On 3 June 2026, the European Commission published several legislative and policy measures wrapped up in one “tech sovereignty” package (see our posts summarising the package as a whole here, and diving deeper into the Cloud and AI Development Act here). But the EU’s tech sovereignty drive has a long history, and is by no means limited to this package.
In this post, we take a closer look at the current and forthcoming EU legislative measures aimed at increasing the resilience of services provided in the EU against external, malicious influence, a key aspect of tech sovereignty. Relevant legislation falls into two broad categories: (1) laws promoting cyber resilience generally, to prevent malicious actors from disrupting services and critical infrastructure; and (2) laws focused on building supply chain resilience and reducing dependencies on certain external actors by building European industrial capacity in key tech sectors.
1. Cyber Resilience
The EU’s resilience framework focuses on minimising potential risks to organisations operating and providing services in the EU, particularly those in sectors deemed to be critical infrastructure such as energy, transport, and digital infrastructure. The most recent Cyber Threat Landscape paper from ENISA—the EU cybersecurity Agency—emphasised the continued prevalence of ransomware, phishing, and activities of state-sponsored threat actors, while also stating that AI “has become a defining element of the threat landscape.” More recent developments—including the European Commission’s recently-published Action Plan on Cybersecurity and AI and the creation and partial release of AI models with significant vulnerability-detection capabilities—emphasise the view that cyber threats can undermine control of EU systems and data, while also viewing AI as a potential tool to guard against such threats.
The EU legislative framework around cyber resilience focuses on two key obligations: (1) proactive cybersecurity risk-management measures and incident reporting, with the aim of enabling covered organisations to reduce the risk of an incident occurring in the first place and, (2) if and when an incident does occur, allowing public authorities to understand those incidents and provide assistance. In that regard:
- The revised Network and Information Systems Directive (“NIS2”), which was due to be implemented by Member States in October 2024, establishes both (1) a horizontal framework for cybersecurity governance and (2) cyber incident reporting across various sectors deemed to be critical (e.g., energy, transport, manufacturing, and digital infrastructure). We describe NIS2 in more detail in our post here.
- The Directive on the Resilience of Critical Entities (“CER Directive”) complements NIS2. It applies to entities in some of the sectors covered by NIS2 that are also expressly designated by Member States as “critical entities.” These entities are required to implement measures to ensure their resilience against all types of incidents—not simply cyber incidents (such as, e.g., natural hazards such as extreme weather, physical attacks such as vandalism or insider threats, and technical and operational failures).
- The current version of the EU’s Cybersecurity Act (“CSA”) establishes a framework for ENISA and Member States to develop cybersecurity certifications for specific sectors. NIS2 also allows Member States to require entities in covered sectors to use products, services, and processes certified under such schemes in order to demonstrate compliance with NIS2. This certification scheme is not currently well-developed, but recently proposed revisions to the CSA, the so-called “CSA2,” would, among other things, implement measures intended to simplify the process of establishing such certification schemes. (For more details on the CSA2 proposal, see our prior post here).
- The Cyber Resilience Act (“CRA”) imposes more detailed cybersecurity measures on manufacturers of connected devices (i.e., “products with digital elements”). These include conformity assessment requirements, which must be conducted before such products are placed on the market. The CRA also establishes mandatory vulnerability reporting requirements for covered manufacturers, which the EU legislators hope will make it easier for companies to identify and patch vulnerabilities in their covered products.
- Finally, the Cyber Solidarity Act aims to promote information-sharing about incidents, vulnerabilities, and cyber threats between Member-State public authorities, requires Member States to carry out coordinated incident preparedness testing on companies in certain sectors covered by NIS2, and establishes an “EU Cybersecurity Reserve” comprised of trusted providers who can be called upon to assist with large-scale incident response. (For more details on the Commission’s original proposal for the Cyber Solidarity Act, see our prior post here).
Sector-specific legislation would also impose specific resilience obligations in particular sectors identified as “critical”. These include:
- The Digital Operational Resilience Act, covering financial institutions.
- The proposed EU Space Act, which would establish detailed obligations on a wide range of space services providers (beyond ground-station service providers that are already covered by NIS2). For more details on the EU Space Act, see our prior post here.
