EU launches ICT Supply Chain Security Toolbox, including risk assessments for Connected and Automated Vehicles

23 February 2026

The European Union has introduced a new ICT Supply Chain Security Toolbox, providing a coordinated EU approach to identify, assess, and mitigate cybersecurity risks across ICT supply chains. The Toolbox includes two risk assessments focusing on Connected and Automated Vehicles (CAVs) and Detection Equipment used at borders and customs. These reports provide a comprehensive analysis of cybersecurity risks, their potential consequences, and the necessary mitigation measures.

The toolbox was developed by the NIS2 Cooperation Group — bringing together EU Member States, the European Commission and the EU Agency for Cybersecurity (ENISA) — it outlines key risk scenarios and recommends mitigation measures to strengthen ICT supply chain resilience across Europe.

Recommended mitigation measures includes

  • the assessment of critical suppliers,
  • the stressing the importance of multi-vendor strategies,
  • and approaches to reduce dependencies on high-risk suppliers.

The initiative aims to empower Member States as well as public and private stakeholders to enhance the security of ICT supply chains in line with the revised Cybersecurity Act presented on 20 January 2026 and which aims to ensure that products and services reaching EU consumers are tested for security in a more efficient way, through a renewed European Cybersecurity Certification Framework (ECCF).

Highlighting the urgency of strengthening supply chain resilience, Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, stated:

Cyber-attacks on ICT supply chains are increasingly sophisticated and can impact our security and economy. With the adoption of the ICT Supply Chain Security Toolbox, we intensify our efforts to protect them by increasing our common understanding on risks and how we can mitigate them.


The NIS2 Cooperation Group will review progress on the implementation of the toolbox within one year.

The Toolbox and Risk Assessments are available for download here

Sources: the original articles were published here and here