European Commission Proposes Revisions to Strengthen EU Cybersecurity Act and NIS2 Directive

Executive Summary

On January 20, 2026, the European Commission unveiled a significant legislative package designed to bolster the European Union's cybersecurity posture. The package features a proposal to revise the EU Cybersecurity Act (CSA) and make targeted amendments to the recently implemented NIS2 Directive. The core objectives are to address the rising tide of supply chain attacks, embed security into technology products from the start, and strengthen the mandate of the European Union Agency for Cybersecurity (ENISA). This move reflects a strategic push by the EU to create a more resilient and secure digital single market in response to a complex geopolitical landscape and evolving cyber threats.

Regulatory Details

The new legislative package consists of two main components:

1. Revised EU Cybersecurity Act (CSA): The primary goal of the revised CSA is to improve the security of information and communication technology (ICT) products and services within the EU. Key provisions include:

• ICT Supply Chain Security: Establishing a horizontal framework to manage risks associated with the ICT supply chain. This is a direct response to major incidents like the SolarWinds attack, aiming to secure the development, production, and delivery of technology.
• 'Cyber-Secure by Design': Promoting the development of products that are secure by default. The proposal aims to simplify the EU's cybersecurity certification framework, making it easier for vendors to get their products certified and for customers to identify secure products.
• Strengthening ENISA: The proposal significantly reinforces ENISA's role as the EU's central technical authority on cybersecurity. ENISA will be given more resources and a stronger mandate to support Member States, coordinate incident response, and manage the EU's certification schemes.

2. Amendments to the NIS2 Directive: The NIS2 Directive, which sets a baseline for cybersecurity risk management measures across critical sectors, will receive targeted amendments to:

• Clarify Jurisdictional Rules: Provide clearer guidance on which Member State's rules apply to entities operating across borders.
• Streamline Ransomware Data Collection: Improve and harmonize the way data on ransomware incidents is collected and shared among Member States, providing a clearer picture of the threat.
• Introduce a 'Small Mid-Cap' Category: Create a new category for certain medium-sized enterprises to potentially lower their compliance burden under NIS2, acknowledging that a one-size-fits-all approach can be challenging.

Affected Organizations

This legislation will have a broad impact across the EU's economy. The primary groups affected include:

• ICT Product Manufacturers and Software Developers: Any company producing hardware or software for the EU market will be impacted by the new certification and 'secure by design' requirements.
• ICT Service Providers: Cloud providers, managed service providers (MSPs), and other digital service providers will face increased scrutiny regarding their supply chain security.
• Entities Covered by NIS2: Organizations in critical sectors (energy, transport, health, etc.) will need to adapt to the amended requirements, particularly regarding incident reporting.
• EU Member States: National governments and their cybersecurity agencies will have to work closely with ENISA and transpose the new rules into their national laws.

Implementation Timeline

Once the proposals are formally adopted by the European Parliament and the Council, Member States will be given a one-year period to transpose the amended provisions into their national legal frameworks. The full implementation and enforcement will likely take place over the next 2-3 years.

Impact Assessment

• For Businesses: The proposals will likely increase compliance costs in the short term, as companies will need to invest in more secure development practices and potentially undergo certification processes. However, in the long term, this is expected to lead to more resilient products, reduced risk of breaches, and increased customer trust. The clarification for 'small mid-caps' may provide some relief for medium-sized businesses.
• For the EU Market: The legislation aims to level the playing field by setting a common security standard, preventing a race to the bottom on price at the expense of security. It strengthens the EU's concept of 'digital sovereignty' by reducing reliance on insecure technology from outside the bloc.
• For Consumers: The end goal is to provide EU citizens with access to more secure technology products, reducing their personal risk of being impacted by cyberattacks.

Compliance Guidance

Organizations should begin preparing now:

1. Monitor Legislative Progress: Keep track of the proposals as they move through the EU legislative process to understand the final requirements.
2. Review Secure Development Lifecycles (SDLC): Companies that develop software or hardware should begin reviewing their development practices to align them with 'secure by design' principles.
3. Assess Supply Chain Risk: Start mapping out your critical ICT suppliers and assessing their security posture. This will be a key requirement under the new framework.
4. Engage with ENISA: Follow ENISA's publications and guidance, as the agency will be central to the implementation and management of the new certification schemes.