level assessment mechanisms creates a textbook environment for a chilling effect.
3. Making the Case
3.1 Competence, proportionality and procedural credibility
CSA2 risks importing sanctions-like effects into internal market legislation. Through implementing acts, the Commission is empowered to designate third countries and impose supplier exclusions in a manner that functionally resembles restrictive measures. Ibec – Ireland’s largest business representative and lobbying organisation – has similarly argued that the proposal displaces national security competence by shifting supplier categorisation from Member States to the Commission on the basis of assessments incorporating non-technical criteria. The core legal concern is that this decision-making pathway may be vulnerable to legitimacy and annulment challenges precisely because it centralises discretion while relying on criteria that may be difficult to test publicly.
Ireland’s Heads of Bill illustrates how Member States may be squeezed between supranational and domestic discretion. Head 24(10) expressly permits the Minister to request ENISA assistance in preparing the national cybersecurity strategy. While entirely sensible as a matter of expertise, this also illustrates a structural asymmetry: Member States rely on EU bodies for templates and guidance, which may later be treated as evidence of a common risk posture justifying further centralisation. In this way, coordination risks becoming a pathway to Member State “constraint”.
3.2 Stability, investment and disproportionate cost in smaller Member States
Ibec has estimated that supply chain reconfiguration costs for the Irish telecommunications sector alone exceed €730 million, and it argues that exposure extends to any NIS2 in-scope entity reliant on ICT assets supplied by vendors later designated as high risk. It highlights business-continuity risks, unforeseeable contractual liabilities and the bluntness of country-of-origin bans in complex modern supply chains. The Commission’s own impact assessment similarly acknowledges significant replacement costs at EU level, including annual costs in the billions under mobile network phase-out scenarios.
For non-EEA suppliers, including US firms providing cloud, managed security and industrial software services, the commercial impact is mediated through regulated customers. Those customers must demonstrate supply chain risk management, often under conservative timelines and the shadow of enforcement. In Ireland alone, more than 4,500 organisations are expected to fall directly within NIS2 scope, with many more affected indirectly. That scale of regulated demand incentivises customers to standardise around suppliers perceived as “future-proof” under EU assessments, irrespective of actual technical risk.
3.3 Sovereignty, centralisation and Ireland’s asymmetric exposure
The cumulative effect of the current architecture has received limited political attention. Member States, including Ireland, are progressively ceding substantive procurement and supply chain management decisions to EU-level bodies. This represents not merely regulatory harmonisation, but a structural reallocation of decision-making authority over who may supply critical national infrastructure.
Under NIS2, the Cooperation Group is responsible for producing coordinated supply-chain risk assessments and implementation guidance. Under CSA2, the Commission adopts implementing acts designating third countries and listing high risk suppliers, with Member States responsible for domestic enforcement. Under the Toolbox, a common framework agreed collectively shapes national supervision without any single Member State enjoying a veto.
A Member State such as Ireland, which has historically served as the European hub for many of the world’s largest US technology companies, and whose economic model is substantially predicated on attracting and retaining those companies’ investment, employment, and tax contributions, has no effective veto over a Commission decision to designate a third country or list an individual supplier as high-risk. The political implications are stark. In the context of some future geopolitical trade war, one hypothetical, albeit remote, scenario would be the Commission designating the United States as a country posing cybersecurity concerns (even partially, in respect of specific legal provisions); the downstream effect on Ireland’s technology sector would be devastating. Ireland’s ability to respond would be limited to participation in the Cooperation Group and advocacy within Commission consultations. Once an implementing act is adopted, the Member State’s role is essentially one of implementation and enforcement.
The Bill’s enforcement architecture makes this point concrete. Head 29 requires entities to take into account the results of EU coordinated critical supply chain risk assessments carried out via the NIS2 Cooperation Group under Article 22(1) NIS2. This means that Irish-law compliance obligations are directly tethered to Union-level political and technical outputs over which Ireland has no unilateral control and which the Irish legislature has no power to modify. The National Cyber Security Centre (operating under the Bill as Ireland’s primary competent authority) would be legally obliged to enforce supply-chain compliance standards that reflect Cooperation Group outputs, including those designating particular non-EEA suppliers as high-risk, even if Ireland’s own policy preference would be to maintain commercial relationships with those suppliers.
