The EU is moving toward tougher restrictions on “high-risk” suppliers in critical infrastructure, as part of a proposed revision of the Cybersecurity Act. Reuters reported that the EU is planning to phase out components and equipment from high-risk suppliers — with public discussion frequently focusing on Huawei and other Chinese firms — across multiple sectors.

TechRadar’s coverage similarly describes a proposal that would enable mandatory exclusion of suppliers deemed high-risk, with aims including stronger “cyber-secure by design” practices and reduced dependency on vendors that present national security concerns. While public debate often turns geopolitical, the operational point is simpler: supplier risk is becoming a formal compliance and resilience requirement, not just a procurement preference.

If implemented, such measures will affect organisations operating in regulated or critical sectors, and they will likely spill into adjacent sectors through supply-chain expectations. Even companies not directly in scope may face customer requirements to demonstrate that their products and services do not embed high-risk components or dependencies.

For security and procurement teams, the challenge is practical: understanding vendor chains, mapping embedded technology dependencies, and managing replacement cycles. The measures also emphasise the need for lifecycle planning — de-risking cannot be done as an emergency reaction without major cost.

Acompli perspective: Supplier governance is increasingly a data problem. If you cannot quickly answer “where do we use this vendor?”, “what systems depend on them?”, and “what data flows through those dependencies?”, you will struggle with any mandatory exclusion or accelerated remediation. A structured vendor register connected to systems, risks and controls turns what could be a crisis into an executable programme.
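As an added illustration of the register described above (this is example code written for this page, not Acompli's product or any tooling the article describes), the following Python sketch models a small vendor register as a graph and answers the three questions posed: which components a vendor supplies, which systems depend on them, and which data flows pass through those systems. It also follows embedded components transitively, which is where exclusion exercises usually go wrong: a vendor that appears only as a firmware or library supplier inside someone else's product still reaches every system that product runs on. All vendor, component, system and data-flow names are constructed for the example.

```python
"""Vendor register as a dependency graph: impact analysis for a supplier exclusion.

Example code added for illustration; names below are constructed, not real vendors
or systems.
"""
from collections import deque

# Constructed register. Each component records its supplying vendor and the
# components it embeds (e.g. a baseband unit embedding third-party DSP firmware).
COMPONENTS = {
    "edge-router":      {"vendor": "VendorA", "embeds": []},
    "ran-baseband":     {"vendor": "VendorA", "embeds": ["dsp-firmware"]},
    "dsp-firmware":     {"vendor": "VendorB", "embeds": []},
    "core-switch":      {"vendor": "VendorC", "embeds": []},
    "monitoring-agent": {"vendor": "VendorD", "embeds": ["tls-lib"]},
    "tls-lib":          {"vendor": "VendorB", "embeds": []},
}

# Systems and the components they are built on.
SYSTEMS = {
    "5g-access": ["ran-baseband", "edge-router"],
    "backbone":  ["core-switch", "edge-router"],
    "billing":   ["monitoring-agent"],
    "hr-portal": ["monitoring-agent"],
}

# Data flows between systems: (source, destination, data classification).
DATA_FLOWS = [
    ("5g-access", "backbone", "subscriber-traffic"),
    ("billing",   "backbone", "customer-pii"),
    ("hr-portal", "billing",  "employee-pii"),
]


def components_from_vendor(vendor):
    """Components supplied by `vendor`, plus every component that transitively
    embeds one of them (breadth-first walk over the reverse 'embeds' edges)."""
    direct = {c for c, meta in COMPONENTS.items() if meta["vendor"] == vendor}
    parents = {}  # embedded component -> set of components that embed it
    for comp, meta in COMPONENTS.items():
        for embedded in meta["embeds"]:
            parents.setdefault(embedded, set()).add(comp)
    seen = set(direct)
    queue = deque(direct)
    while queue:
        current = queue.popleft()
        for parent in parents.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def systems_using(components):
    """Systems that run at least one of the given components."""
    return {s for s, comps in SYSTEMS.items() if any(c in components for c in comps)}


def flows_touching(systems):
    """Data flows with an affected system at either end."""
    return [(src, dst, cls) for src, dst, cls in DATA_FLOWS
            if src in systems or dst in systems]


def impact_of(vendor):
    """Answer 'where do we use this vendor, what depends on it, what data is exposed'."""
    comps = components_from_vendor(vendor)
    systems = systems_using(comps)
    flows = flows_touching(systems)
    return {
        "components":   sorted(comps),
        "systems":      sorted(systems),
        "flows":        flows,
        "data_classes": sorted({cls for _, _, cls in flows}),
    }


if __name__ == "__main__":
    for vendor in ("VendorA", "VendorB", "VendorC"):
        report = impact_of(vendor)
        print(f"{vendor}: systems={report['systems']} data={report['data_classes']}")
```

On this constructed register, VendorB never appears as a top-level equipment supplier, yet because its firmware and TLS library are embedded in other vendors' products it reaches three of the four systems and every classified data flow. That is the kind of result a flat "list of suppliers" cannot produce, and it is what turns an exclusion requirement into a prioritised replacement plan rather than a scramble.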