2. Supply-chain Security and Capacity Building
Existing general trade controls and foreign direct investment frameworks already provide some tools to limit the influence of potentially high-risk actors in tech-related supply chains. There are also frameworks specific to tech supply chains:
- The NIS2 Directive discussed above contains obligations for covered operators to implement appropriate measures to ensure the security of their supply chains. It also empowers the European Commission—through an EU-level cooperation group—to carry out coordinated cybersecurity risk assessments on the supply chains for ICT products, services and systems, with a view to identifying and reporting on cyber threats in particular supply chains and sectors. To date, the group has published risk assessments on EU border crossing detection equipment and connected / autonomous vehicles, as well as a Supply Chain Security Toolbox.
- Building on this groundwork, the CSA2 proposal would grant the Commission powers to designate “high-risk suppliers” and countries that “pos[e] cybersecurity concerns to ICT supply chains” on the basis of these risk assessments. Having designated such suppliers and countries, the Commission would then be able to impose, via secondary legislation, “mitigating measures” on the use of ICT products, services, and systems supplied by high-risk suppliers or suppliers established in or controlled by a designated country. These mitigating measures may be broad, and could include, for example, restrictions or prohibitions on the use of certain ICT products, and systems, restrictions or prohibitions on data transfers to third countries, and/or operational restrictions such as a requirement for the service to be “operated, managed, maintained or supported” only by personnel vetted by competent Member State authorities.
The CSA2 proposal would also impose specific obligations on electronic communications network operators, effectively requiring them to remove equipment from designated high-risk suppliers from their 5G networks within three years.
Sector-specific legislation could go even further. For instance:
- The forthcoming EU Quantum Act is expected to address supply-chain resilience issues: in its 2025 Call for Evidence in advance of the legislative proposal, the Commission indicated that it could establish a supply-chain monitoring framework for the equipment needed for quantum computers, sensors, and the like. The Call for Evidence indicated that this framework could be used to identify areas of low cyber resilience, which could include potential threats from outside actors that should be removed from supply chains.
- The Commission’s proposal for the Space Act would also impose heightened conditions on space service providers from outside the EU wishing to provide their services in the EU. Public authorities from outside the EU wishing to provide such services would be subject to detailed assessments by the European Union Agency for the Space Programme, including a mapping of all their space assets and activities, before obtaining authorisation to provide these services.
- The Commission also recently proposed a Regulation for allocation of electromagnetic spectrum to mobile satellite services operators, which would reserve two-thirds of that spectrum to organisations that are established in a Member State, that are “directly or indirectly controlled by the EU or one or more Member States or by natural persons who have the nationality only of Member States, are not subject to control by a third country or by a third country national,” and are not subject to third-country jurisdiction. (For more details on this proposed Regulation, see our prior blog post here.)
Ensuring supply-chain security also implies establishing European industrial capacity in the tech sector. In that regard:
- The Critical Raw Materials Act (“CRMA”) seeks to secure the EU’s supply of strategic raw materials by setting 2030 benchmarks for domestic extraction, processing, and recycling, limiting reliance on any single third country, and requiring large companies in strategic sectors to assess supply chain risks. Targeted CRMA amendments, proposed by the Commission in December 2025 to strengthen supply chain risk and circularity rules, are now under negotiation.
- The Net-Zero Industry Act complements this framework by targeting 40% EU manufacturing capacity for strategic net-zero technologies by 2030 and embedding resilience and sustainability criteria in public procurement and renewable energy auctions.
- The Commission’s March 2026 proposal for an Industrial Accelerator Act, which amends the NZIA among other instruments, would extend and reinforce origin-based (“Made in EU”) requirements in certain public procurement procedures and support schemes for clean-tech products.
- On semiconductors, the current Chips Act aims to raise the EU’s share of the global semiconductor market to 20% by 2030 and establishes a coordinated crisis mechanism—including supply chain monitoring, joint purchasing and priority-rated orders—to respond to severe shortages. The Commission’s proposed Chips Act 2.0, published as part of the tech sovereignty package, would place greater emphasis on demand-side measures and introduce new categories of recognised projects to support EU chip design and manufacturing.
* * *
Covington’s Privacy and Cybersecurity, Technology and Communications, and Public Policy practices will continue to monitor developments related to tech sovereignty, cyber resilience, and law enforcement access to data. If you have any questions about the issues raised in this blog, please do not hesitate to contact us.