European Commission announces new Cybersecurity Package
EU Sharpening Cyber Defenses: A New Era of Digital Resilience
On January 20, 2026, the European Commission unveiled a comprehensive cybersecurity package designed to bolster the EU’s defenses against escalating cyber threats. This initiative responds to an evolving threat landscape and aims to simplify compliance for organizations operating within the EU.
The Two-Pronged Approach: Cybersecurity Act 2 and NIS2 Amendments
The package centers on two key proposals: a revision of the 2019 Cybersecurity Act, dubbed Cybersecurity Act 2, and amendments to the NIS2 Directive (2022/2555). These measures are intended to work in tandem, enhancing overall cyber resilience and compliance across the EU.
Cybersecurity Act 2: Strengthening the Foundations
The proposed Cybersecurity Act 2 focuses on several critical areas. A key element is addressing vulnerabilities within the EU’s Information and Communication Technologies (ICT) supply chains. The Act introduces provisions to mitigate risks associated with vendors and third countries that present cybersecurity concerns.
Tackling Supply Chain Risks
The European Commission will have the authority to designate third countries and high-risk suppliers based on a thorough risk assessment. This could lead to restrictions on participation in public tenders, EU funding programs, and cybersecurity certification for those deemed to pose a significant threat. NIS2 entities will face prohibitions on using components from high-risk suppliers in key ICT assets, with requirements to phase out existing components. Breaches of these supply chain measures could result in fines of up to 7% of an operator’s worldwide turnover.
Boosting Certification and ENISA’s Role
The Act also aims to improve the uptake of the European Cybersecurity Certification Framework (ECCF), streamlining the certification process so that it can be completed within 12 months. Businesses will be able to certify their overall cybersecurity posture, demonstrating legal compliance, including a presumption of compliance with NIS2. The EU Agency for Cybersecurity (ENISA) will see its role significantly reinforced, issuing alerts, supporting companies during ransomware attacks, and providing guidance on cybersecurity standards. ENISA will also manage certification schemes and operate a single entry point for incident reporting.
NIS2 Directive Amendments: Expanding Scope and Simplifying Compliance
The proposed amendments to the NIS2 Directive broaden its scope to include digital and business wallet providers, submarine infrastructure operators, and dual-use infrastructure. Clarification is also provided regarding the application of NIS2 to sectors like electricity, hydrogen, healthcare, and chemicals.
Easing the Burden for Smaller Businesses
Recognizing the challenges faced by smaller organizations, the NIS2 Proposal aims to ease the compliance burden for micro, small, and medium-sized enterprises. Member States may also be able to require certain entities to obtain cybersecurity posture certificates under the Cybersecurity Act 2. Entities not established in the EU but offering services within the EU will be required to designate an EU-based representative.
Harmonized Data Collection on Ransomware
The amendments also introduce requirements for harmonized data collection related to ransomware attacks, which may be imposed at the request of the Computer Security Incident Response Team (CSIRT) or the competent authority.
The Digital Networks Act: A Synergistic Approach
Complementing the cybersecurity package, the European Commission adopted a proposal for a Digital Networks Act (DNA) on January 21, 2026. This Act explicitly links to the Cybersecurity Act 2, requiring compliance with its ICT supply chain measures as a condition for obtaining authorization to provide networks and services or use radio spectrum.
Looking Ahead: A More Secure Digital Future
These initiatives represent a significant step towards a more secure digital future for the EU. By strengthening cybersecurity resilience, simplifying compliance, and enhancing the role of key agencies like ENISA, the EU aims to proactively address the evolving threat landscape and protect its citizens and businesses.
Frequently Asked Questions
What is the Cybersecurity Act 2?
It’s a proposed regulation to update and replace the 2019 Cybersecurity Act, focusing on ICT supply chain security and improving cybersecurity certification.
What is NIS2?
NIS2 is a directive aimed at strengthening the cybersecurity resilience of critical entities and digital service providers across the EU.
What is ENISA’s role in the new package?
ENISA will have a strengthened role in issuing alerts, supporting incident response, providing guidance, and managing certification schemes.
What are the potential fines for non-compliance?
Breaches of the ICT supply chain measures under the Cybersecurity Act 2 could lead to fines of up to 7% of an operator’s worldwide turnover.
Where can I find more information?
The press release on the cybersecurity package is available here. The Cybersecurity Act 2 Proposal is available here, the NIS2 Proposal is available here, and the DNA is available here.
Pro Tip: Regularly review your organization’s cybersecurity posture and supply chain risks to ensure compliance with evolving EU regulations.