European Commission publishes Cybersecurity package

SUMMARY:

  • On 20th January 2026, the European Commission unveiled a new cybersecurity package, including a proposal for a revision of the Cybersecurity Act (The Cybersecurity Act 2) and amendments to the NIS2 Directive (see attached).

The proposals aim to ensure that products reaching EU citizens are cyber-secure by design through a simpler certification process, to facilitate compliance for businesses with existing EU cybersecurity rules and to reinforce the EU Agency for Cybersecurity (ENISA) in case of cybersecurity threats.

MORE INFORMATION:

1. New Cybersecurity Act proposal - key elements:

  • New horizontal framework for addressing the ICT supply chain security challenges in critical infrastructure from third country suppliers with cybersecurity concerns
  • Revised European cybersecurity certification framework: certification schemes to be developed within 12 months by default. Faster and simpler for companies to certify digital products, services, and processes (voluntary tool for businesses). Also more efficient and harmonised, so that one EU-wide certification is recognised across all Member States. Will help ensure that products are secure “by design” before reaching users.
  • Simplification measures to reduce unnecessary administrative burden related to the implementation of the NIS2 Directive: complements the single-entry point for incident reporting proposed in the Digital Omnibus.
  • Strengthened role for the European Union Agency for Cybersecurity (ENISA): can issue early alerts on cyber threats, support Member States and private sector actors in responding to cyber attacks and ransomware incidents. Also possibility to coordinate common EU responses to major incidents and improve operational cooperation.

2. NIS2 Directive proposal - key amendments:

  • Clarification of certain aspects regarding the scope and definitions
  • Removal of micro- and small-sized DNS service providers from the scope
  • Introduction of a new category of small mid-caps
  • Introduction of a harmonised collection of data on ransomware attacks

NEXT STEPS:

The Cybersecurity Act (Regulation proposal) will go through the co-legislative process (European Parliament and Council). After approval by the EP and Council, the Regulation will be applicable immediately.

The amended NIS2 proposal will also be presented to the Parliament and Council for approval. Once adopted, Member States will have one year to implement the Directive into national law.