EU Launches ICT Supply Chain Security Toolbox
The EU has launched a new ICT Supply Chain Security Toolbox. The initiative aims to standardize how member states assess risks from technology vendors, enhancing regulatory frameworks and bolstering the bloc's tech sovereignty efforts.
This new toolbox is a direct operationalization of Article 22 of the NIS2 Directive, which mandates Union-level coordinated security risk assessments of critical ICT supply chains. Developed by the NIS Cooperation Group, with support from the European Commission and ENISA, it provides member states with a non-binding, common framework for assessing and managing risks from both a technical and a non-technical standpoint. The approach is intentionally "actor-agnostic," yet it recommends scrutinizing critical suppliers and promoting multi-vendor strategies to reduce strategic dependencies on what could be deemed high-risk vendors. This methodology builds directly on the precedent set by the EU's 5G Security Toolbox, which introduced the concept of "high-risk vendors" (HRVs) and led several member states to impose market restrictions.

A key driver is addressing non-technical risks, such as foreign interference, a concern explicitly mentioned in the revised Cybersecurity Act proposal from January 20, 2026. The framework aims to create a harmonized approach for identifying and mitigating these geopolitical risks within the supply chains of the EU's 18 critical sectors.

The toolbox was released alongside two specific coordinated risk assessments: one for connected and automated vehicles (CAVs) and another for detection equipment used at EU borders. For CAVs, the group recommended measures to de-risk supply chains from high-risk suppliers, particularly for systems controlling data processing, communications, and remote vehicle updates.

Under the NIS2 Directive, organizations are now responsible for the cybersecurity practices of their entire supply chain, extending these security obligations to all third-party vendors and service providers. This means contractual arrangements must now incorporate specific cybersecurity risk management measures, and suppliers may need to adhere to standards such as ISO/IEC 27001.
The NIS Cooperation Group, which includes all member states, the Commission, and ENISA, will review the toolbox's implementation and effectiveness after one year to share best practices and recommend adjustments. This review will assess progress on strengthening risk management, fostering multi-vendor strategies, and enhancing cooperation across the bloc.