ACEA PositionPaperProposal for aCybersecurity Act 2 RECOMMENDATIONS 1.Exempt entities that carry out manufacturing activities within the Union from theTrusted ICT supply chain framework,which is not an appropriate framework forregulating products such as motor vehicles placed on the EU market.These entitiesshould only beregulated through existing sectoral instruments. •See Amendment proposal n.1 in Annex 2.Provide for structured, early, and continuous involvement of relevant industrystakeholders throughout the risk assessment processfor ICT supply chains.•See Amendment proposal n.2 in Annex 3.Empower the Commission to adopt prohibition measures only after mitigationrequirements have been implemented and applied for a minimum of 36 months, andonly where these measures were demonstrably insufficient to mitigate identified ICTsupply chain risks. •See Amendment proposal n. 4 in Annex 4.Require the Commission to rely on competent Europeanstandardisationorganisations to develop risk-proportionate ICT supply chain management measures.•See Amendment proposal n. 3 in Annex 5.Amend the high-risk supplier definition to explicitly exclude suppliers whodemonstrably implement effective mitigation measures.•See Amendment proposal n. 5 & 8 in Annex 6.Require verification of existing mitigation measures implemented by a supplier prior toany formal designation as high-risk.•See Amendment proposals n. 6, 7 and 8 in Annex 7.Empower a competent authority to thoroughly analyse a supplier's ties to high-riskthird countries,andthemitigation measuresthey implemented.•See Amendment proposals n. 6, 7 and 8 in Annex 8.Amend Article 102(2)(a) to replace the reference to the “functioning of productsmanufactured”by“manufacturing activities carried out” by the entity of the typereferred to in Annexes I and II to Directive (EU) 2022/2555.•See Amendment proposals n. 9 & 10 in Annex 9.Clarify expressly that only core business activities of an entity fall within the scope ofthe Trusted ICT supply chain framework, excluding the entity’s ancillary activities. •See Amendment proposals n.11 in Annex CONTEXT As modern vehicles increasingly evolve into highly connected, software-defined platformsintegrating advanced digital technologies, the automotive industry places cybersecurity at thecore of its design, development, and production processes. Ensuring theintegrity, resilience,and security of vehicles, including risks arising from complex and global ICT supply chains, isnot only a regulatory obligation but a fundamental prerequisite for safety, consumer trust, andthe proper functioning of the mobility ecosystem. European vehicle manufacturers havetherefore made significant investments in robust cybersecurity frameworks and processes,including the comprehensive implementation of internationally recognised standards such asUNECE Regulation No. 155. Against this background, ACEA recognises and supports the underlying objective of theCommission’s proposal to revise the Cybersecurity Act (CSA 2), and especially its ambitionto address the increasingly critical issue of Information and Communication Technology (ICT)supply chain security. Strengthening the resilience of digital supply chains is both necessaryand timelyconsideringgrowing technological complexity and evolving threat landscapes. However, while the objective is fully shared, the approach proposed under the Trusted ICTsupply chain framework raises significant concerns. As outlined in this paper, the frameworkrisks creating legal uncertainty, disproportionate obligations, and unintended competitiveadvantage for non-European industry. It also blurs the line between cybersecurity andbroader geopolitical considerations, overlaps with existing sector-specific regulation, andrelies heavily on mechanisms that lack sufficient transparency and oversight. For these reasons, ACEA believes that the current proposal does not provide the appropriateregulatory response to the challenges it seeks to address, and recommends a more targeted,proportionate, and effective approach. THEAUTOMOBILEMANUFACTURINGSUPPLYCHAINREQUIRESA DEDICATEDAPPROACH CSA 2 is not an appropriate framework for regulating products such as motor vehicles placedon the EU market.SubjectingEuropean manufacturers to theTrusted ICT supply chainframeworkwould create regulatory overlap, insufficiently governed and potentiallydisproportionate interventions, and an uneven playing field that disadvantagesdomesticmanufacturers compared toforeigncompetitors. Existing Automotive Cybersecurity Legislation Already Addresses SupplyChain Risks Vehicle cybersecurity is already comprehensively regulated through UNECE Regulation No.155, which is embedded in EU type-approval legislation and applies to all vehicles placed onthe EU market, regardless of origin. UN R155 requires both a certified CybersecurityManagement System (CSMS) and vehicle type-approval and explicitly addresses supplychain risks, including compromised components, malic