EU Cybersecurity Act 2: New Challenges for Fiber Operators

Operators face new challenges with the EU Cybersecurity Act 2, requiring swift compliance and modernization of systems. Prepare effectively to avoid delays.

Most fiber operators spent 2024 and 2025 scrambling to meet NIS2 obligations: documenting incident response, tightening access controls, and mapping critical assets. That work was necessary. But it may not be sufficient. The European Commission is now drafting the Cybersecurity Act 2 (CSA2), a second-wave regulation that moves beyond process and reporting to impose binding requirements on ICT supply chains. For mid-sized operators, the difference is stark: NIS2 asked you to demonstrate risk management; CSA2 will ask you to replace equipment.

The FTTH Council Europe has already urged Brussels to run a full impact assessment and adopt a proportionate approach. Their concern is well-founded. CSA2 would introduce a three-year deadline to swap out components from suppliers the Commission designates as "high-risk." Unlike NIS2, which left vendor selection to operator discretion within a risk framework, CSA2 treats supplier exposure as a hard compliance event. That shifts the burden from governance to execution—and execution at scale.

CSA2 Turns Vendor Risk into a Fixed-Timeline Problem

Under NIS2, operators were expected to identify and mitigate supply chain risks. That meant documenting vendor relationships, assessing concentration, and putting contracts in place that allowed for audits or exits. It was a governance exercise. CSA2 changes the stakes. Once the Commission issues a high-risk ruling, operators will have 36 months to remove affected components from critical infrastructure. No extensions. No carve-outs for brownfield deployments or legacy contracts.

For a mid-sized operator running a mix of active equipment, OSS, BSS, and third-party integrations, that timeline is tight. You cannot simply swap a DWDM platform or billing system without downstream impact. Dependencies run deep: interfaces, data models, process automation, trained staff, support agreements. The three-year window assumes you already know what you have, where it is deployed, and what it touches. Many operators do not.

This is not a theoretical risk. If CSA2 passes in its current form, the clock starts ticking the moment a supplier is designated. Operators without a clear vendor risk register and procurement audit trail will lose months just establishing the scope of the problem.

 

Mid-Sized Operators Face Asymmetric Cost and Complexity

Large incumbents can absorb CSA2 compliance through centralized procurement, in-house legal teams, and multi-vendor strategies. Mid-sized fiber operators often lack that luxury. Vendor relationships are leaner. Legal and sourcing capacity is stretched. And capital budgets are already earmarked for network expansion, not forced replacements.

CSA2 creates asymmetric compliance costs. The same three-year deadline applies whether you operate 50,000 premises or 5 million. But the fixed costs of auditing suppliers, validating component provenance, and managing replacements do not scale linearly. Smaller operators pay more per subscriber to comply.

There is also an execution risk. Replacing a core billing system or activation platform is not a weekend project. It requires parallel testing, data migration, staff retraining, and fallback planning. If multiple operators hit the same timeline, vendor delivery queues will stretch. Lead times for validated, CSA2-compliant equipment could double. Operators who wait until year two to act may find themselves scrambling in year three with limited options and premium pricing.

The operational lesson is clear: CSA2 compliance starts with visibility. You cannot replace what you have not mapped. And you cannot map it quickly if your procurement history lives in spreadsheets, email threads, and legacy contracts without structured metadata.

 

What CSA2 Means for OSS, BSS, and Network Automation

CSA2's scope includes "ICT products and services" used in critical infrastructure. That covers more than routers and switches. It includes:

  • Operational support systems (OSS) for service activation, assurance, and inventory

  • Business support systems (BSS) for billing, CRM, and subscriber management

  • Network automation platforms that provision services or manage configurations

  • Third-party integrations and APIs that touch subscriber data or network control planes

If any of these systems rely on components from a high-risk supplier, they fall under CSA2. That means operators need to trace dependencies not just at the hardware level, but through software supply chains. Does your OSS vendor use third-party libraries or cloud infrastructure that could be flagged? Does your BSS integrate with a payment gateway or identity provider on the risk list? These are not easy questions to answer without structured procurement data and vendor transparency.

Operators who have already invested in modular, API-driven architectures will have an advantage. Swapping out a microservice or replacing a single integration is faster and less disruptive than ripping out a monolithic platform. But modularity only helps if you know what is running, where, and under what license or support agreement. That requires asset inventory, configuration management, and audit trails—the same disciplines NIS2 encouraged, but CSA2 will enforce through hard deadlines.

 

What to Do Next

CSA2 is still in draft, but waiting for final text is the wrong strategy. Operators should treat this as the next compliance wave and start building the governance and visibility layer now. Here is where to focus:

  • Map critical supplier dependencies across network, OSS, BSS, and third-party integrations. Document what you have, where it is deployed, and what it connects to.

  • Create a vendor risk register with clear ownership. Assign a business owner for each critical supplier relationship. Track contract terms, support commitments, and exit pathways.

  • Review procurement clauses for auditability and replacement. Ensure contracts allow you to request component provenance, audit supply chains, and exit without prohibitive penalties if a supplier is flagged.

  • Prioritize systems with long replacement cycles. Billing platforms, inventory databases, and core OSS often take 12–18 months to replace. These should be at the top of your risk assessment.

  • Engage vendors now. Ask suppliers how they plan to comply with CSA2. Request documentation on component sourcing, high-risk exposure, and alternative options if a ruling is issued.

Operators who treat CSA2 as a governance and execution problem—rather than a future regulatory event—will be better positioned when timelines become binding.

 

From Compliance to Operational Modernization

CSA2 is not just a regulatory burden. It is a forcing function for supply chain transparency and operational discipline. Operators who build the visibility layer now will not only meet CSA2 timelines—they will also reduce vendor lock-in, improve procurement efficiency, and accelerate automation. That makes compliance an investment in flexibility, not just a cost center.

The key is to start with data. Map your suppliers. Document your dependencies. Build a risk register with ownership and audit trails. These steps take time, but they are manageable if you start now. Waiting until the Commission issues its first high-risk ruling will compress that timeline into crisis mode.

Next step: Review your OSS and BSS procurement history. Identify which systems touch critical infrastructure. And assign a business owner to each vendor relationship. That is the foundation for CSA2 readiness—and for operational resilience beyond compliance.


 

For more information, please contact

Johan Hjalmarsson, Product Marketing Manager, Netadmin Systems. 
Email: johan.hjalmarsson@netadminsystems.com