Europe’s New Cybersecurity Playbook Tests the Balance Between Resilience and Digital Rights


Brussels has a knack for regulating by stealth and with far-reaching consequences at the same time. The European Commission’s proposed reform of the Cybersecurity Act, informally known as “CSA2,” is no different. Published on 20 January 2026, the new draft regulation will replace the 2019 framework and enter into force together with a reform of the EU’s cybersecurity directive, Directive (EU) 2022/2555.

From Technical Update to Geopolitical Instrument


At first glance, it is a mere technical update. In truth, it represents a paradigm shift in the interplay between market access, digital sovereignty, and political trust in global supply chains. The proposed regulation introduces a new competence for the European Commission to qualify so-called “key ICT assets” in the sectors that fall under NIS2, and, more controversially, to qualify foreign suppliers as “high risk.” This is no theoretical categorization. It may trigger EU-wide bans, including exclusion from cybersecurity certification schemes, public procurement, and standardization activities. In the telecommunication sector, products from high-risk suppliers must be replaced within narrowly defined time limits. This is a structural risk for Brussels. The Commission argues that supply chains are no longer merely commercial networks but rather strategic infrastructure vulnerable to geopolitical pressure.

External laws requiring early warning systems for software vulnerabilities to national authorities, the absence of an independent judicial review procedure, or proof of malicious cyber activity may all be taken into account in a high-risk assessment. This is a clear extension of the debate, which was hitherto confined almost entirely to the 5G providers. CSA2 extends the debate to other areas. In this process, it enshrines a European ideal of digital sovereignty that is less about rhetorical moments on industrial policy and more about wielding regulatory muscle. But the ideal of sovereignty is a fraught one in the digital politics of Europe. The European Pirate Party, whose manifesto sees the digital revolution as an opportunity for democratic transformation rather than technocratic consolidation, has long argued that resilience must never come at the cost of transparency and basic rights. The Pirates’ program calls for open standards, accountability of state power, and robust judicial safeguards whenever digital governance is expanded. CSA2 does expand governance.

When Stronger Enforcement Meets Sharper Deadlines


The Commission will gain implementing powers to exclude certain actors from using specific ICT components or to specify mitigation measures that vary from supplier-transparency obligations to bans on remote data processing from nations outside of the EU. Non-compliance will incur fines of up to 7 percent of global annual turnover for the most serious infractions, a severity that matches the EU’s toughest enforcement instruments. The telecommunication sector will have sharper corners. Mobile network operators will have no more than 36 months to strip out components from suppliers that are deemed to be high-risk once a list is published. Fixed and satellite communications will follow a schedule that will be determined in further implementing decisions. The implication is clear: in strategic communications infrastructure, caution defeats gradualism. However, CSA2 also proposes to update the European Cybersecurity Certification Framework as established in Regulation (EU) 2019/881. Certification will no longer be exclusive to products and services. For the first time, it may also include an organization’s overall cybersecurity posture, maturity, readiness, and governance structures. This is a result of a broader regulatory strategy.

Cybersecurity is no longer a property that is inherent in hardware and software; it is a systemic property of organizations and, by extension, markets. The certification frameworks would be established by ENISA under the Commission’s mandate, with periodic reviews at least every four years. There would be little room for Member States to establish their own schemes if there are schemes in the EU. Harmonization and simplification are what the supporters of this regulation see. Centralization is what the opponents might see. ENISA is poised to take on a much bigger role. It is not only going to be responsible for the establishment of certification frameworks but will also be involved in EU-level risk assessments, administer the European Vulnerability Database under NIS2, and coordinate the EU Cybersecurity Reserve and crisis response efforts across borders, such as EU-CyCLONe. The challenge for digital rights campaigners is not that Europe needs improved cybersecurity. It clearly does.

How Security Ambition Threatens Democratic Safeguards


Ransomware attacks, state-sponsored hacking, and supply chain attacks have shown the weaknesses. The challenge is whether new powers, such as blacklisting suppliers, EU vulnerability registers, and reporting mechanisms, are matched by similarly robust safeguards on transparency, judicial review, and democratic oversight. The Pirate Party’s manifesto is crystal clear that the digital revolution must empower citizens and strengthen basic rights, not lock them into a permanent state of technological exception. CSA2 is not a surveillance bill. It is framed in industrial and security language.

But its architecture is part of a broader pattern: the progressive enhancement of regulatory and operational capabilities at the EU level in the name of resilience. The proposal will now proceed to the European Parliament and the Council under the ordinary legislative procedure. The negotiations are likely to stretch into 2026. As amendments are tabled and compromises are struck, the debate is likely to polarize around familiar European divides: security vs. openness, sovereignty vs. global interdependence, harmonization vs. decentralization. In this debate, CSA2 will show whether the Union can build a more secure digital space without sacrificing the very values that made it a self-proclaimed global leader on digital rights in the first place.


europeanpirates.eu/europes-new…