20 February 2026

European Commission Proposes Major Cybersecurity Package to Strengthen EU Cyber Resilience


On 20 January 2026, the European Commission proposed a comprehensive new cybersecurity package with the aim of strengthening the European Union’s cybersecurity resilience and capabilities, in response to growing cyber and hybrid threats affecting essential services and democratic institutions across Europe. The package includes a proposal for a revised Cybersecurity Act and targeted amendments to the NIS2 Directive, representing a significant evolution of the European Union’s cybersecurity framework.

Since the adoption of the original Cybersecurity Act in 2019, the geopolitical landscape has changed, and the cyber threat environment affecting critical sectors across the European Union has worsened. Technological advances have enabled increasingly sophisticated attacks, with state actors and criminal groups developing capabilities to disrupt critical economic sectors and societal functions. The Commission has proposed this revision to make the European Union's cybersecurity framework more agile, efficient, and responsive to these evolving challenges. Among other things, the revision would enable the Commission to designate third countries that pose a cybersecurity threat, and to identify and restrict high-risk suppliers and key ICT assets used by organizations subject to NIS2.

Key Elements of the Revised Cybersecurity Act

ICT Supply Chain Security Framework

One of the most significant innovations is the proposed introduction of a horizontal framework for trusted information and communications technology ("ICT") supply chain security across the critical infrastructure sectors covered by the NIS2 Directive. This framework would address "non-technical" risks in ICT supply chains (such as the ownership or control of a supplier, rather than the technical properties of its products), which would be a first in EU law. It would enable the Commission and Member States to act together to address strategic risks of undue foreign interference and critical dependencies in ICT supply chains through targeted and proportionate measures.

Under the proposed new rules, the Commission would have the power to designate, through implementing acts:

  • Third countries posing cybersecurity concerns;
  • High-risk suppliers determined by their relationship with such countries; and
  • Key ICT assets used by entities subject to NIS2.

High-risk suppliers would face significant restrictions, including exclusion from procurement procedures for key ICT components, exclusion from EU funding programs, and prohibition from obtaining EU cybersecurity certification.

Operators of electronic communications networks would be required to ensure they do not rely on high-risk suppliers for their critical assets. Breach of these supply chain measures may lead to fines of up to 7% of worldwide turnover, depending on the nature of the breach.

Enhanced European Cybersecurity Certification Framework

The revised Cybersecurity Act significantly expands and simplifies the European Cybersecurity Certification Framework (“ECCF”). Three main changes are proposed:

  • The scope is clarified and extended to allow entities to certify their broader “cybersecurity posture,” in addition to ICT products, services, processes, and managed security services. This means organizations would be able to use such certificates to demonstrate compliance and obtain a presumption of conformity with NIS2 and other EU legislation.
  • The framework establishes clear deadlines and a more efficient governance structure for developing and maintaining certification schemes. The European Union Agency for Cybersecurity ("ENISA"), as scheme manager, would be responsible for scheme maintenance and would, as a rule, have to develop a candidate scheme within 12 months of a Commission request.
  • Schemes are designed to serve as compliance tools for businesses, with greater harmonization across schemes intended to reduce the compliance burden. Notably, while certification remains voluntary at this stage, it may become de facto mandatory through procurement rules, market expectations, or national requirements.

Strengthened Role for ENISA

The proposal significantly reinforces ENISA’s role in operational cooperation, shared situational awareness, standards and certification, ransomware attack mitigation, and implementation of the Cybersecurity Skills Academy. The budget for ENISA would increase by more than 75%, and Member States would designate two liaison officers each to facilitate operational cooperation and information exchange.

ENISA would take on new operational functions including managing European repositories of threats and incidents, issuing EU-wide early warnings, coordinating cybersecurity exercises, and operating the unified incident notification platform provided for in EU digital legislation. ENISA would also maintain the European Vulnerability Database and provide analysis on emerging risks. Additionally, it is proposed that ENISA’s involvement in developing cybersecurity standards at both European and international levels will be strengthened.

Targeted Amendments to the NIS2 Directive

The package proposes targeted amendments to the NIS2 Directive to increase legal clarity and simplify compliance. Key suggested changes include:

  • Clarifications to scope and definitions to increase legal clarity and reduce compliance burden. A new category of small mid-cap enterprises would be introduced to reduce compliance costs.
  • The amendments simplify jurisdictional rules, streamline the collection of data on ransomware attacks, and facilitate the supervision of cross-border entities with ENISA’s reinforced coordinating role. Member States would be required to adopt policies for migration to post-quantum cryptography as part of their national cybersecurity strategies.
  • The scope of NIS2 would be extended to cover digital and business wallet providers, submarine infrastructure operators, and dual-use infrastructure regardless of size. Clarifications are also provided regarding the scope in the electricity (>1MW), hydrogen, healthcare, and chemical sectors.

Interaction with Other EU Legislation

The cybersecurity package is designed to complement other EU digital legislation. The proposed revised Cybersecurity Act would work alongside the upcoming Cloud and AI Development Act, which would ensure highly critical public sector use cases are powered by secure EU-based cloud and AI computing services. The proposals also complement the Digital Omnibus package, which aims to simplify implementation of EU cybersecurity rules and introduces a single entry point for incident reporting.

Legislative Timeline

The proposals will now go to the European Parliament and the Council of the EU, each of which must adopt its own position before trilogue negotiations between the three institutions can begin. Progress will take time, and amendments and changes are to be expected as the proposals move through the legislative process.

Practical Considerations

The proposed package may have a substantive impact on the cybersecurity framework in the European Union, so it is worth monitoring this development closely.

Where organizations rely on ICT providers in third countries, they may benefit from reviewing their ICT supply chain arrangements to identify any dependencies on suppliers that may potentially be designated as high-risk under the new framework. This could include conducting an audit of critical ICT components across operations and mapping supplier relationships to third countries that may be considered to pose cybersecurity concerns.

Businesses could also consider whether they fall within the proposed expanded scope of NIS2, particularly if they operate in the electricity, hydrogen, healthcare, chemical, submarine infrastructure, or digital wallet sectors.
