1. Insights
  2. Publications
  3. Alerts

EU Cyber and Connectivity Proposals with Extra-Territorial Impact: Cybersecurity Act 2 and Digital Networks Act Go to Negotiations

January 23, 2026

Reading Time : 4 min
Jump to
View Authors' DetailsView Related Services, Sectors, and Regions

By: Shiva Aminian, Davina Garrod, Natasha G. Kohne, Jennifer L. Richter, Hans Christopher Rickhoff, Jan Walter, Alan Yanovich, Evan D. Wolff, Jenny Arlington, Reggie Babin, Rita S. Heimes, John Hoffner, Hannes Sigurgeirsson

On 20 and 21 January 2026, the European Commission presented its proposals for a Cybersecurity Act 2 (CSA2) and a Digital Networks Act (DNA). The CSA2 aims to increase Information and Communication Technologies (ICT) supply chain security, to galvanize the implementation of the European cybersecurity certification framework and to expand the mandate of the European Union Agency for Cybersecurity (ENISA). Under the proposal, the Commission may designate a non-EU country as a “country posing cybersecurity concerns to ICT supply chains”, and entities established in such third countries (or controlled by an entity established in such countries or by a national of such countries) will be deemed “high-risk suppliers”, prohibited from, for example, participating in public procurement procedures or holding European cybersecurity certificates. The DNA’s objectives include incentivizing market players to innovate and invest in advanced connectivity, escalating the transition from legacy networks to fibre and high quality 5G and eventually 6G networks, and promoting cloud-based computing infrastructures that enable AI development and deployment. The proposals now go to the co-legislators, the European Parliament and the Council, where the drafts will be subject to intense negotiations over the upcoming months.

The DNA is a sweeping regulation consolidating fragmented telecom, spectrum, and network frameworks into a single, harmonized legal instrument. Coupled with a parallel CSA2, it represents a significant overhaul of the EU digital infrastructure governance. The Commission continues to (re-)shape the EU digital agenda, balancing long-standing efforts to harmonize and centralize across EU Member States, with today’s top priority of increasing the EU’s competitiveness.

The proposed Cybersecurity Act 2

The Commission proposes to expand significantly the mandate of ENISA, increasing the agency’s budget and workforce. Together with ENISA’s more traditional tasks of performing analysis of the main market trends in cybersecurity and disseminating technical advice (which ENISA does under the old Cybersecurity Act in any event), it will now maintain repositories of cyber threat intelligence and issue early alerts. ENISA will also provide the single reporting platform under the Network and Information Systems Directive 2 (NIS2) and the Cyber Resilience Act (see our alert on Navigating the EU's Digital Omnibus on Privacy, Cyber, Data and AI and Next Steps) and develop and implement the European Cybersecurity Certification Framework.

In relation to supply chain resilience, the CSA2 proposes a framework under which key ICT assets in critical ICT supply chains will be identified, with the assistance of EU-level coordinated security risk assessments, requested by the Commission or at least three Member States and to be finalized within six months. A risk assessment can also be conducted “without delay”, i.e. on an urgent basis, where the Commission has sufficient reason to believe that there is a significant cyber threat for the security of the EU in relation to an ICT supply chain and that action is required to preserve the proper functioning of the internal market. In addition, where the Commission considers that a third country poses “serious and structural non-technical risks to ICT supply chains”, such a third country may be designated as a “country posing cybersecurity concerns to ICT supply chains”. Entities established in such third countries, or controlled by an entity established in such countries or by a national of such countries, are deemed “high-risk suppliers”. They will not be allowed to carry out a number of activities, such as participate in public procurement procedures or hold European cybersecurity certificates. This “trusted ICT supply chain” framework is to apply also to mobile, fixed and satellite electronic communications networks, ensuring alignment between the CSA2 and the DNA (see below).

European cybersecurity certification – evidencing cyber resilience of certified entities - is now either required or encouraged under a number of EU laws, including the AI Act, the Cyber Resilience Act and NIS2. The CSA2 includes proposals for making such schemes more effective and agile, in particular in relation to ICT products, services and processes and managed security services.

The proposed Digital Networks Act

The DNA builds on the resilience theme of the CSA2, proposing a framework for network and service resilience and preparedness, such as obligations as to the availability and capabilities of networks and services. In alignment with the proposals for strengthening the ICT supply chain security under the CSA2, the DNA sets out a streamlined notification-based system enabling providers to operate in one, several or all Member States on the basis of a single confirmation by one national regulatory authority – a single passporting framework for a general authorisation regime.

Further harmonization proposals include the streamlining of the rules around authorisation, renewal, transfer and sharing of spectrum rights, including a spectrum single market procedure, one-stop-shop procedures and specific EU-wide authorisations and frameworks for satellite networks and services.

Other proposed rules, aimed at improving connectivity, set out details on transitioning to fibre-to-the-home networks and access to land and rights of way. Safeguarding end-user rights, including access to an affordable adequate internet access services, is also part of the DNA, as well as proposals for out-of-court dispute resolution between providers and consumers.

The DNA draft does not include a previously suggested and heavily contested "network levy", a fee that would have been payable by large companies (including those outside the EU) for using and maintaining digital networks.

Next Steps

The texts of the CSA2 and the DNA will be subject to intense negotiations during the EU legislative procedure. Businesses involved in the digital infrastructure, networks and services should consider which aspects of the comprehensive legislative proposals carry the risk of having the most significant impact on their operations from a financial and practical perspective, and consider engaging in steps which could reduce the compliance burden.

Share This Insight

Related Services, Sectors, and Regions

View All
© 2026 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.