European Commission Proposes New EU Cybersecurity Package

On 20 January 2026, the European Commission proposed a new cybersecurity package to strengthen the EU’s resilience and response to rising cyber threats, including amendments to the NIS2 Directive.
The package introduces a revised Cybersecurity Act aimed at securing ICT supply chains and ensuring that products placed on the EU market are secure by design through a simplified certification system. It also streamlines compliance with existing EU cybersecurity rules and strengthens ENISA’s role in supporting Member States and coordinating threat management across the EU.

New measures to simplify compliance with EU cybersecurity rules

The measures seek to simplify compliance with EU cybersecurity and risk-management rules by clarifying jurisdiction, streamlining ransomware data reporting, and strengthening ENISA’s coordination of cross-border supervision. This is expected to ease obligations for around 28,700 companies, including 6,200 micro and small enterprises.
The revised Cybersecurity Act seeks to mitigate risks from third-country ICT suppliers by introducing a harmonised, proportionate, and risk-based framework for securing the EU’s ICT supply chain, particularly given recent incidents exposing vulnerabilities in critical services and infrastructure.

Strengthening the security of ICT supply chains across the EU

The new Cybersecurity Act reduces risks in the EU’s ICT supply chain from high-risk third-country suppliers by establishing a harmonised, proportionate, and risk-based framework across 18 critical sectors.
In light of recent incidents and geopolitical risks, it addresses both technical vulnerabilities and supplier-related risks, including dependencies and foreign interference, and enables the mandatory derisking of European mobile telecommunications networks in line with the 5G security toolbox.

Simplifying and enhancing the European Cybersecurity Certification Framework

The revised Cybersecurity Act will ensure that products and services reaching EU consumers are tested for security more efficiently through a renewed European Cybersecurity Certification Framework (ECCF). The ECCF will introduce clearer rules, simpler procedures, and faster development of certification schemes, with more transparent and inclusive governance.
Managed by ENISA, certification will serve as a practical, voluntary tool enabling businesses to demonstrate compliance, reduce costs, and certify their cyber posture. Overall, the renewed ECCF will strengthen competitiveness while ensuring a high level of security and trust across complex ICT supply chains.

Facilitating compliance with cybersecurity rules

The package simplifies compliance with EU cybersecurity and risk-management rules, complementing the single-entry point for incident reporting under the Digital Omnibus. Targeted amendments to the NIS2 Directive enhance legal clarity, ease obligations for 28,700 companies (including 6,200 micro and small enterprises), and introduce a new small mid-cap category to reduce costs for 22,500 companies.
The changes also clarify jurisdiction, streamline ransomware data collection, and strengthen ENISA’s coordination of cross-border supervision.

Empowering ENISA to boost Europe’s cybersecurity resilience

Since the adoption of the Cybersecurity Act in 2019, ENISA has become a cornerstone of the EU cybersecurity framework. The revised Act strengthens its role in helping the EU and Member States assess common threats and respond to cyber incidents.
ENISA will issue early alerts, support ransomware response in cooperation with Europol and CSIRTs, improve vulnerability management, and operate the single-entry point for incident reporting. It will also continue developing Europe’s cybersecurity workforce through the Cybersecurity Skills Academy and EU-wide skills attestation schemes.
The Cybersecurity Act will enter into force immediately following its approval by the European Parliament and the Council of the EU. The related amendments to the NIS2 Directive will also be submitted for adoption. After adoption, Member States will have one year to transpose the Directive into national law and notify the Commission accordingly.