ARTICLE
16 February 2026

A New EU Cybersecurity Package Is Here, But What's Really Changing?

GVZH Advocates

Contributor

GVZH Advocates is a modern, sophisticated legal practice composed of top-tier professionals and rooted in decades of experience in the Maltese legal landscape. Built on the values of acumen, integrity and clarity, the firm is dedicated to providing the highest levels of customer satisfaction, making sure that legal solutions are soundly structured, rigorously tested, and meticulously implemented.

On 20 January 2026, the European Commission proposed a new EU Cybersecurity Package, a legislative initiative designed to strengthen the European Union's long-term resilience against increasingly frequent and sophisticated cyber threats.

The initiative comes at a time when cyberattacks and hybrid threats are increasingly targeting essential services, critical infrastructure and even democratic institutions. These attacks are attributed not only to organised criminal networks, but also, more critically, to state-linked actors operating in a rapidly evolving geopolitical landscape.

Why the EU is introducing a new cybersecurity package

Since the adoption of the Cybersecurity Act in 2019, the cybersecurity landscape has changed dramatically. The Commission highlights that technological developments, combined with geopolitical instability, have created heightened risks for critical sectors and key social and economic functions across the Union.

As a result, the existing legal framework is no longer adequate to address modern threats effectively. The new package seeks to deliver a more efficient and responsive EU-wide approach.

What are the key elements of the new cybersecurity act?

The new Cybersecurity Act will strengthen the cybersecurity framework with four key elements:

  • Develop a framework for addressing the ICT supply chain security challenges in critical infrastructure.
  • Simplify and enhance the European cybersecurity certification framework.
  • Introduce simplification measures to reduce unnecessary administrative burden related to the implementation of the NIS2 Directive.
  • Strengthen the European Union Agency for Cybersecurity (ENISA) to make it fit for purpose.

The proposal will enhance the cybersecurity resilience of Europe's critical infrastructures by setting up a horizontal framework for trusted ICT supply chain security. This will allow the EU and Member States to act together to address strategic risks of undue foreign interference and critical dependencies in critical ICT supply chains with targeted and proportionate measures.

Special focus on telecommunications and high-risk suppliers

Telecommunications networks are expected to receive particular attention. In line with the existing EU 5G Security Toolbox, the proposal would introduce mandatory measures aimed at reducing risks arising from the use of suppliers based in third countries considered "high-risk."

ENISA's role in the EU Cybersecurity Framework

As part of the wider EU Cybersecurity Package, the proposal significantly expands the role of ENISA to support member states, businesses and critical operators.

The revised Cybersecurity Act enables ENISA:

  • to support the EU and its Member States in understanding common cyber threats, and to strengthen preparedness and response to cyber incidents;
  • to support companies and stakeholders operating in the EU by issuing early alerts on cyber threats and incidents;
  • to assist organisations in responding to and recovering from ransomware attacks, in cooperation with Europol and Computer Security Incident Response Teams (CSIRTs); and
  • to operate as the single entry point for incident reporting, as proposed under the Digital Omnibus.

The Enhanced European Cybersecurity Certification Framework (ECCF)

Another major pillar of the package is the reinforcement of the European Cybersecurity Certification Framework (ECCF).

The revised approach aims to make certification more practical, accessible, and effective by introducing clearer and simplified procedures. The proposal seeks to ensure that new certification schemes can generally be developed within 12 months.

Certification, managed by ENISA, would remain voluntary, but it is positioned as an increasingly valuable tool for businesses seeking to demonstrate compliance and cybersecurity maturity.

Amendments to NIS2: Clarity, Proportionality and Reduced Compliance Burdens

The legislative package also proposes targeted amendments to the NIS2 Directive, with the stated goal of increasing legal clarity and ensuring that obligations remain proportionate to the risk profile of regulated entities.

The amendments ensure that:

  • The NIS2 Directive clearly and specifically defines its scope, particularly in sectors such as electricity and chemicals.
  • Submarine data cable infrastructure, as an increasingly critical type of infrastructure, is more comprehensively covered within the scope of the Directive.
  • The Directive is coherent with the recent legislative proposal for a Regulation establishing a framework of measures to facilitate the transport of military equipment, goods, and personnel across the Union.

Next Step

The Cybersecurity Act will be applicable immediately after approval by the European Parliament and the Council of the EU. The accompanying NIS2 Directive amendments will also be presented for approval. Once adopted, Member States will have one year to implement the Directive into national law and communicate the relevant texts to the Commission.

Key Takeaways for Businesses

Organisations, particularly those operating in critical sectors, should begin assessing how these reforms may affect their cybersecurity obligations and internal controls, as well as how certification could support long-term compliance and operational resilience.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
