EU Commission Proposes Revised Cybersecurity Act to Bolster EU Cyber Resilience

On January 20, 2026, the EU Commission unveiled a new Cybersecurity Package (the "Package") designed to reinforce the EU's cyber resilience in response to an increasingly complex and sophisticated threat environment.

A key component of this Package is the proposed "Cybersecurity Act 2.0," which would revise the original 2019 Cybersecurity Act (see our 2019 Alert here). In a nutshell, the new Cybersecurity Act would:

  • Expand the role of the European Union Agency for Cybersecurity ("ENISA") by empowering it to issue early alerts on cyber threats and incidents, manage EU-level threat and incident repositories, operate a unified incident notification platform, support organizations in responding to and recovering from ransomware attacks, and contribute to the development of EU cybersecurity certification schemes.
  • Simplify and enhance the Cybersecurity Certification Framework established under the 2019 Cybersecurity Act, which allows for the certification of information and communication technology ("ICT") products, services, and processes. While, at this stage, certification would remain voluntary for businesses, the proposal introduces three key changes: (i) expanding the scope of the certification so entities can certify their overall cybersecurity posture, creating a presumption of conformity with the NIS2 Directive and other relevant EU legislation; (ii) introducing defined procedures and timelines for the development of new certification schemes, including a default 12‑month period for ENISA to produce a candidate scheme after an EU Commission request; and (iii) aligning certification schemes more closely with EU cybersecurity regulations so businesses can use them as practical compliance tools.
  • Introduce a horizontal framework to strengthen the security of ICT supply chains across critical sectors. The EU Commission would conduct EU‑level risk assessments to pinpoint ICT supply‑chain vulnerabilities, identify critical ICT assets, and assess technical and non‑technical risk factors, including potential third‑state influence. The framework provides for targeted mitigation measures, which may include restrictions or prohibitions on the use of ICT components from suppliers classified as high-risk (i.e., those based in third countries flagged by the EU Commission for cybersecurity concerns, or those that the EU Commission directly designates as posing significant non‑technical risk).

The Package will now proceed through the ordinary legislative procedure, with timing not yet specified. Further discussions and amendments are therefore expected. In the meantime, businesses should monitor the process and proactively evaluate how the Package may affect their cybersecurity governance, including by auditing their ICT supply chains.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.