EU Council TTE June 9: CSA2 (high-risk supplier framework) + NIS2 simplification progress reports tabled; trilogue targeted early 2027 [SINGLE-SOURCE]

The EU Transport, Telecommunications and Energy Council met on 9 June with the Presidency presenting progress reports on the Cybersecurity Act 2 (CSA2) and a targeted NIS2 simplification directive, both proposed by the Commission on 20 January 2026 (Industrial Cyber, 2026-06-05). CSA2 introduces a "high-risk supplier" designation mechanism targeting ICT vendors whose legal or geopolitical context creates cybersecurity risk to critical sectors, with consequences including exclusion from EU public procurement and penalties up to 7% of worldwide turnover. NIS2 simplification amendments clarify jurisdictional rules, add EU Digital Identity Wallet providers and submarine data-transmission infrastructure operators as new essential-entity categories, and streamline ransomware-attack data collection. Both proceed to trilogue; political agreement is targeted for early 2027. For Swiss ICT vendors and public-sector procurement teams: the CSA2 high-risk-supplier framework, once enacted, will reshape EU critical-sector supply-chain decisions and is expected to influence Swiss procurement policy given bilateral-track alignment pressure.