The EU Digital Networks Act: January 2026 Proposal and Its Telecom Security Implications

On 21 January 2026, the European Commission published COM(2026) 16 — the proposed Digital Networks Act (DNA), the most consequential rewrite of EU telecoms law since the 2018 European Electronic Communications Code. One day earlier, the Commission released the revised Cybersecurity Act, known as CSA2. The two texts are designed to operate as a single instrument. Together they convert what has been a patchwork of voluntary measures, recommendations, and member-state-specific rules into a directly applicable regulation that conditions the right to operate a network on EU-level cybersecurity compliance.

The headline change for security teams: under the DNA, an authorisation to provide electronic communications networks or services in the EU is contingent on compliance with the supply-chain security regime in CSA2 — including the prospect of forced phase-out of components from designated high-risk suppliers within 36 months. This article unpacks what the DNA actually does, how its security architecture interlocks with CSA2 and NIS2, and what it means for operators, vendors, and the broader European telecoms market.

What the DNA Replaces and Why It Matters

The DNA is a regulation, not a directive. That distinction is the entire game. Directives require transposition into national law, but regulations are binding in their entirety and apply directly and uniformly across all member states. The 2018 European Electronic Communications Code (EECC) was a directive, and 27 different national transpositions produced 27 different rulebooks. The DNA collapses that fragmentation by repealing and replacing four legal acts in one move: the European Electronic Communications Code (EECC), the BEREC Regulation, the Radio Spectrum Policy Programme and the core parts of the Open Internet Regulation, with amendments touching the ePrivacy Directive as well.

The economic motivation comes from the Draghi and Letta reports, which concluded that the electronic communications sector in the EU remains fragmented into 27 national markets, and European operators continue to face barriers to operate cross-border and scale-up. The political motivation is more pointed. Submarine cable incidents in the Baltic, hybrid campaigns against EU infrastructure, and a sustained debate about Chinese vendors in 5G cores pushed Brussels toward a sovereignty-flavoured industrial policy that uses cybersecurity rules as the binding mechanism.

The DNA codifies that approach. It is not a cybersecurity law in the strict sense — that is CSA2’s job — but it makes cybersecurity the gatekeeper of market access.

The Security Architecture: How DNA, CSA2, and NIS2 Interlock

The new framework has three layers, and understanding how they fit together is essential to reading the DNA correctly.

CSA2 (the revised Cybersecurity Act) does the heavy lifting on supply chain. The revised Cybersecurity Act (CSA 2.0), published on January 20, 2026, will repeal and replace the original Regulation (EU) 2019/881. Where the 2019 Cybersecurity Act centred on voluntary product certification and ENISA’s coordinating role, CSA2 introduces a horizontal framework for ICT supply chain security and equips the Commission with designation powers. For the first time, EU law directly addresses non-technical risks embedded in technology supply chains, including political influence, legal obligations imposed by third countries and systemic dependency on a narrow group of vendors.

The DNA sits on top of that and uses CSA2 compliance as a precondition for general authorisation and spectrum rights. The DNA and the CSA 2.0 make the right to provide electronic communications networks and services subject to compliance with the supply chain cybersecurity imposed by the CSA 2.0. A telco that fails to comply with CSA2 supply-chain rules cannot lawfully operate.

NIS2 continues to govern incident-handling, risk management, and reporting obligations across critical sectors. The Commission also published targeted amendments to NIS2 alongside the DNA and CSA2 packages, but those changes are narrower in scope.

EU Digital Infrastructure Stack: how the three regimes interlock

Layer 1 · Market Access: Digital Networks Act (DNA). Single Passport authorisation, EU-level satellite spectrum, copper switch-off by 2035, Preparedness Plan. Authorisation conditional on CSA2 compliance.

Layer 2 · Supply Chain: Cybersecurity Act 2 (CSA2). High-risk vendor designations, key ICT asset definitions, mandatory mitigation, fines up to 7% of global turnover. Articles 98–117 cover the supply-chain regime.

Layer 3 · Operations: NIS2 Directive (amended). Risk management, incident reporting, governance and accountability obligations across essential and important entities, including digital infrastructure.

All three texts published or amended in the 20–21 January 2026 package. The DNA proposal carries reference COM(2026) 16; CSA2 was published 20 January 2026.

High-Risk Vendors: From Toolbox to Mandate

The 5G Cybersecurity Toolbox, published in 2020, asked member states to assess and where appropriate exclude high-risk suppliers from sensitive parts of 5G networks. It was non-binding. National implementation diverged sharply: Germany dragged, Sweden moved early, and the UK — outside the EU — passed the Telecommunications (Security) Act 2021 with its own designated-vendor regime.

