EU vendor risk turns geopolitical
New EU proposals on digital sovereignty and high‑risk vendors are pushing businesses to treat third‑country supplier exposure and government influence as core vendor‑risk factors. The discussion reframes vendor risk from a technical procurement exercise into a geopolitical decision that affects architecture and substitution planning (grip.globalrelay.com).
The European Commission’s new cyber proposal would let the European Union treat some foreign technology suppliers as a security risk, not just a procurement choice. (digital-strategy.ec.europa.eu)

The proposal, published on 20 January 2026 as part of a revised European Union Cybersecurity Act, says the bloc needs a common framework for information and communications technology supply-chain risks in critical infrastructure. The Commission said the change responds to a worsened threat landscape and more capable state-backed attackers. (digital-strategy.ec.europa.eu)

In its questions-and-answers note, the Commission said the draft law would address “strategic risks of undue foreign interference and critical dependencies” and would ensure telecom operators do not rely on high-risk suppliers for critical assets. That shifts the test from whether a product works securely to whether the supplier itself could be influenced from abroad. (digital-strategy.ec.europa.eu)

The follow-on effect for companies is architectural, not just contractual. Lawyers at Fieldfisher said the draft Articles 98 to 117 would require entities in sectors covered by the Network and Information Security Directive 2 to assess vendor geopolitical risk and, in some cases, manage or remove suppliers from their technology stacks. (fieldfisher.com)

The European Union is pairing that supply-chain push with a broader sovereignty drive in cloud and artificial intelligence. The Commission’s cybersecurity questions-and-answers note says the revised Cybersecurity Act is meant to complement the planned Cloud and Artificial Intelligence Development Act, which would reserve highly critical public-sector uses for secure European Union-based cloud and artificial intelligence computing services. (digital-strategy.ec.europa.eu)

That cloud agenda is already moving in parallel. The Commission says it will propose the Cloud and Artificial Intelligence Development Act in 2026, with a goal of at least tripling European Union data-centre capacity in five to seven years and meeting business and public-administration needs by 2035. (digital-strategy.ec.europa.eu)

Brussels has also started writing sovereignty rules into its own buying. In October 2025, the Commission tied a cloud tender worth up to 180 million euros to a Cloud Sovereignty Framework that it described as a reference point for providers and a way to grow the European Union cloud market, especially in the public sector. (commission.europa.eu)

A 13 February 2026 toolbox from the Network and Information Security Cooperation Group adds the operating manual. It gives Member States and companies a common method to identify, assess and mitigate information and communications technology supply-chain risks, including dependencies on high-risk suppliers. (digital-strategy.ec.europa.eu)

European Parliament research has been framing the same problem in geopolitical terms. A February 2025 briefing warned that dependence on foreign providers for communications infrastructure can threaten the public interest and national security, and a December 2025 study mapped wider European software and cyber dependencies. (europarl.europa.eu, europarl.europa.eu)

Industry groups are pushing back on parts of the sovereignty agenda. CCIA Europe said this month that the Commission’s Cloud Sovereignty Framework, released alongside the Cloud III purchasing system, needs to stay compatible with open markets and practical public-sector procurement. (ccianet.org)

The immediate deadline is political, not technical. Fieldfisher said the revised Cybersecurity Act is open for public feedback until 12 May 2026, but the message to companies is already clear in the draft text: vendor risk in Europe now includes the passport, ownership and state influence behind the supplier. (fieldfisher.com)