12 February 2026

European Commission proposes new cybersecurity package

To The Point
(3 min read)

On 20 January 2026 the European Commission published its proposal for a new cybersecurity package to strengthen the EU's cybersecurity resilience and capabilities in the face of growing threats of sophisticated cyber-attacks, including undue foreign interference. Read our overview of the key points.

The package includes:

A revised Cybersecurity Act (CSA2)

The Cybersecurity Act establishes a voluntary EU-wide cybersecurity certification framework (ECCF) for digital products, services and processes. It was adopted in 2019 and updated in 2023 to bring managed security services into scope.

The proposal to revise the CSA includes:

  • Introducing a trusted ICT supply chain security framework for critical infrastructure to identify and address risks associated with suppliers, including third-country suppliers with cybersecurity concerns. Entities will be able to certify their cyber posture, which will enable them to obtain a presumption of conformity with NIS2. 
  • Giving the European Commission new powers, including the ability to:
    • designate third countries as posing serious risks to ICT supply chains, with suppliers controlled by those countries being classified as high risk;
    • prohibit in-scope organisations from using components provided by high-risk suppliers; and
    • prohibit data transfers to high-risk countries.
  • Updating the ECCF to simplify and clarify its procedures and to align it more closely with other EU laws, including NIS2 and the Cyber Resilience Act, with:
    • a clearer and extended scope to ensure legal certainty and meet market needs;
    • a more efficient and effective governance framework; and
    • schemes that serve as compliance tools for businesses.
  • Reinforcing the role of ENISA (the EU Agency for Cybersecurity), including issuing early alerts of cyber threats and incidents and supporting companies to respond to and recover from ransomware attacks. ENISA’s budget will be increased by over 75% to enable it to carry out these additional responsibilities.

Amendments to NIS2

The NIS2 Directive has replaced the original NIS (Network and Information Systems) Directive to strengthen the rules on cybersecurity and incident reporting for organisations operating in critical sectors, including energy, digital infrastructure and ICT service management.

The Commission announcement about the cybersecurity package states that it will complement the EU Digital Omnibus, which was published in November 2025. The Digital Omnibus has already proposed an amendment to NIS2 to introduce a single reporting platform to be operated by ENISA for breaches under NIS2, the GDPR, the Digital Operational Resilience Act (DORA) and the Critical Entities Resilience Directive.

The new cybersecurity package proposes further amendments to NIS2 intended to simplify specific aspects of the cybersecurity framework, increase legal certainty and harmonise implementation, including:

  • Removing micro and small DNS (domain name system) providers from its scope, to support the Commission’s goal of cutting costs for small and medium-sized enterprises.
  • Introducing a new category of small mid-cap entities, which will be designated as important entities rather than essential entities, meaning that they are subject to a lighter supervisory and penalty regime. 
  • Increased reporting obligations in relation to ransomware incidents including, on request, information about whether a ransom was paid.
  • New guidelines on supply chain security assessments.
  • An obligation for in-scope entities based outside the EU to designate an EU representative.

Next steps

The Commission has launched a consultation on the proposals, which will then need to go through the EU legislative procedure. The Commission is also due to publish the Cloud and AI Development Act (CADA) in Q1 of 2026, which will aim to ensure the security of highly-critical public sector use cases. 

If you would like to discuss how the new cybersecurity proposals may affect your organisation, please contact a member of our Data team.