The DNA-CSA2 package ends the voluntarism. Executive Vice-President Henna Virkkunen, responsible for Tech Sovereignty, Security and Democracy, framed the change explicitly: “We are turning the 5G Cybersecurity Toolbox into a mandatory approach to ensure a level-playing field and non-fragmentation of the EU market.”

Three mechanics matter.

First, third-country designation. Under the proposal, the Commission may designate a non-EU country as a “country posing cybersecurity concerns to ICT supply chains”, and entities established in such third countries (or controlled by an entity established in such countries or by a national of such countries) will be deemed “high-risk suppliers”, prohibited from, for example, participating in public procurement procedures or holding European cybersecurity certificates. The criteria for that designation include the legal regime in the vendor’s home jurisdiction — particularly any compulsory vulnerability-disclosure obligations to a third-country government — and the country’s record on state-linked malicious cyber activity.

Second, key ICT assets. CSA2 pre-defines categories of network components for fixed, mobile, and satellite networks that are treated as security-critical. Any component sourced from a designated high-risk supplier and falling within those categories must be removed.

Third, phase-out timelines. For mobile networks, the maximum phase-out period is 36 months from the publication of a high-risk supplier list. For fixed and satellite networks, the timelines will be set through Commission implementing acts. Network operators are also prohibited from deploying new components from high-risk suppliers once a designation is in force.

The financial stakes are heavy. The CSA 2.0 introduces strict financial and operational penalties, in case of non-compliance, including fines of up to 7% of the total worldwide annual turnover. That is in line with the DSA and DMA tier rather than the GDPR’s 4% ceiling.

High-Risk Supplier Regime: from designation to enforcement, the compliance clock

T0 · Risk assessment triggered: Commission opens a structured assessment, or an urgent assessment “without delay” where a significant cyber threat is identified.

T1 · Third-country / vendor designation: Country posing cybersecurity concerns, or specific vendor, named. New deployments of designated components are prohibited from this point.

T+36 · Mobile phase-out deadline: Maximum 36 months for mobile network operators to remove designated components from key ICT assets. Fixed and satellite timelines via implementing acts.

Ongoing supervision: On-site inspections, technical information requests, binding remediation orders, and fines up to 7% of global annual turnover for non-compliance.

The Single Passport and What It Means for Cross-Border Threat Models

Outside the supply-chain regime, the DNA’s flagship change is the Single Passport. According to article 10.1 of the draft DNA, “under the general authorization regime, where a provider intends to provide electronic communications networks or services in one or several Member States, it shall submit a notification to the national regulatory authority of one of those Member States under the Single Passport procedure.” A single notification confers EU-wide authorisation. Member states cannot “gold-plate” the harmonised list of conditions.

For network defenders this is consequential in two directions. First, the harmonised authorisation conditions explicitly include requirements to ensure the security and resilience of their services, including taking steps to prepare for potential natural and man-made disruptions, and to comply with other cybersecurity rules. The security floor is the same in Tallinn, Lisbon, and Sofia. Second, providers will still face national enforcement in each country where they operate, so a cyber incident affecting a pan-EU passported provider can trigger parallel investigations under 27 supervisory regimes, even though the underlying obligations are uniform.

The satellite regime takes harmonisation further. The DNA Proposal would also establish a single, EU-level framework for satellite networks and communications services to obtain authorizations to provide their services, and to obtain access to radio spectrum. The Commission, not individual member states, monitors compliance, and authorisation is conditional on being established in the EU, ensuring a high level of security, maintaining permanent control over all transmissions using the spectrum, and enabling data retention and lawful interception in accordance with EU law. The lawful-intercept clause is worth flagging: it imports operator-side surveillance obligations directly into the EU-level satellite authorisation, which has implications for non-EU constellations seeking access.

The Preparedness Plan and Physical-Layer Resilience

The DNA introduces an EU-level Preparedness Plan to tackle the rising risks of natural disasters and foreign interference in networks and radio signals. In addition, the common mechanism for selecting pan-EU satellite communications will incorporate criteria focused on security and resilience.

This sits alongside, and is meant to integrate with, the EU Action Plan on Cable Security of 21 February 2025, which targets the physical layer of the internet itself — submarine communication cables [that] carry 99% of inter-continental internet traffic. After a string of suspected sabotage incidents in the Baltic, the Commission and the High Representative built out detection, response, and deterrence measures, including an EU Cable Vessels Reserve and additional Connecting Europe Facility funding. The DNA’s Preparedness Plan provides the regulatory hook that ties these capabilities into mandatory operator obligations rather than recommendations.

