The European Commission has kicked off 2026 with a new cybersecurity package. It sends a clear message that the current cyber threat landscape has outgrown the EU’s existing toolkit, that ICT supply chain security is a priority and that the Commission’s drive to simplify its digital rules extends to cyber. The Commission’s proposals seek to address the current challenges through stronger governance, simpler compliance and, crucially, a coordinated EU‑level Information and Communication Technologies (ICT) supply chain security framework. The package amends both the Cybersecurity Act and NIS2.
What’s in the package?
At the centre of the package is the proposal for a revised Cybersecurity Act (CSA2), built around three key pillars:
- A new EU framework for ICT supply chain security
Cybersecurity requirements for ICT supply chains are currently fragmented across Member States, creating uneven levels of protection and increased vulnerability. CSA2 seeks to resolve this by establishing a harmonised, technology-neutral, EU‑wide framework built on a risk-based approach. For example, it includes:
- EU‑level coordinated risk assessments of key ICT supply chains in critical sectors;
- the power for the Commission to designate high‑risk third‑country suppliers who will be excluded from certain activities (e.g. from engaging in public procurement projects for key ICT assets and participating in EU certifications);
- the mandatory derisking of European mobile telecommunications networks from high-risk third-country suppliers – building on existing work around the 5G Cybersecurity Toolbox; and
- an emergency procedure if immediate EU‑level action is needed in the event of a significant cyber threat for EU security in relation to critical ICT supply chains.
- A re‑engineered EU Cybersecurity Certification Framework (ECCF)
The Commission is promoting certification as a key compliance tool for organisations in scope of EU cyber laws such as NIS2, noting it could help reduce duplication and lower compliance costs. However, attempts to develop certification frameworks under the original Cybersecurity Act have stalled, with only one scheme being adopted so far. CSA2 would therefore introduce a simpler and clearer procedure through a renewed ECCF where certification schemes would be developed within 12 months (as a default).
- A bigger, more operational EU Agency for Cybersecurity (ENISA)
Where the 2019 Cybersecurity Act formalised the role of ENISA in enhancing cybersecurity in the EU, CSA2 aims to turn it into one of the EU’s principal cyber operators. It is likely to become more visible to organisations as its expanded mandate covers a stronger role in supporting incident preparedness, response and recovery across the EU. This would include issuing early threat alerts, operating the EUR 36 million EU Cybersecurity Reserve and leading on vulnerability management.
NIS2 amendments
While most of the package focuses on CSA2, it does contain a number of targeted amendments to NIS2. These are designed to clarify some issues around scope, definitions and jurisdictional rules as well as reduce the compliance and supervision burden. Examples include:
- Introducing a new category of “small mid-cap” enterprises to help reduce compliance costs for smaller entities.
- Clarifying and expanding scope: This includes clarifying which entities fall within scope in areas where the interpretation around this has been challenging - e.g. healthcare providers, electricity producers, hydrogen undertakings, and businesses in the chemical sector. The proposals also bring new areas in scope (including European Digital Identity and Business Wallets and operators of submarine data transmission infrastructure).
- Addressing the evolving threat landscape by:
  - requiring Member States to adopt policies for the migration to quantum-proof cryptography to help mitigate the quantum threat to encryption and secure signatures - see our blogs here and here for more details on this; and
  - harmonising and improving the collection of data on ransomware attacks from in-scope entities (recognising that much of this information will be highly sensitive for the organisations involved).
- Aiding compliance by developing guidelines to help organisations in their supply chain diligence, encouraging the use of CSA2 certification schemes to demonstrate compliance, and strengthening ENISA’s role around international co-operation to help in-scope entities operating in more than one Member State. The proposals also support existing plans in the Digital Omnibus (see blog) to simplify incident reporting under NIS2 and other EU cyber laws by introducing an ENISA-run central reporting platform (or so-called “single entry point”).
The Commission estimates the proposed changes will ease NIS2 compliance for around 28,700 companies and reduce compliance costs for around 22,500 companies.
What next?
The proposed changes will have a direct impact on a broad range of organisations, from NIS2 important and essential entities to manufacturers and providers of ICT products and services. Their influence on supply chain security and certification practices is likely to be felt even more widely. Organisations should therefore closely track the progress of the package. Now is also a sensible time to reassess supply chain resilience and consider potential certification opportunities.
Looking ahead, CSA2, the NIS2 amendments and the new supply chain framework will move into the EU’s ordinary legislative procedure, where they will be scrutinised by both the European Parliament and the Council. Once adopted, CSA2 will take effect immediately. Member States will then have one year to implement the agreed updates to the NIS2 Directive.
