The classic trap
Article 22 looks remote because it targets the Cooperation Group and the Commission, not entities directly. This reading is dangerous: coordinated assessments produce EU lists of high-risk ICT vendors (the 5G Toolbox model) that the ILR then uses to demand mitigation measures, or even the exclusion of specific vendors from your critical chains. Essential and important entities that fail to anticipate these assessments end up being forced, under ILR supervision, to replace a strategic supplier on short notice, with a major and unprovisioned financial impact.
What the coordinated assessment will actually scrutinise
- Geographic origin of the vendor and exposure to extraterritorial legislation (US CLOUD Act, Chinese intelligence laws, etc.).
- Market concentration and critical dependency on a single vendor for a key technology layer (hyperscale cloud, network equipment, MSSP, SCADA).
- Depth of the subcontracting chain and opacity over sub-sub-processors (especially unmaintained open-source, third-party libraries).
- Documented cyber maturity of the vendor (ISO 27001, SOC 2 Type II, EUCC / EUCS certifications, recent penetration audits).
- Public incident history (HIBP, assigned CVEs, breach disclosures) and demonstrated response capability.
- ICT categories already targeted at EU level: 5G, cloud, MSSP, identity management, network equipment, industrial components.
Why this is an operational risk, not just a policy topic
When the ILR notifies you that one of your ICT vendors appears on a high-risk list issued under article 22, you will have weeks to demonstrate mitigation measures: network segmentation, reinforced encryption, exit plan, qualified backup vendor. Without an up-to-date map of your ICT chain, you cannot even answer the basic question: is this vendor in my critical perimeter?
How Luxgap automates this risk
Our Luxgap Supply Chain Radar turns article 22 intelligence into an operational alert targeted at your real ICT chain. Rather than asking you to fill in a vendor register (which nobody keeps up to date), the tool continuously ingests Sage BOB 50 financial flows, Odoo contracts, Microsoft Defender for Cloud Apps inventories, Azure AD groups and Crowdstrike configurations to rebuild the full map of your ICT dependencies, then cross-references that map with public decisions of the NIS 2 Cooperation Group, ENISA communications and EU high-risk vendor lists.
- Automatically detects every critical ICT vendor present in your IS through M365, Azure, AWS, Odoo, Sage and Defender connectors, with zero manual input.
- Continuously compares your map with NIS 2 Cooperation Group publications, ENISA opinions and EU lists such as the 5G Toolbox, and triggers instant Teams or email alerts when one of your vendors is flagged.
- Computes a criticality score per vendor combining jurisdictional origin, expired certifications, HIBP breach history and concentration in your value chain.
- Identifies one or two qualified backup vendors at EU level for each at-risk supplier, with matching certifications pre-verified.
- Generates the mitigation plan opposable to the ILR: segmentation, encryption, documented exit strategy, quantified replacement milestones.
- Produces a timestamped, cryptographically sealed PDF report demonstrating control of your ICT chain under article 21(2)(d) and anticipating future article 22 coordinated assessments.
Available as part of a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real ICT chain, with a free 48-hour blind audit to measure your exposure to upcoming EU coordinated assessments before any engagement.