EU Proposes 'Cybersecurity Act 2.0' to Counter Hybrid Threats and Regulate ICT Suppliers

European Commission Unveils "Cybersecurity Act 2.0" to Bolster EU Resilience

Informational
Published: April 20, 2026
Updated: April 22, 2026
Categories: Policy and Compliance, Regulatory, Supply Chain Attack

Related Entities

Products & Tech: NIS2 Directive, Cybersecurity Act 2.0

Executive Summary

On January 20, 2026, the European Commission proposed a significant new legislative package, informally named "Cybersecurity Act 2.0," to fortify the European Union's cybersecurity posture. This initiative is a direct response to the escalating threat landscape, characterized by sophisticated cyberattacks and hybrid threats targeting the EU's critical infrastructure and democratic processes. The package consists of a revised Cybersecurity Act and strategic amendments to the existing NIS2 Directive. One of the most impactful provisions would grant the Commission authority to identify high-risk ICT suppliers, particularly those with ties to designated third countries posing a cybersecurity threat, and to implement restrictions on them. This aims to mitigate strategic dependencies and supply chain risks. The proposal also strengthens the mandate of the European Union Agency for Cybersecurity (ENISA) and aims to simplify compliance for thousands of businesses across the Union.

Regulatory Details

The "Cybersecurity Act 2.0" package introduces several key changes to the EU's cybersecurity legal framework.

Revised Cybersecurity Act

  • High-Risk ICT Supplier Designation: The Commission will be empowered to designate specific third countries as posing a cybersecurity threat. On that basis, the Commission can identify and impose restrictions on high-risk ICT service providers associated with these countries. This measure is designed to address risks of undue foreign interference and create a more secure and resilient ICT supply chain across the EU.
  • Strengthened ENISA Mandate: The role of ENISA will be reinforced, solidifying its position as the EU's central technical authority on cybersecurity. This will likely involve an expanded budget and more responsibilities in coordinating cross-border incident response and developing cybersecurity certification schemes.
  • Security-by-Design Requirements: The act is expected to introduce more stringent security-by-design and security-by-default requirements for ICT products and services sold within the EU, pushing manufacturers to build security in from the start.

Amendments to the NIS2 Directive

  • Legal Clarity and Simplification: The proposed amendments aim to reduce the administrative burden on companies by clarifying risk-management obligations and streamlining reporting requirements. This is intended to make compliance more straightforward for the approximately 28,700 companies that fall under the scope of NIS2.
  • Harmonization: The changes seek to further harmonize the implementation of NIS2 across all EU member states, ensuring a consistent and high level of cybersecurity for essential and important entities throughout the Union.

Affected Organizations

The proposed legislation will have a broad impact across multiple sectors.

  • ICT Suppliers: Technology companies, especially those based outside the EU or with significant ties to countries that may be designated as high-risk (e.g., China, Russia), could face market access restrictions. This will force a re-evaluation of supply chains for many European companies.
  • Essential and Important Entities (under NIS2): An estimated 28,700 companies in critical sectors like energy, transport, health, and digital infrastructure will be affected. While the amendments aim to simplify compliance, these organizations will need to adapt their risk management processes to the new legal requirements.
  • EU Member States: National cybersecurity authorities will have to implement the revised regulations and work closely with ENISA on enforcement and coordination.

Implementation Timeline

The proposal was introduced on January 20, 2026. It will now enter the EU's ordinary legislative procedure, which involves negotiations and amendments by the European Parliament and the EU Council. This process can take a significant amount of time, often a year or more. Once an agreement is reached and the final text is adopted, member states will have a specific period (typically 18-24 months) to transpose the new rules into their national laws.

Impact Assessment

  • Business and Operational Impacts: Companies, particularly those in critical sectors, will need to allocate resources to understand and implement the new requirements. The provisions on high-risk suppliers may force many organizations to conduct complex and costly reviews of their technology supply chains, potentially requiring them to replace existing vendors.
  • Compliance Gaps: Common gaps will likely be found in supply chain risk management. Many companies may not have full visibility into the origin of their software and hardware components, which will become a key compliance requirement.
  • Market Fragmentation: Non-EU ICT suppliers may face a more challenging market in Europe, potentially leading to a bifurcation of global technology standards.

Compliance Guidance

Organizations should begin preparing for these changes now.

  1. Conduct a Supply Chain Audit: Proactively map out your critical ICT suppliers and their countries of origin. Identify any dependencies on vendors that might be deemed high-risk in the future.
  2. Review NIS2 Compliance: For organizations already under NIS2, review your current risk management and incident reporting processes. Identify areas where the proposed amendments might require changes.
  3. Engage with Legal and Compliance Teams: Involve legal experts to interpret the new legislative proposals and assess their specific impact on your business operations.
  4. Monitor Legislative Developments: Stay informed about the progress of the negotiations between the Parliament and Council, as the final text may differ from the initial proposal.

Timeline of Events

  1. January 20, 2026: The European Commission introduces the 'Cybersecurity Act 2.0' proposal.
  2. April 20, 2026: This article was published.

Article Updates

April 22, 2026

ENISA releases National Capabilities Assessment Framework (NCAF) 2.0 to help EU member states assess and improve cybersecurity strategies aligned with NIS2.

Article Author

Jason Gomes

Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags: EU, Cybersecurity Act, NIS2, ENISA, Regulation, Supply Chain, Policy