On February 13, 2026, the European Commission formally adopted the EU ICT Supply Chain Security Toolbox, a coordinated framework developed by the NIS Cooperation Group, the body that brings together EU Member States, the European Commission, and ENISA (the EU Agency for Cybersecurity).
The toolbox isn't optional guidance dressed up as policy. It is tied directly to Article 22 of the NIS2 Directive (coordinated risk assessments of critical supply chains at Union level) and was released alongside the revised Cybersecurity Act presented on January 20, 2026. It outlines specific risk scenarios affecting ICT supply chains and recommends concrete mitigation measures: frameworks for assessing critical suppliers, multi-vendor strategies to reduce concentration risk, and structured approaches to phasing out dependencies on high-risk vendors.
Two accompanying risk assessments were released at the same time, one for connected and automated vehicles and one for detection equipment. The EU isn't speaking in abstractions. It is pointing at specific vendor categories and saying: these are the risk surfaces, and here is how you assess them.
Why This Matters for Vendor Risk
The EU just described, in regulatory language, the infrastructure problem that most organizations still treat as an aspiration: independently assessing the security posture of the vendors in your supply chain before something goes wrong.
The toolbox codifies what many practitioners have been arguing for years: vendor risk cannot be managed through periodic questionnaires and self-reported certifications. The EU framework calls for structured assessment of critical suppliers, meaning external, independent evaluation of posture, not a spreadsheet the vendor fills out and returns.
This is significant not because the EU invented the idea, but because they formalized it in a way that now creates legal accountability. Under DORA and NIS2, financial institutions and critical infrastructure operators in the EU cannot simply rely on vendor attestations. They need to demonstrate they assessed the vendor. The toolbox tells them how.
The Structural Problem
Nearly every major third-party breach of the past three years follows the same pattern: an organization trusted a vendor's security posture based on the vendor's own claims, and found out the claims were wrong when something burned.
The problem is structural. A vendor filling out a security questionnaire has every incentive to present the most favorable picture of its posture and faces no mechanism by which its answers are checked. The organization receiving that questionnaire has no independent source of data to validate it against. The entire risk transfer model, in which procurement teams collect questionnaires and file them as evidence of due diligence, rests on a foundation that doesn't hold.
Third-party breaches now account for roughly 35% of all reported incidents, a figure that has risen for four consecutive years. The organizations affected are not naive; many run sophisticated security programs. What they lack is independent data about the vendors in their ecosystem. They're navigating with instruments calibrated by the very parties they're supposed to be evaluating.
What VCRI Changes
The Value Chain Risk Institute is building the clearinghouse that makes independent vendor posture data available to the organizations that need it. Not questionnaire data. Not vendor-supplied certifications. Normalized posture signals drawn from objective sources, mapped to the CMMI maturity framework, assessed across six dimensions of the TIPPSS model.
The EU toolbox describes what the assessment framework should look like. VCRI is building the data infrastructure that makes that assessment possible at scale. When a procurement team needs to evaluate a vendor's ICT security posture, they shouldn't have to start from a blank questionnaire. There should be a clearinghouse with normalized, independently-sourced data covering that vendor — the same way financial data infrastructure allows credit assessment without asking the borrower to grade themselves.
The EU's timing matters for VCRI specifically because the same requirement is emerging in more than one jurisdiction. Japan's ISMAP framework maps closely to the EU's NIS2/DORA structure, and regulators across the major economies are converging on the same answer: vendor self-assessment is not sufficient. A single normalized dataset can serve all of those regimes. The open question is who builds the infrastructure that replaces self-assessment.
What To Watch
Watch the first enforcement actions under DORA and NIS2 that cite vendor risk failures specifically. The toolbox gives regulators the language to say an organization failed to "adequately assess critical suppliers", and enforcement examples will define what "adequate" means in practice. The first few cases will move the market faster than any amount of voluntary compliance guidance.
Also watch for US regulatory movement. The SEC's cyber disclosure rules and CISA's critical infrastructure guidance are both moving toward third-party posture requirements. The EU just provided the template.
The clearinghouse that normalizes posture data across all of these frameworks doesn't exist yet. That's what VCRI is building.