This dynamic raises profound questions about democratic accountability. Head 24(3)’s policy duty on supply-chain security, procurement, and certification is framed as a domestic Irish legislative requirement. However, its substantive content is, in practice, shaped by Union-level bodies whose decision-making processes offer Ireland only a collective, non-determinative voice. For a small, trade-dependent Member State, this represents a material erosion of the sovereign capacity to manage its own economic and technological relationships.
4. Proposed Reforms
The purpose of this article is not to oppose cybersecurity governance. The EU’s ambition to build resilient digital infrastructure is both legitimate and necessary. The critique is that the current and proposed instruments are insufficiently calibrated, structurally asymmetric and constitutionally under-scrutinised in their impact on Member State autonomy and third-country suppliers’ procedural fairness. The following reforms would address those concerns without undermining cybersecurity objectives.
4.1 Application of an Evidence Threshold
The Toolbox’s geopolitical tensions risk scenario — which encompasses third-country interference with suppliers, including through home-jurisdiction legal obligations — is the mechanism most likely to be applied against non-EEA suppliers in a manner disproportionate to demonstrable security risk. Reform should require that any national risk assessment applying this scenario to a specific supplier be supported by specific, documented evidence of a demonstrated cybersecurity risk materialising, or plausibly likely to materialise, from the identified legal or structural factor — not merely the theoretical existence of third-country legal provisions. This would align risk assessment practice with NIS2’s own proportionality requirement, which conditions all risk-management measures on the likelihood and severity of incidents and their societal and economic impact, not on jurisdictional attribution alone.
4.2 Require Independent Judicial or Quasi-Judicial Review of CSA2 Supplier Designation Decisions
The CSA2 high-risk supplier designation and listing process is initiated and concluded by the Commission, with Member State competent authorities, including Ireland’s NCSC, playing an implementation role. Reform should introduce a mandatory independent review mechanism that allows an affected supplier to obtain a substantive review of the factual basis for its designation prior to the prohibition taking effect, with suspensory effect pending review. The Bill’s own provision of a District Court appeal mechanism against compliance notices demonstrates that tiered review processes are not structurally incompatible with effective enforcement — they should be replicated at the Union level for designation decisions themselves.
4.3 Establish Binding Mutual Recognition Frameworks With Third Countries
The Cybersecurity Act contemplates conditions for the mutual recognition of certification schemes with third countries. The Toolbox’s Recommendation R07 (on standards and certification) emphasises the importance of international standards alignment and interoperability of certification schemes. Reform should require the Commission to establish a defined process and timeline for negotiating mutual recognition arrangements with allied third countries whose cybersecurity regulatory frameworks meet defined criteria. Suppliers whose products are certified under a mutually recognised scheme should be entitled to rely on that certification for the purposes of NIS2 Article 24’s provision that Member States may require essential and important entities to use ICT products, ICT services and ICT processes certified under European cybersecurity certification schemes, without requirement for re-testing within the EEA.
4.4 Mandate Formal Parliamentary and Stakeholder Scrutiny of Coordinated Risk Assessment Outputs and Toolbox Updates
NIS2 Articles 22(1) and 22(2) give the Commission, the Cooperation Group, and ENISA authority to carry out coordinated supply-chain risk assessments with outputs that are then embedded in private compliance decisions. Reform should require that draft coordinated risk assessment outputs, particularly those invoking non-technical risk factors, and material updates to the Toolbox be subject to a public consultation period, with the obligation to publish and address substantive responses from affected industry stakeholders including non-EEA suppliers. Both instruments should be subject to ex ante scrutiny by the European Parliament, allowing democratic oversight of measures with potentially significant trade-policy consequences. At national level, the Oireachtas should scrutinise Commission implementing acts designating third countries or listing high-risk suppliers before those acts become operative within the Irish enforcement framework under the Bill.
4.5 Protect Member State Flexibility to Engage Non-EEA Suppliers Where Equivalent Security Assurance Is Demonstrated
CSA2’s framework provides that Member States may adopt or maintain higher-level ICT supply chain security provisions, but it does not create a symmetrical discretion to accept non-EEA suppliers on the basis of demonstrated security equivalence. The Toolbox’s all-hazards, evidence-based risk assessment approach, applied consistently, should in principle support such a determination. Reform should explicitly codify Member State flexibility – Member States should be permitted to grant national-level exemptions from high-risk supplier restrictions where the competent authority certifies (on the basis of a documented technical assessment applying Toolbox-aligned criteria) that the specific supplier’s product or service presents no elevated risk in the specific deployment context. Any such exemption should be subject to ENISA notification and Cooperation Group peer review.