What Operators Need to Do Now

The proposal is not yet law — the DNA and CSA 2.0 proposals will now proceed to the European Parliament and Council for negotiation under the ordinary legislative procedure, with public feedback on CSA2 open through 12 May 2026. Final adoption is plausibly Q4 2027 or later, with formal entry into force following. But the trajectory is clear enough that waiting is an expensive strategy.

For technical and security leaders inside European telcos, fixed-line operators, satellite providers, and cloud/edge infrastructure firms supplying them, several preparation tracks are worth opening now.

Preparation Workstreams: five tracks to open before adoption

01 · Vendor Inventory: Map every component in the network against CSA2’s draft key-ICT-asset categories. Identify exposure to potential high-risk-supplier designations. Flag single-source dependencies.

02 · Substitution Plans: Build credible 36-month rip-and-replace scenarios for mobile core and RAN equipment, including capex, downtime budget, and interoperability testing windows.

03 · Contract Hooks: Insert designation-triggered termination and substitution clauses into supplier contracts now. Existing relationships can be invalidated by Commission designation overnight.

04 · Resilience Posture: Align incident-response and crisis-management plans with the DNA Preparedness Plan and the EU Cable Security Toolbox. Test against hybrid-threat scenarios, not just cyber-only ones.

05 · Cross-Border Operating Model: Decide where the Single Passport notification should sit. The choice of lead national regulatory authority determines the supervisory relationship; treat it as a strategic decision, not an administrative one.

Critique: Where the Proposal Is Likely to Get Pushback

The DNA is being negotiated in public, and the lines of attack are already visible.

Investment burden. The majority of respondents to the relevant question anticipate that up to 50% of their annual revenues (which analysts currently estimate at around €300 billion per year for the EU telecoms sector) will have to be allocated over the next five years to meet the investment needs in connectivity infrastructure and replacement of high-risk vendors. That is an industry-supplied number and should be read accordingly, but it captures the direction of travel: simultaneous fibre rollout, copper switch-off (mandated by 2035), and equipment replacement strain capital plans.

Geopolitical exposure. The CSA2 has reportedly already attracted criticism from Chinese officials. The proposal’s de-facto effect on Chinese vendors is unmistakable, even though no country is named in the text. Retaliatory measures against European firms operating in third-country markets are a non-trivial risk.

Sovereign-by-design concern. Industry group Connect Europe has argued that focusing supply-chain rules on telecoms equipment alone leaves cloud, end-user device, and downstream infrastructure exposure under-addressed, producing a partial solution at substantial cost. The point has merit: a hardened RAN behind a compromised cloud control plane is not a meaningfully more secure network.

Procedural risk for vendors. The Commission gains broad designation power, and the procedural safeguards available to a designated entity — standard of evidence, judicial review, time-bound rebuttal — are still being scrutinised in the Parliament’s read-through.

FAQ

Is the DNA in force yet? No. The proposal was published on 21 January 2026 and is now in negotiation between the European Parliament and Council under the ordinary legislative procedure. Indicative roadmaps point toward Q4 2027 as a target window for adoption, with formal entry into force following.

Does the DNA name specific vendors as high-risk? No. The DNA itself does not list vendors. The designation power lives in CSA2 and is exercised by the Commission through risk assessments and implementing acts. The 5G Cybersecurity Toolbox sits behind the framework as the policy heritage.

How does the DNA relate to NIS2 and the Cyber Resilience Act? The DNA conditions market access on CSA2 supply-chain compliance. NIS2 separately imposes risk-management and incident-reporting obligations on essential and important entities, including digital infrastructure. The Cyber Resilience Act covers product-side security obligations for connected products and is a different instrument.

What happens to non-EU satellite providers? EU-level satellite authorisation is conditional on EU establishment, lawful-intercept capability, and permanent control of transmissions. Non-EU constellations seeking pan-EU service will need to structure compliance carefully or rely on member-state-level arrangements where possible.

The Bottom Line

The DNA reframes EU telecom regulation as an extension of cybersecurity and industrial policy. The Single Passport, satellite framework, and copper-to-fibre transition are the visible pieces; the binding mechanism underneath is supply-chain control. CSA2 supplies the designation power, the DNA ties authorisation to compliance, and NIS2 governs how operators run the network day to day. Treated as one instrument — which is how it was designed — the package gives Brussels a tool it has not previously possessed: the ability to remove vendors from the European telecoms market by regulation rather than by 27 separate national decisions.

Whether that is the right answer to the supply-chain risks Europe faces is a debate worth having on the merits. The architectural shift is already settled. Operators that wait for the final text before opening vendor inventories and substitution plans will find the 36-month phase-out clock starts faster than the legislative timeline suggests.
