
EU Cybersecurity Act Draft Mandates Phase-Out of High-Risk Hardware Suppliers


Time: May 31, 2026


On 28 May 2026, the European Commission published the revised draft of the EU Cybersecurity Act, introducing binding legal requirements for Member States to phase out equipment and components from designated ‘high-risk suppliers’ across 18 critical sectors—including 5G core networks, semiconductors, power systems, autonomous vehicles, and medical devices—within 36 months. The measure significantly affects CE/EN conformity pathways and market access timelines for hardware exports from China, including smart locks, cloud security gateways, high-strength bolts, and ventilators.


Key Provisions of the Revised Cybersecurity Act Draft

On 28 May 2026, the European Commission formally released the updated draft of the EU Cybersecurity Act. For the first time, the draft establishes a mandatory, legally enforceable obligation requiring all EU Member States to remove hardware and critical components supplied by entities classified as ‘high-risk suppliers’ from 18 defined critical infrastructure domains within 36 months of the law’s entry into force. These domains explicitly include 5G core networks, semiconductor manufacturing equipment, electricity grid control systems, autonomous driving platforms, and medical diagnostic and life-support devices. While the draft does not name specific companies or countries, its scope and risk-assessment criteria strongly indicate implications for suppliers whose origin, ownership structure, or compliance history raises concerns under EU cybersecurity and supply chain integrity frameworks. The regulation directly affects CE marking procedures, EN standard alignment, and conformity assessment timelines for affected products.

Impact Across Supply Chain Roles

Export-oriented trading enterprises

These firms face immediate pressure on customs clearance, product registration, and post-market surveillance obligations. CE declarations may now require additional supplier due diligence documentation, and existing stock may be subject to re-evaluation if sourced from flagged vendors. Lead times for new certifications are expected to extend due to intensified technical file reviews.

Raw material and component procurement enterprises

Procurement teams must now verify not only material specifications but also the cybersecurity-related provenance of subcomponents—especially for items integrated into critical systems (e.g., firmware-enabled bolts used in energy infrastructure or sensors embedded in ventilators). Traceability documentation and supplier risk self-declarations will become mandatory prerequisites.

Contract manufacturers and OEMs

Manufacturers supplying to EU-based integrators must reassess their entire bill-of-materials (BOM) for exposure to high-risk supplier designations. Product redesigns, alternative sourcing, and updated technical documentation—including firmware update policies and vulnerability disclosure protocols—may be required before CE renewal cycles.

Supply chain service providers

Logistics, testing labs, and conformity assessment bodies will need to adapt certification workflows to incorporate new cybersecurity risk assessments. EN standards referenced in conformity reports (e.g., EN 303 645, EN ISO/IEC 27001) may require expanded scope coverage, especially regarding software supply chain integrity and third-party code attestation.

Strategic Priorities for Affected Companies

Reassess CE/EN conformity strategy beyond baseline compliance

CE marking can no longer be treated as a static, one-time procedure. Firms must prepare for dynamic conformity monitoring—including periodic updates to technical files, evidence of supplier risk mitigation, and documented firmware lifecycle management aligned with EN 303 645 and ETSI TS 103 645.

Map and validate upstream supplier cybersecurity posture

A full BOM-level audit is essential—not just for final products but for every firmware-integrated or network-connected subassembly. This includes verifying whether upstream suppliers meet EU-defined cybersecurity assurance levels (e.g., ENISA’s ICT Supply Chain Risk Management Framework).

Prepare for extended certification timelines and documentation depth

Notified Bodies are expected to introduce additional verification steps for products falling within the 18 high-risk categories. Anticipate longer review periods for technical documentation, source-code transparency requests (where applicable), and evidence of secure development lifecycle adherence (e.g., ISO/IEC 27034, IEC 62443-4-1).

Review tender specifications and public procurement eligibility criteria

EU public tenders—particularly in energy, health, and transport sectors—are likely to embed explicit clauses referencing the Cybersecurity Act draft. Bidders may soon need to submit supplier risk statements, independent cybersecurity audit summaries, and evidence of alternative sourcing readiness.

Industry Perspective: Beyond Compliance Toward Resilience

This draft represents a structural shift: not merely an extension of existing CE or EN requirements, but a foundational recalibration of how cybersecurity risk is governed across hardware supply chains. From an industry perspective, the point that deserves closest attention is the de facto elevation of supplier due diligence to a statutory precondition for market access. The 36-month transition window is shorter than typical product redesign and re-certification cycles for complex hardware, which suggests that firms without mature cybersecurity governance frameworks will face disproportionate delays. The draft is therefore better understood as a catalyst for integrating cybersecurity assurance into procurement, R&D, and quality management, not as a standalone certification hurdle.

Toward Adaptive Conformity Management

This regulatory development signals a broader evolution in EU market access: conformity is increasingly conditional on verifiable, end-to-end supply chain integrity—not just product-level performance. While the draft remains subject to co-decision procedures, its core architecture reflects a durable policy direction. Companies that proactively align technical documentation, supplier vetting, and vulnerability response capabilities with emerging EU expectations will gain competitive advantage—not only in regulatory readiness but also in customer trust and bid responsiveness.

Source Information and Verification Notes

This article is generated exclusively from the user-provided information: title, event date (28 May 2026), and event summary. Specific official source links were not provided in the input and should be verified continuously. Readers are advised to monitor updates from the European Commission, ENISA, and official EU publications such as the Official Journal of the European Union. Key developments to track include final adoption timing, detailed implementing acts, guidance from Notified Bodies on revised assessment criteria, and early examples of tender documents incorporating the new supplier risk requirements.
