EU launches new toolbox to strengthen ICT supply chain security
The EU introduced a new ICT Supply Chain Security Toolbox, providing an EU approach to identify, assess, and mitigate cybersecurity risks across ICT supply chains. The toolbox outlines risk scenarios and recommends mitigation measures, including the assessment of critical suppliers, the importance of multi-vendor strategies and approaches to overcome dependencies on high-risk suppliers. It empowers Member States to strengthen ICT supply chain security.
The NIS2 Cooperation Group, which involves EU Member States, the European Commission and the EU Agency for Cybersecurity (ENISA), developed the toolbox and will review its progress in one year.
Underlining the importance of ensuring the security of our ICT supply chains, the Commission has also proposed, in the revised Cybersecurity Act presented on 20 January 2026, a trusted ICT supply chain framework focusing on addressing non-technical risks such as foreign interference, which will allow for a harmonised approach in the most critical supply chains.
The release also includes two risk assessments focusing on connected and automated vehicles, as well as detection equipment used at borders and customs. These reports provide a comprehensive analysis of cybersecurity risks, their potential consequences, and the necessary mitigation measures.
Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, said: “Cyber-attacks on ICT supply chains are increasingly sophisticated and can impact our security and economy. With the adoption of the ICT Supply Chain Security Toolbox, we intensify our efforts to protect them by increasing our common understanding on risks and how we can mitigate them.”
More information on the toolbox and risk assessments can be found online.