EU launches ICT Supply Chain Security Toolbox to address cybersecurity risks

On 30 January 2026, the NIS Cooperation Group, comprising representatives of EU Member States, the European Commission and the EU Agency for Cybersecurity (ENISA), adopted the EU ICT Supply Chain Security Toolbox, establishing a common EU approach to identifying, assessing and mitigating cybersecurity risks across ICT supply chains.

The toolbox provides a structured, non-binding framework intended to support Member States in strengthening the security and resilience of ICT supply chains in critical sectors such as healthcare, telecommunications, finance, transport and energy. It facilitates the implementation of the NIS2 Directive and supplements existing EU cybersecurity legislation, including the Cyber Resilience Act and the Cybersecurity Act.

Key points

  • The toolbox recommends that Member States carry out national ICT supply chain risk assessments and identify critical suppliers and systemic dependencies across sectors.
  • It encourages multi-vendor strategies and supply diversification to reduce risks associated with supplier lock-in or strategic dependencies.
  • Member States are advised to assess suppliers in order to identify high-risk suppliers, including those potentially subject to third-country interference or weak cybersecurity practices.
  • The toolbox promotes information sharing, training and cooperation between authorities, EU institutions and industry to improve situational awareness and response to supply chain incidents.
  • It also supports the development of a secure and interoperable European ICT ecosystem, including the use of standards and certification schemes.

The NIS Cooperation Group will review the implementation of the toolbox approximately one year after its adoption.

The full text of the toolbox is available here.

See All News Here

Related News

Swedish Supreme Court Adds Nuance to Previous Ruling on Bulk Requests for Court Judgments and Decisions

NIS2 and the Swedish Regulation Jungle

EU Commission Proposes Tech Sovereignty Package with New Rules for Chips, Cloud Services and AI infrastructure